diff --git a/i18n/ar/404.md b/i18n/ar/404.md new file mode 100644 index 00000000..24ce7747 --- /dev/null +++ b/i18n/ar/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - تَعَذَّرَ العُثُور + +يتعذَّر العثور على الصفحة التي تبحث عنها! هل مقصدُك إحدى الصفحات التالية؟ + +- [مُقدِّمة إلى نمذَجَة التَّهديد](basics/threat-modeling.md) +- [خوادِم DNS المُوصَّى بها](dns.md) +- [أفضل متصفحات الويب للحاسب المكتبي](desktop-browsers.md) +- [أفضَل مزودي VPN](vpn.md) +- [مُنتدى إرشاداتُ الخصوصيَّة](https://discuss.privacyguides.net) +- [مُدوِّناتنا](https://blog.privacyguides.org) diff --git a/i18n/ar/CODE_OF_CONDUCT.md b/i18n/ar/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/ar/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/ar/about/criteria.md b/i18n/ar/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/ar/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/ar/about/donate.md b/i18n/ar/about/donate.md new file mode 100644 index 00000000..a1deb3e0 --- /dev/null +++ b/i18n/ar/about/donate.md @@ -0,0 +1,50 @@ +--- +title: قم بدعمنا +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/ar/about/index.md b/i18n/ar/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/ar/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/ar/about/notices.md b/i18n/ar/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/ar/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/ar/about/privacy-policy.md b/i18n/ar/about/privacy-policy.md new file mode 100644 index 00000000..3a16f158 --- /dev/null +++ b/i18n/ar/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "سياسة الخصوصية" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/ar/about/privacytools.md b/i18n/ar/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/ar/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/ar/about/services.md b/i18n/ar/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/ar/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/ar/about/statistics.md b/i18n/ar/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/ar/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/ar/advanced/communication-network-types.md b/i18n/ar/advanced/communication-network-types.md new file mode 100644 index 00000000..20bbe9ff --- /dev/null +++ b/i18n/ar/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[ما نوصي به من برامج مراسلة فورية](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/ar/advanced/dns-overview.md b/i18n/ar/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/ar/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/ar/advanced/payments.md b/i18n/ar/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/ar/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/ar/advanced/tor-overview.md b/i18n/ar/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/ar/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/ar/android.md b/i18n/ar/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/ar/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/ar/assets/img/account-deletion/exposed_passwords.png b/i18n/ar/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/ar/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/ar/assets/img/android/rss-apk-dark.png b/i18n/ar/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/ar/assets/img/android/rss-apk-light.png b/i18n/ar/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-apk-light.png differ diff --git a/i18n/ar/assets/img/android/rss-changes-dark.png b/i18n/ar/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ar/assets/img/android/rss-changes-light.png b/i18n/ar/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ar/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-encryption.svg b/i18n/ar/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/how-tor-works/tor-path.svg b/i18n/ar/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ar/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ar/assets/img/multi-factor-authentication/fido.png b/i18n/ar/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ar/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ar/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ar/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/ar/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/ar/basics/account-creation.md b/i18n/ar/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/ar/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/ar/basics/account-deletion.md b/i18n/ar/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/ar/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/ar/basics/common-misconceptions.md b/i18n/ar/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/ar/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/ar/basics/common-threats.md b/i18n/ar/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/ar/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/ar/basics/email-security.md b/i18n/ar/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/ar/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/ar/basics/multi-factor-authentication.md b/i18n/ar/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/ar/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/ar/basics/passwords-overview.md b/i18n/ar/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/ar/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/ar/basics/threat-modeling.md b/i18n/ar/basics/threat-modeling.md new file mode 100644 index 00000000..895ccfb9 --- /dev/null +++ b/i18n/ar/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "نمذَجَةُ التَّهديد" +icon: 'المادة/الحساب-المستهدف' +description: موازنة الأمان، الخصوصية، وقابلية الاستخدام تعد واحدة من أول وأصعب المهام التي ستواجهها في رحلة الخصوصية. +--- + +موازنة الأمان، الخصوصية، وقابلية الاستخدام تعد واحدة من أول وأصعب المهام التي ستواجهها في رحلة الخصوصية. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/ar/basics/vpn-overview.md b/i18n/ar/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/ar/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/ar/calendar.md b/i18n/ar/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/ar/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/ar/cloud.md b/i18n/ar/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/ar/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/ar/cryptocurrency.md b/i18n/ar/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/ar/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/ar/data-redaction.md b/i18n/ar/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/ar/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/ar/desktop-browsers.md b/i18n/ar/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/ar/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/ar/desktop.md b/i18n/ar/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/ar/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/ar/dns.md b/i18n/ar/dns.md new file mode 100644 index 00000000..29ddcde9 --- /dev/null +++ b/i18n/ar/dns.md @@ -0,0 +1,139 @@ +--- +title: "محلِّلات أنظمة أسماء النطاقات (DNS)" +icon: material/dns +description: هنا بعض موفِّري خدمة أنظمة أسماء النطاقات المعمَّاة لتستبدل ما ضبطه لك موفِّر خدمة الإنترنت. +--- + +ينبغي استخدام أنظمة أسماء النطاقات المعمَّاة الموجودة في خوادم جهات خارجية فقط لتجاوز [حظرها](https://en.wikipedia.org/wiki/DNS_blocking)، وذلك إن تيقَّنت من أن ذلك ليست له عواقب. لن يخفي استخدام نظام أسماء نطاق معمًّى ما تتصفَّح. + +[استزد علمًا عن أنظمة أسماء النطاقات :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## موفِّرو الخدمة الموصى بهم + +| الموفِّر | سياسة الخصوصية | الموافيق | تسجيل الأنشطة | ECS | التصفية | +| ------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------- | +| [**آدجارد**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | بعض منه ١ | لا يوجد | حسب اختيار الخادم. لك العثور على قائمة التصفيات المستخدمة هنا. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**كلاودفلير**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | بعض منه ٢ | لا يوجد | حسب اختيار الخادم. | +| [**كنترول دي**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | اختياري٣ | لا يوجد | حسب اختيار الخادم. | +| [**ملفاد**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | لا يوجد٤ | لا يوجد | حسب اختيار الخادم. لك العثور على قائمة التصفيات المستخدمة هنا. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**نكست‌دي‌إن‌إس**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | اختياري٥ | اختياري | حسب اختيار الخادم. | +| [**كواد٩**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | بعض منه٦ | اختياري | حسب اختيار الخادم، وحظر البرمجيات الخبيثة مفعَّل مبدئيًّا. | + +## المعايير + +**عليك التنبُّه لأننا لسنا ذوي صلة بأيٍّ من المشاريع التي نوصي بها**، وزيادةً على [معاييرنا القياسية](about/criteria.md) فقد طوَّرنا مجموعة متطلَّبات تتيح لنا توصية توصيات موضوعية. ينبغي لك الاطِّلاع على هذه القائمة قبل الاختيار منها، وابحث بنفسك لتتيقَّن من أن ما اخترت يناسبك. + +!!! مثال «هذا القسم جديد» + + لا نزال نجتهد في تعريف معايير واضحة لكلِّ قسم من صفحتنا، فلعلَّ هذا يتغيَّر. إن كانت لديك أيُّ أسئلة عن معاييرنا [فاسأل في منتدانا](https://discuss.privacyguides.net/latest)، ولا تظنَّنا غفلنا عن شيء ما لم يُذكر هنا. توجد العديد من الأوجه المناقَشة قبلما نوصي بمشروع، وتوثيقها كلها لا يزال جاريًا. + +- يجب أن يدعم [إضافات الأمان لأنظمة أسماء النطاقات](advanced/dns-overview.md#what-is-dnssec). +- [تدنية الأسماء المؤهَّلة](advanced/dns-overview.md#what-is-qname-minimization). +- يسمح بتعطيل [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs). +- يفضِّل دعم [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) أو دعم geo-steering. + +## الدعم الأصيل لأنظمة التشغيل + +### أندرويد + +يدعم أندرويد ٩ وما بعده أنظمة أسماء النطاقات عبر أمن طبقة النقل (DNS over TLS). تجد هذا الإعداد في: **الإعدادات** ← ** الشبكة والإنترنت ** ← **نظام أسماء نطاقات خاص**. + +### أجهزة أبل + +تدعم آخر إصدارات آي‌أو‌إس و آيباد‌أو‌إس و تي‌في‌أو‌إس و ماك‌أو‌إس أنظمة DoT و DoH. يوجد دعم أصيل لهذه الموافيق باستخدام [ملفَّات تعريف الضبط](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) أو باستخدام [واجهة برمجة إعدادات نظام تسمية النطاقات](https://developer.apple.com/documentation/networkextension/dns_settings). + +لك اختيار ضبط نظام تسمية النطاقات بعد تثبيت ملفِّ تعريف ضبط أو تثبيت تطبيق يستخدم واجهة برمجة إعدادات نظام تسمية النطاقات. إن كانت شبكة خاصَّة افتراضية (VPN) مفعَّلةً فسوف تُحلَّل الاتصالات داخلها باستخدام نظام تسمية نطاقاتها وليس باستخدام إعدادات نظامك. + +#### ملفَّات التعريف الموقَّعة + +لا تتيح أبل واجهةً أصيلةً لإنشاء ملفَّات تعريف معمَّاة. [مُنشئ ملفَّات تعريف نظام تسمية النطاقات الآمن](https://dns.notjakob.com/tool.html) هو أداة غير رسمية تتيح لك إنشاء ملفَّات تعريف نظام تسمية النطاقات معمَّاة، ولكن ضع في حسبانك أنها لن توقَّع. تفضَّل ملفَّات التعريف الموقَّعة على غيرها، وذلك ﻷن التوقيع يؤكِّد أصلها وصحَّتها. تعلَّم ملفَّات التعريف الموقَّعة بعلامة «مؤكَّد» خضراء. لتستزيد علمًا عن توقيع الرموز عليك مطالعة [عن توقيع الرموز](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). توفِّر [آدجارد](https://adguard.com/en/blog/encrypted-dns-ios-14.html) و [نكست‌دي‌إن‌إس](https://apple.nextdns.io) و [كواد٩](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/) **ملفَّات تعريف موقَّعةً**. + +!!! معلومات + + [لا يدعم](https://github.com/systemd/systemd/issues/8639) ‹systemd-resolved› ميفاق DoH بعد، وهو ما تستخدمه الكثير من توزيعات لينكس لتبحث في أنظمة تسمية النطاقات. إن أردت استخدام DoH فعليك تثبيت وسيط مثل [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) [وضبطه](https://wiki.archlinux.org/title/Dnscrypt-proxy) ليستلم كلَّ استعلامات أنظمة تسمية النطاقات من محلِّل نظامك ويوجِّههم عبر HTTPS. + +## وسطاء أنظمة تسمية النطاقات المعمَّاة + +توفِّر برمجيات التوسُّط بين أنظمة تسمية النطاقات وسيطًا محليًّا [لمحلِّل نظام التسمية غير المعمَّى](advanced/dns-overview.md#unencrypted-dns) لتوجِّه الطلبات له. ويشيع استخدامه في المنصَّات التي لا تدعم [أنظمة تسمية النطاقات المعمَّاة](advanced/dns-overview.md#what-is-encrypted-dns) أصلًا. + +### ريثنك‌دي‌إن‌إس + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=left } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=left } + + **ريثنك‌دي‌إن‌إس** هو عميل أندرويد مفتوح المصدر يدعم [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) و [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot) و [DNSCrypt](advanced/dns-overview.md#dnscrypt) والتوسُّط لأنظمة تسمية النطاقات وتخزين استجاباتها مؤقَّتًا وتسجيل استعلاماتها محليًّا، ويُستخدم جدارًا ناريًّا أيضًا. + + [:octicons-home-16: صفحتهم](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="رمز المصدر" } + + ??? التنزيلات + + - [:simple-googleplay: متجر بلاي](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: جت‌هب](https://github.com/celzero/rethink-app/releases) + +### دي‌إن‌إس‌كربت-بروكسي + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=left } + + **دي‌إن‌إس‌كربت-بروكسي** هو وسيط أنظمة تسمية نطاقات يدعم [DNSCrypt](advanced/dns-overview.md#dnscrypt) و [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) [وأنظمة تسمية النطاقات المُجَهَّلة](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! تحذير «[**لا تخفي**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) ميزة تجهيل أنظمة تسمية النطاقات بقية نشاطات الشبكة.» + + [:octicons-repo-16: المستودع](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=ساهم } + + ??? التنزيلات + + - [:simple-windows11: ويندوز](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: ماك‌أوإس](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: لينكس](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## خيارات الاستضافة الذاتية + +تتيح الاستضافة الذاتية لنظام تسمية نطاقات التصفية في المنصَّات المتحكَّم بها، مثل أجهزة التلفاز الذكية وغيرها من أجهزة إنترنت الأشياء، وذلك لأن جهة العميل لا تحتاج لأي برمجيات. + +### آدجارد هوم + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=left } + + **آدجارد هوم** هو نظام [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) مفتوح المصدر يستخدم [تصفية أنظمة تسمية النطاقات](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) ليحظر محتويات الوِب غير المرغوب بها، كالإعلانات. + + لدى آدجارد هوم واجهة وِب متقنة الصنع ترى فيها المعلومات وتدير ما حُظر. + + [:octicons-home-16: الصفحة الرئيسة](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="رمز المصدر" } + +### باي-هول + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=left } + + **باي-هول** هو نظام[DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) مفتوح المصدر يستخدم [تصفية أنظمة تسمية النطاقات](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) ليحظر محتويات الوِب غير المرغوب بها، كالإعلانات. + + صُمِّم باي-هول ليستضاف في جهاز راسبيري باي، ولكنَّه ليس محدودًا به. لهذه البرمجية واجهة وِب سهلة الاستخدام ترى فيها المعلومات وتدير ما حُظر. + + [:octicons-home-16: الصفحة الرئيسة](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=ساهم } + +[^1]: تخزِّن آدجارد قياسات الأداء المجمَّعة من خوادم أنظمة تسمية نطاقاتهم، وتتضمَّن عدد الطلبات المكتملة لكلِّ خادم، وعدد الطلبات المحظورة، وسرعة معالجة الطلبات. وتخزِّن أيضًا قاعدة بيانات بها النطاقات المطلوبة خلال آخر ٢٤ ساعة. «نحتاج هذه المعلومات لنتحرَّى ونحظر المتتبِّعات والمخاطر الجديدة.» «وكذلك نسجِّل عدد المرات التي تُحظر فيها المتتبِّعات. نحتاج هذه المعلومات لنزيل القواعد القديمة من تصفياتنا.» [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: تجمِّع وتخزِّن كلاودفلير عددًا قليلًا من استعلامات أنظمة تسمية النطاقات المرسلة للمحلِّل ١٫١٫١٫١. لا تسجِّل خدمة المحلِّل ١٫١٫١٫١ بيانات شخصيةً، وغالب ما تسِّجل من بيانات لا تعرِّف الأشخاص تخزَّن مدَّة ٢٥ ساعةً لا أكثر. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: تسجِّل كنترول دي البيانات من المحلِّلات المدفوعة التي لها ملفَّات تعريف مخصَّصة فقط. المحلِّلات المجَّانية لا تسجِّل بيانات. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: خدمة أنظمة تسمية النطاقات من ملفاد متاحة للمشتركين في خدمة الشبكة الخاصة الافتراضية ولغير المشتركين كذلك. تزعم سياسة خصوصيتهم صريحًا أنهم لا يسجِّلون طلبات أنظمة تسمية النطاقات أبدًا. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: تستطيع نكست‌دي‌إن‌إس توفير معلومات ومزايا تسجيل حسب الطلب. لك اختيار مدَّة الاحتفاظ ومواضع تخزين التسجيل لأيِّ سجِّلات أردت. إن لم يُطلب تسجيل بيانات فلن تسجَّل. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: تجمع كواد٩ بعض البيانات لمراقبة المخاطر والاستجابات. ويمكن لتلك البيانات أن تُخلط وتُشارك، وغرض ذلك قد يكون لأبحاث الأمن. لا تجمع كواد٩ ولا تسجِّل عناوين IP أو أيَّ بيانات تصنِّفها معرِّفةً شخصيًّا. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/ar/email-clients.md b/i18n/ar/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/ar/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/ar/email.md b/i18n/ar/email.md new file mode 100644 index 00000000..7fd6ebdf --- /dev/null +++ b/i18n/ar/email.md @@ -0,0 +1,503 @@ +--- +title: "البُرُد الإلكترونية" +icon: material/email +description: توفِّر الجهات المذكورة مخزنًا آمنًا لرسائلك، والكثير منهم يدعم تعمية أوبن‌بي‌جي‌بي مع جهات أخرى. +--- + +حتَّى ولو كان البريد الإلكتروني حاجةً لتستخدم أيَّ خدمة إنترنت فإننا لا نوصي به للتحادث. تأمَّل استخدام خدمة اتصال مباشر تدعم السرية المستقبلية لتحادث الناس بدلًا من استخدام بريد إلكتروني. + +[ما نوصي به من برامج مراسلة فورية](real-time-communication.md ""){.md-button} + +خلا ذلك فنوصي بعدد من موفِّري خدمة البريد الإلكتروني، وذلك حسب استدامة نموذجات عملهم وأمنهم ومزايا الخصوصية عندهم. + +- [موفِّرو خدمة البريد الإلكتروني الداعمون لأوبن‌بي‌جي‌بي :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [غيرهم من موفَّري الخدمة المعمَّاة :material-arrow-right-drop-circle:](#more-providers) +- [خدمات تكنين البُرُد الإلكترونية :material-arrow-right-drop-circle:](#email-aliasing-services) +- [خيارات الاستضافة الذاتية :material-arrow-right-drop-circle:](#self-hosting-email) + +## الخدمات الداعمة لأوبن‌بي‌جي‌بي + +يدعهم هؤلاء تعمية وفكَّ تعمية أوبن‌بي‌جي‌بي أصلًا، ويمتثلون معيار دليل مفتاح الوِب (WKD)، مما يتيح لهم إرسال رسائل إلكترونيةً معمَّاةً بين الأطراف بغضِّ النظر عن مصدرها. فمثلًا: باستطاعة مستخدم بريد بروتون إرسال رسالة معمَّاة بين الأطراف، وكون المستقبل مستخدم Mailbox.org، أو لك استقبال إشعارات معمَّاةً بأوبن‌بي‌جي‌بي من خدمات الإنترنت الداعمة له. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [بريد بروتون](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! تحذير + + حتَّى عند استخدام تقنية تعمية بين الأطراف مثل أوبن‌بي‌جي‌بي فسوف توجد بعض البيانات الوصفية غير المعمَّاة في عنوان الرسالة. طالع المزيد عن [البيانات الوصفية في البُرُد الإلكترونية](basics/email-security.md#email-metadata-overview). + + لا يدعم أوبن‌بي‌جي‌بي السرية المستقبلية، ويعني هذا أنه في حال سرقة مفتاحك الخاصِّ أو مفتاح المستقبل فسوف تكون كلُّ الرسائل السابقة بينكما قابلةً لفكِّ التعمية. [كيف أحمي مفاتيحي الخاصَّة؟](basics/email-security.md#how-do-i-protect-my-private-keys) + +### بريد بروتون + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=left } + + **بريد بروتون** هو خدمة بُرُد إلكترونية تركِّز في الخصوصية والتعمية والأمن واليسر. وهم يعملون منذ **٢٠١٣**. ومقرُّ بروتون أي‌جي في جنيف في سويسرا. تبدأ الحسابات عندهم لها سعة تخزين ٥٠٠ م‌بايت، وذلك حسب الاشتراك المجاني. + + [:octicons-home-16: الصفحة الرئيسة](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="خدمة أَنيِن" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="رمز المصدر" } + + ??? التنزيلات + + - [:simple-googleplay: متجر بلاي](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: آب ستور](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: جت‌هب](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: ويندوز](https://proton.me/mail/bridge#download) + - [:simple-apple: ماك‌أو‌إس](https://proton.me/mail/bridge#download) + - [:simple-linux: لينكس](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: وِب](https://mail.proton.me) + +للحسابات المجانية قيود، كعجزهم عن البحث في النصوص وعدم استخدام [جسر بريد بروتون](https://proton.me/mail/bridge)، وتحتاجه إن أردت استخدام [أحد برامج البريد في سطح المكتب الموصى بها](email-clients.md) (مثل ثندربرد). لمن اشترك في حساب عند بريد بروتون مزايا، مثل جسر بريد بروتون ومساحة تخزين إضافية ودعم أسماء النطاق المخصَّصة. أعطت [سكيورتم](https://research.securitum.com) [شهادةً](https://proton.me/blog/security-audit-all-proton-apps) لتطبيقات بريد بروتون في التاسع من نوفمبر عام ٢٠٢١. + +إن كان عندك اشتراك «بروتون أنلمتد» أو «بروتون بزنس» أو «فجنري بلان» فسوف تحصل على اشتراك [سمبل‌لوج‌إن](#simplelogin) مجَّانًا. + +عند بريد بروتون تقارير تعطُّل داخلية **لا** يشاركونها مع أيِّ جهة خارجية. ولك تعطيلها في: **الإعدادات** > ** إذهب للإعدادات** > **الحساب** > **الأمن والخصوصية** > **أرسل تقارير التعطُّل**. + +#### :material-check:{ .pg-green } النطاقات المخصَّصة والكنى + +بإمكان مشتركي بريد بروتون استخدام أسماء نطاق من عندهم أو لهم استخدام عنوان [جامع](https://proton.me/support/catch-all). وكذلك يدعم بريد بروتون [العنونة الفرعية](https://proton.me/support/creating-aliases)، وهي مفيدة لمن لا يريد شراء نطاق. + +#### :material-check:{ .pg-green } سُبُل الدفع الخاصَّة + +[يقبل](https://proton.me/support/payment-options) بريد بروتون الدفع نقدًا عن طريق البريد، ويقبل كذلك الدفع ببطاقات الائتمان والبطاقات المصرفية [وبتكوين](advanced/payments.md#other-coins-bitcoin-ethereum-etc) وبي‌بال. + +#### :material-check:{ .pg-green } أمن الحساب + +يدعم بريد بروتون [الاستيثاق بخطوتين عبر](https://proton.me/support/two-factor-authentication-2fa) «كلمة المرور لمرة واحدة حسب الوقت (TOTP)» [ومفاتيح أمن العتاد](https://proton.me/support/2fa-security-key) وفق معيارَي FIDO2 و U2F. ويتطلَّب استخدام مفاتيح أمن العتاد إعداد الاستيثاق بخطوتين عبر كلمة المرور لمرة واحدة حسب الوقت. + +#### :material-check:{ .pg-green } أمن البيانات + +عند بريد بروتون [تعمية دون أيِّ وصول](https://proton.me/blog/zero-access-encryption) لبُرُدك الإلكترونية [وتقويماتك](https://proton.me/news/protoncalendar-security-model). لا يمكن لأحد الوصول للبيانات المعمَّاة دون أيِّ وصول سواك. + +بعض المعلومات المخزَّنة في [متراسلي بروتون](https://proton.me/support/proton-contacts) ليست مؤمَّنةً بتعمية دون أيِّ وصول، كالأسماء المعروضة وعناوين البُرُد الإلكترونية. تُعلَّم حقول المتراسلين الداعمة للتعمية دون أيِّ وصول بعلامة قفل، كأرقام الجوالات. + +#### :material-check:{ .pg-green } تعمية البريد الإلكتروني + +عند بريد بروتون [دعم مدمج لتعمية أوبن‌بي‌جي‌بي](https://proton.me/support/how-to-use-pgp) في صفحة البريد. تعمَّى الرسائل المرسلة لحسابات بريد بروتون الأخرى تلقائيًّا، ولك تمكين تعمية أوبن‌بي‌جي‌بي لعناوين البريد خارج بروتون في إعدادات حسابك. ويتيح لك أيضًا [تعمية الرسائل المرسلة لغير عناوين بروتون](https://proton.me/support/password-protected-emails) دون حاجتهم لتسجيل حساب بريد بروتون او استخدام برمجية مثل أوبن‌بي‌جي‌بي. + +يدعم بريد بروتون اكتشاف المفاتيح العامَّة باستخدام HTTP من [دليل مفاتيح الوِب (WKD) التابع لهم](https://wiki.gnupg.org/WKD). ويتيح هذا لمن ليس عنده بريد بروتون العثور على مفاتيح أوبن‌بي‌جي‌بي لحسابات بريد بروتون بسهولة، وذلك لتمكين التعمية بين الأطراف بين موفِّري خدمة البريد الإلكترونيِّ. + + +#### :material-information-outline:{ .pg-blue } إنهاء الحسابات + +إن كان عندك حساب مدفوع [ولم تدفع الفاتورة](https://proton.me/support/delinquency) ١٤ يومًا فلن تستطيع الوصول لبياناتك. وبعد ثلاثين يوم يصبح حسابك خاملًا لا يستقبل الرسائل. وسوف يستمر إصدار الفواتير خلال هذه المدَّة. + +#### :material-information-outline:{ .pg-blue } وظائف إضافية + +يعرض بريد بروتون حسابًا «لا نهائيًّا» قيمته ٩٫٩٩ يورو لكلِّ شهر، ويتيح الوصول لشبكة بروتون الافتراضية الخاصَّة، واستخدام عدَّة حسابات ونطاقات وكنًى و مساحة تخزين ٥٠٠ ج‌بايت. + +ليس عند بريد بروتون ميزة الإرث الرقميِّ. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=left } + + **Mailbox.org** هو خدمة بريد إلكترونيٍّ تركِّز على الأمن والخلوِّ من الإعلانات، وهي تستلم طاقتها من مصادر خاصَّة ١٠٠٪ صديقة للبيئة. وهم يعملون منذ ٢٠١٤. ومقرُّهم في برلين في ألمانيا. تبدأ الحسابات ولها مساحة تخزين ٢ ج‌بايت، وتمكن زيادتها حسب الحاجة. + + [:octicons-home-16: الصفحة الرئيسة](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Pسياسة الخصوصية" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=التوثيق} + + ??? التنزيلات + + - [:octicons-browser-16: وِب](https://login.mailbox.org) + +#### :material-check:{ .pg-green } النطاقات المخصَّصة والكنى + +تتيح لك Mailbox.org استخدام اسم نطاق من عندك، وكذلك تدعم العناوين [الجامعة](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). وزد على ذلك أنهم يدعمون [العنونة الفرعية](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it)، وهي مفيدة لمن لا يريد شراء نطاق. + +#### :material-check:{ .pg-green } سُبُل الدفع الخاصَّة + +لا تقبل Mailbox.org الدفع باستخدام العملات المعمَّاة، وسبب ذلك أن معالج دفعهم، بِت‌بَي، علَّق عملياته في ألمانيا. ولكنهم يقبلون الدفع نقدًا عبر البريد، ودفع النقد لحساب مصرف، والتحويل المصرفيَّ، وبطاقات الائتمان، وبَي‌بال، وبعض معالجي الدفع في ألمانيا: paydirekt و Sofortüberweisung. + +#### :material-check:{ .pg-green } أمن الحساب + +تدعم Mailbox.org [الاستيثاق بخطوتين](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) في موقعهم فقط. لك استخدام كلمة مرور لمرة واحدة حسب الوقت (TOTP) أو [يوبِكي](https://en.wikipedia.org/wiki/YubiKey) من [يوبِكلاود](https://www.yubico.com/products/services-software/yubicloud). بعض معايير الوِب مثل [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ليست مدعومةً بعد. + +#### :material-information-outline:{ .pg-blue } أمن البيانات + +تتيح Mailbox.org تعمية الرسائل الواردة باستخدام [صندوق البريد المعمَّى](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). تعمَّى الرسائل الواردة باستخدام مفتاحك العامِّ فورًا. + +ولكن [أوبن-إكستشينج](https://en.wikipedia.org/wiki/Open-Xchange)، وهي منصَّة البرمجيات التي تستخدمها Mailbox.org، [ لا تدعم](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) تعمية دفتر عناوينك وتقويمك. لعلَّ [خيارًا مستقلًّا](calendar.md) أفضل لهذه المعلومات. + +#### :material-check:{ .pg-green } تعمية البريد الإلكتروني + +لدى Mailbox.org [تعمية مدمجة](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) في موقعهم، وهذا ييسِّر إرسال الرسائل باستخدام مفاتيح أوبن‌بي‌جي‌بي العامَّة. وكذلك يتيحون [لمستقبلي الرسائل من خارج خوادمهم كشف تعمية رسالة](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) في خوادم Mailbox.org. فائدة هذا تظهر في حال كان المستقبل ليس لديه أوبن‌بي‌جي‌بي ولا يستطيع كشف تعمية نسخة من الرسالة في صندوق بريده. + +تدعم Mailbox.org اكتشاف المفتايح العامَّة باستخدام HTTP من [دليل مفاتيح الوِب (WKD)](https://wiki.gnupg.org/WKD) التابع لهم. ويتيح هذا لمن ليس عنده Mailbox.org العثور على مفاتيح أوبن‌بي‌جي‌بي لحسابات Mailbox.org بسهولة، وذلك لتمكين التعمية بين الأطراف بين موفِّري خدمة البريد الإلكترونيِّ. + +#### :material-information-outline:{ .pg-blue } إنهاء الحسابات + +يعيَّن حسابك حساب مستخدم مقيَّد عند انتهاء عقدك، وبعد [ثلاثين يوم سوف يحذف نهائيًّا](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } وظائف إضافية + +بإمكانك الوصول لحسابك في Mailbox.org باستخدام IMAP/SMTP عبر [خدمة .onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). ولكن لا يمكن الوصول لواجهة موقعهم باستخدام خدمة .onion، وقد تواجه أخطاء شهادة TLS. + +عند كلِّ الحسابات مساحة تخزين قليلة، [وتمكن تعميتها](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). وتوفِّر Mailbox.org الكنية [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely)، وهو تفرض تعمية TLS على الاتصال بين خوادم البريد، وإن لم يعمَّ فلن ترسل الرسائل. تدعم Mailbox.org [إكستشينج-أكتف‌سنك](https://en.wikipedia.org/wiki/Exchange_ActiveSync)، وكذلك تدعم معايير الوصول القياسية مثل IMAP و POP3. + +عند Mailbox.org ميزة الإرث الرقميِّ لكلِّ الاشتراكات. فبوسعك اختيار ما إن أردت أن تورِّث أيَّ بيانات لك، وذلك إن سجَّل ذلك ورثاؤك وشهدت بذلك. غير ذلك فيمكنك ترشيح شخص باسمه وعنوانه. + +## مقدِّموا خدمة آخرون + +يخزِّن مقدمِّو الخدمة هؤلاء بُرُدك معمَّاةً تعمية دون معرفة، وهذا جاعلهم خيارات جيِّدةً لتخزِّنها فيها. ولكنهم لا يدعمون معايير تعمية للاتصالات المعمَّاة بين الطرفين تتوافق بين الموفِّرين. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### ستارت‌ميل + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=left } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=left } + + **ستارت‌ميل** هي خدمة بُرُد إلكترونية تركِّز على الأمن والخصوصية، وذلك باستخدامها تعمية أوبن‌بي‌جي‌بي. وهم يعملون منذ ٢٠١٤، ومقرُّهم في بولفارد ١١ في زايست في هولندا. تبدأ الحسابات بمساحة تخزين ١١ ج‌بايت. ويوفِّرون ثلاثين يومًا تجربةً. + + [:octicons-home-16: الصفحة الرئيسة](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=التوثيق} + + ??? التنزيلات + + - [:octicons-browser-16: وِب](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } النطاقات المخصَّصة والكنى + +للحسابات الشخصية استخدام الكنى [المخصَّصة والسريعة](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). وتتاح كذلك [النطاقات المخصَّصة](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain). + +#### :material-alert-outline:{ .pg-orange } سُبُل الدفع الخاصَّة + +تقبل ستارت‌ميل فيزا وماستركارد وأميركن إكسبرس وبي‌بال. ولديهم أيضًا [خيارات دفع](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) أخرى، [كبتكوين](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (وهذا حاليًّا للحسابات الشخصية فقط)، والخصم المباشر من سيبا للحسابات التي عمرها أكثر من سنة. + +#### :material-check:{ .pg-green } أمن الحساب + +تدعم ستارت‌ميل الاستيثاق بخطوتين باستخدام كلمة مرور لمرَّة واحدة حسب الوقت [في موقعهم فقط](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). ولا يسمحون بالاستيثاق بمفتاح أمن المعامل الثاني الشامل (U2F). + +#### :material-information-outline:{ .pg-blue } أمن البيانات + +لدى ستارت‌ميل [تعمية دون أيِّ وصول](https://www.startmail.com/en/whitepaper/#_Toc458527835) باستخدام نظام «خزنة المستخدم». فإن سجَّلت دخولك فسوف تُفتح الخزنة، وعند ذلك تُنقل البُرُد إلى الخزنة من قائمة الانتظار، وهناك تُكشف تعميتها باستخدام ما يوافقها من مفاتيح خاصَّة. + +تدعم ستارت‌ميل استيراد [المتراسلين](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts)، ولكن الوصول لهم محصور في موقعهم وليس باستخدام موافيق مثل [كال‌داف](https://en.wikipedia.org/wiki/CalDAV). ولا يخزَّن المتراسلون باستخدام التعمية دون علم. + +#### :material-check:{ .pg-green } تعمية البريد الإلكتروني + +عند ستارت‌ميل [تعمية مدمجة](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) في موقعهم، وهذا ييسِّر إرسال الرسائل المعمَّاة باستخدام مفاتيح أوبن‌بي‌جي‌بي العامَّة. ولكنهم لا يدعمون معيار دليل مفاتيح الوِب، وهذا يصعِّب على موفِّري الخدمة الآخرين والعملاء اكتشاف المفاتيح العامَّة لصناديق بُرُدهم. + +#### :material-information-outline:{ .pg-blue } إنهاء الحسابات + +حال انتهاء صلاحية الحساب فسوف تحذف ستارت‌ميل الحساب نهائيًّا بعد [ستة أشهر وفي ثلاث مراحل](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } وظائف إضافية + +تتيح ستارت‌ميل التوسُّط للصور داخل الرسائل. فإن سمحت لصورة أن تحمَّل فلن يعرف مرسلها عنوان IP التابع لك. + +ليس عند ستارت‌ميل ميزة الإرث الرقميِّ. + +### توتنوتا + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=left } + + **توتنوتا** هي خدمة بُرُد إلكترونية تركِّز على الأمن والخصوصية باستخدام التعمية. وهم يعملون منذ ٢٠١١، ومقرُّهم في هانوفر في ألمانيا. تبدأ الحسابات المجانية عندهم بمساحة تخزين ١ ج‌بايت. + + [:octicons-home-16: الصفحة الرئيسة](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=التوثيق} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=ساهم } + + ??? التنزيلات + + - [:simple-googleplay: متجر بلاي](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: آب ستور](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: جت‌هب](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: ويندوز](https://tutanota.com/#download) + - [:simple-apple: ماك‌أو‌إس](https://tutanota.com/#download) + - [:simple-linux: لينكس](https://tutanota.com/#download) + - [:octicons-browser-16: وِب](https://mail.tutanota.com/) + +لا تدعم توتنوتا [ميفاق IMAP](https://tutanota.com/faq/#imap) أو استخدام [تطبيقات البُرُد الإلكترونية](email-clients.md) غير تطبيقهم، ولن تستطيع إضافة [حسابات خارجية](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) في تطبيقهم. ولا يدعم [استيراد الرسائل](https://github.com/tutao/tutanota/issues/630) ولا [المجلَّدات الفرعية](https://github.com/tutao/tutanota/issues/927) حاليًّا، ولكنَّ هذا [في صدد التغيير](https://tutanota.com/blog/posts/kickoff-import). يمكن تصدير الرسائل [فرادًى أو مجمَّعةً حسب الاختيار](https://tutanota.com/howto#generalMail) لكلِّ مجلَّد، ولعلَّ هذا مزعج إن كانت عندك العديد من المجلَّدات. + +#### :material-check:{ .pg-green } النطاقات المخصَّصة والكنى + +تتاح للحسابات المدفوعة ما أقصاه ٥ [كنًى](https://tutanota.com/faq#alias) [وأسماء نطاق مخصَّصة](https://tutanota.com/faq#custom-domain). لا تسمح توتنوتا [بالعنونة الفرعية (العنونة الإضافية)](https://tutanota.com/faq#plus)، لكن بوسعك استخدام [مصياد شامل](https://tutanota.com/howto#settings-global)، وذلك باسم نطاق مخصَّص. + +#### :material-information-outline:{ .pg-blue } سُبُل الدفع الخاصَّة + +لا تقبل توتنوتا مباشرةً إلى بطاقات الإئتمان وبي‌بال، ولكن يمكنك استخدام [العملات المعمَّاة](cryptocurrency.md) لشراء بطاقات هدايا عن طريق [تعاونهم](https://tutanota.com/faq/#cryptocurrency) مع بروكسيستور. + +#### :material-check:{ .pg-green } أمن الحساب + +تدعم توتنوتا [الاستيثاق بخطوتين](https://tutanota.com/faq#2fa)، وذلك عبر كلمة مرور لمرَّة واحدة حسب الوقت أو مفتاح أمن المعامل الثاني الشامل. + +#### :material-check:{ .pg-green } أمن البيانات + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } إنهاء الحسابات + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ar/encryption.md b/i18n/ar/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/ar/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/ar/file-sharing.md b/i18n/ar/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/ar/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/ar/financial-services.md b/i18n/ar/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/ar/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/ar/frontends.md b/i18n/ar/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/ar/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/ar/index.md b/i18n/ar/index.md new file mode 100644 index 00000000..fdd5cbab --- /dev/null +++ b/i18n/ar/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.ar.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## لماذا ينبغي عليَّ الاهتمام؟ + +##### "ليس لديَّ شيئٌ اُخفيه. لماذا يجب أن أهتم بخصوصيتي؟ " + +تمامًا مثل الحق في محاكمة عادلة، حق التعليم، حق الزواج، والعديد من الحقوق الأخرى، لم يُدعَم حقنا في الخصوصية دائمًا. في مُعظم الأُمُور، لا يزال الأمر كذلك. كافح العديد من الأشخاص لأجل حقنا في الخصوصية. ==الخصوصية حق من حقوق الإنسان، أصيل فينا جميعًا==، يحق لنا (دون تمييز). + +يجب عليك عدم الخلط بين الخصوصية والسريَّة. نحن نعلم ما يحدث في الحَمَّام، لكنك ما زلت تغلق الباب، أليس كذلك؟ هذا لأنك تريد الخصوصية وليس السريَّة. **الجميع** لديه شيء لحمايته. الخصوصية شيء أصيل في البشريَّة. + +[:material-target-account: تهديدات الإنترنت الشائعة](basics/common-threats.md ""){.md-button.md-button--primary} + +## ماذا يجب أن أفعل؟ + +##### أولًا، تحتاج إلى وضع خُطَّة + +إنَّ محاولة حماية جميع بياناتك من الجميع طوال الوقت أمر غير عملي، مكلف، ومُرهِق. لكن لا تقلق! الأمان هو إجراء، من خلال التفكير مسبقًا، يمكنك وضع خطة تناسبك. لا يقتصر الأمان على الأدوات الَّتي تستخدمُها أو البرامِج الَّتي تنزِّلُها. بدلاً من ذلك، يبدأ الأمر بفهم التهديدات الفريدة التي تواجهك، وكيف يمكنك التخفيف منها. + +==هذه العملية لتحديد التهديدات وتحديد الإجراءات المضادة تسمى **نَمذَجَةُ التَّهدِيد**==، وهي تشكل الأساس لكل خِطَّة أمان وخصوصية جيدة. + +[:material-book-outline: تعرَّف على المَزيد حولَ نَمذَجَةِ التَّهدِيد](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## نحتاجُك! إليك كيفية المشاركة: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="انضم إلى منتدانا" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="تابعنا على ماستودون" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="ساهم في هذا الموقع" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="ساعد في ترجمة هذا الموقع" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="تحدث معنا على ماتريكس" } +[:material-information-outline:](about/index.md){ title="تعلم المزيد عنا" } +[:material-hand-coin-outline:](about/donate.md){ title="ادعم المشروع" } + +من المهم أن يُحدَّث موقع ويب مثل إرشادات الخصوصية بشكل مستمر. نحتاج إلى أن يراقب جمهورنا تحديثات برمجيات التطبيقات المدرجة على موقعنا ومتابعة آخر الأخبار حول مقدمي الخدمة الذين نوصي بهم. من الصعب مواكبة الوتيرة السريعة للإنترنت، لكننا نبذل قصارى جهدنا. إذا اكتشفت خطأً، اعتقدت أنه لا يجب إدراج مقدم خدمة، لاحظت اختفاء مزود مؤهَّل، اعتقدت أن المكون الإضافي للمتصفح لم يعد هو الخيار الأفضل، أو اكتشفت أي مشكلة أخرى، يرجى إبلاغنا بذلك. diff --git a/i18n/ar/kb-archive.md b/i18n/ar/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/ar/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/ar/meta/brand.md b/i18n/ar/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/ar/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/ar/meta/git-recommendations.md b/i18n/ar/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/ar/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/ar/meta/uploading-images.md b/i18n/ar/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/ar/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/ar/meta/writing-style.md b/i18n/ar/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/ar/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/ar/mobile-browsers.md b/i18n/ar/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/ar/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/ar/multi-factor-authentication.md b/i18n/ar/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/ar/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/ar/news-aggregators.md b/i18n/ar/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/ar/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/ar/notebooks.md b/i18n/ar/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/ar/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/ar/os/android-overview.md b/i18n/ar/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/ar/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/ar/os/linux-overview.md b/i18n/ar/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/ar/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/ar/os/qubes-overview.md b/i18n/ar/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/ar/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/ar/passwords.md b/i18n/ar/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/ar/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/ar/productivity.md b/i18n/ar/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/ar/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/ar/real-time-communication.md b/i18n/ar/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/ar/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/ar/router.md b/i18n/ar/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/ar/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/ar/search-engines.md b/i18n/ar/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/ar/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/ar/tools.md b/i18n/ar/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/ar/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/ar/tor.md b/i18n/ar/tor.md new file mode 100644 index 00000000..4ed6ad30 --- /dev/null +++ b/i18n/ar/tor.md @@ -0,0 +1,120 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![شعار تور](assets/img/self-contained-networks/tor.svg){ align=right } + +شبكة **تور** هي خوادم يديرها متطوِّعون تتيح لك الاتصال بها مجَّانًا وتحسِّن خصوصيتك وأمنك في الإنترنت. ويمكن للأفراد والمؤسسات مشاركة المعلومات عبرها باستخدام «خدمات .onion الخفية»، وذلك دون نهك خصوصيتهم. فكون اتصالات تور صعبة الحظر والتتبع يجعل تور أداةً فعَّالةً لتجاوز الرقابة. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=الصفحة الرئيسة } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="خدمة أَنيِن" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=التوثيق} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="رمز المصدر" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=ساهم } + +يعمل تور عن طريق توجيه اتصالاتك عبر خوادم المتطوِّعين، وذلك بدلًا من الاتصال بالموقع الذي تريد مباشرةً. يلبِّس هذا أصل الاتصال، وليس بوسع أي خادم في سبيل الاتصال رؤيته من بدايته لمقصده، مما يعني أن حتى الخوادم المستخدمة للاتصال لا تنتهك مجهوليتك. + +[نظرة عامة شاملة عن تور :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## الاتصال بتور + +عندك الكثير من السُّبُل للتتَّصل بشبكة تور من جهازك، وأشيعها **متصفِّح تور**، وهو تشعُّب من فيرفكس مصمَّم للتصفُّح المستور، ويُتاح في أجهزة سطح المكتب ونظام أندرويد. وزيادةً على التطبيقات المذكورة أدناه فهناك أنظمة تشغيل مصمَّمة للتتَّصل بشبكة تور، مثل [وونكس](desktop.md#whonix) في [كيوبس أو‌إس](desktop.md#qubes-os)، وأمانه أأمن متصفِّح تور العاديِّ. + +### متصفِّح تور + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=left } + + **متصفِّح تور** خير خيار إن أردت المجهولية، فهو يمكِّنك من الاتصال بشبكة تور وجسورها، وفيه إعدادات مبدئية تُضبط حسب مستوى الأمن: *قياسي* و*أأمن* و*أشدُّ أمن*. + + [:octicons-home-16: الصفحة الرئيسة](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="خدمة أَنيِن" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=التوثيق } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=ساهم } + + ??? التنزيلات + + - [:simple-googleplay: متجر بلاي](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: أندرويد](https://www.torproject.org/download/#android) + - [:simple-windows11: ويندوز](https://www.torproject.org/download/) + - [:simple-apple: ماك‌أو‌إس](https://www.torproject.org/download/) + - [:simple-linux: لينكس](https://www.torproject.org/download/) + - [:simple-freebsd: فري‌بي‌إس‌دي](https://www.freshports.org/security/tor) + +!!! خطر + + لا تثبِّت أيَّ إضافات في متصفِّح تور **أبدًا**، ولا تحرِّر إعدادات ‹about:config›، ويشمل ذلك ما نقترحه في فيرفكس. تميِّزك الإضافات والإعدادات المختلفة عن البقية في شبكة تور، وهذه يسهِّل تبصيم [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting) متصفِّحك. + +صمِّم متصفِّح تور لمكافحة التبصيم، أو كشف هويَّتك حسب ضبط متصفِّحك. وزبدة القول أنه عليك **ألا** تعدِّل المتصفِّح خلا [مستويات الأمن](https://tb-manual.torproject.org/security-settings/) المبدئية. + +### أُربوت + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=left } + + **أربوت** هو شبكة تور افتراضية خاصة للأجهزة الذكية، وما يفعله هو توجيه اتصالاتك من أيِّ تطبيق عبر شبكة تور. + + [:octicons-home-16: الصفحة الرئيسة](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="سياسة الخصوصية" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=التوثيق} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=ساهم } + + ??? التنزيلات + + - [:simple-googleplay: متجر بلاي](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: آب ستور](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: جت‌هب](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! فائدة «فوائد لنظام أندرويد» + + بإمكان أربوت التوسُّط لتطبيقات معيَّنة حال دعمها توسُّط SOCKS أو HTTP. ويستطيع أيضا توسيط كلِّ اتصالات شبكتك باستخدام شبكة افتراضية خاصَّة [VpnService](https://developer.android.com/reference/android/net/VpnService)، ولك استخدامه مع مفتاح أيقاف الشبكات الافتراضية في :gear: **الإعدادات** ← **الشبكة والإنترنت** ← **الشبكات الافتراضية الخاصة** ← :gear: ← **امنع الاتصالات دون شبكة افتراضية خاصَّة**. + + غالبًا ما تجد إصدار أربوت قديمًا في مستودع [إف-درويد](https://guardianproject.info/fdroid) لمشروع جارديَن [ومتجر بلاي](https://play.google.com/store/apps/details?id=org.torproject.android)، فربما من الأفضل أن تنزِّله من [مستودع جت‌هب](https://github.com/guardianproject/orbot/releases) مباشرةً. + + كلُّ الإصدارات وُقِّع عليها بنفس التوقيع، لذلك تتوافق. + +## المرحِّلات والجسور + +### سنوفليك + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=left } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=left } + + يتيح لك **سنوفليك** أن تساهم بشيء من حيِّز نطاقك في مشروع تور، ويكون ذلك عبر تشغيل «وسيط سنوفليك» ضمن متصفِّحك. + + يستطيع من يخضع للرقابة أن يستعمل وسطاء سنوفليك ليتَّصل بشبكة تور. ييسِّر سنوفليك المساهمة في شبكة تور، فلا تحتاج لمعلومات تقنية لتشغِّل مرحِّل تور أو جسرًا له. + + [:octicons-home-16: الصفحة الرئيسة](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=التوثيق} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="رمز المصدر" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=ساهم } + + ??? التنزيلات + + + - [:simple-firefoxbrowser: فيرفكس](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: كروم](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: وِب](https://snowflake.torproject.org/embed "اترك هذه الصفحة مفتوحةً لتصير وسيط سنوفليك") + +??? فائدة «سنوفليك مضمَّن» + + بوسعك تمكين سنوفليك في متصفِّحك بنقر المفتاح أدناه ==وترك الصفحة مفتوحةً==. ويمكنك أيضًا تثبيت سنوفليك إضافةً في متصفِّحك، ولك تشغيله طالما فُتح متصفِّحك، ولكن تنبَّه لأن إضافة إضافات خارجية يزيد المخاطر. + +
+ إن لم يظهر لك التضمين فتيقَّن من أنك لا تحظر الإطار الخارجيَّ من ‹torproject.org›. أو زر [هذه الصفحة](https://snowflake.torproject.org/embed.html). + +لا يفيد سنوفليك في تحسين خصوصيتك أبدًا، وليس سبيلًا لاتصال بشبكة تور داخل متصفِّحك. ولكن إن كان اتصالك بالإنترنت لا يخضع لرقابة فتخيَّر تشغيله لتعين من يستعمل شبكات تخضع لها في تحسين خصوصيتهم. ولا تقلق حيال أيِّ صفحات يزورها من يستخدم وسيطك، ﻷن عنوان IP لهم يطابق ذاك التابع لعقدة مخرج تور، لا عقدتك. + +إن تشغيل وسيط سنوفليك ليس منذرًا بالخطر، بل أقلُّ خطرًا من تشغيل مرحِّل تور أو جسر له، وهذا ليس بذاك الخطر أصلًا. ولكنه يوسِّط الاتصالات عبر شبكتك، ولعلَّ لهذا تبعات، خاصَّةً إن كانت شبكتك محدودةً. عليك تمعُّن [سبيل عمل سنوفليك](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) قبل أن تقرِّر تشغيل وسيط. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/ar/video-streaming.md b/i18n/ar/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/ar/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/ar/vpn.md b/i18n/ar/vpn.md new file mode 100644 index 00000000..0b7c871c --- /dev/null +++ b/i18n/ar/vpn.md @@ -0,0 +1,327 @@ +--- +title: "خِدْمَات شبكة خاصة افتراضية" +icon: material/vpn +description: هذه هي أفضل خِدْمَات شبكة خاصة افتراضية للمحافظة خصوصيتك وأمانك على الإنترنت. اعثر على مزود للخدمة هنا ليس يريد التجسس عليك. +--- + +إذا كنت تبحث عن **خصوصية** إضافية من مزود خدمة الإنترنت لك، أو عندما تتصل بشبكة واي-فاي عامة، أو في أثناء استخدامك لشبكة تورنت، قد يكون استخدام شبكة خاصة افتراضية هو الحل بالنسبة لك ما دمت على دراية بالمخاطر المترتبة على ذلك. نعتقد بأن هؤلاء هم أفضل المزودين: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "الشبكات الخاصة الافتراضية لا توفر إخفاء الهُوِيَّة" + + **لن يؤدي** استخدام شبكة خاصة افتراضية إلى إبقاء عاداتك التصفحية مجهولة الهُوِيَّة، ولن يضيف حماية إلى الاتصالات المستخدمة لميفاق (HTTP) الغير آمنة. + + في حال بحثك عن **إخفاء الخوية**، يجب استخدم متصفح Tor بدلاً من شبكة خاصة افتراضية. + + إذا كنت تبحث عن **أمان** إضافي، يجب التأكد من الاتصال بمواقع الويب باستخدام ميفاق HTTPS. الشبكات الخاصة الافتراضية ليست بديلاً للممارسات الأمنية الجيدة. + + [نزّل متصفح Tor](https://www:torproject.org/){ .md-button .md-button--primary } [خرافات، وأسئلة شائعة متعلقة بمتصفح Tor](advanced/tor-overview.md){ .md-button } + +[نظرة عامة شاملة على الشبكات الخاصة الافتراضية: :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## موفِّرو الخدمة الموصى بهم + +يستخدم مزودو الخدمة ممن نوصي بهم التعمية، ويقبلون عملة Monero الرقمية، ويدعمون ميفاق WireGuard و نطام OpenVPN، ولديهم سياسة عدم التسجيل. للمزيد من المعلومات، اطلع على [قائمة المعايير](#criteria). + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### ملفاد + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/bn/404.md b/i18n/bn/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/bn/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/bn/CODE_OF_CONDUCT.md b/i18n/bn/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/bn/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/bn/about/criteria.md b/i18n/bn/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/bn/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/bn/about/donate.md b/i18n/bn/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/bn/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/bn/about/index.md b/i18n/bn/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/bn/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/bn/about/notices.md b/i18n/bn/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/bn/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/bn/about/privacy-policy.md b/i18n/bn/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/bn/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/bn/about/privacytools.md b/i18n/bn/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/bn/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/bn/about/services.md b/i18n/bn/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/bn/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/bn/about/statistics.md b/i18n/bn/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/bn/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/bn/advanced/communication-network-types.md b/i18n/bn/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/bn/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/bn/advanced/dns-overview.md b/i18n/bn/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/bn/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/bn/advanced/payments.md b/i18n/bn/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/bn/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/bn/advanced/tor-overview.md b/i18n/bn/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/bn/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/bn/android.md b/i18n/bn/android.md new file mode 100644 index 00000000..03eb727d --- /dev/null +++ b/i18n/bn/android.md @@ -0,0 +1,426 @@ +--- +title: "অ্যান্ড্রয়েড" +icon: 'ফন্টঅ্যাওসাম/ ব্র্যান্ড / অ্যান্ড্রয়েড' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: অ্যান্ড্রয়েড + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: অ্যান্ড্রয়েড + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: অ্যান্ড্রয়েড + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: অ্যান্ড্রয়েড + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: অ্যান্ড্রয়েড +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. রেকমেন্ডেশন + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP এর ডেরিভেটিভস্ + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + পুরোনো ডিভাইসগুলিতে (যেমন GrapheneOS CalyxOS এর "extended support" ডিভাইসগুলো) সম্পুর্ন সিকিউরিটি থাকে না, OEM সাপোর্ট দেওয়া বন্ধ করে দেওয়ার জন্য। যেকোনো সফটওয়্যার ইনস্টলড থাকুক না কেনো এইসমস্ত ডিভাইসগুলো কে কখনোই সম্পূর্ণ ভাবে নিরাপদ বিবেচনা করা যাবে না + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + প্রাইভেসি এবং সিকিউরিটি এর জন্য **GrapheneOS** সবথেকে ভালো। + + GrapheneOS তে কিছু বাড়তি [সিকিউরিটি](https://en.wikipedia.org/wiki/Hardening_(computing)) এবং প্রাইভেসি রয়েছে। It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/bn/assets/img/account-deletion/exposed_passwords.png b/i18n/bn/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/bn/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/bn/assets/img/android/rss-apk-dark.png b/i18n/bn/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/bn/assets/img/android/rss-apk-light.png b/i18n/bn/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-apk-light.png differ diff --git a/i18n/bn/assets/img/android/rss-changes-dark.png b/i18n/bn/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/bn/assets/img/android/rss-changes-light.png b/i18n/bn/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/bn/assets/img/android/rss-changes-light.png differ diff --git a/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-encryption.svg b/i18n/bn/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg b/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/how-tor-works/tor-path.svg b/i18n/bn/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/bn/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/bn/assets/img/multi-factor-authentication/fido.png b/i18n/bn/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/bn/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/bn/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/bn/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/bn/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/bn/basics/account-creation.md b/i18n/bn/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/bn/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/bn/basics/account-deletion.md b/i18n/bn/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/bn/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/bn/basics/common-misconceptions.md b/i18n/bn/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/bn/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/bn/basics/common-threats.md b/i18n/bn/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/bn/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/bn/basics/email-security.md b/i18n/bn/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/bn/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/bn/basics/multi-factor-authentication.md b/i18n/bn/basics/multi-factor-authentication.md new file mode 100644 index 00000000..78659d10 --- /dev/null +++ b/i18n/bn/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +সাধারণত, যদি কোনো হ্যাকার (বা শত্রু) আপনার পাসওয়ার্ড ডিক্রিপ্ট করতে সক্ষম হয় তাহলে তারা যে অ্যাকাউন্টে ওই পাসওয়ার্ড আছে সেটিতে প্রবেশ করতে সক্ষম হবে। MFA আছে এমন একটি অ্যাকাউন্ট-এর ক্ষেত্রে হ্যাকারকে পাসওয়ার্ড ( যা আপনি *জানেন*) এবং আপনার মালিকানাধীন একটি ডিভাইস (যা আপনার *কাছে আছে*), যেমন আপনার ফোন,উভয়ই থাকলে তবে হ্যাকার হ্যাক করতে সক্ষম হবে। + +MFA পদ্ধতিগুলির নিরাপত্তা বিভিন্নরকম হতে পারে ,আক্রমণকারীর পক্ষে আপনার MFA পদ্ধতিতে অ্যাক্সেস লাভ করা যত কঠিন, ততই ভালো। Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA পদ্ধতিগুলির তুলনা + +### এসএমএস বা ইমেইল MFA + +এসএমএস বা ইমেলের ওটিপি কোডগুলির মাধ্যমে MFA-এর ব্যবহার অ্যাকাউন্টগুলিকে সুরক্ষিত করার একটি দুর্বল উপায়৷ ইমেল বা এসএমএস-এর মাধ্যমে কোড পাওয়া "যা আপনার *আছে*" ধারণা থেকে দূরে সরে যায়, কারণ হ্যাকার বিভিন্ন রকম ভাবে আপনার [ফোন নম্বর দখল করতে পারে](https://en.wikipedia.org/wiki/SIM_swap_scam) বা আপনার কোনো ডিভাইস স্পর্শ না করেই আপনার ইমেলে অ্যাক্সেস পেতে পারে। যদি কোনো অননুমোদিত ব্যক্তি আপনার ইমেলের অ্যাক্সেস লাভ করে, তাহলে তারা আপনার সেই ইমেইল ব্যবহার করে পাসওয়ার্ড রিসেট করতে পারে এবং অথেনটিকেশন কোড পেতে পারে, যা শেষ পর্যন্ত তাকে আপনার একাউন্ট-এর সম্পূর্ণ এক্সেস দেবে। + +### মোবাইলের নোটিফিকেশন + +পুশ নোটিফিকেশন MFA এমন একটা পদ্ধতি যেখানে আপনার ফোনের একটি অ্যাপে নোটিফিকেশন পাঠানো হয়, যাতে আপনাকে নতুন অ্যাকাউন্ট লগইন নিশ্চিত করতে বলে। এই পদ্ধতিটি এসএমএস বা ইমেলের চেয়ে তুলনামূলকভাবে অনেক ভালো, যেহেতু একজন আক্রমণকারী সাধারণত লগগড -ইন করা ডিভাইস ছাড়া এই নোটিফিকেশনগুলি পেতে সক্ষম হবে না, যার মানে তাদের প্রথমে আপনার অন্য ডিভাইসগুলির মধ্যে একটিকে হ্যাক করতে হবে ৷ + +আমরা প্রত্যেকেই ভুল করি, এবং আপনি অন্যমনস্কতাবশত লগইন এপ্রুভ করে দিতে পারেন তার সম্ভাবনা রয়েছে। লগইন এর জন্য নোটিফিকেশনগুলি সাধারণত আপনার *সমস্ত ডিভাইসে* একসঙ্গে পাঠানো হয়, যদি আপনার অনেকগুলি ডিভাইস থাকে তবে তা MFA কোড পাওয়ার সম্ভাবনা বৃদ্ধি করে৷ + +পুশ নোটিফিকেশন MFA -এর নিরাপত্তা অ্যাপের গুণমান, সার্ভারের, এবং এটি তৈরিকারী ব্যাক্তির ওপর নির্ভর করে। একটি অ্যাপ্লিকেশন ইনস্টল করার অর্থ হল যে আপনাকে প্রায়ই ক্ষতিকারক পারমিশনগুলি একসেপ্ট করতে হবে, যা ওই অ্যাপ্লিকেশনকে ডিভাইসের অন্যান্য ডেটা অ্যাক্সেস করার অনুমতি দেয়৷ অনেক সময় বিভিন্ন পরিষেবার জন্য আপনাকে বিভিন্ন এপ্লিকেশন ইনস্টল করতে হতে পারে, সেই এপ্লিকেশন টি আবার কোনো পাসওয়ার্ড ছাড়াই ওপেন হতে পারে, যা মোটেও ভালো TOTP জেনারেটার এপ্লিকেশন এর লক্ষণ নয়। + +### সময়-সাপেক্ষ ওয়ান-টাইম পাসওয়ার্ড (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. শেয়ার্ড সিক্রেট অথেনটিকেশন অ্যাপের ভিতরে সুরক্ষিত থাকে এবং কখনও কখনও পাসওয়ার্ড দ্বারা সুরক্ষিত থাকে। + +সময়-সাপেক্ষ কোড তারপর শেয়ার্ড সিক্রেট এবং সময় থেকে জেনারেট হয়। As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +যদি আপনার কাছে TOTP সহ একটি হার্ডওয়্যার সিকিউরিটি কী থাকে (যেমন Yubico অথেন্টিকেটর সাথে একটি YubiKey), আমরা সুপারিশ করি যে আপনি হার্ডওয়্যারে আপনার "শেয়ার্ড সিক্রেট " রাখুন৷ YubiKey-এর মতো হার্ডওয়্যার এমনভাবে তৈরী করা হয়েছিল যাতে "শেয়ারড সিক্রেট" বের করা এবং কপি করা কঠিন হয় একটি YubiKey ইন্টারনেটের সাথে যুক্ত থাকে না, কিন্তু TOTP যুক্ত একটি ফোন ইন্টারনেট এর সাথে যুক্ত থাকে। + +[WebAuthn](#fido-fast-identity-online) এর অপরপক্ষে TOTP [ফিশিং](https://en.wikipedia.org/wiki/Phishing) বা রি-উজ এটাক এর বিরুদ্ধে কোন সুরক্ষা প্রদান করে না। If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +আপনার উজার-নেম, পাসওয়ার্ড এবং বর্তমান TOTP কোড হাতানোর জন্য, আপনাকে প্রতারণা করার চেষ্টায় একজন আক্ক্রমণকারী একটি অফিসিয়াল পরিষেবার অনুকরণ করে একটি ওয়েবসাইট সেট আপ করতে পারে। আক্রমণকারী সেই রেকর্ড করা তথ্যগুলি ব্যবহার করে প্রকৃত পরিষেবাতে লগ ইন করতে এবং অ্যাকাউন্ট হাইজ্যাক করতে সক্ষম হতে পারে। + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### হার্ডওয়্যার সিকিউরিটি কী + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### সময়-সাপেক্ষ ওয়ান-টাইম পাসওয়ার্ড (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/bn/basics/passwords-overview.md b/i18n/bn/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/bn/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/bn/basics/threat-modeling.md b/i18n/bn/basics/threat-modeling.md new file mode 100644 index 00000000..72d64044 --- /dev/null +++ b/i18n/bn/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: প্রাইভেসি সিকিউরিটি, এবং ব্যবহারযোগ্যতা এর মধ্যে ভারসাম্য রক্ষা করা আপনার প্রাইভেসি যাত্রার সবথেকে কঠিন কাজ। +--- + +প্রাইভেসি সিকিউরিটি, এবং ব্যবহারযোগ্যতা এর মধ্যে ভারসাম্য রক্ষা করা আপনার প্রাইভেসি যাত্রার সবথেকে কঠিন কাজ। Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +যদি আপনি **সবথেকে** সিকিউর সফটও়্যারগুলো ব্যাবহার করতে চান আপনাকে *কিছু* ব্যবহারযোগ্যতা বিসর্জন দিতে হবে। And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. একারণে থ্রেট মডেল তৈরি করা জরুরি। + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. আমি কি রক্ষা করতে চাই? +2. কার থেকে আমি রক্ষা করতে চাই? +3. এটি আমার কতটা রক্ষা করা প্রয়োজন? +4. আমি ব্যর্থ হলে পরিণতি কতটা খারাপ? +5. সম্ভাব্য ফল রোধ করার জন্য আমি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক? + +### আমি কি রক্ষা করতে চাই? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### কার থেকে আমি রক্ষা করতে চাই? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### এটি আমার কতটা রক্ষা করা প্রয়োজন? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### আমি ব্যর্থ হলে পরিণতি কতটা খারাপ? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### সম্ভাব্য ফল রোধ করার জন্য আমি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**আপনি কি রক্ষা করতে চান? (অথবা, *আপনার কাছে কি এমন জিনিস আছে যা রক্ষা করার দরকার?*)** +: + +আপনার জিনিসপত্র এর মধ্যে গয়না, ইলেকট্রনিকস, গুরুত্বপূর্ণ কাগজপত্র অথবা ফটো পড়তে পারে। + +**কার থেকে আপনি রক্ষা করতে চান?** +: + +আপনার সিকিউরিটি এর আক্রমণকারী ডাকাত, রুমমেট বা অতিথি হতে পারে। + +**আপনাকে রক্ষা করতে হবে তার সম্ভাবনা কত?** +: + +আপনার আশেপাশে কি চুরির ইতিহাস আছে? How trustworthy are your roommates or guests? আপনার প্রতিপক্ষের ক্ষমতা কি? আপনার কী কী ঝুঁকি বিবেচনা করা উচিত? + +**আপনি ব্যর্থ হলে পরিণতি কতটা খারাপ?** +: + +আপনার বাড়িতে এমন কিছু আছে যা আপনি অন্য কিছু দিয়ে পরিবর্তন করতে পারবেন না? Do you have the time or money to replace those things? আপনার কি বীমা আছে যা আপনার বাড়ি থেকে চুরি হওয়া জিনিসগুলি কভার করে? + +**সম্ভাব্য ফল রোধ করার জন্য আপনি কতটা সমস্যার মধ্য দিয়ে যেতে ইচ্ছুক?** +: + +আপনি সংবেদনশীল নথি রাখার জন্য একটি সেফ কিনতে ইচ্ছুক? আপনি কি একটি উচ্চ মানের তালা কিনতে সামর্থ্য? আপনার কি স্থানীয় ব্যাঙ্কে কোনও সিকিউরিটি বাক্স খোলার এবং সেখানে আপনার মূল্যবান জিনিসপত্র রাখার সময় আছে? + +আপনি একবার নিজেকে এই প্রশ্নগুলি জিজ্ঞাসা করলে আপনি কী পদক্ষেপ নেবেন তা বুঝতে পারবেন। যদি আপনার জিনিসপত্রগুলো দামী হয়, কিন্তু ডাকাতি হওয়ার সম্ভাবনা কম, তাহলে বেশি টাকা তলাতে খরচ করার দরকার হবে না। But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/bn/basics/vpn-overview.md b/i18n/bn/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/bn/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/bn/calendar.md b/i18n/bn/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/bn/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/bn/cloud.md b/i18n/bn/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/bn/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/bn/cryptocurrency.md b/i18n/bn/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/bn/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/bn/data-redaction.md b/i18n/bn/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/bn/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/bn/desktop-browsers.md b/i18n/bn/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/bn/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/bn/desktop.md b/i18n/bn/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/bn/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/bn/dns.md b/i18n/bn/dns.md new file mode 100644 index 00000000..7d24c217 --- /dev/null +++ b/i18n/bn/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### অ্যান্ড্রয়েড + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/bn/email-clients.md b/i18n/bn/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/bn/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/bn/email.md b/i18n/bn/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/bn/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/bn/encryption.md b/i18n/bn/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/bn/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/bn/file-sharing.md b/i18n/bn/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/bn/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/bn/financial-services.md b/i18n/bn/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/bn/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/bn/frontends.md b/i18n/bn/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/bn/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/bn/index.md b/i18n/bn/index.md new file mode 100644 index 00000000..55115303 --- /dev/null +++ b/i18n/bn/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.bn.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/bn/kb-archive.md b/i18n/bn/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/bn/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/bn/meta/brand.md b/i18n/bn/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/bn/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/bn/meta/git-recommendations.md b/i18n/bn/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/bn/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/bn/meta/uploading-images.md b/i18n/bn/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/bn/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/bn/meta/writing-style.md b/i18n/bn/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/bn/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/bn/mobile-browsers.md b/i18n/bn/mobile-browsers.md new file mode 100644 index 00000000..d87ac47f --- /dev/null +++ b/i18n/bn/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - অ্যান্ড্রয়েড + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## অ্যান্ড্রয়েড + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/bn/multi-factor-authentication.md b/i18n/bn/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/bn/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/bn/news-aggregators.md b/i18n/bn/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/bn/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/bn/notebooks.md b/i18n/bn/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/bn/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/bn/os/android-overview.md b/i18n/bn/os/android-overview.md new file mode 100644 index 00000000..4eefe344 --- /dev/null +++ b/i18n/bn/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: ফন্টঅ্যাওসাম/ ব্র্যান্ড / অ্যান্ড্রয়েড +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/bn/os/linux-overview.md b/i18n/bn/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/bn/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/bn/os/qubes-overview.md b/i18n/bn/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/bn/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/bn/passwords.md b/i18n/bn/passwords.md new file mode 100644 index 00000000..a5d5c220 --- /dev/null +++ b/i18n/bn/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - অ্যান্ড্রয়েড + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - অ্যান্ড্রয়েড + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - অ্যান্ড্রয়েড + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: অ্যান্ড্রয়েড + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/bn/productivity.md b/i18n/bn/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/bn/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/bn/real-time-communication.md b/i18n/bn/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/bn/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/bn/router.md b/i18n/bn/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/bn/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/bn/search-engines.md b/i18n/bn/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/bn/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/bn/tools.md b/i18n/bn/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/bn/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/bn/tor.md b/i18n/bn/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/bn/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/bn/video-streaming.md b/i18n/bn/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/bn/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/bn/vpn.md b/i18n/bn/vpn.md new file mode 100644 index 00000000..6bba2546 --- /dev/null +++ b/i18n/bn/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/de/404.md b/i18n/de/404.md new file mode 100644 index 00000000..a09b11b8 --- /dev/null +++ b/i18n/de/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Seite nicht gefunden + +Wir konnten die Seite, nach der du gesucht hast, nicht finden! Vielleicht hast du nach einer dieser Seiten gesucht? + +- [Einführung in die Bedrohungsmodellierung](basics/threat-modeling.md) +- [Empfohlene DNS-Anbieter](dns.md) +- [Beste Desktop-Webbrowser](desktop-browsers.md) +- [Beste VPN-Anbieter](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Unser Blog](https://blog.privacyguides.org) diff --git a/i18n/de/CODE_OF_CONDUCT.md b/i18n/de/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..c6f9e57f --- /dev/null +++ b/i18n/de/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Verhaltenskodex der Gemeinschaft + +**Wir verpflichten uns**, unsere Gemeinschaft zu einer belästigungsfreien Erfahrung für alle zu machen. + +**Wir bemühen uns,**, ein positives Umfeld zu schaffen, indem wir eine einladende und integrative Sprache verwenden und die Standpunkte anderer respektieren. + +**Wir verbieten** unangemessenes oder anderweitig inakzeptables Verhalten, wie z. B. sexualisierte Sprache, Trolling und beleidigende Kommentare oder anderweitige Förderung von Intoleranz oder Belästigung. + +## Gemeinschaftsstandards + +Was wir von den Mitgliedern unserer Gemeinschaften erwarten: + +1. **Keine Fehlinformationen verbreiten** + + Wir schaffen eine evidenzbasierte Bildungsgemeinschaft rund um Datenschutz und Informationssicherheit, keine Heimat für Verschwörungserzählungen. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Unsere Community-Mitglieder sind kein kostenloser technischer Support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Geltungsbereich + +Unser Verhaltenskodex gilt für alle Projektbereiche und auch dann, wenn eine Person das Privacy Guides Projekt in anderen Gemeinschaften vertritt. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Kontakt + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +Alle Verantwortlichen der Community sind verpflichtet, die Privatsphäre und die Sicherheit der Person, die einen Vorfall meldet, zu respektieren. diff --git a/i18n/de/about/criteria.md b/i18n/de/about/criteria.md new file mode 100644 index 00000000..c331aa56 --- /dev/null +++ b/i18n/de/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Allgemeine Kriterien +--- + +!!! example "Work in Progress" + + Die folgende Seite ist in Arbeit und spiegelt zum aktuell noch nicht die vollständigen Kriterien für unsere Empfehlungen wider. Frühere Diskussion zu diesem Thema: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Nachfolgend sind einige Punkte aufgeführt, die für alle Einsendungen an Privacy Guides zutreffen müssen. Für jede Kategorie gelten zusätzliche Anforderungen für die Aufnahme. + +## Finanz-Offenlegung + +Wir verdienen kein Geld mit Empfehlungen bestimmter Produkte, wir verwenden keine Affiliate-Links, und wir gewähren keine besondere Gegenleistung für Projektspender. + +## Allgemeine Richtlinien + +Wir wenden diese Prioritäten beim Prüfen neuer Empfehlungen an: + +- **Sicher**: Tools sollten, wo möglich, bewährte Sicherheitspraktiken anwenden. +- **Verfügbarkeit der Quellen**: Open-Source-Projekte werden meist gegenüber gleichwertigen proprietären Alternativen bevorzugt. +- **Plattformübergreifend**: Wir bevorzugen Empfehlungen die plattformübergreifend sind, um eine Herstellerbindung zu vermeiden. +- **Aktive Entwicklung**: Die von uns empfohlenen Tools sollten aktiv weiterentwickelt werden, nicht gewartete Projekte werden in den meisten Fällen entfernt. +- **Benutzerfreundlichkeit**: Die Tools sollten für die meisten Computerbenutzer zugänglich sein, ein übermäßig technischer Hintergrund sollte nicht erforderlich sein. +- **Dokumentiert**: Die Werkzeuge sollten über eine klare und ausführliche Dokumentation zum Gebrauch verfügen. + +## Selbsteinreichungen von Entwicklern + +Wir haben diese Anforderungen an Entwickler, die eigene Projekt oder Software zur Prüfung einreichen möchten. + +- Muss die Zugehörigkeit offenlegen, d.h. deine Position innerhalb des eingereichten Projekts. + +- Muss ein Sicherheits-Whitepaper haben, wenn es sich um ein Projekt handelt, das den Umgang mit sensiblen Informationen beinhaltet, wie z. B. Messenger, Passwort-Manager, verschlüsselte Cloud-Speicherung usw. + - Status der Prüfung durch Dritte. Wir möchten wissen, ob eine vorhanden oder geplant ist. Wenn möglich, gib bitte an, wer die Prüfung durchführen wird. + +- Muss erklären, was das Projekt im Hinblick auf den Schutz der Privatsphäre bietet. + - Löst es ein neues Problem? + - Warum sollte jemand es den Alternativen vorziehen? + +- Must state what the exact threat model is with their project. + - Den potenziellen Nutzern sollte klar sein, was das Projekt bieten kann und was nicht. diff --git a/i18n/de/about/donate.md b/i18n/de/about/donate.md new file mode 100644 index 00000000..563b0d5a --- /dev/null +++ b/i18n/de/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Uns unterstützen +--- + + +Es braucht eine Menge [Leute](https://github.com/privacyguides/privacyguides.org/graphs/contributors) und [Arbeit](https://github.com/privacyguides/privacyguides.org/pulse/monthly) um die Privacy Guides auf dem neuesten Stand zu halten und Wissen über Datenschutz und Massenüberwachung zu verbreiten. Wenn dir gefällt, was wir tun, kannst du dich beteiligen, indem du [die Website bearbeitest](https://github.com/privacyguides/privacyguides.org) oder [Übersetzungen](https://crowdin.com/project/privacyguides) beisteuerst. + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective akzeptiert Zahlungen per Kredit-/Debitkarte, PayPal und Banküberweisung. + +[Auf OpenCollective.com spenden](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Spenden, die direkt über Open Collective gemacht werden, sind in den USA in der Regel steuerlich absetzbar, da unser steuerlicher Träger (die Open Collective Foundation) eine eingetragene 501(c)3 Organisation ist. Nach deiner Spende erhältst du eine Spendenbescheinigung von der Open Collective Foundation. Privacy Guides bietet keine Finanzberatung an, und Sie sollten sich an Ihren Steuerberater wenden, um herauszufinden, ob dies auf Sie zutrifft. + +Wenn du bereits GitHub-Sponsoring verwendest, kannst du unsere Organisation auch dort unterstützen. + +[Sponsor uns auf GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Unterstützer/-innen + +Ein besonderer Dank geht an alle, die unsere Mission unterstützen! :heart: + +*Bitte beachten Sie: Dieser Abschnitt lädt ein Widget direkt von Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/de/about/index.md b/i18n/de/about/index.md new file mode 100644 index 00000000..b5fa9082 --- /dev/null +++ b/i18n/de/about/index.md @@ -0,0 +1,102 @@ +--- +title: "Über Privacy Guides" +description: Privacy Guides ist eine sozial motivierte Website, die Informationen zum Schutz der eigenen Datensicherheit und Privatsphäre bereitstellt. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** ist eine sozial motivierte Website, die [Informationen](/kb) zum Schutz der eigenen Datensicherheit und Privatsphäre bereitstellt. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. Wir sind ein gemeinnütziges Kollektiv, welches ausschließlich von freiwilligen [Teammitgliedern](https://discuss.privacyguides.net/g/team) und Mitwirkenden betrieben wird. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> Um [datenschutzfreundliche alternative] Apps zu finden, besuchen Sie Websites wie Good Reports und **Privacy Guides**, die datenschutzfreundliche Apps in einer Vielzahl von Kategorien auflisten, darunter auch E-Mail-Anbieter (in der Regel mit kostenpflichtigen Tarifen), die nicht von den großen Technologieunternehmen betrieben werden. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Unser Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Webseite](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-Mail](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-Mail](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Webseite](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Webseite](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Website-Lizenz + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Sofern nicht anders angegeben, werden die Originalinhalte auf dieser Website unter der [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)zur Verfügung gestellt. Das bedeutet, dass es allen freisteht, das Material in jedem Medium oder Format für jeden Zweck, auch kommerziell, zu kopieren und weiterzugeben, solange `Privacy Guides (www.privacyguides.org)` in angemessener Anerkannt und ein Link zur Lizenz angeben wird. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/de/about/notices.md b/i18n/de/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/de/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/de/about/privacy-policy.md b/i18n/de/about/privacy-policy.md new file mode 100644 index 00000000..68fcdf5f --- /dev/null +++ b/i18n/de/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Datenschutzerklärung" +--- + +Privacy Guides ist ein Gemeinschaftsprojekt, das von einer Reihe aktiver freiwilliger Mitarbeiter*innen betrieben wird. Die öffentliche Liste der Teammitglieder [kann auf GitHub](https://github.com/orgs/privacyguides/people)eingesehen werden. + +## Daten, die wir von Besuchenden sammeln + +Die Privatsphäre unserer Website-Besuchenden ist uns wichtig, daher tracken wir keine Einzel Personen. Als Besuchende unserer Website: + +- Werden keine persönlichen Informationen gesammelt +- Werden keine Informationen wie Cookies im Browser gespeichert +- Werden keine Informationen an Dritte weitergegeben, gesendet oder verkauft +- Werden keine Informationen an Werbefirmen weitergegeben +- Werden keine Informationen über persönliche und verhaltensbezogene Trends gesammelt oder ausgewertet +- Werden keine Informationen monetarisiert + +Die von uns gesammelten Daten können auf unserer [Statistikseite](statistics.md) einsehen werden. + +Wir betreiben eine selbst gehostete Installation von [Plausible Analytics](https://plausible.io), um einige anonyme Nutzungsdaten zu statistischen Zwecken zu sammeln. Das Ziel ist es, allgemeine Trends in unserem Website-Verkehr zu verfolgen, nicht aber, einzelne Besuchende zu verfolgen. Alle Daten sind nur in aggregierter Form vorhanden. Keine persönlichen Daten werden erfasst. + +Zu den erfassten Daten gehören Verweisquellen, Top-Seiten, Besuchsdauer, Informationen über das während des Besuchs verwendete Gerät (Gerätetyp, Betriebssystem, Land und Browser) und mehr. Mehr über die Funktionsweise von Plausible und die datenschutzkonforme Erfassung von Informationen sind [hier](https://plausible.io/data-policy) zu erfahren. + +## Daten, die wir von Kontoinhabenden sammeln + +Auf einigen Websites und Diensten, die wir anbieten, kann für viele Funktionen ein Konto erforderlich sein. So kann beispielsweise ein Konto erforderlich sein, um auf einer Forenplattform Themen zu veröffentlichen und zu beantworten. + +Um sich für die meisten Konten anzumelden, benötigen wir einen Namen, einen Benutzernamen, eine E-Mail-Adresse und ein Passwort. Falls eine Website mehr Informationen als nur diese Daten benötigt, wird dies deutlich gekennzeichnet und in einer separaten Datenschutzerklärung pro Website vermerkt. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +Das Team von Privacy Guides hat im Allgemeinen keinen Zugang zu personenbezogenen Daten, abgesehen von dem begrenzten Zugang, der über einige Moderationspanels gewährt wird. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/de/about/privacytools.md b/i18n/de/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/de/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/de/about/services.md b/i18n/de/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/de/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/de/about/statistics.md b/i18n/de/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/de/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/de/advanced/communication-network-types.md b/i18n/de/advanced/communication-network-types.md new file mode 100644 index 00000000..b65ff69f --- /dev/null +++ b/i18n/de/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Empfohlene Instant Messenger](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/de/advanced/dns-overview.md b/i18n/de/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/de/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/de/advanced/payments.md b/i18n/de/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/de/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/de/advanced/tor-overview.md b/i18n/de/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/de/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/de/android.md b/i18n/de/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/de/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/de/assets/img/account-deletion/exposed_passwords.png b/i18n/de/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/de/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/de/assets/img/android/rss-apk-dark.png b/i18n/de/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/de/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/de/assets/img/android/rss-apk-light.png b/i18n/de/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/de/assets/img/android/rss-apk-light.png differ diff --git a/i18n/de/assets/img/android/rss-changes-dark.png b/i18n/de/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/de/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/de/assets/img/android/rss-changes-light.png b/i18n/de/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/de/assets/img/android/rss-changes-light.png differ diff --git a/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-encryption.svg b/i18n/de/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-path-dark.svg b/i18n/de/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/de/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/de/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/how-tor-works/tor-path.svg b/i18n/de/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/de/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/de/assets/img/multi-factor-authentication/fido.png b/i18n/de/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/de/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/de/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/de/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/de/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/de/basics/account-creation.md b/i18n/de/basics/account-creation.md new file mode 100644 index 00000000..ee329f9c --- /dev/null +++ b/i18n/de/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Benutzerkontenerstellung" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Oft melden sich Menschen für Dienste an, ohne nachzudenken. Vielleicht ist es ein Streaming-Dienst, mit dem du die neue Serie, über die alle reden, sehen kannst, oder ein Konto, mit dem du einen Rabatt für dein Lieblingsrestaurant bekommst. In jedem Fall solltest du die Auswirkungen auf Ihre Daten jetzt und in Zukunft beachten. + +Mit jedem neuen Dienst, den du nutzt, sind Risiken verbunden. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/de/basics/account-deletion.md b/i18n/de/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/de/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/de/basics/common-misconceptions.md b/i18n/de/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/de/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/de/basics/common-threats.md b/i18n/de/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/de/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/de/basics/email-security.md b/i18n/de/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/de/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/de/basics/multi-factor-authentication.md b/i18n/de/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ce8f9530 --- /dev/null +++ b/i18n/de/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Faktor-Authentifizierung" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/de/basics/passwords-overview.md b/i18n/de/basics/passwords-overview.md new file mode 100644 index 00000000..08574123 --- /dev/null +++ b/i18n/de/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Einführung in Passwörter" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwörter sind ein wesentlicher Bestandteil unseres täglichen digitalen Lebens. Wir nutzen sie, um unsere Konten, unsere Geräte und unsere Geheimnisse zu schützen. Obwohl sie oft das Einzige sind, was zwischen uns und Angreifenden steht, die es auf unsere privaten Daten abgesehen haben, wird nicht viel über sie nachgedacht, was oft dazu führt, dass Passwörter verwendet werden, die leicht zu erraten oder mit roher Gewalt heraus findbar sind. + +## Bewährte Praktiken + +### Verwendung einzigartiger Kennwörter + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Verwendung zufällig generierter Passwörter + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Passwörter speichern + +### Passwortverwaltung + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/de/basics/threat-modeling.md b/i18n/de/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/de/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/de/basics/vpn-overview.md b/i18n/de/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/de/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/de/calendar.md b/i18n/de/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/de/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/de/cloud.md b/i18n/de/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/de/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/de/cryptocurrency.md b/i18n/de/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/de/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/de/data-redaction.md b/i18n/de/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/de/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/de/desktop-browsers.md b/i18n/de/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/de/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/de/desktop.md b/i18n/de/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/de/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/de/dns.md b/i18n/de/dns.md new file mode 100644 index 00000000..867d1fd1 --- /dev/null +++ b/i18n/de/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Verschlüsseltes DNS hilft dir nicht dabei, deine Browsing-Aktivitäten zu verbergen. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Empfohlene DNS-Anbieter + +| DNS-Anbieter | Datenschutzerklärung | Protokolle | Logging | ECS | Filter | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Klartext
DoH/3
DoT
DNSCrypt | Some[^1] | Nein | Nach Server Wahl. Die verwendete Filterliste findest du hier. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Klartext
DoH/3
DoT | Some[^2] | Nein | Nach Server Wahl. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Klartext
DoH/3
DoT
DoQ | Optional[^3] | Nein | Nach Server Wahl. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Nein[^4] | Nein | Nach Server Wahl. Die verwendete Filterliste findest du hier. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Klartext
DoH/3
DoT | Optional[^5] | Optional | Nach Server Wahl. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Klartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Nach Server Wahl, Schadware wird standardmäßig blockiert. | + +## Kriterien + +**Bitte beachte, dass wir mit keinem der Projekte, die wir empfehlen, verbunden sind.** Zusätzlich zu unseren [Standardkriterien](about/criteria.md) haben wir eine Reihe klarer Anforderungen entwickelt, die es uns ermöglichen, objektive Empfehlungen zu geben. Wir empfehlen, sich mit dieser Liste vertraut zu machen, bevor sich für ein Projekt entschieden wird und eigenen Nachforschungen anzustellen, um sicherzustellen, dass es die richtige Wahl ist. + +!!! example "This section is new" + + Wir arbeiten daran, definierte Kriterien für jeden Bereich unserer Website festzulegen, daher kann dies sich noch ändern. Bei Fragen zu unseren Kriterien, können diese [in unserem Forum] (https://discuss.privacyguides.net/latest) gestellt werden. Und gehen Sie nicht davon aus, dass wir etwas bei unseren Empfehlungen nicht berücksichtigt haben, wenn es hier nicht aufgeführt ist. Es gibt viele Faktoren, die berücksichtigt und besprochen werden, wenn wir ein Projekt empfehlen, und die Dokumentation jedes einzelnen Faktors ist ein laufender Prozess. + +- Muss [DNSSEC](advanced/dns-overview.md#what-is-dnssec) unterstützen. +- [QNAME Minimierung](advanced/dns-overview.md#what-is-qname-minimization). +- Erlaubt es [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) zu deaktivieren. +- Bevorzugt [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) Unterstützung oder Geo-Steering-Unterstützung. + +## Unterstützung durch Betriebssysteme von Haus aus + +### Android + +Android 9 und höher unterstützen DNS über TLS. Die Einstellungen sind zu finden unter: **Einstellungen** → **Netzwerk & Internet** → **Privates DNS**. + +### Apple-Geräte + +Die neuesten Versionen von iOS, iPadOS, tvOS und macOS unterstützen sowohl DoT als auch DoH. Beide Protokolle werden nativ über [Konfigurationsprofile](https://support.apple.com/de-de/guide/security/secf6fb9f053/web) oder über die [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings)unterstützt. + +Nach der Installation eines Konfigurationsprofils oder einer Anwendung, die die DNS-Einstellungs-API verwendet, kann die DNS-Konfiguration ausgewählt werden. Wenn ein VPN aktiv ist, verwendet die DNS Auflösung innerhalb des VPN-Tunnels die DNS-Einstellungen des VPN und nicht deine systemweiten Einstellungen. + +#### Signierte Profile + +Apple bietet keine native Schnittstelle zur Erstellung von Profilen mit verschlüsseltem DNS. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) ist ein inoffizielles Tool zur Erstellung eigener Profile mit verschlüsseltem DNS, diese sind jedoch nicht signiert. Signierte Profile sind zu bevorzugen; das Signieren bestätigt die Herkunft eines Profils und trägt dazu bei, die Integrität der Profile zu gewährleisten. Signierte Konfigurationsprofile erhalten ein grünes "Verifiziert"-Label. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, das viele Linux-Distributionen für ihre DNS Abfragen verwenden, unterstützt noch nicht [DoH](https://github.com/systemd/systemd/issues/8639). Wenn trotzdem DoH verwendent werden soll, muss ein Proxy wie [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) installiert und [konfiguriert](https://wiki.archlinux.org/title/Dnscrypt-proxy) werden, um alle DNS-Anfragen vom System-Resolver entgegenzunehmen und sie über HTTPS weiterzuleiten. + +## Verschlüsseltes DNS-Proxy + +Verschlüsseltes DNS-Proxy-Software bietet einen lokalen Proxy, an den der [unverschlüsselte DNS](advanced/dns-overview.md#unencrypted-dns) weitergeleitet wird. Normalerweise wird es auf Plattformen verwendet, die [verschlüsseltes DNS](advanced/dns-overview.md#what-is-encrypted-dns) nicht unterstützen. + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** ist ein Open-Source Android-Client, der [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) und DNS-Proxy unterstützt, DNS-Antworten zwischenspeichert, DNS-Anfragen lokal protokolliert und auch als Firewall verwendet werden kann. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Selbstgehostete Lösungen + +Eine selbst gehostete DNS-Lösung ist nützlich für die Filterung auf kontrollierten Plattformen wie Smart-TVs und anderen IoT-Geräten, da keine clientseitige Software erforderlich ist. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** ist ein Open-Source [DNS-Sinkhole](https://de.wikipedia.org/wiki/DNS-Sinkhole), das [DNS-Filterung](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) verwendet, um unerwünschte Webinhalte wie Werbung zu blockieren. + + AdGuard Home bietet eine ausgefeilte Weboberfläche, über die Einblicke erhalten und blockierte Inhalte verwalten werden können. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** ist ein Open-Source [DNS-Sinkhole](https://de.wikipedia.org/wiki/DNS-Sinkhole), das [DNS-Filterung](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) verwendet, um unerwünschte Webinhalte wie Werbung zu blockieren. + + Pi-hole ist für den Betrieb auf einem Raspberry Pi konzipiert, ist aber nicht auf diese Hardware beschränkt. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/de/email-clients.md b/i18n/de/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/de/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/de/email.md b/i18n/de/email.md new file mode 100644 index 00000000..f52ba5b7 --- /dev/null +++ b/i18n/de/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +E-Mail ist praktisch eine Notwendigkeit für die Nutzung aller Online-Dienste, wir empfehlen sie jedoch nicht für Gespräche von Mensch zu Mensch. Anstatt E-Mails für die Kontaktaufnahme mit anderen Personen zu verwenden, sollte ein Instant Messenger benutzt werden, der vorwärts gerichtete Geheimhaltung(forward secrecy) unterstützt. + +[Empfohlene Instant Messenger](real-time-communication.md ""){.md-button} + +Für alles andere empfehlen wir eine Reihe von E-Mail-Anbietern, die auf nachhaltigen Geschäftsmodellen basieren und integrierten Sicherheits- und Datenschutzfunktionen bieten. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP-kompatible Dienste + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. Zum Beispiel können Proton Mail-Benutzende eine E2EE-Nachricht an Mailbox.org-Benutzende senden, oder sie können OpenPGP-verschlüsselte Benachrichtigungen von Internetdiensten erhalten, die dies unterstützen. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + Bei der Verwendung von E2EE-Technologien wie OpenPGP enthalten E-Mails immer noch einige Metadaten in der Kopfzeile der E-Mail die nicht verschlüsselt sind. Mehr über [E-Mail Medadaten](basics/email-security.md#email-metadata-overview). + + OpenPGP unterstützt auch keine vorwärts gerichtete Geheimhaltung, d.h. wenn entweder der eigene private Schlüssel oder der der Empfangenden gestohlen wird, sind alle vorher damit verschlüsselten Nachrichten offengelegt. [Wie schütze ich meine privaten Schlüssel?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** ist ein E-Mail-Dienst mit dem Schwerpunkt auf Datenschutz, Verschlüsselung, Sicherheit und Benutzerfreundlichkeit. Sie sind seit **2013** in Betrieb. Die Proton AG hat ihren Sitz in Genève, Schweiz. Konten im kostenlosen Tarif beginnen mit 500 MB Speicherplatz. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Kostenlose Konten haben einige Einschränkungen, wie z. B. die fehlende Möglichkeit, Text zu durchsuchen, und keinen Zugang zu [Proton Mail Bridge](https://proton.me/mail/bridge), die für die Verwendung eines [empfohlenen Desktop-E-Mail-Programms](email-clients.md) (z. B. Thunderbird) erforderlich ist. Bezahlte Konten umfassen Funktionen wie Proton Mail Bridge, zusätzlichen Speicher und das Verwenden eigener Domains. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technologie + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Datenschutz + +Wir ziehen es vor, dass die von uns empfohlenen Anbieter*innen so wenig Daten wie möglich sammeln. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Sicherheit + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Vertrauen + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Zusätzliche Funktionalitäten + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/de/encryption.md b/i18n/de/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/de/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/de/file-sharing.md b/i18n/de/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/de/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/de/financial-services.md b/i18n/de/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/de/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/de/frontends.md b/i18n/de/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/de/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/de/index.md b/i18n/de/index.md new file mode 100644 index 00000000..f8c9978f --- /dev/null +++ b/i18n/de/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.de.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Warum sollte mich das interessieren? + +##### "Ich habe nichts zu verbergen. Warum sollte ich mir Sorgen um meine Privatsphäre machen?" + +Ähnlich wie das Recht auf gemischtrassige Ehen, das Frauenwahlrecht, das Recht auf freie Meinungsäußerung und viele andere wurde unser Recht auf Privatsphäre nicht immer gewährt. In einigen Diktaturen ist das immer noch der Fall. Generationen vor uns haben für unser Recht auf Privatsphäre gekämpft. ==Privatsphäre ist ein Menschenrecht, das uns allen innewohnt,== auf das wir (ohne Diskriminierung) Anspruch haben. + +Privatsphäre sollte nicht mit Geheimhaltung verwechselt werden. Wir wissen, was auf der Toilette passiert, aber machen trotzdem die Tür zu. Das liegt daran, dass wir Privatsphäre wollen, keine Geheimhaltung. **Alle** haben etwas zu schützen. Privatsphäre ist etwas, das uns menschlich macht. + +[:material-target-account: Häufige Internetbedrohungen](basics/common-threats.md ""){.md-button.md-button--primary} + +## Was kann ich tun? + +##### Zunächst muss ein Plan erstellt werden + +Der Versuch, alle unsere Daten ständig vor allen zu schützen, ist unpraktisch, teuer und anstrengend. Aber keine Sorge! Sicherheit ist ein Prozess, und durch vorausschauendes denken, kannst du einen Plan erstellen, der für dich geeignet ist. Bei Sicherheit geht es nicht nur um die Tools, die du verwendest, oder die Software, die du herunterlädst. Vielmehr geht es darum, die einzigartigen Bedrohungen zu verstehen, mit denen du konfrontiert bist, und herauszufinden, wie diese entschärft werden können. + +== Dieser Prozess der Identifizierung von Bedrohungen und der Festlegung von Gegenmaßnahmen wird als **Bedrohungsanalyse** bezeichnet== und bildet die Grundlage für jeden guten Sicherheits- und Datenschutzplan. + +[:material-book-outline: Mehr über die Bedrohungsanalyse erfahren](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Wir brauchen dich! Hier ist, wie man sich beteiligt: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Trete unserem Forum bei" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Folge uns auf Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Trage zu dieser Website bei" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Hilf diese Website zu Übersetze" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chatte mit uns auf Matrix" } +[:material-information-outline:](about/index.md){ title="Erfahre mehr über uns" } +[:material-hand-coin-outline:](about/donate.md){ title="Unterstütze das Projekt" } + +Es ist wichtig, dass eine Website wie Privacy Guides immer auf dem neuesten Stand bleibt. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. Es ist schwer, mit der Schnelllebigkeit des Internets Schritt zu halten, aber wir versuchen unser Bestes. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/de/kb-archive.md b/i18n/de/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/de/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/de/meta/brand.md b/i18n/de/meta/brand.md new file mode 100644 index 00000000..25bb5035 --- /dev/null +++ b/i18n/de/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +Der Name der Website lautet **Privacy Guides** und sollte **nicht** geändert werden zu: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +Der Name des Subreddits lautet **r/PrivacyGuides** oder **the Privacy Guides Subreddit**. + +Weitere Branding-Richtlinien können unter [github.com/privacyguides/brand](https://github.com/privacyguides/brand) gefunden werden + +## Markenzeichen + +"Privacy Guides" und das Schild-Logo sind Markenzeichen von Jonah Aragon, die uneingeschränkte Nutzung wird dem Privacy Guides Projekt gewährt. + +Ohne auf seine Rechte zu verzichten, berät Privacy Guides andere nicht über den Umfang seiner geistigen Eigentumsrechte. Privacy Guides erlaubt oder genehmigt keine Verwendung seiner Markenzeichen in einer Art und Weise, die zu Verwechslungen führen kann, indem sie eine Verbindung mit oder ein Sponsoring durch Privacy Guides impliziert. Wenn Sie Kenntnis von einer solchen Nutzung haben, wenden Sie sich bitte an Jonah Aragon unter jonah@privacyguides.org. Wenden Sie sich an Ihren Rechtsbeistand, wenn Sie Fragen haben. diff --git a/i18n/de/meta/git-recommendations.md b/i18n/de/meta/git-recommendations.md new file mode 100644 index 00000000..b154211b --- /dev/null +++ b/i18n/de/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Empfehlungen +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## SSH-Schlüssel Commit-Signierung aktivieren + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/de/meta/uploading-images.md b/i18n/de/meta/uploading-images.md new file mode 100644 index 00000000..47fa880a --- /dev/null +++ b/i18n/de/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Bilder hochladen +--- + +Hier sind einige allgemeine Regeln um zu Privacy Guides beizutragen: + +## Bilder + +- Wir **bevorzugen** SVG-Bilder, aber wenn diese nicht vorhanden sind, können wir PNG-Bilder verwenden + +Firmenlogos haben eine Leinwandgröße von: + +- 128x128px +- 384x128px + +## Optimierung + +### PNG + +Verwende [OptiPNG](https://sourceforge.net/projects/optipng/) um das PNG-Bild zu optimieren: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) alle SVG-Bilder. + +In Inkscape: + +1. Speichern unter... +2. Dateityp auf "Optimiertes SVG (*.svg)" setzen + +In der **Optionen** Registerkarte: + +- **Anzahl der signifikaten Stellen für Koordinaten** > **5** +- [x] Einschalten **Farbwerte kürzen** +- [x] Einschalten **CSS-Attribute in XML-Attribute umwandeln** +- [x] Einschalten **Gruppen zusammenklappen** +- [x] Einschalten **Gruppen für ähnliche Attribute erstellen** +- [ ] Ausschalten **Editor-Daten erhalten** +- [ ] Ausschalten **Unreferenzierte Definitionen erhalten** +- [x] Einschalten **Renderer-Fehler umgehen** + +In der **SVG-Ausgabe** Registerkarte unter **Dokumenteinstellungen**: + +- [ ] Ausschalten **XML-Deklaration entfernen** +- [x] Einschalten **Metadaten entfernen** +- [x] Einschalten **Kommentare entfernen** +- [x] Einschalten **Rasterbilder einbetten** +- [x] Einschalten **Viewbox aktivieren** + +In der **SVG-Ausgabe** Registerkarte unter **Formatierung**: + +- [ ] Ausschalten **Ausgabe mit Zeilenumbrüchen und Einrückungen formatieren** +- **Zeichen für Einrückungen** > Wähle **Leerzeichen** +- **Einrücktiefe** > **1** +- [ ] Ausschalten **"xml:space"-Attribut vom SVG-Wurzelelement entfernen** + +In der **IDs** Registerkarte: + +- [x] Einschalten **Unbenutzte IDs entfernen** +- [ ] Ausschalten **IDs kürzen** +- **Präfix für gekürzte IDs** > `leer lassen` +- [x] Einschalten **Manuell erstellte IDs, die nicht mit Ziffern enden, erhalten** +- **Folgende IDs erhalten** > `leer lassen` +- **IDs mit folgendem Präfix erhalten** > `leer lassen` + +#### CLI + +Das Gleiche kann mit dem [Scour](https://github.com/scour-project/scour) Befehl erreicht werden: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/de/meta/writing-style.md b/i18n/de/meta/writing-style.md new file mode 100644 index 00000000..e422d4a6 --- /dev/null +++ b/i18n/de/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Das [Zielpublikum](https://www.plainlanguage.gov/guidelines/audience/) von Privacy Guides besteht hauptsächlich aus durchschnittlichen, Techniknutzenden Erwachsenen. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +Menschen brauchen keine übermäßig komplexen Artikel mit geringer Relevanz für sie. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Personen direkt ansprechen + +Wir schreiben *für* für eine Vielzahl von Menschen, aber wir schreiben *an* die Person, die es tatsächlich liest. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Quelle: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organisieren von Inhalten + +Organisieren ist der Schlüssel. Inhalte sollten von den wichtigsten zu den am wenigsten wichtigen Informationen fließen und Kopfzeilen so oft wie nötig verwendet werden, um verschiedene Ideen logisch zu trennen. + +- Limit the document to around five or six sections. Lange Dokumente sollten wahrscheinlich in einzelne Seiten aufgeteilt werden. +- Mark important ideas with **bold** or *italics*. + +Quelle: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Überschriften sind hilfreich, reichen aber nicht aus. Establish a context for your audience before you provide them with the details. +> +> Wir schreiben oft so, wie wir denken, indem wir zuerst unsere Prämissen und dann unsere Schlussfolgerung formulieren. Es mag die natürliche Art sein, Gedanken zu entwickeln, aber wir enden mit dem Themensatz am Ende des Absatzes. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Quelle: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Worte sind von Bedeutung. Sie sind die grundlegenden Bausteine der schriftlichen und mündlichen Kommunikation. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +Wir sollten versuchen, Abkürzungen so weit wie möglich zu vermeiden, aber Technologie ist voll von Abkürzungen. Im Allgemeinen sollte die Abkürzung/das Akronym ausgeschrieben werden, wenn sie/es zum ersten Mal auf einer Seite verwendet wird, und die Abkürzung in die Glossar-Datei für Abkürzungen aufgenommen werden, wenn sie wiederholt verwendet wird. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> Und das Original, mit stärkeren, einfacheren Worten: +> +> > Mehr Nachtjobs würden die Jugendlichen von der Straße fernhalten. + +## Prägnant sein + +> Unnecessary words waste your audience’s time. Gutes Schreiben ist wie ein Gespräch. Omit information that the audience doesn’t need to know. Als Fachexperte kann dies schwierig sein, daher ist es wichtig, dass jemand die Informationen aus der Perspektive des Publikums betrachtet. + +Quelle: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verben sind der Treibstoff des Schreibens. Sie geben Sätzen Kraft und Richtung. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Verwendung von "muss" für Anforderungen + +> - "musst" für eine Verpflichtung +> - "darf nicht" für ein Verbot +> - "kann" für eine Ermessensentscheidung +> - "sollte" für eine Empfehlung diff --git a/i18n/de/mobile-browsers.md b/i18n/de/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/de/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/de/multi-factor-authentication.md b/i18n/de/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/de/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/de/news-aggregators.md b/i18n/de/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/de/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/de/notebooks.md b/i18n/de/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/de/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/de/os/android-overview.md b/i18n/de/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/de/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/de/os/linux-overview.md b/i18n/de/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/de/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/de/os/qubes-overview.md b/i18n/de/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/de/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/de/passwords.md b/i18n/de/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/de/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/de/productivity.md b/i18n/de/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/de/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/de/real-time-communication.md b/i18n/de/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/de/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/de/router.md b/i18n/de/router.md new file mode 100644 index 00000000..64521da3 --- /dev/null +++ b/i18n/de/router.md @@ -0,0 +1,50 @@ +--- +title: "Router-Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Nachstehend sind ein paar alternative Betriebssysteme gelistet, die auf Routern, WLAN-Zugangspunkten usw. eingesetzt werden können. + +## OpenWrt + +!!! recommendation + + ![OpenWrt-Logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt-Logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt* ist ein auf Linux basierendes Betriebssystem; es wird primär auf eingebetteten Geräten zum Weiterleiten des Netzwerkverkehrs genutzt. Es enthält util-linux, uClib und BusyBox. Alle Komponenten sind für Heim-Router optimiert. + + [:octicons-home-16: Hauptseite](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Quellcode" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Mitwirken } + +Sie können in der [table of hardware](https://openwrt.org/toh/start) von OpenWrt nachsehen, ob Ihr Gerät unterstützt wird. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense* ist eine FreeBSD-basierte Open-Source-Firewall- und Routing-Plattform, die viele erweiterte Funktionen wie Traffic Shaping, Load Balancing und VPN-Funktionen enthält, wobei viele weitere Funktionen in Form von Plugins verfügbar sind. OPNsense wird in der Regel als Perimeter-Firewall, Router, Wireless Access Point, DHCP-Server, DNS-Server und VPN-Endpunkt eingesetzt. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense wurde ursprünglich als Fork von [pfSense](https://en.wikipedia.org/wiki/PfSense) entwickelt. Beide Projekte sind bekannt dafür, freie und zuverlässige Firewall-Distributionen zu sein, die Funktionen bieten, die oft nur in teuren kommerziellen Firewalls zu finden sind. Die Entwickler von OPNsense [zitierten](https://docs.opnsense.org/history/thefork.html) eine Reihe von Sicherheits- und Code-Qualitätsproblemen mit pfSense, die ihrer Meinung nach eine Abspaltung des Projekts erforderlich machten, sowie Bedenken hinsichtlich der Mehrheitsübernahme von pfSense durch Netgate und der zukünftigen Ausrichtung des pfSense-Projekts. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/de/search-engines.md b/i18n/de/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/de/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/de/tools.md b/i18n/de/tools.md new file mode 100644 index 00000000..98d0007c --- /dev/null +++ b/i18n/de/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router-Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/de/tor.md b/i18n/de/tor.md new file mode 100644 index 00000000..8c2e2c59 --- /dev/null +++ b/i18n/de/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +Das **Tor** Netzwerk besteht aus von freiwillig betriebenen Servern, die es ermöglichen, kostenlos die eigene Privatsphäre und Sicherheit im Internet zu verbessern. Einzelpersonen und Organisationen können auch Informationen über das Tor-Netzwerk mit ".onion versteckten Diensten" austauschen, ohne ihre Privatsphäre zu gefährden. Da der Tor-Verkehr schwer zu blockieren und zurückzuverfolgen ist, ist Tor ein effektives Werkzeug zur Zensur Umgehung. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor funktioniert, indem es deinen Internetverkehr über diese von Freiwilligen betriebenen Server leitet, anstatt eine direkte Verbindung zu der Website herzustellen, die du besuchen willst. Dadurch wird verschleiert, woher der Datenverkehr kommt, und kein Server im Verbindungspfad ist in der Lage, den vollständigen Pfad zu sehen, woher der Datenverkehr kommt und wohin er geht, was bedeutet, dass selbst die Server, die du für die Verbindung verwendest, deiner Anonymität nichts anhaben können. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Verbinden mit Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/de/video-streaming.md b/i18n/de/video-streaming.md new file mode 100644 index 00000000..e62ce3da --- /dev/null +++ b/i18n/de/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +Die primäre Bedrohung bei der Nutzung einer Videostreaming-Plattform besteht darin, dass deine Streaming-Gewohnheiten und Abonnementlisten dazu verwendet werden könnten, um ein Profil von dir zu erstellen. Du solltest diese Tools zusammen mit einem [VPN](vpn.md) oder [Tor](https://www.torproject.org/) verwenden, damit nicht so leicht ein Nutzungsprofil von dir erstellt werden kann. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/de/vpn.md b/i18n/de/vpn.md new file mode 100644 index 00000000..b7f60687 --- /dev/null +++ b/i18n/de/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs bieten keine Anonymität" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Tor herunterladen](https://www.torproject.org/){ .md-button .md-button--primary } [Tor-Mythen & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Empfohlene Anbieter + +Die von uns empfohlenen Anbieter verwenden Verschlüsselung, akzeptieren Monero, unterstützen WireGuard & OpenVPN und haben eine No-Logging-Richtlinie. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** ist ein weiterer Premium-VPN-Anbieter und ist seit 2009 aktiv. IVPN hat den Sitz in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Datenschutzrichtlinie" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Quellcode" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Der Grund dafür ist eine kürzere Route (weniger Sprünge) zum Ziel. +{ .annotate } + +1. Stand: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN unterstützt das WireGuard®-Protokoll. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Darüber hinaus zielt WireGuard darauf ab, einfacher und leistungsfähiger zu sein. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN-Clients unterstützen Zwei-Faktor-Authentifizierung (die Clients von Mullvad nicht). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** ist ein schnelles und preiswertes VPN mit einem ernsthaften Fokus auf Transparenz und Sicherheit. Mullvad ist seit **2009** in Betrieb. Mullvad ist in Schweden ansässig und bietet keine kostenlose Testversion an. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Dienst" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Datenschutzrichtlinie" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Quellcode" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Der Grund dafür ist eine kürzere Route (weniger Sprünge) zum Ziel. +{ .annotate } + +1. Stand: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. Sie akzeptieren auch Swish- und Banküberweisungen. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad unterstützt das WireGuard®-Protokoll. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Darüber hinaus zielt WireGuard darauf ab, einfacher und leistungsfähiger zu sein. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** ist ein starker Anwärter im VPN-Bereich und ist seit 2016 in Betrieb. Die Proton AG hat ihren Sitz in der Schweiz und bietet sowohl eine begrenzte kostenlose als auch eine umfangreichere Premium-Option an. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Datenschutzrichtlinie" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Quellcode" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Der Grund dafür ist eine kürzere Route (weniger Sprünge) zum Ziel. +{ .annotate } + +1. Stand: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Im Januar 2020 hat sich Proton VPN einem unabhängigen Audit durch SEC Consult unterzogen. SEC Consult fand einige Sicherheitslücken mit mittlerem und niedrigem Risiko in den Windows-, Android- und iOS-Anwendungen von Proton VPN, die alle von Proton VPN vor der Veröffentlichung der Berichte "ordnungsgemäß behoben" wurden. Keines der festgestellten Probleme hätte angreifenden Fernzugriff auf dein Gerät oder deinen Datenverkehr ermöglicht. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN unterstützt hauptsächlich das WireGuard®-Protokoll. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Darüber hinaus zielt WireGuard darauf ab, einfacher und leistungsfähiger zu sein. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN Clients unterstützen Zwei-Faktor-Authentifizierung auf allen Plattformen außer Linux. Proton VPN hat eigene Server und Rechenzentren in der Schweiz, Island und Schweden. Sie bieten mit ihrem DNS-Dienst die Möglichkeit, Werbung und Schadware zu blockieren. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. Wenn du diese Funktion benötigst und einen Mac mit Intel-Chipsatz verwendest, solltest du einen anderen VPN-Dienst nutzen. + +## Kriterien + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. Ein VPN ist kein Werkzeug für illegale Aktivitäten. Verlasse dich nicht auf "no Log" Richtlienen. + +**Bitte beachte, dass wir mit keinem der Projekte, die wir empfehlen, verbunden sind. Dies ermöglicht es uns, völlig objektive Empfehlungen zu geben.** Zusätzlich zu unseren [Standardkriterien](about/criteria.md) haben wir eine Reihe klarer Anforderungen für alle VPN-Anbieter*innen entwickelt, die empfohlen werden wollen, darunter starke Verschlüsselung, unabhängige Sicherheitsprüfungen, moderne Technologie und mehr. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technologie + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Unterstützung von starken Protokollen wie WireGuard & OpenVPN. +- Notaus ist in den Clients integriert. +- Multihop-Unterstützung. Multihopping ist wichtig, um Daten im Falle einer Kompromittierung eines einzelnen Knotens geheim zu halten. +- Wenn VPN-Clients zur Verfügung gestellt werden, sollten sie [Open Source](https://de.wikipedia.org/wiki/Open_Source)sein, wie die VPN-Software, die in der Regel in sie integriert ist. Wir sind der Meinung, dass [Quellcode](https://de.wikipedia.org/wiki/Quelltext) mehr Transparenz darüber bietet, was dein Gerät tatsächlich tut. + +**Best Case:** + +- Unterstützung von WireGuard und OpenVPN. +- Notaus mit hochgradig konfigurierbaren Optionen (Aktivierung/Deaktivierung in bestimmten Netzen, beim Booten usw.) +- Einfach zu bedienende VPN-Clients +- Unterstützt [IPv6](https://de.wikipedia.org/wiki/IPv6). Wir erwarten, dass die Server eingehende Verbindungen über IPv6 zulassen und dir den Zugang zu Diensten ermöglichen, die auf IPv6-Adressen gehostet werden. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Datenschutz + +Wir ziehen es vor, dass die von uns empfohlenen Anbieter*innen so wenig Daten wie möglich sammeln. Der Verzicht auf die Erhebung personenbezogener Daten bei der Anmeldung und die Annahme anonymer Zahlungsformen sind erforderlich. + +**Mindestvoraussetzung um zu qualifizieren:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- Für die Registrierung sind keine persönlichen Daten erforderlich: Höchstens Benutzername, Passwort und E-Mail. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Sicherheit + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Vertrauen + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Mindestvoraussetzung um zu qualifizieren:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Zusätzliche Funktionalitäten + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/el/404.md b/i18n/el/404.md new file mode 100644 index 00000000..868dd7b6 --- /dev/null +++ b/i18n/el/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Δε βρέθηκε + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Εισαγωγή στα Μοντέλα Απειλών](basics/threat-modeling.md) +- [Προτεινόμενοι Πάροχοι DNS](dns.md) +- [Τα Καλύτερα Προγράμματα Περιήγησης Ιστού για Υπολογιστές](desktop-browsers.md) +- [Οι καλύτεροι πάροχοι VPN](vpn.md) +- [Φόρουμ Οδηγών Απορρήτου](https://discuss.privacyguides.net) +- [Το Blog μας](https://blog.privacyguides.org) diff --git a/i18n/el/CODE_OF_CONDUCT.md b/i18n/el/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/el/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/el/about/criteria.md b/i18n/el/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/el/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/el/about/donate.md b/i18n/el/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/el/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/el/about/index.md b/i18n/el/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/el/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/el/about/notices.md b/i18n/el/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/el/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/el/about/privacy-policy.md b/i18n/el/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/el/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/el/about/privacytools.md b/i18n/el/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/el/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/el/about/services.md b/i18n/el/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/el/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/el/about/statistics.md b/i18n/el/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/el/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/el/advanced/communication-network-types.md b/i18n/el/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/el/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/el/advanced/dns-overview.md b/i18n/el/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/el/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/el/advanced/payments.md b/i18n/el/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/el/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/el/advanced/tor-overview.md b/i18n/el/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/el/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/el/android.md b/i18n/el/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/el/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/el/assets/img/account-deletion/exposed_passwords.png b/i18n/el/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/el/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/el/assets/img/android/rss-apk-dark.png b/i18n/el/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/el/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/el/assets/img/android/rss-apk-light.png b/i18n/el/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/el/assets/img/android/rss-apk-light.png differ diff --git a/i18n/el/assets/img/android/rss-changes-dark.png b/i18n/el/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/el/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/el/assets/img/android/rss-changes-light.png b/i18n/el/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/el/assets/img/android/rss-changes-light.png differ diff --git a/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-encryption.svg b/i18n/el/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-path-dark.svg b/i18n/el/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/el/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/el/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/how-tor-works/tor-path.svg b/i18n/el/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/el/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/el/assets/img/multi-factor-authentication/fido.png b/i18n/el/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/el/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/el/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/el/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/el/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/el/basics/account-creation.md b/i18n/el/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/el/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/el/basics/account-deletion.md b/i18n/el/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/el/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/el/basics/common-misconceptions.md b/i18n/el/basics/common-misconceptions.md new file mode 100644 index 00000000..716aaf8a --- /dev/null +++ b/i18n/el/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Συνήθεις παρανοήσεις" +icon: 'material/robot-confused' +description: Η ιδιωτικότητα δεν αποτελεί ένα ξεκάθαρο ζήτημα και είναι εύκολο να παρασυρθεί κανείς από διαφημιστικούς ισχυρισμούς και άλλες παραπλανητικές πληροφορίες. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + Μιλάμε συχνά για «μετατόπιση της εμπιστοσύνης», όταν συζητάμε για λύσεις όπως τα Εικονικά Ιδιωτικά Δίκτυα(VPN) (τα οποία μετατοπίζουν την εμπιστοσύνη, που εναποθέτεις στον Πάροχο Υπηρεσιών Διαδικτύου(ISP) σου, προς τον πάροχο του VPN). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Εστιάζοντας αποκλειστικά στις πολιτικές απορρήτου και το μάρκετινγκ ενός εργαλείου ή ενός παρόχου μπορεί να σας τυφλώσει στις αδυναμίες του. Όταν αναζητάτε μια πιο ιδιωτική λύση, θα πρέπει να προσδιορίσετε, ποιο είναι το κυριότερο πρόβλημα και να βρείτε τεχνικές λύσεις για το πρόβλημα αυτό. Για παράδειγμα, κρίνεται εύλογο να αποφύγετε το Google Drive, το οποίο παρέχει στην Google πρόσβαση σε όλα τα δεδομένα σας. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Η μετάβαση σε έναν πάροχο, που «εστιάζει στην προστασία της ιδιωτικότητας» (ο οποίος δεν εφαρμόζει το E2EE) δε λύνει το πρόβλημά: απλώς μετατοπίζει την εμπιστοσύνη από την Google σε αυτόν τον πάροχο. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + Συχνά βλέπουμε ανθρώπους να περιγράφουν μοντέλα απειλής της ιδιωτικότητας, που είναι υπερβολικά πολύπλοκα. Συχνά, αυτές οι λύσεις περιλαμβάνουν προβλήματα όπως πολλοί διαφορετικοί λογαριασμοί ηλεκτρονικού ταχυδρομείου ή περίπλοκες ρυθμίσεις με πολλά κινούμενα μέρη και συνθήκες. The replies are usually answers to "What is the best way to do X?" + Η εύρεση της «καλύτερης» λύσης για τον εαυτό σας δε σημαίνει απαραίτητα, ότι αναζητάτε μια αλάνθαστη λύση με δεκάδες συνθήκες - αυτές οι λύσεις είναι συχνά δύσκολο να εφαρμοστούν ρεαλιστικά. Όπως αναφέραμε προηγουμένως, η ασφάλεια συχνά έχει ως κόστος την ευκολία. +--- + +## «Το λογισμικό ανοιχτού κώδικα είναι πάντοτε ασφαλές» ή « Το ιδιόκτητο λογισμικό είναι πιο ασφαλές» + +Αυτοί οι μύθοι πηγάζουν από μια σειρά προκαταλήψεων, ωστόσο το αν ο πηγαίος κώδικας είναι διαθέσιμος και πως αδειοδοτείται το λογισμικό δεν επηρεάζουν εγγενώς την ασφάλειά του με οποιονδήποτε τρόπο. ==Το λογισμικό ανοικτού κώδικα έχει τη δυνατότητα ** να είναι πιο ασφαλές από το ιδιόκτητο λογισμικό, αλλά δεν υπάρχει καμία απολύτως εγγύηση ότι αυτό υφίσταται στην πράξη.== Όταν αξιολογείς λογισμικό, θα πρέπει να εξετάζεις τη φήμη και την ασφάλεια κάθε εργαλείου σε ατομική βάση. + +Το λογισμικό ανοικτού κώδικα *μπορεί να ελεγχθεί από τρίτα μέρη* και είναι συχνά πιο διαφανές όσον αφορά ενδεχόμενες αδυναμίες από ότι τα αντίστοιχα ιδιόκτητα λογισμικά. Επιπροσθέτως σου επιτρέπει να ελέγξεις τον κώδικα και να απενεργοποιήσεις οποιαδήποτε ύποπτη λειτουργία ανακαλύψεις. Ωστόσο, *εκτός και αν προβείς στον παραπάνω έλεγχο*, δεν υπάρχει καμία εγγύηση, ότι ο κώδικας έχει ποτέ αξιολογηθεί, ιδίως στην περίπτωση μικρότερων έργων λογισμικού. Επίσης, η διαδικασία ανάπτυξης λογισμικού ανοιχτού κώδικα έχει σε ορισμένες περιπτώσεις αποτελέσει αντικείμενο εκμετάλλευσης, προκειμένου να εισαχθούν νέα τρωτά σημεία, ακόμα και σε μεγάλα έργα.[^1] + +Από την άλλη πλευρά, το ιδιόκτητο λογισμικό είναι λιγότερο διαφανές, αλλά αυτό δε σημαίνει ότι δεν είναι ασφαλές. Σημαντικά έργα ιδιόκτητου λογισμικού μπορούν να ελεγχθούν εσωτερικά, καθώς και από οργανισμούς τρίτων μερών και ανεξάρτητοι ερευνητές ασφάλειας είναι ακόμη σε θέση να βρουν ευπάθειες με τεχνικές όπως η αντίστροφη μηχανική. + +Για να αποφευχθούν μεροληπτικές αποφάσεις, είναι *ζήτημα ζωτικής σημασίας* να αξιολογείτε τα πρότυπα απορρήτου και ασφάλειας του λογισμικού που χρησιμοποιείτε. + +## «Η μετατόπιση της εμπιστοσύνης μπορεί να αυξήσει την ιδιωτικότητα» + +Μιλάμε συχνά για «μετατόπιση της εμπιστοσύνης», όταν συζητάμε για λύσεις όπως τα Εικονικά Ιδιωτικά Δίκτυα(VPN) (τα οποία μετατοπίζουν την εμπιστοσύνη, που εναποθέτεις στον Πάροχο Υπηρεσιών Διαδικτύου(ISP) σου, προς τον πάροχο του VPN). Ενώ αυτό προστατεύει συγκεκριμένα τα δεδομένα περιήγησης σας από τον ISP σας **, ο πάροχος VPN, που επιλέγετε, εξακολουθεί να έχει πρόσβαση στα δεδομένα περιήγησης σας: Τα δεδομένα σας δεν είναι πλήρως προστατευμένα από όλα τα μέρη. Αυτό σημαίνει οτι: + +1. Πρέπει να είστε προσεκτικοί, όταν επιλέγετε έναν πάροχο στον οποίο θα μεταφέρετε την εμπιστοσύνη σας. +2. Θα πρέπει να συνεχίσετε να χρησιμοποιείτε άλλες τεχνικές, όπως το E2EE, για να προστατεύσετε πλήρως τα δεδομένα σας. Απλώς το να μην εμπιστεύεστε έναν πάροχο και λόγω αυτής της δυσπιστίας να εμπιστεύεστε έναν άλλο δεν εξασφαλίζει την ασφάλεια των δεδομένων σας. + +## «Οι λύσεις που εστιάζουν στην προστασία της ιδιωτικότητας είναι εγγενώς αξιόπιστες» + +Εστιάζοντας αποκλειστικά στις πολιτικές απορρήτου και το μάρκετινγκ ενός εργαλείου ή ενός παρόχου μπορεί να σας τυφλώσει στις αδυναμίες του. Όταν αναζητάτε μια πιο ιδιωτική λύση, θα πρέπει να προσδιορίσετε, ποιο είναι το κυριότερο πρόβλημα και να βρείτε τεχνικές λύσεις για το πρόβλημα αυτό. Για παράδειγμα, κρίνεται εύλογο να αποφύγετε το Google Drive, το οποίο παρέχει στην Google πρόσβαση σε όλα τα δεδομένα σας. Το βασικό πρόβλημα σε αυτή την περίπτωση είναι η έλλειψη E2EE, οπότε θα πρέπει να βεβαιωθείτε, ότι ο πάροχος, που έχετε επιλέξει ως εναλλακτική, υλοποιεί πράγματι E2EE ή να χρησιμοποιήσετε ένα εργαλείο (όπως το [Cryptomator](../encryption.md#cryptomator-cloud)) που παρέχει E2EE σε οποιονδήποτε πάροχο cloud. Η μετάβαση σε έναν πάροχο, που «εστιάζει στην προστασία της ιδιωτικότητας» (ο οποίος δεν εφαρμόζει το E2EE) δε λύνει το πρόβλημά: απλώς μετατοπίζει την εμπιστοσύνη από την Google σε αυτόν τον πάροχο. + +Οι πολιτικές απορρήτου και οι επιχειρηματικές πρακτικές των παρόχων που επιλέγετε είναι πολύ σημαντικές, αλλά θα πρέπει να θεωρούνται δευτερεύουσες σε σχέση με τις τεχνικές εγγυήσεις του απορρήτου σας: Δεν θα πρέπει να μετατοπίζετε την εμπιστοσύνη σας σε άλλον πάροχο, όταν η εμπιστοσύνη σε έναν πάροχο δεν αποτελεί σε καμία περίπτωση απαίτηση. + +## « Το περίπλοκο είναι και καλύτερο» + +Συχνά βλέπουμε ανθρώπους να περιγράφουν μοντέλα απειλής της ιδιωτικότητας, που είναι υπερβολικά πολύπλοκα. Συχνά, αυτές οι λύσεις περιλαμβάνουν προβλήματα όπως πολλοί διαφορετικοί λογαριασμοί ηλεκτρονικού ταχυδρομείου ή περίπλοκες ρυθμίσεις με πολλά κινούμενα μέρη και συνθήκες. Οι απαντήσεις αποκρίνονται συνήθως στο ερώτημα "Ποιος είναι ο καλύτερος τρόπος για να κάνουμε *X*?" + +Η εύρεση της «καλύτερης» λύσης για τον εαυτό σας δε σημαίνει απαραίτητα, ότι αναζητάτε μια αλάνθαστη λύση με δεκάδες συνθήκες - αυτές οι λύσεις είναι συχνά δύσκολο να εφαρμοστούν ρεαλιστικά. Όπως αναφέραμε προηγουμένως, η ασφάλεια συχνά έχει ως κόστος την ευκολία. Παρακάτω, παρέχουμε ορισμένες συμβουλές: + +1. ==Οι ενέργειες πρέπει να εξυπηρετούν έναν συγκεκριμένο σκοπό:== Σκεφτείτε, πώς θα κάνετε αυτό που θέλετε, με τις λιγότερες δυνατές ενέργειες. +2. ==Αφαιρέστε τα σημεία ανθρώπινης αποτυχίας: == Αποτυγχάνουμε, κουραζόμαστε, και ξεχνάμε. Για να διατηρήσετε την ασφάλεια, αποφύγετε να βασίζεστε σε χειροκίνητες συνθήκες και διαδικασίες, που πρέπει να θυμάστε. +3. ==Χρησιμοποιήστε το σωστό επίπεδο προστασίας για τους σκοπούς σας.== Συχνά βλέπουμε να προτείνονται οι λεγόμενες λύσεις των δυνάμεων ασφαλείας ή οι λύσεις, που καθιστούν αδύνατη την κλήτευση. Αυτές συχνά απαιτούν εξειδικευμένη γνώση και γενικά δεν είναι αυτό που επιθυμούν οι άνθρωποι. Δεν υπάρχει νόημα να δημιουργήσετε ένα περίπλοκο μοντέλο απειλών για την ανωνυμία, αν μπορείτε εύκολα να χάσετε την εν λόγω ανωνυμία, λόγω μιας απλής παράβλεψης. + +Έτσι, πώς μπορεί αυτό να φαίνεται; + +Ένα από τα πιο ξεκάθαρα μοντέλα απειλών είναι εκείνο, όπου οι άνθρωποι *γνωρίζουν ποιος είστε* και εκείνο όπου δε γνωρίζουν. Πάντα θα υπάρχουν περιπτώσεις, στις οποίες θα πρέπει να δηλώσετε το νόμιμο όνομά σας και άλλες στις οποίες δε χρειάζεται να το κάνετε αυτό. + +1. **Πραγματική ταυτότητα** - Η πραγματική ταυτότητα χρησιμοποιείται για πράγματα στα οποία πρέπει να δηλώσετε το όνομά σας. Υπάρχουν πολλά νομικά έγγραφα και συμβόλαια, όπου απαιτείται μία νομική ταυτότητα. Μεταξύ άλλων απαιτείται για το άνοιγμα ενός τραπεζικού λογαριασμού, την υπογραφή ενός μισθωτηρίου ακινήτου, την απόκτηση διαβατηρίου, τις τελωνειακές δηλώσεις, όταν εισαγάγετε αντικείμενα ή για οποιαδήποτε άλλη συναλλαγή με την κυβέρνηση. Αυτά τα πράγματα συνήθως οδηγούν σε διαπιστευτήρια όπως πιστωτικές κάρτες, ελέγχους πιστοληπτικής ικανότητας, αριθμούς λογαριασμών και ενδεχομένως φυσικές διευθύνσεις. + + Δεν προτείνουμε τη χρήση VPN ή Tor για κανένα από αυτά τα πράγματα, καθώς η ταυτότητά σας είναι ήδη γνωστή μέσα από άλλα μέσα. + + !!! συμβουλή + + Όταν κάνετε ηλεκτρονικές αγορές, η χρήση μίας[θυρίδας δεμάτων] (https://en.wikipedia.org/wiki/Parcel_locker) μπορεί να σας βοηθήσει να διατηρήσετε τη φυσική σας διεύθυνση ιδιωτική. + +2. **Άγνωστη ταυτότητα** - Μια άγνωστη ταυτότητα θα μπορούσε να είναι ένα σταθερό ψευδώνυμο, που χρησιμοποιείτε τακτικά. Δεν είναι ανώνυμο, διότι δεν αλλάζει. Αν είστε μέλος μιας διαδικτυακής κοινότητας, ίσως είναι σκόπιμο να διατηρείτε μια persona, την οποία γνωρίζουν οι άλλοι. Αυτό το ψευδώνυμο δεν είναι ανώνυμο, διότι, αν παρακολουθείται για αρκετό χρονικό διάστημα, λεπτομέρειες σχετικά με τον ιδιοκτήτη μπορούν να αποκαλύψουν περαιτέρω πληροφορίες, όπως ο τρόπος που γράφει, οι γενικές γνώσεις του για θέματα, που τον ενδιαφέρουν κ. λ. π. + + Ίσως, είναι εύλογο να χρησιμοποιήσετε ένα VPN γι' αυτό, προκειμένου να αποκρύψετε τη διεύθυνση IP σας. Οι οικονομικές συναλλαγές είναι πιο δύσκολο να συγκαλυφθούν: Θα μπορούσατε να εξετάσετε τη χρήση ανώνυμων κρυπτονομισμάτων, όπως το [Monero](https://www.getmonero.org/). Η χρήση altcoin shifting μπορεί επίσης να σας βοηθήσει, να αποκρύψετε την προέλευση των νομισμάτων σας. Συνήθως, τα ανταλλακτήρια απαιτούν την ολοκλήρωση του KYC (know your customer), προτού σας επιτρέψουν να ανταλλάξετε παραστατικό χρήμα( fiat currency) σε οποιοδήποτε είδος κρυπτονομίσματος. Οι επιλογές συνάντησης σε τοπικό επίπεδο μπορούν επίσης να αποτελέσουν μια λύση. Ωστόσο, αυτές είναι συχνά πιο ακριβές και ενδέχεται σε ορισμένες περιπτώσεις να απαιτούν KYC. + +3. **Ανώνυμη ταυτότητα** - Ακόμα και όταν υπάρχει εμπειρία, οι ανώνυμες ταυτότητες είναι δύσκολο να διατηρηθούν για μεγάλα χρονικά διαστήματα. Θα πρέπει να είναι βραχυπρόθεσμες και βραχύβιες ταυτότητες, οι οποίες εναλλάσσονται τακτικά. + + Η χρήση του Tor μπορεί να βοηθήσει με αυτό. Αξίζει επίσης να σημειωθεί ότι η επίτευξη μεγαλύτερης ανωνυμίας είναι δυνατή μέσω της ασύγχρονης επικοινωνίας: Η επικοινωνία σε πραγματικό χρόνο είναι ευάλωτη έναντι μιας ενδεχόμενης ανάλυσης των μοτίβων πληκτρολόγησης (π.χ. περισσότερο κείμενο από μια παράγραφο, το οποίο διανέμεται σε ένα φόρουμ, μέσω ηλεκτρονικού ταχυδρομείου κ.λπ.) + +[^1]: Ένα αξιοσημείωτο παράδειγμα αυτού, είναι το περιστατικό [2021, όπου ερευνητές του Πανεπιστημίου της Μινεσότα εισήγαγαν τρία τρωτά σημεία στο έργο ανάπτυξης του πυρήνα Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/el/basics/common-threats.md b/i18n/el/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/el/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/el/basics/email-security.md b/i18n/el/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/el/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/el/basics/multi-factor-authentication.md b/i18n/el/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/el/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/el/basics/passwords-overview.md b/i18n/el/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/el/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/el/basics/threat-modeling.md b/i18n/el/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/el/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/el/basics/vpn-overview.md b/i18n/el/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/el/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/el/calendar.md b/i18n/el/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/el/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/el/cloud.md b/i18n/el/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/el/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/el/cryptocurrency.md b/i18n/el/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/el/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/el/data-redaction.md b/i18n/el/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/el/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/el/desktop-browsers.md b/i18n/el/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/el/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/el/desktop.md b/i18n/el/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/el/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/el/dns.md b/i18n/el/dns.md new file mode 100644 index 00000000..a8cc21da --- /dev/null +++ b/i18n/el/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/el/email-clients.md b/i18n/el/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/el/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/el/email.md b/i18n/el/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/el/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/el/encryption.md b/i18n/el/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/el/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/el/file-sharing.md b/i18n/el/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/el/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/el/financial-services.md b/i18n/el/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/el/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/el/frontends.md b/i18n/el/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/el/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/el/index.md b/i18n/el/index.md new file mode 100644 index 00000000..eb57fd0a --- /dev/null +++ b/i18n/el/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.el.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Γιατί πρέπει να με νοιάζει; + +##### "Δεν έχω κάτι να κρύψω. Γιατί πρέπει να με νοιάζει η ιδιωτικότητα μου;" + +Όπως το δικαίωμα για τον διαφυλετικό γάμο, το δικαίωμα ψήφου για τις γυναικών, η ελευθερία του λόγου και πολλά άλλα, έτσι και το δικαίωμά για την ιδιωτικότητα μας δεν έχει πάντα υποστηριχθεί. Σε πολλές δικτατορίες, αυτό δεν ισχύει. Γενιές πριν από τη δική μας αγωνίστηκαν για το δικαίωμα της ιδιωτικότητας μας. ==Η ιδιωτικότητα είναι ένα ανθρώπινο δικαίωμα, εγγενές σε όλους μας,== το οποίο δικαιούμαστε (χωρίς διακρίσεις). + +Δεν πρέπει να μπερδεύεις την ιδιωτικότητα με τη μυστικότητα. Ξέρουμε τι συμβαίνει όσο είσαι στο μπάνιο, αλλά εξακολουθείς να κλείνεις την πόρτα. Αυτό συμβαίνει επειδή θέλεις ιδιωτικότητα, όχι μυστικότητα. **Όλοι** έχουν κάτι να προστατεύσουν. Η ιδιωτικότητα είναι κάτι που μας κάνει ανθρώπους. + +[:material-target-account: Συχνές Απειλές Στο Διαδίκτυο](basics/common-threats.md ""){.md-button.md-button--primary} + +## Τι πρέπει να κάνω; + +##### Πρώτα απ 'όλα, πρέπει να φτιάξεις ένα σχέδιο + +Το να προσπαθείς να προστατεύσεις συνέχεια όλα τα δεδομένα σου από όλους είναι ανέφικτο, δαπανηρό και εξαντλητικό. Αλλά μην ανησυχείς! Η ασφάλεια είναι μια διαδικασία και, αν σκέφτεσαι εκ των προτέρων, μπορείς να δημιουργήσεις ένα σχέδιο που είναι κατάλληλο για εσένα. Η ασφάλεια δεν αφορά μόνο τα εργαλεία που χρησιμοποιείς ή το λογισμικό που κατεβάζεις. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/el/kb-archive.md b/i18n/el/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/el/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/el/meta/brand.md b/i18n/el/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/el/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/el/meta/git-recommendations.md b/i18n/el/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/el/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/el/meta/uploading-images.md b/i18n/el/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/el/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/el/meta/writing-style.md b/i18n/el/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/el/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/el/mobile-browsers.md b/i18n/el/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/el/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/el/multi-factor-authentication.md b/i18n/el/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/el/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/el/news-aggregators.md b/i18n/el/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/el/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/el/notebooks.md b/i18n/el/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/el/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/el/os/android-overview.md b/i18n/el/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/el/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/el/os/linux-overview.md b/i18n/el/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/el/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/el/os/qubes-overview.md b/i18n/el/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/el/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/el/passwords.md b/i18n/el/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/el/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/el/productivity.md b/i18n/el/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/el/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/el/real-time-communication.md b/i18n/el/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/el/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/el/router.md b/i18n/el/router.md new file mode 100644 index 00000000..2d6ecba5 --- /dev/null +++ b/i18n/el/router.md @@ -0,0 +1,50 @@ +--- +title: "Υλικολογισμικό Δρομολογητή" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Παρακάτω είναι μερικά εναλλακτικά λειτουργικά συστήματα τα οποία μπορούν να χρησιμοποιηθούν σε δρομολογητές, σημεία πρόσβασης Wi-Fi, κλπ. + +## OpenWrt + +!!! recommendation + + ![Λογότυπο OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right } + ![Λογότυπο OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + Το **OpenWrt** είναι ένα λειτουργικό σύστημα βασισμένο στο Linux, χρησιμοποιείται κυρίως σε ενσωματωμένες συσκευές για τη δρομολόγηση της δικτυακής κίνησης. Περιλαμβάνει το util-linux, το uClibc και το BusyBox. Όλα τα εξαρτήματα έχουν βελτιστοποιηθεί για οικιακούς δρομολογητές. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/el/search-engines.md b/i18n/el/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/el/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/el/tools.md b/i18n/el/tools.md new file mode 100644 index 00000000..75b16d05 --- /dev/null +++ b/i18n/el/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Υλικολογισμικό Δρομολογητή + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? κίνδυνος "Τα VPN δεν παρέχουν ανωνυμία" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/el/tor.md b/i18n/el/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/el/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/el/video-streaming.md b/i18n/el/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/el/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/el/vpn.md b/i18n/el/vpn.md new file mode 100644 index 00000000..d1ea79e9 --- /dev/null +++ b/i18n/el/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! κίνδυνος "Τα VPN δεν παρέχουν ανωνυμία" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/eo/404.md b/i18n/eo/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/eo/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/eo/CODE_OF_CONDUCT.md b/i18n/eo/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/eo/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/eo/about/criteria.md b/i18n/eo/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/eo/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/eo/about/donate.md b/i18n/eo/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/eo/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/eo/about/index.md b/i18n/eo/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/eo/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/eo/about/notices.md b/i18n/eo/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/eo/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/eo/about/privacy-policy.md b/i18n/eo/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/eo/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/eo/about/privacytools.md b/i18n/eo/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/eo/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/eo/about/services.md b/i18n/eo/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/eo/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/eo/about/statistics.md b/i18n/eo/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/eo/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/eo/advanced/communication-network-types.md b/i18n/eo/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/eo/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/eo/advanced/dns-overview.md b/i18n/eo/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/eo/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/eo/advanced/payments.md b/i18n/eo/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/eo/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/eo/advanced/tor-overview.md b/i18n/eo/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/eo/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/eo/android.md b/i18n/eo/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/eo/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/eo/assets/img/account-deletion/exposed_passwords.png b/i18n/eo/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/eo/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/eo/assets/img/android/rss-apk-dark.png b/i18n/eo/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/eo/assets/img/android/rss-apk-light.png b/i18n/eo/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-apk-light.png differ diff --git a/i18n/eo/assets/img/android/rss-changes-dark.png b/i18n/eo/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/eo/assets/img/android/rss-changes-light.png b/i18n/eo/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/eo/assets/img/android/rss-changes-light.png differ diff --git a/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-encryption.svg b/i18n/eo/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg b/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/how-tor-works/tor-path.svg b/i18n/eo/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/eo/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/eo/assets/img/multi-factor-authentication/fido.png b/i18n/eo/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/eo/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/eo/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/eo/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/eo/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/eo/basics/account-creation.md b/i18n/eo/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/eo/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/eo/basics/account-deletion.md b/i18n/eo/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/eo/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/eo/basics/common-misconceptions.md b/i18n/eo/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/eo/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/eo/basics/common-threats.md b/i18n/eo/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/eo/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/eo/basics/email-security.md b/i18n/eo/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/eo/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/eo/basics/multi-factor-authentication.md b/i18n/eo/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/eo/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/eo/basics/passwords-overview.md b/i18n/eo/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/eo/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/eo/basics/threat-modeling.md b/i18n/eo/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/eo/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/eo/basics/vpn-overview.md b/i18n/eo/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/eo/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/eo/calendar.md b/i18n/eo/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/eo/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/eo/cloud.md b/i18n/eo/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/eo/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/eo/cryptocurrency.md b/i18n/eo/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/eo/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/eo/data-redaction.md b/i18n/eo/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/eo/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/eo/desktop-browsers.md b/i18n/eo/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/eo/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/eo/desktop.md b/i18n/eo/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/eo/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/eo/dns.md b/i18n/eo/dns.md new file mode 100644 index 00000000..a8cc21da --- /dev/null +++ b/i18n/eo/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/eo/email-clients.md b/i18n/eo/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/eo/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/eo/email.md b/i18n/eo/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/eo/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/eo/encryption.md b/i18n/eo/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/eo/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/eo/file-sharing.md b/i18n/eo/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/eo/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/eo/financial-services.md b/i18n/eo/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/eo/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/eo/frontends.md b/i18n/eo/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/eo/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/eo/index.md b/i18n/eo/index.md new file mode 100644 index 00000000..93af29f6 --- /dev/null +++ b/i18n/eo/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.eo.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/eo/kb-archive.md b/i18n/eo/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/eo/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/eo/meta/brand.md b/i18n/eo/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/eo/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/eo/meta/git-recommendations.md b/i18n/eo/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/eo/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/eo/meta/uploading-images.md b/i18n/eo/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/eo/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/eo/meta/writing-style.md b/i18n/eo/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/eo/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/eo/mobile-browsers.md b/i18n/eo/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/eo/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/eo/multi-factor-authentication.md b/i18n/eo/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/eo/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/eo/news-aggregators.md b/i18n/eo/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/eo/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/eo/notebooks.md b/i18n/eo/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/eo/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/eo/os/android-overview.md b/i18n/eo/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/eo/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/eo/os/linux-overview.md b/i18n/eo/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/eo/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/eo/os/qubes-overview.md b/i18n/eo/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/eo/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/eo/passwords.md b/i18n/eo/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/eo/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/eo/productivity.md b/i18n/eo/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/eo/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/eo/real-time-communication.md b/i18n/eo/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/eo/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/eo/router.md b/i18n/eo/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/eo/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/eo/search-engines.md b/i18n/eo/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/eo/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/eo/tools.md b/i18n/eo/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/eo/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/eo/tor.md b/i18n/eo/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/eo/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/eo/video-streaming.md b/i18n/eo/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/eo/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/eo/vpn.md b/i18n/eo/vpn.md new file mode 100644 index 00000000..6bba2546 --- /dev/null +++ b/i18n/eo/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/es/404.md b/i18n/es/404.md new file mode 100644 index 00000000..a4d839c5 --- /dev/null +++ b/i18n/es/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - No Encontrado + +¡No pudimos encontrar la página que estabas buscando! ¿Quizás estabas buscando una de estas? + +- [Introducción a la creación de un Modelo de Amenazas](basics/threat-modeling.md) +- [Proveedores de DNS recomendados](dns.md) +- [Mejores Navegadores de Escritorio](desktop-browsers.md) +- [Mejores proveedores de VPN](vpn.md) +- [Foro de Privacy Guides](https://discuss.privacyguides.net) +- [Nuestro Blog](https://blog.privacyguides.org) diff --git a/i18n/es/CODE_OF_CONDUCT.md b/i18n/es/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..cb015d66 --- /dev/null +++ b/i18n/es/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Código de Conducta de la Comunidad + +**Nos comprometemos en** a hacer de nuestra comunidad una experiencia libre de acoso para todos. + +**Nos esforzamos** por crear un entorno positivo, utilizando lenguaje acogedor e integrador, y siendo respetuosos con los puntos de vista de los demás. + +**No permitimos** comportamientos inapropiados o inaceptables, como lenguaje sexualizado, comentarios burla e insultantes, o que fomenten intolerancia o acoso. + +## Normas Comunitarias + +Lo que esperamos de los miembros de nuestras comunidades: + +1. **No difundas información errónea** + + Estamos creando una comunidad educativa basada en pruebas en torno a la privacidad y la seguridad de la información, no un hogar para teorías conspirativas. Por ejemplo, al afirmar que un determinado software es malicioso o que ciertos datos telemétricos invaden la privacidad, explique detalladamente qué se recoge y cómo se recoge. Las afirmaciones de esta naturaleza deben estar respaldadas por pruebas técnicas. + +1. **No abuses de nuestra voluntad a ayudar** + + Los miembros de nuestra comunidad no son tu soporte técnico gratuito. Estamos encantados de ayudarte con pasos específicos en tu camino de privacidad si estás dispuesto a poner el esfuerzo de tu parte. No estamos dispuestos a responder preguntas repetidas sobre problemas informáticos genéricos que usted mismo podría haber resuelto con una búsqueda de 30 segundos en Internet. No seas un [ayuda vampiro](https://slash7.com/2006/12/22/vampires/). + +1. **Compórtate de manera positiva y constructiva** + + Ejemplos de comportamiento que contribuye a un ambiente positivo incluye: + + - Demostrando empatía y amabilidad hacia otras personas + - Siendo respetuoso de puntos de vista y experiencias diferentes + - Dando y aceptando con gracia retroalimentación constructiva + - Aceptando la responsabilidad y pedir disculpas a los afectados por nuestros errores, y aprender de la experiencia + - Enfocándonos en lo que es mejor no solo para nosotros como individuos, sino para la comunidad en general + +### Comportamiento Inaceptable + +Los siguientes comportamientos se consideran acoso y son inaceptables dentro de nuestra comunidad: + +- El uso de lenguaje o imaginería de contenido sexual, atención o avances sexuales de cualquier clase +- Trollear, insultar o comentarios despectivos y ataques personales o políticos +- Acoso público o privado +- Publicar información privada de otras personas, incluyendo dirección física o de correo electrónico sin su permiso explícito +- Otra conducta que se podría considerar inapropiada en un entorno profesional + +## Cobertura + +Nuestro Código de Conducta se aplica en todos los espacios del proyecto, también cuando una persona representa al proyecto de Privacy Guides en otras comunidades. + +Somos responsables de aclarar las normas de nuestra comunidad, y tenemos derecho a remover o modificar los comentarios de quienes participan en nuestra comunidad, según sea necesario y a nuestra discreción. + +### Contacto + +Si observas un problema en una plataforma como Matrix o Reddit, ponte en contacto con nuestros moderadores en esa plataforma en el chat, por mensaje directo o a través de cualquier medio designado del sistema "Modmail". + +Si tienes algún problema en otro lugar o nuestros moderadores de la comunidad no pueden resolverlo, contacta `jonah@privacyguides.org` y/o `dngray@privacyguides.org`. + +Todos los líderes comunitarios están obligados a respetar la privacidad y seguridad de quien reporte cualquier incidente. diff --git a/i18n/es/about/criteria.md b/i18n/es/about/criteria.md new file mode 100644 index 00000000..3f1cc3c7 --- /dev/null +++ b/i18n/es/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Criterios generales +--- + +!!! example "Trabajo en Progreso" + + La siguiente página se encuentra en construcción, y no refleja todos los criterios para nuestras recomendaciones en este momento. Discusión anterior sobre este tema: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Abajo se encuentran algunos aspectos que deben cumplir todos los envíos a Privacy Guides. Cada categoría puede tener requisitos adicionales. + +## Información financiera + +No obtenemos dinero al recomendar ciertos productos, nosotros no utilizamos enlaces de afiliados, y no realizamos alguna consideración especial a los patrocinadores del proyecto. + +## Lineamientos generales + +Aplicamos estas prioridades al considerar nuevas recomendaciones: + +- Herramientas **seguras**: Las herramientas deben seguir las mejores prácticas de seguridad cuando sea necesario. +- **Disponibilidad del código**: Proyectos de código abierto son preferidos sobre alternativas similares de código cerrado. +- **Multiplataforma**: Preferimos que las recomendaciones sean multiplataforma para evitar la dependencia de un sistema. +- **Desarrollo activo**: Las herramientas que recomendamos deben ser desarrolladas activamente, los proyectos no mantenidos serán eliminados en la mayoría de los casos. +- **Usabilidad**: Las herramientas deben ser accesibles para la mayoría de los usuarios de ordenador, no debe exigirse una formación demasiado técnica. +- **Documentado**: Las herramientas deben tener una documentación de uso clara y extensa. + +## Autoenvíos del desarrollador + +Estos son los requisitos que exigimos a los desarrolladores que deseen presentar su proyecto o programa informático. + +- Debe revelar su afiliación, es decir, su cargo dentro del proyecto que se presenta. + +- Debe tener un documento de seguridad si se trata de un proyecto que implica el manejo de información sensible, como un mensajero, un gestor de contraseñas, almacenamiento cifrado en la nube, etc. + - Estado de la auditoría de terceros. Queremos saber si tiene una, o tiene prevista una. Si es posible, mencione quién realizará la auditoría. + +- Debe explicar qué aporta el proyecto en materia de privacidad. + - ¿Resuelve algún problema nuevo? + - ¿Por qué utilizarlo en lugar de otras alternativas? + +- Deben indicar cuál es el modelo de amenaza exacto de su proyecto. + - Los usuarios potenciales deben tener claro qué puede ofrecer el proyecto y qué no. diff --git a/i18n/es/about/donate.md b/i18n/es/about/donate.md new file mode 100644 index 00000000..d94cbcf7 --- /dev/null +++ b/i18n/es/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Apoyándonos +--- + + +Se necesita a un montón de [personas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) y [trabajo](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para mantener Privacy Guides actualizado y difundiendo la palabra sobre la privacidad y la vigilancia masiva. Si te gusta lo que hacemos, considera formar parte [editando el sitio web](https://github.com/privacyguides/privacyguides.org) o [contribuyendo a las traducciones](https://crowdin.com/project/privacyguides). + +Si nos quieres ayudar financialmente, el método más conveniente para nosotros es que contribuyas vía Open Collective, un sitio web operado por nuestro anfitrión fiscal. Open Collective acepta pagos vía tarjeta de crédito o débito, PayPal, y transferencias bancarias. + +[Dona en OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Las donaciones hechas directamente a Open Collective son generalmente deducibles de impuestos en los Estados Unidos, porque nuestro anfitrión fiscal (la Fundación Open Collective) es una organización registrada 501(c)3. Recibirás un recibo de Open Collective Foundation después de donar. Privacy Guides no ofrece asesoramiento financiero, por lo que debe ponerse en contacto con su asesor fiscal para saber si esto es aplicable en su caso. + +Si ya haces uso de los patrocinios de GitHub, también puedes patrocinar a nuestra organización allí. + +[Patrocínanos en GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Patrocinadores + +¡Un agradecimiento especial a todos los que apoyan nuestra misión! :heart: + +*Tenga en cuenta: Esta sección carga un widget directamente desde Open Collective. Esta sección no refleja las donaciones realizadas fuera de Open Collective, y no tenemos ningún control sobre los donantes específicos que aparecen en esta sección.* + + + +## Como usamos las donaciones + +Privacy Guides es una organización **sin ánimos de lucro**. Utilizamos las donaciones para diversos fines, entre ellos: + +**Registro del dominio** +: + +Tenemos algunos nombres de dominio como `privacyguides.org` los cuales nos cuestan alrededor de 10 dólares al año para mantener su registro. + +**Alojamiento web** +: + +El tráfico de este sitio web utiliza cientos de gigabytes de datos al mes, utilizamos una variedad de proveedores de servicios para mantener este tráfico. + +**Servicios en línea** +: + +Alojamos [servicios de internet](https://privacyguides.net) para probar y mostrar diferentes productos de privacidad que nos gustan y [recomendamos](../tools.md). Algunos de ellos están disponibles públicamente para el uso de nuestra comunidad (SearXNG, Tor, etc.), y otros se proporcionan a los miembros de nuestro equipo (correo electrónico, etc.). + +**Compras de productos** +: + +Ocasionalmente compramos productos y servicios con el fin de probar nuestras [herramientas recomendadas](../tools.md). + +Seguimos trabajando con nuestro anfitrión fiscal (la Open Collective Foundation) para recibir donaciones de criptomonedas, por el momento la contabilidad es inviable para muchas transacciones más pequeñas, pero esto debería cambiar en el futuro. Mientras tanto, si desea hacer una donación considerable (> 100 dólares) en criptomoneda, por favor, póngase en contacto con [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/es/about/index.md b/i18n/es/about/index.md new file mode 100644 index 00000000..97edb757 --- /dev/null +++ b/i18n/es/about/index.md @@ -0,0 +1,102 @@ +--- +title: "Acerca de las Guías de privacidad" +description: Las Guías de Privacidad son un sitio web socialmente motivado que proporciona información para proteger tu seguridad y privacidad de datos. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Logo de Privacy Guides](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Guías de privacidad** es un sitio web socialmente motivado que proporciona [información](/kb) para proteger su seguridad y privacidad de datos. Nuestra misión es informar al público sobre el valor de la privacidad digital y las iniciativas gubernamentales globales que pretenden vigilar tu actividad en línea. Somos un colectivo sin ánimo de lucro gestionado íntegramente por [miembros voluntarios del equipo](https://discuss.privacyguides.net/g/team) y colaboradores. Nuestro sitio web no contiene publicidad y no está afiliado a ninguno de los proveedores mencionados. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Inicio } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Código fuente" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribuir } + +> Para encontrar aplicaciones [alternativas centradas en la privacidad], echa un vistazo a sitios como Good Reports y **Privacy Guides**, que enumeran aplicaciones centradas en la privacidad en diversas categorías, entre las que destacan los proveedores de correo electrónico (normalmente con planes de pago) que no están gestionados por las grandes empresas tecnológicas. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> Si estás buscando una nueva VPN, puedes acudir al código de descuento de casi cualquier podcast. Si buscas una VPN **buena**, necesitas ayuda profesional. Lo mismo ocurre con los clientes de correo electrónico, los navegadores, los sistemas operativos y los gestores de contraseñas. ¿Cómo saber cuál de ellas es la mejor opción, la más respetuosa con la privacidad? Para ello existe **Privacy Guides**, una plataforma en la que varios voluntarios buscan día tras día las mejores herramientas para proteger la intimidad en Internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Traducido del neerlandés] + +También destacado el: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), y [con cable](https://www.wired.com/story/firefox-mozilla-2022/). + +## Historia + +Privacy Guides se lanzó en septiembre de 2021 como continuación del proyecto educativo de código abierto "PrivacyTools" de [, ya desaparecido](privacytools.md). Reconocimos la importancia de las recomendaciones de productos independientes y centradas en criterios, así como del conocimiento general en el espacio de la privacidad, razón por la cual necesitábamos preservar el trabajo que habían creado tantos colaboradores desde 2015 y asegurarnos de que la información tuviera un hogar estable en la web de forma indefinida. + +En 2022, completamos la transición de nuestro principal marco web de Jekyll a MkDocs, utilizando el software de documentación `mkdocs-material`. Este cambio facilitó notablemente las contribuciones de código abierto a nuestro sitio para los forasteros, ya que en lugar de tener que conocer una sintaxis complicada para escribir entradas de forma eficaz, ahora contribuir es tan fácil como escribir un documento Markdown estándar. + +Además, lanzamos nuestro nuevo foro de debate en [discuss.privacyguides.net](https://discuss.privacyguides.net/) como plataforma comunitaria para compartir ideas y plantear preguntas sobre nuestra misión. Esto aumenta nuestra comunidad existente en Matrix y sustituye a nuestra anterior plataforma GitHub Discussions, disminuyendo nuestra dependencia de plataformas de debate propietarias. + +En lo que va de 2023 hemos lanzado traducciones internacionales de nuestro sitio web en [francés](/fr/), [hebreo](/he/), y [neerlandés](/nl/), con más idiomas en camino, posible gracias a nuestro excelente equipo de traducción en [Crowdin](https://crowdin.com/project/privacyguides). Tenemos previsto seguir adelante con nuestra misión de divulgación y educación, y buscar formas de poner de relieve con mayor claridad los peligros de la falta de concienciación sobre la privacidad en la era digital moderna, así como la prevalencia y los perjuicios de las brechas de seguridad en todo el sector tecnológico. + +## Nuestro Equipo + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Inicio](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Correo electrónico](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Correo electrónico](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Inicio](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Inicio](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Además, [muchas personas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) han hecho contribuciones al proyecto. Tú también puedes, estamos en código abierto en GitHub y aceptamos sugerencias de traducción en [Crowdin](https://crowdin.com/project/privacyguides). + +Los miembros de nuestro equipo revisan todos los cambios realizados en el sitio web y se encargan de las tareas administrativas, como el web hosting y las finanzas, pero no se benefician personalmente de las donaciones hechas a este sitio. Nuestras finanzas están alojadas de forma transparente en el Open Collective Foundation 501(c)(3) en [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Las donaciones a Privacy Guides son generalmente deducibles de impuestos en los Estados Unidos. + +## Licencia de sitio + +!!! Peligro "" + + El siguiente es un resumen legible por humanos de (y no un sustituto de) la [license](/licencia). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: A menos que se indique lo contrario, el contenido original de este sitio web está disponible bajo la licencia [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). Esto significa que es libre de copiar y redistribuir el material en cualquier medio o formato para cualquier propósito, incluso comercialmente; siempre y cuando concedas el crédito adecuado a las Guías de Privacidad de `(www. privacyguides.org)` y proporcionar un enlace a la licencia. A pesar de que le está permitido, bajo ningún concepto se dará a entender por ello que el propietario de la licencia aprueba los cambios ni su uso. Si remezcla, transforma o crea a partir del contenido de este sitio web, no podrás distribuir el material modificado. + +Esta licencia está pensada para evitar que la gente comparta nuestro trabajo sin dar el crédito adecuado, y para evitar que la gente modifique nuestro trabajo de una manera que pueda ser utilizada para engañar a la gente. Si consideras que los términos de esta licencia son demasiado restrictivos para el proyecto en el que estás trabajando, ponte en contacto con nosotros en `jonah@privacyguides.org`. Estamos encantados de ofrecer opciones de licencia alternativas para proyectos bienintencionados en el ámbito de la privacidad. diff --git a/i18n/es/about/notices.md b/i18n/es/about/notices.md new file mode 100644 index 00000000..231c2ff0 --- /dev/null +++ b/i18n/es/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Avisos y responsabilidades" +--- + +## Aviso Legal + +Privacy Guides no es un bufete de abogados. Como tal, el sitio web de Privacy Guides y sus colaboradores no están proporcionando asesoría legal. El material y las recomendaciones de nuestro sitio web y de las guías no constituyen asesoramiento jurídico. Contribuir al sitio web o comunicarse con Privacy Guides u otros colaboradores sobre nuestro sitio web no crea una relación abogado-cliente. + +Dirigir este sitio web, como cualquier empresa humana, implica incertidumbre y compromisos. Esperamos que este sitio web ayude, pero puede incluir errores y no puede abordar todas las situaciones. Si tiene alguna duda sobre su situación, le animamos a que investigue por su cuenta, busque a otros expertos y participe en debates con la comunidad de Privacy Guides. Si tienes alguna pregunta legal, deberías consultar con tu propio asesor jurídico antes de seguir adelante. + +Privacy Guides es un proyecto de código abierto al que se ha contribuido bajo licencias que incluyen términos que, para la protección del sitio web y sus contribuyentes, dejan claro que el proyecto Privacy Guides y el sitio web se ofrece "tal cual", sin garantía, y renunciando a la responsabilidad por los daños resultantes del uso del sitio web o de cualquier recomendación contenida en él. Privacy Guides no garantiza ni hace ninguna declaración sobre la exactitud, los resultados probables o la fiabilidad del uso de los materiales en el sitio web o de cualquier otro modo relacionado con dichos materiales en el sitio web o en cualquier sitio de terceros vinculado en este sitio. + +Además, Privacy Guides no garantiza que este sitio web esté disponible, de forma constante o en absoluto. + +## Resumen de licencias + +!!! Peligro "" + + El siguiente es un resumen legible por humanos de (y no un sustituto de) la [license](/licencia). + +Salvo que se indique lo contrario, todo el **contenido** de este sitio web está disponible bajo los términos de [Creative Commons Attribution-NoDerivatives 4. Licencia pública internacional](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). El subyacente **código fuente** utilizado para generar este sitio web y mostrar ese contenido está publicado bajo la [licencia MIT](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Esto no incluye código de terceros incrustado en este repositorio, o código en el que se indique una licencia sustitutiva. Los siguientes son ejemplos notables, pero esta lista puede no ser exhaustiva: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) tiene licencia [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* La fuente de encabezado [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) está autorizada bajo la licencia [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* La fuente [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) utilizada para la mayor parte del texto del sitio tiene licencia según los términos detallados [aquí ](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* La fuente [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) utilizada para el texto monoespaciado en el sitio web está autorizada bajo la licencia [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Esto significa que puedes utilizar el contenido legible por humanos de este repositorio para tu propio proyecto, de acuerdo con los términos descritos en el texto de Creative Commons Attribution-NoDerivatives 4.0 International Public License. A pesar de que le está permitido, bajo ningún concepto se dará a entender por ello que el propietario de la licencia aprueba los cambios ni su uso. Tú **no puedes** utilizar la marca de Privacy Guides en tu propio proyecto sin la aprobación expresa de este proyecto. Las marcas comerciales de Privacy Guides incluyen el logotipo de "Privacy Guides" y el logotipo del escudo. + +Creemos que los logotipos y otras imágenes en `assets` obtenidos de terceros proveedores son de dominio público o **de uso leal**. En pocas palabras, la doctrina legal de [uso justo](https://es.wikipedia.org/wiki/Uso_justo) permite el uso de imágenes con derechos de autor con el propósito de identificar el tema para fines de comentario público. Sin embargo, estos logotipos y otras imágenes pueden estar sujetos a la legislación sobre marcas en una o más jurisdicciones. Antes de utilizar este contenido, asegúrese de que se utiliza para identificar a la entidad u organización propietaria de la marca comercial y de que usted tiene derecho a utilizarla según las leyes que se aplican en las circunstancias de tu uso previsto. *Al copiar el contenido de este sitio web, usted es el único responsable de asegurarse de no infringir la marca comercial o los derechos de autor de otra persona.* + +Cuando contribuyes a nuestro sitio web lo estás haciendo bajo las licencias anteriores, y estás otorgando a las Guías de Privacidad un autor, mundial, no exclusivo, transferible, sin realismo Licencia irrevocable con derecho a sublicenciar tales derechos a través de múltiples niveles de sublicencias, para reproducir, modificar, mostrar, realizar y distribuir su contribución como parte de nuestro proyecto. + +## Uso aceptable + +Usted no puedes utilizar este sitio web de ninguna manera que cause o pueda causar daños al sitio web o que afecte a la disponibilidad o accesibilidad de Privacy Guides, ni de ninguna manera que sea ilegal, ilícita, fraudulenta o perjudicial, o que esté relacionada con cualquier propósito o actividad ilícita, ilegal, fraudulenta o perjudicial. + +No debe llevar a cabo ninguna actividad de recopilación de datos sistemática o automatizada en este sitio web o en relación con él sin el consentimiento expreso por escrito de Aragon Ventures LLC, incluyendo: + +* Exceso de Escaneos Automáticos +* Ataque de Denegación de Servicio +* Scraping +* Minería de Datos +* 'Framing' (IFrames) + +--- + +*Algunas partes de este aviso fueron adoptadas de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) en GitHub. Ese recurso y esta página están publicados bajo la licencia [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/es/about/privacy-policy.md b/i18n/es/about/privacy-policy.md new file mode 100644 index 00000000..d7e26c9d --- /dev/null +++ b/i18n/es/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Política de Privacidad" +--- + +Privacy Guides es un proyecto comunitario gestionado por una serie de colaboradores voluntarios. La lista pública de los miembros del equipo [se puede encontrar en GitHub](https://github.com/orgs/privacyguides/people). + +## Datos que recopilamos de los visitantes + +La privacidad de los visitantes de nuestro sitio web es importante para nosotros, por lo que no rastreamos a ninguna persona en particular. Como visitante de nuestro sitio web: + +- No se recopila información personal +- Ninguna información tal como las cookies se almacena en el navegador +- No se comparte, envía o vende información a terceros +- No se comparte ninguna información con empresas de publicidad +- No se extrae información ni se recolecta para obtener tendencias personales y de comportamiento +- No se monetiza ninguna información + +Puede consultar los datos que recopilamos en nuestra página [statistics](statistics.md) . + +Ejecutamos una instalación propia de [Plausible Analytics](https://plausible.io) para recopilar algunos datos de uso anónimos con fines estadísticos. El objetivo es hacer un seguimiento de las tendencias generales del tráfico de nuestro sitio web, no de los visitantes individuales. Todos los datos están en solo agregar. No se recopila información personal. + +Los datos recopilados incluyen fuentes de referencia, páginas principales, duración de la visita, información de los dispositivos (tipo de dispositivo, sistema operativo, país y navegador) utilizados durante la visita y más. Puedes aprender más acerca sobre como Plausible funciona y recopila información de una manera que respeta la privacidad [aquí](https://plausible.io/data-policy). + +## Datos que recopilamos de los titulares de cuentas + +En algunos sitios web y servicios que ofrecemos, muchas funciones pueden requerir una cuenta. Por ejemplo, puede ser necesaria una cuenta para publicar y responder a temas en una plataforma de foros. + +Para registrarse en la mayoría de las cuentas, recopilaremos un nombre, nombre de usuario, correo electrónico y contraseña. En el caso de que un sitio web requiera más información que esos datos, se indicará claramente y se señalará en una declaración de privacidad separada por sitio. + +Utilizamos los datos de su cuenta para identificarle en el sitio web y para crear páginas específicas para usted, como su página de perfil. También utilizaremos los datos de su cuenta para publicar un perfil público para usted en nuestros servicios. + +Utilizamos su correo electrónico para: + +- Notificarle sobre publicaciones y otras actividades en los sitios web o servicios. +- Restablecer su contraseña y ayudar a mantener su cuenta segura. +- Contactarle en circunstancias especiales relacionadas con su cuenta. +- Contactarle en relación con solicitudes legales, como las solicitudes de eliminación de datos de la DMCA. + +En algunos sitios web y servicios puede proporcionar información adicional para su cuenta, como una breve biografía, un avatar, su ubicación o su cumpleaños. Ponemos esa información a disposición de todos los que pueden acceder al sitio web o al servicio en cuestión. Esta información no es necesaria para utilizar ninguno de nuestros servicios y puede borrarse en cualquier momento. + +Almacenaremos los datos de su cuenta mientras su cuenta permanezca abierta. Después de cerrar una cuenta, podemos conservar algunos o todos los datos de su cuenta en forma de copias de seguridad o archivos durante un máximo de 90 días. + +## Contacto + +El equipo de Privacy Guides generalmente no tiene acceso a datos personales fuera del acceso limitado otorgado a través de algunos paneles de moderación. Las consultas sobre su información personal deben enviarse directamente a: + +```text +Jonah Aragon +Administrador de servicios +jonah@privacyguides.org +``` + +Para cualquier otra consulta, puede contactar a cualquier miembro de nuestro equipo. + +Puede presentar reclamaciones acerca del RGPD ante sus autoridades locales de supervisión de protección de datos. En Francia es la "Commission Nationale de l'Informatique et des Libertés" la que se ocupa y tramita las denuncias. Ellos proporcionan una [carta de reclamaciones](https://www.cnil.fr/en/plaintes) para utilizar. + +## Acerca de esta política + +Publicaremos cualquier versión nueva de esta declaración [aquí](privacy-policy.md). Es posible que cambiemos la forma de anunciar los cambios en futuras versiones de este documento. Mientras tanto, podemos actualizar nuestra información de contacto en cualquier momento sin anunciar ningún cambio. Consulte la [Política de privacidad](privacy-policy.md) para obtener la última información de contacto. + +En GitHub puede consultarse el [historial](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) completo de revisiones de esta página. diff --git a/i18n/es/about/privacytools.md b/i18n/es/about/privacytools.md new file mode 100644 index 00000000..6bf4a801 --- /dev/null +++ b/i18n/es/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "Preguntas frecuentes de PrivacyTools" +--- + +# Por qué dejamos de usar PrivacyTools + +En septiembre de 2021, todos los colaboradores activos acordaron por unanimidad pasar de PrivacyTools a trabajar en este sitio: Privacy Guides. Esta decisión se tomó porque el fundador de PrivacyTools y controlador del nombre de dominio había desaparecido durante un largo periodo de tiempo y no se pudo contactar con él. + +Habiendo construido un sitio y un conjunto de servicios de buena reputación en PrivacyTools.io, esto causó graves preocupaciones por el futuro de PrivacyTools, ya que cualquier interrupción futura podría acabar con toda la organización sin ningún método de recuperación. Esta transición se comunicó a la comunidad de PrivacyTools con muchos meses de antelación a través de diversos canales, como su blog, Twitter, Reddit y Mastodon, para garantizar que todo el proceso se desarrollara con la mayor fluidez posible. Lo hicimos para asegurarnos de que nadie se quedara en la oscuridad, que ha sido nuestro modus operandi desde que se creó nuestro equipo, y para asegurarnos de que Privacy Guides fuera reconocida como la misma organización fiable que era PrivacyTools antes de la transición. + +Una vez finalizado el traslado organizativo, el fundador de PrivacyTools regresó y comenzó a difundir información errónea sobre el proyecto de Privacy Guides. Siguen difundiendo información errónea además de operar una granja de enlaces pagados en el dominio de PrivacyTools. Estamos creando esta página para aclarar cualquier malentendido. + +## ¿Qué es PrivacyTools? + +PrivacyTools fue creado en 2015 por "BurungHantu", que quería hacer un recurso de información de privacidad - herramientas útiles después de las revelaciones de Snowden. El sitio creció hasta convertirse en un floreciente proyecto de código abierto con [muchos colaboradores](https://github.com/privacytools/privacytools.io/graphs/contributors), algunos de los cuales acabaron asumiendo diversas responsabilidades organizativas, como el funcionamiento de servicios en línea como Matrix y Mastodon, la gestión y revisión de los cambios en el sitio en GitHub, la búsqueda de patrocinadores para el proyecto, la redacción de publicaciones en el blog y el funcionamiento de plataformas de difusión en los medios sociales como Twitter, etc. + +A partir de 2019, BurungHantu se alejó cada vez más del desarrollo activo del sitio web y las comunidades, y comenzó a retrasar los pagos de los que era responsable en relación con los servidores que operábamos. Para evitar que nuestro administrador del sistema pague los costos del servidor de su propio bolsillo, cambiamos los métodos de donación enumerados en el sitio de las cuentas personales de PayPal y criptomonedas de BurungHantu a una nueva página de OpenCollective el [31 de octubre de 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Esto tenía la ventaja añadida de hacer nuestras finanzas completamente transparentes, un valor en el que creemos firmemente, y deducibles de impuestos en los Estados Unidos, porque estaban en manos de la Open Collective Foundation 501(c)3. Este cambio fue acordado unánimemente por el equipo y no fue impugnado. + +## Por qué nos mudamos + +En 2020, la ausencia de BurungHantu se hizo mucho más notoria. En un momento dado, requerimos que los servidores de nombres del dominio se cambiaran a servidores de nombres controlados por nuestro administrador del sistema para evitar interrupciones futuras, y este cambio no se completó hasta más de un mes después de la solicitud inicial. Desaparecía del chat público y de las salas de chat privadas del equipo en Matrix durante meses, apareciendo de vez en cuando para dar algún pequeño comentario o prometer ser más activo antes de volver a desaparecer. + +En octubre de 2020, el administrador del sistema de PrivacyTools (Jonah) [dejó](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) el proyecto debido a estas dificultades, cediendo el control a otro colaborador de larga data. Jonah había estado operando casi todos los servicios de PrivacyTools y actuando como el líder del proyecto *de facto* para el desarrollo del sitio web en ausencia de BurungHantu, por lo que su partida fue un cambio significativo para la organización. En aquel momento, debido a estos importantes cambios organizativos, BurungHantu prometió al equipo restante que volvería para tomar el control del proyecto en adelante. ==El equipo de PrivacyTools se puso en contacto a través de varios métodos de comunicación durante los meses siguientes, pero no recibió ninguna respuesta.== + +## Dependencia del nombre de dominio + +A principios de 2021, el equipo de PrivacyTools se preocupó por el futuro del proyecto, ya que el nombre de dominio iba a expirar el 1 de marzo de 2021. El dominio fue finalmente renovado por BurungHantu sin ningún comentario. + +Las preocupaciones del equipo no fueron atendidas, y nos dimos cuenta de que esto sería un problema cada año: Si el dominio caducaba habría permitido que lo robaran ocupantes ilegales o spammers, arruinando así la reputación de la organización. También habríamos tenido problemas para llegar a la comunidad para informarles de lo ocurrido. + +Sin estar en contacto con BurungHantu, decidimos que el mejor curso de acción sería pasar a un nuevo nombre de dominio mientras tuviéramos garantizado el control sobre el antiguo nombre de dominio, en algún momento antes de marzo de 2022. De esta manera, podríamos redirigir limpiamente todos los recursos de PrivacyTools al nuevo sitio sin ninguna interrupción del servicio. Esta decisión se tomó con muchos meses de antelación y se comunicó a todo el equipo con la esperanza de que BurungHantu se pusiera en contacto y asegurara su apoyo continuo al proyecto, porque con una marca reconocible y grandes comunidades en línea, alejarse de "PrivacyTools" era el resultado menos deseable posible. + +A mediados de 2021, el equipo de PrivacyTools se puso en contacto con Jonah, que aceptó reincorporarse al equipo para ayudar en la transición. + +## Llamada a la acción comunitaria + +A finales de julio de 2021 [informamos](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) a la comunidad PrivacyTools de nuestra intención de elegir un nuevo nombre y continuar el proyecto en un nuevo dominio, para ser [elegido](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) el 2 de agosto de 2022. Al final, se eligió "Privacy Guides", con el dominio `privacyguides.org` que ya poseía Jonah para un proyecto paralelo de 2020 que quedó sin desarrollar. + +## Control de r/privacytoolsIO + +Simultáneamente con los problemas del sitio web en privacytools.io, el equipo de moderación de r/privacytoolsIO se enfrentaba a retos en la gestión del subreddit. El subreddit siempre había sido operado en su mayor parte independientemente del desarrollo del sitio web, pero BurungHantu era el principal moderador del subreddit también, y era el único moderador al que se le habían concedido privilegios de "Control total". u/trai_dep era el único moderador activo en ese momento, y [publicó](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) una solicitud a los administradores de Reddit el 28 de junio de 2021, en la que pedía que se le concediera el puesto de moderador principal y privilegios de control total, con el fin de realizar los cambios necesarios en el subreddit. + +Reddit requiere que los subreddits tengan moderadores activos. Si el moderador principal está inactivo durante un largo periodo de tiempo (como un año), el puesto de moderador principal puede volver a asignarse al siguiente moderador en la lista. Para que se le concediera esta petición, BurungHantu tenía que haber estado completamente ausente de toda actividad de Reddit durante un largo periodo de tiempo, lo que era coherente con sus comportamientos en otras plataformas. + +> Si fuiste removido como moderador de un subreddit a través de una solicitud de Reddit es porque tu falta de respuesta y tu falta de actividad calificaron al subreddit para una transferencia de r/redditrequest. +> +> r/redditrequest es la forma de Reddit de asegurarse de que las comunidades tengan moderadores activos y forma parte del [Código de Conducta de Moderador](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Inicio de la transición + +El 14 de septiembre de 2021, [anunciamos](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) el inicio de nuestra migración a este nuevo dominio: + +> [...] nos pareció necesario hacer este cambio más pronto que tarde para que la gente se enterara de esta transición lo antes posible. Esto nos da el tiempo adecuado para la transición del nombre de dominio, que actualmente se está redirigiendo a www.privacyguides.org, y esperamos que dé a todos el tiempo suficiente para notar el cambio, actualizar los marcadores y los sitios web, etc. + +Este cambio [implicó:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirigiendo www.privacytools.io a [www.privacyguides.org](https://www.privacyguides.org). +- Archivar el código fuente en GitHub para preservar nuestro trabajo anterior y el rastreador de problemas, que seguimos utilizando durante meses para el desarrollo futuro de este sitio. +- Publicar anuncios en nuestro subreddit y en varias otras comunidades informando a la gente del cambio oficial. +- Cerrar formalmente los servicios de privacytools.io, como Matrix y Mastodon, y animar a los usuarios existentes a migrar lo antes posible. + +Las cosas parecían ir bien, y la mayoría de nuestra comunidad activa hizo el cambio a nuestro nuevo proyecto exactamente como esperábamos. + +## Eventos siguientes + +Aproximadamente una semana después de la transición, BurungHantu volvió a estar en línea por primera vez en casi un año, sin embargo nadie de nuestro equipo estaba dispuesto a volver a PrivacyTools debido a su histórica falta de fiabilidad. En lugar de disculparse por su prolongada ausencia, pasó inmediatamente a la ofensiva y situó la transición a Privacy Guides como un ataque contra él y su proyecto. Posteriormente, [borró](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) muchos de estos mensajes cuando la comunidad le señaló que había estado ausente y abandonado el proyecto. + +En este punto, BurungHantu afirmó que quería seguir trabajando en privacytools.io por su cuenta y solicitó que elimináramos la redirección de www.privacytools.io a [www.privacyguides.org](https://www.privacyguides.org). Le obligamos y le pedimos que mantuviera activos los subdominios de Matrix, Mastodon y PeerTube para que funcionaran como servicio público para nuestra comunidad durante al menos unos meses, con el fin de que los usuarios de esas plataformas pudieran migrar fácilmente a otras cuentas. Debido a la naturaleza federada de los servicios que prestábamos, estaban vinculados a nombres de dominio específicos, lo que hacía muy difícil la migración (y en algunos casos imposible). + +Desafortunadamente, debido a que el control del subreddit r/privacytoolsIO no fue devuelto a BurungHantu a su demanda (más información abajo), esos subdominios fueron [cortados](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) a principios de octubre, acabando con cualquier posibilidad de migración para cualquier usuario que aún usara esos servicios. + +Tras esto, BurungHantu hizo falsas acusaciones sobre el robo de donaciones del proyecto por parte de Jonah. BurungHantu tenía más de un año desde que ocurrió el presunto incidente y, sin embargo, no lo puso en conocimiento de nadie hasta después de la migración de Privacy Guides. El equipo [y la comunidad](https://twitter.com/TommyTran732/status/1526153536962281474) han pedido repetidamente a BurungHantu que aporte pruebas y comente el motivo de su silencio, y no lo ha hecho. + +BurungHantu también hizo una [publicación en Twitter](https://twitter.com/privacytoolsIO/status/1510560676967710728) alegando que un "abogado" se había puesto en contacto con él en Twitter y le estaba dando consejos, en otro intento de intimidarnos para darle el control de nuestro subreddit, y como parte de su campaña de difamación para enturbiar las aguas que rodean el lanzamiento de Privacy Guides mientras fingía ser una víctima. + +## PrivacyTools.io Ahora + +A partir del 25 de septiembre de 2022 estamos viendo cómo los planes generales de BurungHantu se hacen realidad en privacytools.io, y esta es la razón por la que hemos decidido crear esta página explicativa hoy. El sitio web que está operando parece ser una versión altamente optimizada para SEO del sitio que recomienda herramientas a cambio de una compensación financiera. Recientemente, IVPN y Mullvad, dos proveedores de VPN [recomendados](../vpn.md) casi universalmente por la comunidad de la privacidad y notables por su postura contra los programas de afiliación, fueron eliminados de PrivacyTools. ¿En su lugar? NordVPN, Surfshark, ExpressVPN y hide.me; gigantescas corporaciones de VPN con plataformas y prácticas comerciales poco fiables, famosas por sus agresivos programas de marketing y afiliación. + +==**PrivacyTools se ha convertido exactamente en el tipo de sitio que [advertimos](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) en el blog de PrivacyTools en 2019.**== Hemos intentado mantener las distancias con PrivacyTools desde la transición, pero su continuo acoso hacia nuestro proyecto y ahora su absurdo abuso de la credibilidad que su marca ha ganado a lo largo de 6 años de contribuciones de código abierto es extremadamente preocupante para nosotros. Los que realmente luchamos por la privacidad no estamos luchando entre nosotros, y no estamos recibiendo nuestro consejo del mejor postor. + +## r/privacytoolsIO Ahora + +Después del lanzamiento de [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), era poco práctico para u/trai_dep continuar moderando ambos subreddits, y con la comunidad a bordo con la transición, r/privacytoolsIO se [hizo](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) un sub restringido en un post el 1 de noviembre de 2021: + +> [...] El crecimiento de este Sub fue el resultado de un gran esfuerzo, a lo largo de varios años, del equipo de PrivacyGuides.org. Y por cada uno de ustedes. +> +> Un Subreddit es una gran cantidad de trabajo para administrar y moderar. Al igual que un jardín, requiere una atención paciente y un cuidado diario. No es una tarea para diletantes o personas con problemas de compromiso. No puede prosperar bajo un jardinero que la abandona durante varios años y luego aparece exigiendo la cosecha de este año como su tributo. Es injusto para el equipo formado hace años. Es injusto para ti. [...] + +Los subreddits no pertenecen a nadie, y especialmente no pertenecen a los titulares de las marcas. Pertenecen a sus comunidades, y la comunidad y sus moderadores tomaron la decisión de apoyar el traslado a r/PrivacyGuides. + +En los meses posteriores, BurungHantu ha amenazado y rogado para que le devuelvan el control del subreddit a su cuenta en [violación](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) de las normas de Reddit: + +> No se permiten las represalias por parte de ningún moderador con respecto a las solicitudes de eliminación. + +Para una comunidad con muchos miles de suscriptores restantes, creemos que sería increíblemente irrespetuoso devolver el control de esa plataforma masiva a la persona que la abandonó durante más de un año, y que ahora gestiona un sitio web que, en nuestra opinión, proporciona información de muy baja calidad. Preservar los años de discusiones pasadas en esa comunidad es más importante para nosotros, y por lo tanto u/trai_dep y el resto del equipo de moderación del subreddit ha tomado la decisión de mantener r/privacytoolsIO como está. + +## OpenCollective Ahora + +Nuestra plataforma de recaudación de fondos, OpenCollective, es otra fuente de controversia. Nuestra posición es que OpenCollective fue puesto en marcha por nuestro equipo y gestionado por nuestro equipo para financiar los servicios que actualmente operamos y que PrivacyTools ya no hace. Nosotros [nos pusimos en contacto](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) con todos nuestros donantes con respecto a nuestro traslado a Privacy Guides y fuimos apoyados unánimemente por nuestros patrocinadores y la comunidad. + +Por lo tanto, los fondos de OpenCollective pertenecen a Privacy Guides, fueron entregados a nuestro proyecto, y no al propietario de un nombre de dominio muy conocido. En el anuncio hecho a los donantes el 17 de septiembre de 2021, ofrecimos reembolsos a cualquier donante que no estuviera de acuerdo con la postura que adoptamos, pero nadie ha aceptado esta oferta: + +> Si algún patrocinador no está de acuerdo o se siente engañado por estos recientes acontecimientos y quiere solicitar un reembolso dadas estas circunstancias tan inusuales, por favor póngase en contacto con nuestro administrador del proyecto enviando un correo electrónico a jonah@triplebit.net. + +## Lecturas Adicionales + +Este tema se ha debatido ampliamente en nuestras comunidades en varios lugares, y parece probable que la mayoría de las personas que lean esta página ya estén familiarizadas con los acontecimientos que condujeron al cambio a Privacy Guides. Algunas de nuestras publicaciones anteriores sobre el tema pueden tener detalles adicionales que omitimos aquí por razones de brevedad. Se han enlazado a continuación para completarlo. + +- [28 de junio de 2021: solicitud de control de r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 de julio de 2021: anuncio de nuestras intenciones de mudanza en el blog de PrivacyTools, escrito por el equipo](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 de septiembre de 2021: anuncio del inicio de nuestra transición a las Guías de Privacidad en r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [17 de septiembre, 2021: anuncio en OpenCollective de Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 de septiembre de 2021: Hilo de Twitter en el que se detallan la mayoría de los acontecimientos que ahora se describen en esta página](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021: post de u/dng99 observando fallo de subdominio](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 de abril de 2022: respuesta de u/dng99 a la publicación acusatoria en el blog de PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 de mayo de 2022: respuesta de @TommyTran732 en Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [3 de septiembre de 2022: post en el foro de Techlore por @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/es/about/services.md b/i18n/es/about/services.md new file mode 100644 index 00000000..2adba1f1 --- /dev/null +++ b/i18n/es/about/services.md @@ -0,0 +1,38 @@ +# Servicios de Privacy Guides + +Ejecutamos una serie de servicios web para probar las características y promover proyectos descentralizados, federados y/o de código abierto. Muchos de estos servicios están disponibles al público y están detallados a continuación. + +[:material-comment-alert: Reportar un problema](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Enlace: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Disponibilidad: Pública +- Código fuente: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Enlace: [code.privacyguides.dev](https://code.privacyguides.dev) +- Disponibilidad: Sólo por invitación + El acceso puede otorgarse a solicitud de cualquier equipo trabajando en el desarrollo o contenido relacionado a *Privacy Guides*. +- Código fuente: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Enlace: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Disponibilidad: Sólo por invitación + El acceso puede otorgarse a solicitud de los miembros del equipo de Privacy Guides, los moderadores de Matrix, terceras partes administradoras de la comunidad Matrix, los operatores de bots de Matrix, y otros individuos en la necesidad de una presencia confiable de Matrix. +- Código fuente: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Enlace: [search.privacyguides.net](https://search.privacyguides.net) +- Disponibilidad: Pública +- Código fuente: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Enlace: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Disponibilidad: Semipública + Alojamos Indivious principalmente para servir videos de YouTube incrustados en nuestra página. Esta instancia no está destinada al público general y puede ser limitada en cualquier momento. +- Código fuente: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/es/about/statistics.md b/i18n/es/about/statistics.md new file mode 100644 index 00000000..9d1d1765 --- /dev/null +++ b/i18n/es/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Estadísticas de tráfico +--- + +## Estadísticas de la página + + +
Estadísticas generadas por Plausible Analytics
+ + + + +## Estadísticas del blog + + +
Estadísticas generadas por Plausible Analytics
+ + + diff --git a/i18n/es/advanced/communication-network-types.md b/i18n/es/advanced/communication-network-types.md new file mode 100644 index 00000000..979c36f9 --- /dev/null +++ b/i18n/es/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Tipos de redes de comunicación" +icon: 'material/transit-connection-variant' +description: Una visión general de varias arquitecturas de red comúnmente utilizadas por aplicaciones de mensajería instantánea. +--- + +Existen varias arquitecturas de red utilizadas habitualmente para transmitir mensajes entre personas. Estas redes pueden ofrecer diferentes garantías de privacidad, por lo que conviene tener en cuenta tu [modelo de amenaza](../basics/threat-modeling.md) a la hora de decidir qué aplicación utilizar. + +[Servicios de Mensajería Instantánea Recomendados](../real-time-communication.md ""){.md-button} + +## Redes centralizadas + +![Diagrama de redes centralizadas](../assets/img/layout/network-centralized.svg){ align=left } + +Los mensajeros centralizados son aquellos en los que todos los participantes están en el mismo servidor o red de servidores controlados por la misma organización. + +Algunos servicios de mensajería autoalojados te permiten configurar tu propio servidor. El autoalojamiento puede ofrecer garantías adicionales de privacidad, como la ausencia de registros de uso o acceso limitado a los metadatos (datos sobre quién habla con quién). Los servicios de mensajería centralizados autoalojados están aislados y todos deben estar en el mismo servidor para comunicarse. + +**Ventajas:** + +- Nuevas funciones y cambios pueden aplicarse más rápidamente. +- Es más fácil empezar y encontrar contactos. +- Ecosistemas de características más maduras y estables, ya que son más fáciles de programar en un software centralizado. +- Problemas de privacidad pueden reducirse cuando confías en un servidor que estás autoalojando. + +**Desventajas:** + +- Puede incluir [control o acceso restringido](https://drewdevault.com/2018/08/08/Signal.html). Esto puede incluir cosas como: +- Estar [prohibido conectar clientes de terceros](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) a la red centralizada que podría proporcionar una mayor personalización o una mejor experiencia. A menudo se define en los Términos y condiciones de uso. +- Documentación pobre o nula para desarrolladores de terceros. +- La [propiedad](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), política de privacidad y las operaciones del servicio pueden cambiar fácilmente cuando una sola entidad lo controla, potencialmente comprometiendo el servicio más adelante. +- El autoalojamiento requiere esfuerzo y conocimiento de cómo configurar un servicio. + +## Redes Federadas + +![Diagrama de redes federadas](../assets/img/layout/network-decentralized.svg){ align=left } + +Mensajeros federados utilizan varios servidores independientes y descentralizados que son capaces de comunicarse entre sí (correo electrónico es un ejemplo de un servicio federado). La federación permite a los administradores de sistemas controlar su propio servidor y seguir formando parte de la red de comunicaciones más amplia. + +Cuando autoalojados, miembros de un servidor federado pueden descubrir y comunicarse con miembros de otros servidores, aunque algunos servidores pueden optar por permanecer privados al no ser federados (por ejemplo, el servidor del equipo de trabajo). + +**Ventajas:** + +- Permite un mayor control sobre tus propios datos cuando administras tu propio servidor. +- Te permite elegir en quién confiar tus datos eligiendo entre varios servidores "públicos". +- A menudo permite los clientes de terceros que pueden ofrecer una experiencia más nativa, personalizada o accesible. +- El software del servidor se puede verificar que coincide con el código fuente público, asumiendo que tengas acceso al servidor o que confíes en la persona quien lo tiene (por ejemplo, un familiar). + +**Desventajas:** + +- Añadir nuevas funciones es más complejo porque estas funciones tienen que ser estandarizadas y probadas para asegurar que funcionen con todos los servidores en la red. +- Debido al punto anterior, pueden faltar funciones, o estar incompletas o funcionar de forma inesperada en comparación con las plataformas centralizadas, como la retransmisión de mensajes cuando se está desconectado o la eliminación de mensajes. +- Algunos metadatos pueden estar disponibles (por ejemplo, información como "quién está hablando con quién", pero no el contenido real del mensaje si se utiliza E2EE). +- Los servidores federados generalmente requieren confiar en el administrador de tu servidor. Puede que sean aficionados o que no sean "profesionales de la seguridad", y puede que no sirvan documentos estándar como una política de privacidad o unas condiciones de servicio que detallen cómo se utilizan tus datos. +- Administradores de servidores a veces deciden bloquear otros servidores que son fuente de abusos no moderados o que rompen las normas generales de comportamiento aceptado. Esto dificultará tu capacidad de comunicación con los miembros de esos servidores. + +## Redes par a par (P2P) + +![Diagrama P2P](../assets/img/layout/network-distributed.svg){ align=left } + +Los servicios de mensajería P2P se conectan a una [red distribuida](https://es.wikipedia.org/wiki/Red_distribuida) de nodos para transmitir un mensaje al destinatario sin necesidad de un servidor externo. + +Los clientes (pares) usualmente se encuentran entre sí mediante el uso de una red de [computación distribuida](https://en.wikipedia.org/wiki/Distributed_computing). Ejemplos de esto incluyen la [Tabla de hash distribuida](https://es.wikipedia.org/wiki/Tabla_de_hash_distribuida) (DHT), usada por [torrents](https://es.wikipedia.org/wiki/BitTorrent) y [IPFS](https://es.wikipedia.org/wiki/Sistema_de_archivos_interplanetario) por ejemplo. Otro enfoque son las redes basadas en la proximidad, en las que se establece una conexión a través de WiFi o Bluetooth (por ejemplo, Briar o el protocolo de red social [Scuttlebutt](https://www.scuttlebutt.nz)). + +Una vez que un par ha encontrado una ruta a su contacto a través de cualquiera de estos métodos, se establece una conexión directa entre ellos. Aunque los mensajes suelen estar encriptados, un observador puede deducir la ubicación y la identidad del remitente y del destinatario. + +Las redes P2P no utilizan servidores, ya que los pares se comunican directamente entre sí y, por tanto, no pueden ser autoalojadas. Sin embargo, algunos servicios adicionales pueden depender de servidores centralizados, como el descubrimiento de usuarios o la retransmisión de mensajes sin conexión, que pueden beneficiarse del autoalojamiento. + +**Ventajas:** + +- La información que se expone a terceros es mínima. +- Las plataformas P2P modernas implementan E2EE por defecto. No hay servidores que puedan interceptar y descifrar tus transmisiones, a diferencia de los modelos centralizados y federados. + +**Desventajas:** + +- Conjunto de funciones reducido: +- Los mensajes solo pueden enviarse cuando ambos pares están en línea, sin embargo, tu cliente puede almacenar los mensajes localmente para esperar a que el contacto vuelva a estar en línea. +- Por lo general, aumenta el uso de la batería en los dispositivos móviles, ya que el cliente debe permanecer conectado a la red distribuida para saber quién está conectado. +- Es posible que algunas funciones comunes de mensajería no se implementen o sean incompletas, como la eliminación de mensajes. +- Tu dirección IP y la de los contactos con los que te comunicas puede quedar expuesta si no utilizas el software junto con una [VPN](../vpn.md) o [Tor](../tor.md). Muchos países tienen alguna forma de vigilancia masiva y/o retención de metadatos. + +## Enrutamiento anónimo + +![Diagrama de enrutamiento anónimo](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +Un servicio de mensajería que utilice [enrutamiento anónimo](https://doi.org/10.1007/978-1-4419-5906-5_628) oculta la identidad del emisor, del receptor o la evidencia de que se han comunicado. Idealmente, un servicio de mensajería debería ocultar los tres. + +Hay [muchas](https://doi.org/10.1145/3182658) formas diferentes de implementar el enrutamiento anónimo. Una de las más famosas es el [enrutamiento cebolla](https://es.wikipedia.org/wiki/Encaminamiento_cebolla) (es decir, [Tor](tor-overview.md)), que comunica mensajes cifrados a través de una red [superpuesta virtual](https://es.wikipedia.org/wiki/Red_superpuesta) que oculta la ubicación de cada nodo, así como el destinatario y el remitente de cada mensaje. El remitente y el destinatario nunca interactúan directamente y solo se reúnen a través de un nodo de encuentro secreto para que no haya filtración de direcciones IP ni de la ubicación física. Los nodos no pueden descifrar los mensajes, ni el destino final; solo el destinatario puede hacerlo. Cada nodo intermediario solo puede desencriptar una parte que indica a dónde enviar el mensaje aún encriptado a continuación, hasta que llega al destinatario que puede desencriptarlo completamente, de ahí las "capas de cebolla." + +El autoalojamiento de un nodo en una red de enrutamiento anónimo no proporciona al anfitrión beneficios adicionales de privacidad, sino que contribuye a la resistencia de toda la red contra los ataques de identificación en beneficio de todos. + +**Ventajas:** + +- La información que se expone a otras partes es mínima o nula. +- Los mensajes pueden transmitirse de forma descentralizada incluso si una de las partes está desconectada. + +**Desventajas:** + +- Lenta propagación de mensajes. +- A menudo se limita a menos tipos de medios, sobre todo de texto, ya que la red es lenta. +- Menos fiable si los nodos se seleccionan mediante enrutamiento aleatorio, algunos nodos pueden estar muy lejos del emisor y del receptor, añadiendo latencia o incluso dejando de transmitir mensajes si uno de los nodos se desconecta. +- Más complejo para empezar, ya que se requiere la creación y el respaldo seguro de una clave privada criptográfica. +- Al igual que en otras plataformas descentralizadas, añadir funciones es más complejo para los desarrolladores que en una plataforma centralizada. Por lo tanto, pueden faltar funciones o estar implementadas de forma incompleta, como la retransmisión de mensajes fuera de línea o la eliminación de mensajes. diff --git a/i18n/es/advanced/dns-overview.md b/i18n/es/advanced/dns-overview.md new file mode 100644 index 00000000..6df124fc --- /dev/null +++ b/i18n/es/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Resumen DNS" +icon: material/dns +description: El Sistema de Nombres de Dominio es la "guía telefónica de Internet", que ayuda a tu navegador a encontrar el sitio web que buscas. +--- + +El [Sistema de Nombres de Dominio](https://es.wikipedia.org/wiki/Sistema_de_nombres_de_dominio) es el 'directorio telefónico del Internet'. El DNS traduce los nombres de dominio a direcciones IP para que los navegadores y otros servicios puedan cargar los recursos de Internet, a través de una red descentralizada de servidores. + +## ¿Qué es el DNS? + +Cuando visitas un sitio web, se devuelve una dirección numérica. Por ejemplo, cuando visitas `privacyguides.org`, la dirección `192.98.54.105` es devuelta. + +DNS ha existido desde los [primeros días](https://es.wikipedia.org/wiki/Sistema_de_nombres_de_dominio#Historia) de Internet. Las solicitudes DNS realizadas desde y hacia servidores DNS **no** son generalmente cifradas. En un entorno residencial, el cliente recibe servidores del ISP a través de [DHCP](https://es.wikipedia.org/wiki/Protocolo_de_configuraci%C3%B3n_din%C3%A1mica_de_host). + +Las solicitudes de DNS sin cifrar pueden ser fácilmente **vigiladas** y **modificadas** en tránsito. En algunas partes del mundo, a los ISP se les ordena que hagan un [filtrado de DNS](https://en.wikipedia.org/wiki/DNS_blocking) primitivo. Cuando se solicita la dirección IP de un dominio que está bloqueado, es posible que el servidor no responda o lo haga con una dirección IP diferente. Como el protocolo DNS no está encriptado, el ISP (o cualquier operador de red) puede utilizar [DPI](https://es.wikipedia.org/wiki/Inspecci%C3%B3n_profunda_de_paquete) para controlar las solicitudes. Los ISP también pueden bloquear las solicitudes en función de características comunes, independientemente del servidor DNS que se utilice. El DNS no cifrado siempre utiliza el [puerto](https://es.wikipedia.org/wiki/Puerto_de_red) 53 y siempre utiliza UDP. + +A continuación, discutimos y proporcionamos un tutorial para probar lo que un observador externo puede ver usando DNS regulares sin encriptar y [DNS encriptado](#what-is-encrypted-dns). + +### DNS Sin Encriptación + +1. Usando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte del proyecto [Wireshark](https://es.wikipedia.org/wiki/Wireshark)) podemos monitorear y registrar el flujo de paquetes de Internet. Este comando registra los paquetes que cumplen las reglas especificadas: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Entonces podemos usar [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, macOS, etc) o [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) para enviar la búsqueda DNS a ambos servidores. Software como los navegadores web hacen estas búsquedas automáticamente, a menos que estén configurados para usar DNS cifrado. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. A continuación, queremos [analizar](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) los resultados: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Si ejecutas el comando Wireshark anterior, el panel superior muestra los "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", y el panel inferior muestra todos los datos sobre el frame seleccionado. Las soluciones empresariales de filtrado y monitorización (como las adquiridas por los gobiernos) pueden realizar el proceso de forma automática, sin interacción humana, y pueden agregar esas tramas para producir datos estadísticos útiles para el observador de la red. + +| No. | Tiempo | Fuente | Destino | Protocolo | Duración | Información | +| --- | -------- | --------- | --------- | --------- | -------- | ----------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Consulta estándar 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Respuesta de consulta estándar 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Consulta estándar 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Respuesta de consulta estándar 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un observador podría modificar cualquiera de estos paquetes. + +## ¿Qué es "DNS cifrado"? + +DNS encriptado puede referirse a uno de un número de protocolos, los más comunes siendo: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) fue uno de los primeros métodos de encriptación de consultas DNS. DNSCrypt opera en el puerto 443 y funciona con los protocolos de transporte TCP o UDP. DNSCrypt nunca ha sido enviado al [Grupo de Trabajo de Ingeniería en Internet (IETF)](https://es.wikipedia.org/wiki/Grupo_de_Trabajo_de_Ingenier%C3%ADa_de_Internet) ni ha pasado por el proceso de ["Request for Comments" (RFC)](https://es.wikipedia.org/wiki/Request_for_Comments) por lo que no ha sido utilizado ampliamente fuera de unas pocas [implementaciones](https://dnscrypt.info/implementations). Como resultado, ha sido sustituido en gran medida por el más popular [DNS sobre HTTPS](#dns-over-https-doh). + +### DNS sobre TLS (DoT) + +[**DNS sobre TLS**](https://es.wikipedia.org/wiki/DNS_mediante_TLS) es otro método para cifrar la comunicación DNS que se define en [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). La compatibilidad se implementó por primera vez en Android 9, iOS 14 y en Linux en [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) en la versión 237. La preferencia en la industria se ha estado alejando del DoT al DoH en los últimos años, ya que el DoT es un [protocolo complejo](https://dnscrypt.info/faq/) y tiene un cumplimiento variable del RFC en todas las implementaciones que existen. DoT también opera en un puerto dedicado 853 que puede ser bloqueado fácilmente por cortafuegos restrictivos. + +### DNS sobre HTTPS (DoH) + +[**DNS sobre HTTPS**](https://es.wikipedia.org/wiki/DNS_mediante_HTTPS) como se define en [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) empaqueta las consultas en el protocolo [HTTP/2](https://es.wikipedia.org/wiki/HTTP/2) y proporciona seguridad con HTTPS. La compatibilidad se añadió por primera vez en navegadores web como Firefox 60 y Chrome 83. + +La implementación nativa de DoH apareció en iOS 14, macOS 11, Microsoft Windows y Android 13 (sin embargo, no estará habilitada [por defecto](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). El soporte general de los escritorios de Linux está a la espera de la [implementación](https://github.com/systemd/systemd/issues/8639) de systemd por lo que [la instalación de software de terceros sigue siendo necesaria](../dns.md#linux). + +## ¿Qué puede ver un tercero? + +En este ejemplo registraremos lo que sucede cuando hacemos una solicitud de DoH: + +1. En primer lugar, inicia `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. En segundo lugar, hace una petición con `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Después de hacer la solicitud, podemos detener la captura de paquetes con CTRL + C. + +4. Analiza los resultados en Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Podemos ver el [establecimiento de la conexión](https://es.wikipedia.org/wiki/Protocolo_de_control_de_transmisi%C3%B3n#Establecimiento_de_la_conexi%C3%B3n_(negociaci%C3%B3n_en_tres_pasos)) y [enlace TLS](https://www.cloudflare.com/es-es/learning/ssl/what-happens-in-a-tls-handshake/) que ocurre con cualquier conexión encriptada. Al mirar los paquetes de "datos de aplicación" que siguen, ninguno de ellos contiene el dominio que solicitamos ni la dirección IP devuelta. + +## ¿Por qué **no debería** utilizar un DNS cifrado? + +En los lugares en los que existe el filtrado de Internet (o la censura), visitar recursos prohibidos puede tener sus propias consecuencias, que deberás tener en cuenta en tu [modelo de amenazas](../basics/threat-modeling.md). Nosotros **no** sugerimos el uso de DNS encriptados para este propósito. Usa [Tor](https://torproject.org) o una [VPN](../vpn.md) en su lugar. Si estás usando una VPN, deberías usar los servidores DNS de tu VPN. Al utilizar una VPN, ya les estás confiando toda tu actividad en la red. + +Cuando hacemos una búsqueda en el DNS, generalmente es porque queremos acceder a un recurso. A continuación, hablaremos de algunos de los métodos que pueden revelar tus actividades de navegación incluso cuando se utiliza un DNS cifrado: + +### Dirección IP + +La forma más sencilla de determinar la actividad de navegación podría ser mirar las direcciones IP a las que acceden sus dispositivos. Por ejemplo, si el observador sabe que `privacyguides.org` está en `198.98.54.105`, y tu dispositivo solicita datos de `198.98.54.105`, es muy probable que estés visitando Privacy Guides. + +Este método sólo es útil cuando la dirección IP pertenece a un servidor que sólo aloja unos pocos sitios web. Tampoco es muy útil si el sitio está alojado en una plataforma compartida (por ejemplo, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). Tampoco es muy útil si el servidor está alojado detrás de un [proxy inverso](https://es.wikipedia.org/wiki/Proxy_inverso), lo cual es muy común en la Internet moderna. + +### Indicación del Nombre del Servidor (SNI) + +La Indicación del Nombre del Servidor se suele utilizar cuando una dirección IP aloja muchos sitios web. Esto podría ser un servicio como Cloudflare, o alguna otra protección de [ataque de denegación de servicio](https://es.wikipedia.org/wiki/Ataque_de_denegaci%C3%B3n_de_servicio). + +1. Comienza a capturar de nuevo con `tshark`. Hemos añadido un filtro con nuestra dirección IP para que no captures muchos paquetes: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Luego visitamos [https://privacyguides.org](https://privacyguides.org). + +3. Después de visitar el sitio web, queremos detener la captura de paquetes con CTRL + C. + +4. A continuación queremos analizar los resultados: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Veremos el establecimiento de la conexión, seguido del enlace TLS para el sitio web de Privacy Guides. Alrededor del marco 5. verás un "Client Hello". + +5. Expande el triángulo ▸ junto a cada campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Podemos ver el valor SNI que revela el sitio web que estamos visitando. El comando `tshark` puede darte el valor directamente para todos los paquetes que contienen un valor SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Esto significa que incluso si estamos utilizando servidores "DNS cifrados", es probable que el dominio se divulgue a través de SNI. El protocolo [TLS v1.3](https://es.wikipedia.org/wiki/Seguridad_de_la_capa_de_transporte#TLS_1.3) trae consigo [Client Hello Encriptado](https://blog.cloudflare.com/encrypted-client-hello/), que evita este tipo de fugas. + +Los gobiernos, en particular de [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) y [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ya han [empezado a bloquearlo](https://es.wikipedia.org/wiki/Server_Name_Indication#Funcionamiento_de_ESNI) o han expresado su deseo de hacerlo. Recientemente, Rusia ha [comenzado a bloquear sitios web extranjeros](https://github.com/net4people/bbs/issues/108) que utilizan el estándar [HTTP/3](https://es.wikipedia.org/wiki/HTTP/3). Esto se debe a que el protocolo [QUIC](https://es.wikipedia.org/wiki/QUIC) que forma parte de HTTP/3 requiere que `ClientHello` también esté cifrado. + +### Protocolo de comprobación del Estado de un Certificado En línea (OCSP) + +Otra forma en que tu navegador puede revelar tus actividades de navegación es con el [Protocolo de comprobación del Estado de un Certificado En línea](https://es.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Al visitar un sitio web HTTPS, el navegador puede comprobar si el [certificado](https://es.wikipedia.org/wiki/Certificado_de_clave_p%C3%BAblica) del sitio web ha sido revocado. Esto se hace generalmente a través del protocolo HTTP, lo que significa que **no** está cifrado. + +La solicitud OCSP contiene el "[número de serie](https://es.wikipedia.org/wiki/Certificado_de_clave_p%C3%BAblica#Campos_comunes)" del certificado, que es único. Se envía al "Respondedor OCSP" para comprobar su estado. + +Podemos simular lo que haría un navegador utilizando el comando [`openssl`](https://es.wikipedia.org/wiki/OpenSSL). + +1. Obtén el certificado del servidor y usa [`sed`](https://es.wikipedia.org/wiki/Sed_(inform%C3%A1tica)) para conservar sólo la parte importante y escribirla en un archivo: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Obtén el certificado intermedio. Las [Autoridades de Certificación (CA)](https://es.wikipedia.org/wiki/Autoridad_de_certificaci%C3%B3n) normalmente no firman un certificado directamente; utilizan lo que se conoce como un certificado "intermedio". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. El primer certificado en `pg_and_intermediate.cert` es en realidad el certificado del servidor del paso 1. Podemos usar `sed` de nuevo para borrar hasta la primera instancia de END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Obtén el respondedor OCSP para el certificado del servidor: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Nuestro certificado muestra el respondedor del certificado Lets Encrypt. Si queremos ver todos los detalles del certificado podemos utilizar: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Inicia la captura de paquetes: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Realiza la solicitud OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Abre la captura: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Habrá dos paquetes con el protocolo "OCSP": una "Solicitud" y una "Respuesta". Para la "Solicitud" podemos ver el "número de serie" expandiendo el triángulo ▸ al lado de cada campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + Para la "Respuesta" también podemos ver el "número de serie": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. O usa `tshark` para filtrar los paquetes por el número de serie: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Si el observador de red tiene el certificado público, que está disponible públicamente, puede hacer coincidir el número de serie con ese certificado y, por lo tanto, determinar el sitio que estás visitando a partir de ese. El proceso puede automatizarse y asociar las direcciones IP con los números de serie. También es posible consultar los registros de [Certificate Transparency](https://es.wikipedia.org/wiki/Certificate_Transparency) para conocer el número de serie. + +## ¿Debería utilizar un DNS cifrado? + +Hemos elaborado este diagrama de flujo para describir cuándo *deberías* usar el DNS cifrado: + +``` mermaid +graph TB + Comienzo[Start] --> anonymous{¿Tratando de ser
anónimo?} + anonymous--> | Sí | tor(Usa Tor) + anonymous --> | No | censorship{¿Evitando la
censura?} + censorship --> | Sí | vpnOrTor(Usa una
VPN o Tor) + censorship --> | No | privacy{¿Quieres privacidad
del ISP?} + privacy --> | Sí | vpnOrTor + privacy --> | No | obnoxious{¿El ISP hace
odiosas
redirecciones?} + obnoxious --> | Sí | encryptedDNS(Usa
DNS cifrado
con terceros) + obnoxious --> | No | ispDNS{¿El ISP soporta
DNS cifrado?} + ispDNS --> | Sí | useISP(Usa
DNS cifrado
con ISP) + ispDNS --> | No | nothing(No hagas nada) +``` + +El DNS cifrado con un tercero solo debe usarse para evitar redirecciones y el [bloqueo básico de DNS](https://en.wikipedia.org/wiki/DNS_blocking) cuando puedas estar seguro de que no habrá consecuencias o estés interesado en un proveedor que realice un filtrado rudimentario. + +[Lista de servidores DNS recomendados](../dns.md ""){.md-button} + +## ¿Qué es DNSSEC? + +Las [extensiones de seguridad para el sistema de nombres de dominio](https://es.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) son una función del DNS que autentifica las respuestas a las búsquedas de nombres de dominio. No proporciona protecciones de privacidad para esas búsquedas, sino que evita que los atacantes manipulen o envenenen las respuestas a las solicitudes de DNS. + +En otras palabras, DNSSEC firma digitalmente los datos para ayudar a garantizar su validez. Para garantizar una búsqueda segura, la firma se produce en todos los niveles del proceso de búsqueda del DNS. Como resultado, todas las respuestas del DNS son de confianza. + +El proceso de firma de DNSSEC es similar al de alguien que firma un documento legal con un bolígrafo; esa persona firma con una firma única que nadie más puede crear, y un perito judicial puede mirar esa firma y verificar que el documento fue firmado por esa persona. Estas firmas digitales garantizan que los datos no han sido manipulados. + +DNSSEC implementa una política de firma digital jerárquica en todas las capas del DNS. Por ejemplo, en el caso de una búsqueda en `privacyguides.org`, un servidor DNS raíz firmaría una clave para el servidor de nombres `.org`, y el servidor de nombres `.org` firmaría entonces una clave para el servidor de nombres autoritativo `privacyguides.org`. + +Adaptado de [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) por Google y [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) por Cloudflare, ambos licensiados bajo [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## ¿Qué es la minimización de QNAME? + +Un QNAME es un "nombre cualificado", por ejemplo `privacyguides.org`. La minimización de QNAME reduce la cantidad de información enviada desde el servidor DNS al [servidor de nombres autoritativo](https://es.wikipedia.org/wiki/Servidor_de_nombres). + +En lugar de enviar todo el dominio `privacyguides.org`, la minimización de QNAME significa que el servidor DNS pedirá todos los registros que terminen en `.org`. Una descripción técnica más detallada se encuentra en [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## ¿Qué es la Subred del Cliente EDNS (ECS)? + +La [Subred de Cliente EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) es un método para que un resolvedor DNS recursivo especifique una [subred](https://es.wikipedia.org/wiki/Subred) para el [host o cliente](https://es.wikipedia.org/wiki/Cliente_(inform%C3%A1tica)) que está realizando la consulta DNS. + +Su objetivo es "acelerar" la entrega de datos dando al cliente una respuesta que pertenece a un servidor que está cerca de él, como una [red de distribución de contenidos](https://es.wikipedia.org/wiki/Red_de_distribuci%C3%B3n_de_contenidos), que se utilizan a menudo en la transmisión de vídeo y el servicio de aplicaciones web de JavaScript. + +Esta característica tiene un coste de privacidad, ya que indica al servidor DNS cierta información sobre la ubicación del cliente. diff --git a/i18n/es/advanced/payments.md b/i18n/es/advanced/payments.md new file mode 100644 index 00000000..d489def0 --- /dev/null +++ b/i18n/es/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Pagos privados +icon: material/hand-coin +--- + +Hay una razón por la que los datos sobre tus hábitos de compra se consideran el santo grial de la segmentación publicitaria: tus compras pueden filtrar un auténtico tesoro de datos sobre ti. Desgraciadamente, el sistema financiero actual es contrario a la privacidad por su propio diseño, ya que permite a los bancos, a otras empresas y a los gobiernos rastrear fácilmente las transacciones. No obstante, tienes muchas opciones a la hora de realizar pagos de forma privada. + +## Efectivo + +Durante siglos, **efectivo** ha funcionado como la principal forma de pago privado. El efectivo tiene excelentes propiedades de privacidad en la mayoría de los casos, es ampliamente aceptado en la mayoría de los países y es **fungible**, lo que significa que no es único y es completamente intercambiable. + +La legislación sobre pagos en efectivo varía según el país. En Estados Unidos, los pagos en efectivo superiores a 10.000 dólares deben declararse al IRS en el[ formulario 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). La empresa receptora está obligada a verificar el nombre, la dirección, la ocupación, la fecha de nacimiento y el número de la Seguridad Social u otro NIF del beneficiario (con algunas excepciones). Existen límites más bajos sin identificación, como 3.000 dólares o menos, para los intercambios y la transmisión de dinero. El dinero en efectivo también contiene números de serie. Casi nunca son rastreados por los comerciantes, pero pueden ser utilizados por las fuerzas de seguridad en investigaciones específicas. + +A pesar de ello, suele ser la mejor opción. + +## Tarjetas prepago y tarjetas regalo + +Es relativamente sencillo comprar tarjetas regalo y tarjetas prepago en la mayoría de los supermercados y tiendas de conveniencia con dinero en efectivo. Las tarjetas regalo no suelen tener comisión, aunque las de prepago a menudo sí, así que presta mucha atención a estas comisiones y a las fechas de caducidad. Algunos comercios pueden pedirte el DNI en la caja para reducir el fraude. + +Las tarjetas regalo suelen tener límites de hasta 200 dólares por tarjeta, pero algunas ofrecen límites de hasta 2.000 dólares por tarjeta. Las tarjetas prepago (por ejemplo, de Visa o Mastercard) suelen tener límites de hasta 1.000 dólares por tarjeta. + +Las tarjetas regalo tienen el inconveniente de estar sujetas a las políticas de los comercios, que pueden tener terribles condiciones y restricciones. Por ejemplo, algunos comercios no aceptan exclusivamente el pago con tarjetas regalo, o pueden anular el valor de la tarjeta si consideran que eres un usuario de alto riesgo. Una vez que se dispone de crédito comercial, el comerciante tiene un alto grado de control sobre este crédito. + +Las tarjetas de prepago no permiten retirar dinero de los cajeros automáticos ni realizar pagos "de igual a igual" en Venmo y aplicaciones similares. + +El efectivo sigue siendo la mejor opción para las compras en persona para la mayoría de la gente. Las tarjetas regalo pueden ser útiles por el ahorro que suponen. Las tarjetas de prepago pueden ser útiles en lugares donde no se acepta dinero en efectivo. Las tarjetas regalo y las tarjetas prepago son más fáciles de utilizar en Internet que el dinero en efectivo, y son más fáciles de adquirir con criptomonedas que con dinero en efectivo. + +### Mercados en línea + +Si tienes [criptomonedas](../cryptocurrency.md), puedes comprar tarjetas regalo en una tienda online de tarjetas de regalo. Algunos de estos servicios ofrecen opciones de verificación de identidad para límites más altos, pero también permiten cuentas con sólo una dirección de correo electrónico. Los límites básicos comienzan en 5.000-10.000 dólares al día para las cuentas básicas, y límites significativamente más altos para las cuentas verificadas por ID (si se ofrecen). + +Al comprar tarjetas regalo por Internet, suele haber un ligero descuento. Las tarjetas de prepago suelen venderse en Internet por su valor nominal o con una comisión. Si compras tarjetas prepago y tarjetas regalo con criptomonedas, deberías preferir pagar con Monero que proporciona una fuerte privacidad, más sobre esto más abajo. Pagar una tarjeta regalo con un método de pago rastreable anula los beneficios que una tarjeta regalo puede proporcionar cuando se compra con dinero en efectivo o Monero. + +- [Mercados de tarjetas regalo en línea :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Tarjetas Virtuales + +Otra forma de proteger su información de los comerciantes en línea es utilizar tarjetas virtuales de un solo uso que enmascaran sus datos bancarios o de facturación reales. Esto es útil sobre todo para protegerte de las filtraciones de datos de comerciantes, del seguimiento menos sofisticado o de la correlación de compras por parte de agencias de marketing, y del robo de datos en línea. Ellos **no** te ayudan a realizar una compra completamente anónima, ni ocultan ninguna información de la propia institución bancaria. Las entidades financieras habituales que ofrecen tarjetas virtuales están sujetas a las leyes de "Conozca a su cliente" (KYC), lo que significa que pueden requerir su DNI u otra información identificativa. + +- [Servicios de enmascaramiento de pagos recomendados :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +Estas tienden a ser buenas opciones para pagos recurrentes/de suscripción en línea, mientras que las tarjetas de regalo prepagas son preferidas para transacciones de una sola vez. + +## Criptomonedas + +Las criptomonedas son una forma digital de moneda diseñada para funcionar sin autoridades centrales como un gobierno o un banco. Mientras que *algunos* proyectos de criptodivisas pueden permitirle realizar transacciones privadas en línea, muchos utilizan una blockchain pública que no proporciona ninguna privacidad en las transacciones. Las criptomonedas también tienden a ser activos muy volátiles, lo que significa que su valor puede cambiar rápida y significativamente en cualquier momento. Por ello, en general no recomendamos utilizar criptomonedas como depósito de valor a largo plazo. Si decides utilizar criptomoneda en línea, asegúrate de conocer bien sus aspectos de privacidad de antemano, y sólo invierte cantidades cuya pérdida no sea desastrosa. + +!!! danger "Peligro" + + La gran mayoría de las criptomonedas operan en una cadena de bloques **pública**, lo que significa que cada transacción es de dominio público. Esto incluye incluso las criptomonedas más conocidas, como Bitcoin y Ethereum. Las transacciones con estas criptomonedas no deben considerarse privadas y no protegerán tu anonimato. + + Además, muchas criptomonedas, si no la mayoría, son estafas. Únicamente realice transacciones con los proyectos en los que confíe. + +### Monedas de privacidad + +Existen varios proyectos de criptomonedas que pretenden proporcionar privacidad haciendo anónimas las transacciones. Recomendamos utilizar uno que proporcione anonimato de transacciones **por defecto** para evitar errores operativos. + +- [Criptomoneda recomendada :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Las monedas de privacidad han sido objeto de un creciente escrutinio por parte de los organismos gubernamentales. En 2020, [el IRS publicó una recompensa de 625.000 dólares](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) para herramientas que puedan romper Bitcoin Lightning Network y/o la privacidad de las transacciones de Monero. En última instancia, [pagó a dos empresas](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis e Integra Fec) una suma combinada de 1,25 millones de dólares por herramientas que supuestamente lo hacen (se desconoce a qué red de criptomonedas se dirigen estas herramientas). Debido al secretismo que rodea a este tipo de herramientas, ==ninguno de estos métodos de rastreo de criptomonedas ha sido confirmado de forma independiente.== Sin embargo, es bastante probable que existan herramientas que ayuden a realizar investigaciones específicas sobre las transacciones de monedas privadas, y que éstas sólo consigan frustrar la vigilancia masiva. + +### Otras monedas (Bitcoin, Ethereum, etc.) + +La gran mayoría de los proyectos de criptomonedas utilizan una cadena de bloques pública, lo que significa que todas las transacciones son fácilmente rastreables y permanentes. Por ello, desaconsejamos encarecidamente el uso de la mayoría de las criptomonedas por motivos relacionados con la privacidad. + +Las transacciones anónimas en una blockchain pública son *teóricamente* posibles, y la wiki de Bitcoin [da un ejemplo de una transacción "completamente anónima"](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). Sin embargo, hacerlo requiere una complicada configuración que implica Tor y la "minería en solitario" de un bloque para generar criptomoneda completamente independiente, una práctica que no ha sido práctica para casi ningún entusiasta durante muchos años. + +== Tu mejor opción es evitar estas criptomonedas por completo y quedarse con una que proporcione privacidad por defecto.== Intentar utilizar otra criptomoneda está fuera del alcance de este sitio y se desaconseja encarecidamente. + +### Custodia de carteras + +En el caso de las criptomonedas existen dos tipos de monederos: los monederos con custodia y los monederos sin custodia. Los monederos custodiados son operados por empresas/intercambios centralizados, donde la clave privada de tu monedero la tiene esa empresa, y puedes acceder a ellos desde cualquier lugar normalmente con un nombre de usuario y contraseña normales. Los monederos no custodiados son monederos en los que tu controlas y gestionas las claves privadas para acceder a él. Asumiendo que mantienes las claves privadas de tu monedero seguras y con copias de seguridad, los monederos sin custodia proporcionan mayor seguridad y resistencia a la censura que los monederos con custodia, porque tu criptomoneda no puede ser robada o congelada por una empresa con custodia sobre tus claves privadas. La custodia de claves es especialmente importante cuando se trata de monedas con privacidad: Los monederos de custodia conceden a la empresa operadora la capacidad de ver tus transacciones, anulando los beneficios de privacidad de esas criptodivisas. + +### Adquisición + +Adquirir [criptomonedas](../cryptocurrency.md) como Monero de forma privada puede ser difícil. Los mercados P2P como [LocalMonero](https://localmonero.co/), una plataforma que facilita el comercio entre personas, son una opción que se puede utilizar. Si el uso de un intercambio que requiere KYC es un riesgo aceptable para ti, siempre y cuando las transacciones posteriores no puedan ser rastreadas, una opción mucho más fácil es comprar Monero en un intercambio como [Kraken](https://kraken.com/), o comprar Bitcoin / Litecoin de un intercambio KYC que luego se puede cambiar por Monero. A continuación, puedes retirar el Monero comprado a su propio monedero no custodio para utilizarlo de forma privada a partir de ese momento. + +Si sigues este camino, asegúrate de comprar Monero en momentos diferentes y en cantidades distintas a las que lo gastarás. Si compras 5.000 dólares de Monero en una bolsa y haces una compra de 5.000 dólares en Monero una hora más tarde, esas acciones podrían ser potencialmente correlacionadas por un observador externo independientemente del camino que haya tomado el Monero. Escalonar las compras y adquirir grandes cantidades de Monero por adelantado para luego gastarlas en múltiples transacciones más pequeñas puede evitar este escollo. + +## 8. Consideraciones Adicionales + +Cuando hagas un pago en persona con efectivo, asegúrate de tener en cuenta tu privacidad en persona. Las cámaras de seguridad son omnipresentes. Considere usar ropa no distintiva y una máscara facial (como una máscara quirúrgica o N95). No te inscribas en programas de recompensas ni facilites ninguna otra información sobre ti. + +Al comprar en línea, lo ideal sería que lo hicieras a través de [Tor](tor-overview.md). Sin embargo, muchos comerciantes no permiten las compras con Tor. Puedes considerar utilizar una [VPN recomendada](../vpn.md) (pagada con dinero en efectivo, tarjeta regalo o Monero), o hacer la compra desde una cafetería o biblioteca con Wi-Fi gratuito. Si vas a pedir un artículo físico que necesita ser entregado, tendrás que facilitar una dirección de entrega. Considera la posibilidad de utilizar un apartado de correos, un buzón privado o la dirección de tu trabajo. diff --git a/i18n/es/advanced/tor-overview.md b/i18n/es/advanced/tor-overview.md new file mode 100644 index 00000000..7d2cd630 --- /dev/null +++ b/i18n/es/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Resumen de Tor" +icon: 'simple/torproject' +description: Tor es una red descentralizada y gratuita diseñada para utilizar Internet con la mayor privacidad posible. +--- + +Tor es una red descentralizada y gratuita diseñada para utilizar Internet con la mayor privacidad posible. Si se utiliza correctamente, la red permite la navegación y las comunicaciones privadas y anónimas. + +## Creación de Rutas a los Servicios Clearnet + +Los "servicios Clearnet" son sitios web a los que puedes acceder con cualquier navegador, como [privacyguides.org](https://www.privacyguides.org). Tor te permite conectarte a estos sitios web de forma anónima enrutando tu tráfico a través de una red compuesta por miles de servidores gestionados por voluntarios llamados nodos (o repetidores). + +Cada vez que [te conectes a Tor](../tor.md), este elegirá tres nodos para construir una ruta a Internet-esta ruta se llama "circuito" + +
+ ![Ruta de Tor que muestra tu dispositivo conectándose a un nodo de entrada, un nodo medio y un nodo de salida antes de llegar al sitio web de destino](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Ruta de Tor que muestra tu dispositivo conectándose a un nodo de entrada, un nodo medio y un nodo de salida antes de llegar al sitio web de destino](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Ruta del circuito de Tor
+
+ +Cada uno de estos nodos tiene su propia función: + +### El nodo de entrada + +El nodo de entrada, a menudo llamado nodo de guardia, es el primer nodo al que se conecta tu cliente Tor. El nodo de entrada puede ver tu dirección IP, pero no puede ver a qué te estás conectando. + +A diferencia de los otros nodos, el cliente Tor seleccionará aleatoriamente un nodo de entrada y se quedará con él durante dos o tres meses para protegerte de ciertos ataques.[^1] + +### El nodo medio + +El nodo del medio es el segundo nodo al que se conecta tu cliente Tor. Puede ver de qué nodo procede el tráfico -el nodo de entrada- y a qué nodo se dirige a continuación. El nodo intermedio no puede, ver tu dirección IP o el dominio al que te estás conectando. + +Para cada nuevo circuito, el nodo central se selecciona aleatoriamente de entre todos los nodos Tor disponibles. + +### El nodo de salida + +El nodo de salida es el punto en el que tu tráfico web abandona la red Tor y es reenviado a su destino deseado. El nodo de salida no puede ver tu dirección IP, pero sí sabe a qué sitio te estás conectando. + +El nodo de salida será elegido al azar de entre todos los nodos Tor disponibles ejecutados con una bandera de retransmisión de salida.[^2] + +## Creación de Rutas a los Servicios Onion + +Los "Servicios Onion" (también conocidos comúnmente como "servicios ocultos") son sitios web a los que solo se puede acceder mediante el navegador Tor. Estos sitios web tienen un nombre de dominio largo generado aleatoriamente que termina en `.onion`. + +Conectarse a un Servicio Onion en Tor funciona de forma muy similar a conectarse a un servicio clearnet, pero tu tráfico se enruta a través de un total de **seis nodos** antes de llegar al servidor de destino. Sin embargo, al igual que antes, solo tres de estos nodos contribuyen a *tu* anonimato, los otros tres nodos protegen el anonimato del *Servicio Onion*, ocultando la verdadera IP y la ubicación del sitio web de la misma manera que Tor Browser oculta la tuya. + +
+ ![Ruta de Tor que muestra tu tráfico siendo enrutado a través de tus tres nodos Tor más tres nodos Tor adicionales que ocultan la identidad del sitio web](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Ruta de Tor que muestra tu tráfico siendo enrutado a través de tus tres nodos Tor más tres nodos Tor adicionales que ocultan la identidad del sitio web](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Ruta del circuito de Tor con Servicios Onion. Los nodos de la valla azul pertenecen a tu navegador, mientras que los nodos de la valla roja pertenecen al servidor, por lo que su identidad está oculta para ti.
+
+ +## Cifrado + +Tor encripta cada paquete (un bloque de datos transmitidos) tres veces con las claves del nodo de salida, medio y de entrada, en ese orden. + +Una vez que Tor ha construido un circuito, la transmisión de datos se realiza de la siguiente manera: + +1. En primer lugar: cuando el paquete llega al nodo de entrada, se elimina la primera capa de cifrado. En este paquete encriptado, el nodo de entrada encontrará otro paquete encriptado con la dirección del nodo intermedio. El nodo de entrada reenviará entonces el paquete al nodo intermedio. + +2. Segundo: cuando el nodo intermedio recibe el paquete del nodo de entrada, también elimina una capa de encriptación con su clave, y esta vez encuentra un paquete encriptado con la dirección del nodo de salida. El nodo intermedio reenviará entonces el paquete al nodo de salida. + +3. Por último, cuando el nodo de salida reciba su paquete, eliminará la última capa de cifrado con su clave. El nodo de salida verá la dirección de destino y reenviará el paquete a esa dirección. + +A continuación se presenta un diagrama alternativo que muestra el proceso. Cada nodo elimina su propia capa de encriptación, y cuando el servidor de destino devuelve los datos, el mismo proceso ocurre completamente a la inversa. Por ejemplo, el nodo de salida no sabe quién eres, pero sí sabe de qué nodo procede, por lo que añade su propia capa de encriptación y lo envía de vuelta. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Envío y recepción de datos a través de la red Tor
+
+ +Tor nos permite conectarnos a un servidor sin que nadie conozca la ruta completa. El nodo de entrada sabe quién eres, pero no a dónde vas; el nodo intermedio no sabe quién eres ni a dónde vas; y el nodo de salida sabe a dónde vas, pero no quién eres. Como el nodo de salida es el que realiza la conexión final, el servidor de destino nunca conocerá tu dirección IP. + +## Advertencias + +Aunque Tor proporciona fuertes garantías de privacidad, uno debe ser consciente de que Tor no es perfecto: + +- Los adversarios bien financiados con la capacidad de observar pasivamente la mayor parte del tráfico de la red en todo el mundo tienen la posibilidad de desanonimizar a los usuarios de Tor mediante el análisis avanzado del tráfico. Tor tampoco te protege de exponerte por error, como por ejemplo si compartes demasiada información sobre tu identidad real. +- Los nodos de salida de Tor también pueden monitorear el tráfico que pasa a través de ellos. Esto significa que el tráfico que no está encriptado, como el tráfico HTTP simple, puede ser grabado y monitoreado. Si dicho tráfico contiene información personal identificable, entonces puede desanonimizarlo a ese nodo de salida. Por lo tanto, recomendamos utilizar HTTPS sobre Tor siempre que sea posible. + +Si deseas utilizar Tor para navegar por la web, sólo recomendamos el navegador Tor Browser **oficial**-está diseñado para evitar las huellas digitales. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Recursos Adicionales + +- [Manual del usuario del navegador Tor](https://tb-manual.torproject.org) +- [¿Cómo funciona Tor? - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Servicios Onion de Tor - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: El primer repetidor en tu circuito se llama "guardia de entrada" o "guardia". Es un repetidor rápido y estable que se mantiene como el primero en tu circuito durante 2-3 meses para protegerse de un ataque conocido de ruptura del anonimato. El resto de tu circuito cambia con cada nuevo sitio web que visitas, y todos juntos estos repetidores proporcionan las protecciones de privacidad completas de Tor. Para obtener más información sobre el funcionamiento de los repetidores de protección, consulta esta [entrada del blog](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) y el [documento](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) sobre los guardias de entrada. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Bandera de repetidor: una (des)calificación de los repetidores para las posiciones de los circuitos (por ejemplo, "Guardia", "Salida", "MalaSalida"), las propiedades de los circuitos (por ejemplo, "Rápido", "Estable"), o los roles (por ejemplo, "Autoridad", "HSDir"), tal y como los asignan las autoridades de los directorios y se definen con más detalle en la especificación del protocolo del directorio. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/es/android.md b/i18n/es/android.md new file mode 100644 index 00000000..cf7af540 --- /dev/null +++ b/i18n/es/android.md @@ -0,0 +1,429 @@ +--- +title: "Android" +icon: 'simple/android' +description: Puedes sustituir el sistema operativo de tu teléfono Android por estas alternativas seguras y respetuosas con la privacidad. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Sistemas Operativos Android Privados + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Cámara de Seguridad + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Visor seguro de PDF + applicationCategory: Utilities + operatingSystem: Android +--- + +![Logotipo de Android](assets/img/android/android.svg){ align=right } + +El **proyecto de código abierto de Android** es un sistema operativo móvil de código abierto liderado por Google, que está detrás de la mayor parte de los dispositivos móviles del mundo. La mayor parte de los teléfono vendidos con Android son modificados para incluir integraciones y aplicaciones invasivas como los servicios de Google Play, así que puedes mejorar la privacidad de tu dispositivo móvil de manera significativa al reemplazar la instalación predeterminada de tu teléfono con una versión de Android sin esas características invasivas. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Página Principal } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentación} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Código Fuente" } + +Estos son los sistemas operativos Android, dispositivos y aplicaciones que recomendamos para maximizar la seguridad y privacidad de tu dispositivo móvil. Para obtener más información sobre Android: + +[Visión general de Android :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Por qué recomendamos GrapheneOS sobre CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Derivados de AOSP + +Recomendamos instalar uno de estos sistemas operativos Android personalizados en tu dispositivo, enumerados por orden de preferencia, en función de la compatibilidad de tu dispositivo con estos sistemas operativos. + +!!! note "Nota" + + ![Logotipo de GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![Logotipo de GrapheneOS ](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** es la mejor opción cuando se trata de privacidad y seguridad. GrapheneOS proporciona mejoras adicionales de [seguridad](https://es.wikipedia.org/wiki/Endurecimiento_(inform%C3%A1tica)) y de privacidad. + +### GrapheneOS + +!!! recommendation + + ![Logo de GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![Logo de GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** es la mejor opción cuando se trata de privacidad y seguridad. + + GrapheneOS proporciona mejoras adicionales de seguridad (https://en.wikipedia.org/wiki/Hardening_(computing)) y privacidad. Dispone de un [asignador de memoria reforzado](https://github.com/GrapheneOS/hardened_malloc), permisos de red y de sensores, y otras [características de seguridad](https://grapheneos.org/features). GrapheneOS también incluye actualizaciones completas de firmware y compilaciones firmadas, por lo que el arranque verificado es totalmente compatible. + + [:octicons-home-16: Página Principal](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://grapheneos.org/faq/){ .card-link title=Documentación} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://grapheneos.org/donate/){ .card-link title=Contribuir } + +GrapheneOS es compatible con [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), que ejecuta [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) totalmente sandboxed como cualquier otra aplicación normal. Esto significa que puede aprovechar la mayoría de los servicios de Google Play, como [notificaciones push](https://firebase.google.com/docs/cloud-messaging/), al tiempo que le da un control total sobre sus permisos y acceso, y mientras que los contiene a un [perfil de trabajo](os/android-overview.md#work-profile) o [perfil de usuario](os/android-overview.md#user-profiles) específico de su elección. + +Los teléfonos Pixel de Google son los únicos dispositivos que actualmente cumplen los [requisitos de seguridad de hardware ](https://grapheneos.org/faq#device-support)de GrapheneOS. + +### DivestOS + +!!! recommendation + + ![Logo de DivestOS](assets/img/android/divestos.svg){ align=right } + + **DivestOS** es un soft-fork de [LineageOS](https://lineageos.org/). + DivestOS hereda muchos [dispositivos soportados](https://divestos.org/index.php?page=devices&base=LineageOS) de LineageOS. Tiene compilaciones firmadas, lo que hace posible tener [arranque verificado](https://source.android.com/security/verifiedboot) en algunos dispositivos que no son Pixel. + + [:octicons-home-16: Página Principal](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribuir } + +DivestOS ha automatizado la vulnerabilidad del kernel ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [parcheando](https://gitlab.com/divested-mobile/cve_checker), menos bloques propietarios, y un archivo personalizado [hosts](https://divested.dev/index.php?page=dnsbl). Su WebView reforzado, [Mulch](https://gitlab.com/divested-mobile/mulch), permite [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) para todas las arquitecturas, [partición del estado de la red](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) y recibe actualizaciones fuera de banda. DivestOS también incluye parches de GrapheneOS para el kernel y habilita todas las características de seguridad del kernel disponibles a través de [endurecimiento defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Todos los kernels más recientes que la versión 3.4 incluyen [saneamiento](https://lwn.net/Articles/334747/) de página completa y todos los ~22 kernels compilados por Clang tienen [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) habilitado. + +DivestOS implementa algunos parches de endurecimiento del sistema desarrollados originalmente para GrapheneOS. DivestOS 16.0 y superior implementa los permisos de GrapheneOS [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) y SENSORS, [asignador de memoria endurecido](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constificación](https://en.wikipedia.org/wiki/Const_(computer_programming)), y parches de endurecimiento parcial [biónico](https://en.wikipedia.org/wiki/Bionic_(software)). A partir de la versión 17.1, GrapheneOS ofrece la opción de [MAC aleatoria por red ](https://en.wikipedia.org/wiki/MAC_address#Randomization), el control [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) y las opciones de reinicio automático/Wi-Fi/Bluetooth [timeout](https://grapheneos.org/features). + +DivestOS utiliza F-Droid como su tienda de aplicaciones por defecto. Normalmente, recomendaríamos evitar F-Droid debido a sus numerosos [problemas de seguridad](#f-droid). Sin embargo, hacerlo en DivestOS no es viable; los desarrolladores actualizan sus aplicaciones a través de sus propios repositorios F-Droid ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) y [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Recomendamos deshabilitar la aplicación oficial F-Droid y usar [Neo Store](https://github.com/NeoApplications/Neo-Store/) con los repositorios DivestOS habilitados para mantener esos componentes actualizados. Para las demás aplicaciones, se siguen aplicando nuestros métodos recomendados para obtenerlas. + +!!! warning "Advertencia" + + La actualización del firmware de DivestOS [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) y el control de calidad varían según los dispositivos que soporta. Seguimos recomendando GrapheneOS en función de la compatibilidad de tu dispositivo. Para otros dispositivos, DivestOS es una buena alternativa. + + No todos los dispositivos compatibles tienen arranque verificado y algunos lo realizan mejor que otros. + +## Dispositivos Android + +Al comprar un dispositivo, recomendamos obtener uno lo más nuevo posible. El software y el firmware de los dispositivos móviles sólo son compatibles durante un tiempo limitado, por lo que comprar nuevos alarga esa vida útil todo lo posible. + +Evita comprar teléfonos a operadores de redes móviles. Estos suelen tener un **bootloader bloqueado** y no admiten [desbloqueo OEM](https://source.android.com/devices/bootloader/locking_unlocking). Estas variantes de teléfono te impedirán instalar cualquier tipo de distribución alternativa de Android. + +Ten mucho **cuidado** con la compra de teléfonos de segunda mano de los mercados en línea. Comprueba siempre la reputación del vendedor. Si el dispositivo es robado, existe la posibilidad de que [el IMEI esté en la lista negra](https://www.gsma.com/security/resources/imei-blacklisting/). También existe el riesgo de que se te asocie con la actividad del propietario anterior. + +Algunos consejos más sobre los dispositivos Android y la compatibilidad del sistema operativo: + +- No compres dispositivos que hayan alcanzado o estén cerca del final de su vida útil, las actualizaciones adicionales del firmware deben ser proporcionadas por el fabricante. +- No compres teléfonos LineageOS, OS precargados o cualquier teléfono Android sin el soporte adecuado, [Arranque verificado](https://source.android.com/security/verifiedboot) y actualizaciones de firmware. Tampoco tienes forma de comprobar si estos dispositivos han sido manipulados. +- En resumen, si un dispositivo o una distribución de Android no aparece aquí, probablemente haya una buena razón. Consulta nuestro [foro](https://discuss.privacyguides.net/) para obtener más información. + +### Google Pixel + +Los teléfonos Google Pixel son los **únicos **dispositivos que recomendamos comprar. Los teléfonos Pixel tienen una seguridad de hardware más fuerte que cualquier otro dispositivo Android actualmente en el mercado, debido al soporte AVB adecuado para sistemas operativos de terceros y los chips de seguridad [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) personalizados de Google que actúan como elemento seguro. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Se sabe que los dispositivos Google Pixel** tienen una buena seguridad y admiten correctamente [Verified Boot](https://source.android.com/security/verifiedboot), incluso al instalar sistemas operativos personalizados. + + A partir de los **Pixel 6** y **6 Pro**, los dispositivos Pixel reciben un mínimo de 5 años de actualizaciones de seguridad garantizadas, lo que asegura una vida útil mucho más larga en comparación con los 2-4 años que suelen ofrecer los OEM de la competencia. + + [:material-shopping: Tienda](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Los elementos seguros como el Titan M2 son más limitados que el entorno de ejecución confiable del procesador utilizado por la mayoría de los otros teléfonos, ya que solo se utilizan para el almacenamiento secreto, la certificación de hardware y la limitación de velocidad, no para ejecutar programas "confiables". Los teléfonos sin un Elemento Seguro tienen que utilizar el TEE para *todas* esas funciones, lo que resulta en una mayor superficie de ataque. + +Los teléfonos Google Pixel utilizan un SO TEE llamado Trusty que es [de código abierto](https://source.android.com/security/trusty#whyTrusty), a diferencia de muchos otros teléfonos. + +La instalación de GrapheneOS en un teléfono Pixel es fácil con su [instalador web](https://grapheneos.org/install/web). Si no te sientes cómodo haciéndolo tu mismo y estás dispuesto a gastar un poco más de dinero, échale un vistazo a [NitroPhone](https://shop.nitrokey.com/shop), ya que vienen con GrapheneOS, de la reputada empresa [Nitrokey](https://www.nitrokey.com/about). + +Algunos consejos más para comprar un Google Pixel: + +- Si buscas una ganga en un dispositivo Pixel, te sugerimos comprar un modelo "**a**", justo después del lanzamiento del modelo más nuevo. Los descuentos suelen estar disponibles porque Google intentará liquidar sus existencias. +- Considera la posibilidad de batir los precios y las ofertas especiales de las tiendas físicas. +- Busca en los sitios de ofertas de la comunidad en línea de tu país. Estos pueden alertarle de buenas ventas. +- Google proporciona una lista que muestra el [ciclo de soporte](https://support.google.com/nexus/answer/4457705) para cada uno de sus dispositivos. El precio por día de un dispositivo puede calcularse como: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, lo que significa que cuanto mayor sea el uso del dispositivo, menor será el coste por día. + +## Aplicaciones generales + +En este sitio recomendamos una amplia variedad de aplicaciones para Android. Las aplicaciones enumeradas aquí son exclusivas de Android y mejoran o sustituyen específicamente funciones clave del sistema. + +### Shelter + +!!! recommendation + + ![Logotipo de Shelter](assets/img/android/shelter.svg){ align=right } + + **Shelter** es una aplicación que te ayuda a aprovechar la funcionalidad perfil de trabajo de Android para aislar o duplicar aplicaciones en tu dispositivo. + + Shelter permite bloquear la búsqueda de contactos entre perfiles y compartir archivos entre perfiles a través del gestor de archivos predeterminado ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repositorio](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning "Advertencia" + + Se recomienda Shelter en lugar de [Insular](https://secure-system.gitlab.io/Insular/) e [Island](https://github.com/oasisfeng/island), ya que admite [bloqueo de búsqueda de contactos](https://secure-system.gitlab.io/Insular/faq.html). + + Al usar Shelter, está depositando toda su confianza en su desarrollador, ya que Shelter actúa como [Administrador de dispositivos](https://developer.android.com/guide/topics/admin/device-admin) para crear el perfil de trabajo, y tiene un amplio acceso a los datos almacenados en él. + +### Auditor + +!!! recommendation + + ![Logo Auditor](assets/img/android/auditor.svg#only-light){ align=right } + ![Logo Auditor ](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** es una aplicación que aprovecha las funciones de seguridad del hardware para supervisar la integridad de los dispositivos [compatibles](https://attestation.app/about#device-support). Actualmente, sólo funciona con GrapheneOS y con el sistema operativo original del dispositivo. + + [:octicons-home-16: Página Principal](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentación} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor realiza atestación y detección de intrusos por: + +- Utilizando un modelo [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) entre un *auditor* y un * auditado *, la pareja establece una clave privada en el [almacén de claves respaldado por hardware ](https://source.android.com/security/keystore/) del *auditor*. +- El *auditor* puede ser otra instancia de la aplicación Auditor o el [Servicio de atestación remota](https://attestation.app). +- El *auditor* registra el estado actual y la configuración del *auditado*. +- En caso de que se produzca una manipulación del sistema operativo del *auditado* una vez finalizado el emparejamiento, el auditor será consciente del cambio en el estado y las configuraciones del dispositivo. +- Se te avisará del cambio. + +No se envía información personal identificable al servicio de certificación. Recomendamos que te registres con una cuenta anónima y actives la atestación remota para una supervisión continua. + +Si tu [modelo de amenaza](basics/threat-modeling.md) requiere privacidad, podrías considerar el uso de [Orbot](tor.md#orbot) o una VPN para ocultar tu dirección IP del servicio de atestación. Para asegurarte de que el hardware y el sistema operativo son auténticos, [realiza una atestación local](https://grapheneos.org/install/web#verifying-installation) inmediatamente después de instalar el dispositivo y antes de cualquier conexión a Internet. + +### Cámara de Seguridad + +!!! recommendation + + ![Logo de Secure Camera](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Logo de Secure camera](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** es una aplicación de cámara centrada en la privacidad y la seguridad que puede capturar imágenes, vídeos y códigos QR. Las extensiones de proveedor de CameraX (Retrato, HDR, Visión nocturna, Retoque facial y Auto) también son compatibles con los dispositivos disponibles. + + [:octicons-repo-16: Repositorio](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Las principales características de privacidad incluyen: + +- Eliminación automática de los metadatos [Exif](https://en.wikipedia.org/wiki/Exif) (activada por defecto) +- Uso de la nueva API [Media](https://developer.android.com/training/data-storage/shared/media), por lo que no se requieren [permisos de almacenamiento ](https://developer.android.com/training/data-storage) +- No se requiere permiso de micrófono a menos que desees grabar sonido + +!!! note "Nota" + + Actualmente no se eliminan los metadatos de los archivos de vídeo, pero está previsto hacerlo. + + Los metadatos de orientación de la imagen no se borran. Si habilitas la ubicación (en la cámara segura), * * tampoco se eliminará * *. Si quieres borrarlo más tarde tendrás que utilizar una aplicación externa como [ExifEraser](data-redaction.md#exiferaser). + +### Visor seguro de PDF + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** es un visor de PDF basado en [pdf.js](https://en.wikipedia.org/wiki/PDF.js) que no requiere permisos. El PDF se introduce en un [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(desarrollo_software)) [webview](https://developer.android.com/guide/webapps/webview). Esto significa que no necesita permiso para acceder directamente a contenidos o archivos. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) se utiliza para garantizar que las propiedades de JavaScript y de estilo dentro de WebView sean enteramente de contenido estático. + + [:octicons-repo-16: Repositorio](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obteniendo Aplicaciones + +### Tienda de aplicaciones GrapheneOS + +La tienda de aplicaciones de GrapheneOS está disponible en [GitHub](https://github.com/GrapheneOS/Apps/releases). Soporta Android 12 o superior y es capaz de actualizarse a sí mismo. La tienda de aplicaciones cuenta con aplicaciones independientes creadas por el proyecto GrapheneOS, como [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera)y [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). Si estás buscando estas aplicaciones, te recomendamos que las obtengas desde la tienda de aplicaciones de GrapheneOS en lugar de la Play Store, ya que las aplicaciones en su tienda están firmadas por la propia firma del proyecto de GrapheneOS a la que Google no tiene acceso. + +### Aurora Store + +La tienda de Google Play requiere una cuenta de Google para iniciar sesión, lo que no es ideal para la privacidad. Eso se puede evitar utilizando un cliente alternativo, como Aurora Store. + +!!! recommendation + + ![Logo Aurora Store](assets/img/android/aurora-store. ebp){ align=right } + + **Aurora Store** es un cliente de Google Play Store que no requiere de una cuenta de Google, Servicios Google Play, o microG para descargar aplicaciones. + + [:octicons-home-16: Página del proyecto](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store no te permite descargar aplicaciones de pago con su función de cuenta anónima. Opcionalmente, puedes iniciar sesión con tu cuenta de Google en Aurora Store para descargar aplicaciones que hayas comprado, lo cuál da acceso a Google a la lista de aplicaciones que instales, sin embargo, todavía mantienes el beneficio de que no sea requerido el cliente completo de Google Play y de los Servicios de Google Play o microG en el dispositivo. + +### Manualmente con notificaciones RSS + +Para aplicaciones lanzadas en plataformas como GitHub y GitLab, es posible que puedas añadir un feed RSS a tu [agregador de noticias](/news-aggregators) que te ayudará a llevar un seguimiento de novedades. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![Cambios en APKs](./assets/img/android/rss-changes-light.png#only-light) ![Cambios en APKs](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +En GitHub, utilizando [Secure Camera](#secure-camera) como ejemplo navegarías a su [página de lanzamientos](https://github.com/GrapheneOS/Camera/releases) y añadirías `.atom` a la URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +En GitLab, utilizando [Aurora Store](#aurora-store) como ejemplo, irías a su [repositorio de proyecto](https://gitlab.com/AuroraOSS/AuroraStore) y añadirías `/-/tags?format=atom` a la URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Comprobando Firmas de las APK + +Si descargas archivos APK para instalar manualmente, puedes verificar su firma con la herramienta [`apksigner`](https://developer.android.com/studio/command-line/apksigner), que es parte de Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Instala [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Descarga las [herramientas de línea de comandos de Android Studio](https://developer.android.com/studio#command-tools). + +3. Extrae el archivo descargado: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Ejecuta el comando de verificación de firmas: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. Los hashes resultantes pueden compararse con otra fuente. Algunos desarrolladores como Signal [muestran las firmas](https://signal.org/android/apk/) en su sitio web. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![Logotipo de F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +==Nosotros **no** recomendamos F-Droid como forma de obtener aplicaciones.== F-Droid se recomienda a menudo como una alternativa a Google Play, particularmente en la comunidad de privacidad. La opción de añadir repositorios de terceros y no limitarse al jardín amurallado de Google ha dado lugar a su popularidad. Además, F-Droid tiene [compilaciones reproducibles](https://f-droid.org/en/docs/Reproducible_Builds/) para algunas aplicaciones y está dedicado a software libre y de código abierto. Sin embargo, hay [notables problemas](https://privsec.dev/posts/android/f-droid-security-issues/) con el cliente oficial de F-Droid, su control de calidad y cómo construyen, firman y entregan paquetes. + +Debido a su proceso de compilación de aplicaciones, las aplicaciones en el repositorio oficial de F-Droid suelen quedarse atrás en las actualizaciones. Los mantenedores de F-Droid también reutilizan IDs de paquetes mientras firman aplicaciones con sus propias claves, lo que no es ideal ya que le da al equipo F-Droid la máxima confianza. + +Otros repositorios populares de terceros, como [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alivian algunas de estas preocupaciones. El repositorio de IzzyOnDroid se construye directamente desde GitHub y es lo mejor para los repositorios propios de los desarrolladores. Sin embargo, no es algo que podamos recomendar, ya que las aplicaciones suelen ser [eliminadas](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) de ese repositorio cuando llegan al repositorio principal de F-Droid. Si bien esto tiene sentido (ya que el objetivo de ese repositorio en particular es alojar aplicaciones antes de que sean aceptadas en el repositorio principal de F-Droid), puede dejarte con aplicaciones instaladas que ya no reciben actualizaciones. + +Dicho esto, los repositorios [F-Droid](https://f-droid.org/en/packages/) y [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) albergan innumerables aplicaciones, por lo que pueden ser una herramienta útil para buscar y descubrir aplicaciones de código abierto que luego puedes descargar a través de Play Store, Aurora Store, o consiguiendo el APK directamente del desarrollador. Es importante tener en cuenta que algunas aplicaciones de estos repositorios no se han actualizado en años y pueden depender de bibliotecas no compatibles, entre otras cosas, lo que supone un riesgo potencial para la seguridad. Deberías utilizar tu mejor criterio cuando busques nuevas aplicaciones mediante este método. + +!!! note "Nota" + + En algunos raros casos, el desarrollador de una aplicación sólo la distribuirá a través de F-Droid ([Gadgetbridge](https://gadgetbridge.org/) es un ejemplo de ello). Si realmente necesitas una aplicación como esa, te recomendamos que utilices [Neo Store](https://github.com/NeoApplications/Neo-Store/) en lugar de la aplicación oficial F-Droid para obtenerla. + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +!!! example "Esta sección es nueva" + + Estamos trabajando para establecer criterios definidos para cada sección de nuestro sitio, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Sistema Operativo + +- Debe ser software de código abierto. +- Debe soportar el bloqueo del cargador de arranque con soporte de clave AVB personalizada. +- Debe recibir las principales actualizaciones de Android dentro de 0-1 meses desde su lanzamiento. +- Debe recibir actualizaciones de las funciones de Android (versión menor) en un plazo de 0 a 14 días desde su lanzamiento. +- Debe recibir parches de seguridad periódicos en un plazo de 0 a 5 días desde su publicación. +- **No **debe estar "rooteado" de serie. +- **No** debe tener habilitados los servicios de Google Play por defecto. +- **No** debe requerir modificación del sistema para soportar Google Play Services. + +### Dispositivos + +- Debe ser compatible con al menos uno de nuestros sistemas operativos personalizados recomendados. +- Debe venderse actualmente nuevo en las tiendas. +- Debe recibir un mínimo de 5 años de actualizaciones de seguridad. +- Debe tener un hardware de elementos seguros dedicado. + +### Aplicaciones + +- Las aplicaciones en esta página no deben ser aplicables a ninguna otra categoría de software en el sitio. +- Las aplicaciones generales deben ampliar o sustituir las funciones básicas del sistema. +- Las aplicaciones deben recibir actualizaciones y mantenimiento periódicos. diff --git a/i18n/es/assets/img/account-deletion/exposed_passwords.png b/i18n/es/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/es/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/es/assets/img/android/rss-apk-dark.png b/i18n/es/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/es/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/es/assets/img/android/rss-apk-light.png b/i18n/es/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/es/assets/img/android/rss-apk-light.png differ diff --git a/i18n/es/assets/img/android/rss-changes-dark.png b/i18n/es/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/es/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/es/assets/img/android/rss-changes-light.png b/i18n/es/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/es/assets/img/android/rss-changes-light.png differ diff --git a/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..a66f53a9 --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Su + + Dispositivo + + + + Enviando datos a un sitio web + + + + + Recibiendo datos de un sitio web + + + + + Su + + Dispositivo + + + + Entrada + + + + + Medio + + + + + Salida + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrada + + + + + Medio + + + + + Salida + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-encryption.svg b/i18n/es/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..e36efa8a --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Su + + Dispositivo + + + + Enviando datos a un sitio web + + + + + Recibiendo datos de un sitio web + + + + + Su + + Dispositivo + + + + Entrada + + + + + Medio + + + + + Salida + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrada + + + + + Medio + + + + + Salida + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-path-dark.svg b/i18n/es/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..81f5ae3c --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Tu + Dispositivo + + + + Entrada + + + + + Medio + + + + + Salida + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/es/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..3787b56f --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Su + + + Dispositivo + + + + + + Guardia + + + Repetidor + + + Repetidor + + + + + oculto...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Encuentro + + + Repetidor + + + + + Entrada + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/es/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..ccf4609e --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Su + + + Dispositivo + + + + + + Guardia + + + Repetidor + + + Repetidor + + + + + oculto...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Encuentro + + + Repetidor + + + + + Entrada + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/how-tor-works/tor-path.svg b/i18n/es/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..d340730d --- /dev/null +++ b/i18n/es/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Tu + Dispositivo + + + + Entrada + + + + + Medio + + + + + Salida + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/es/assets/img/multi-factor-authentication/fido.png b/i18n/es/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..d4b678fd Binary files /dev/null and b/i18n/es/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..2dc08ae9 Binary files /dev/null and b/i18n/es/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/es/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/es/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/es/basics/account-creation.md b/i18n/es/basics/account-creation.md new file mode 100644 index 00000000..5b03cf8c --- /dev/null +++ b/i18n/es/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Creación de cuenta" +icon: 'material/account-plus' +description: Crear cuentas en línea es prácticamente una necesidad en Internet, sigue estos pasos para asegurarte de mantener tu privacidad. +--- + +A menudo la gente se inscribe en servicios sin pensar. Tal vez sea un servicio de streaming para que puedas ver ese nuevo show del que todo el mundo habla, o una cuenta que te da un descuento para tu lugar de comida rápida favorito. Sea cual sea el caso, debes tener en cuenta las implicaciones que tednrá para tus datos ahora y más adelante. + +Hay riesgos asociados con cada nuevo servicio que utilices. Las filtraciones de datos, la revelación de información de clientes a terceros o el acceso a datos por parte de empleados deshonestos son posibilidades que deben tenerse en cuenta a la hora de facilitar tu información. Tienes que estar seguro de que puedes confiar en el servicio, por eso no recomendamos almacenar datos valiosos en nada, excepto en los productos más maduros y que han sido puestos profundamente a prueba. Por lo general, se trata de servicios que ofrecen E2EE y han sido sometidos a una auditoría criptográfica. Una auditoría aumenta las garantías de que el producto se diseñó sin problemas de seguridad notorios causados por un desarrollador inexperto. + +También puede ser difícil eliminar las cuentas en algunos servicios. En ocasiones, [sobrescribir los datos](account-deletion.md#overwriting-account-information) asociados a una cuenta puede ser posible, pero en otros casos el servicio guardará un historial completo de los cambios realizados en la cuenta. + +## Términos del servicio y Política de privacidad + +Los ToS (Términos del Servicio) son las normas que usted se compromete a respetar al utilizar el servicio. En los servicios más grandes, estas normas suelen aplicarse mediante sistemas automatizados. A veces, estos sistemas automatizados pueden cometer errores. Por ejemplo, pueden expulsarte o bloquearte la cuenta en algunos servicios por utilizar una VPN o un número VOIP. Recurrir estos bloqueos suele ser difícil, y además implica un proceso automatizado que no siempre funciona bien. Esta es una de las razones por las que no sugerimos utilizar Gmail para el correo electrónico, por ejemplo. El correo electrónico es crucial para acceder a otros servicios a los que estés inscrito. + +La Política de Privacidad es la forma en que el servicio dice que utilizará tus datos y vale la pena leerla para que entiendas cómo se utilizarán tus datos. Una empresa u organización puede no estar legalmente obligada a seguir todo lo que contiene la política (depende de la jurisdicción). Te recomendamos que tengas una idea de cuál es tu legislación local y qué le permite recopilar a un proveedor. + +Te recomendamos que busques términos concretos como "recopilación de datos", "análisis de datos", "cookies", "anuncios" o servicios de "terceros". A veces podrás optar por no participar en la recopilación de datos o no compartirlos, pero lo mejor es elegir un servicio que respete tu privacidad desde el principio. + +Ten en cuenta que también estás depositando tu confianza en la empresa u organización y en que cumplirán su propia política de privacidad. + +## Métodos de autenticación + +Usualmente hay varias maneras para registrarse, cada una tiene sus propias ventajas y desventajas. + +### Correo electrónico y contraseña + +La manera más común de crear una nueva cuenta es utilizando una dirección de correo electrónico y una contraseña. Cuando se utiliza este método, se debe utilizar un gestor de contraseñas y seguir las [mejores prácticas](passwords-overview.md) respecto a las contraseñas. + +!!! tip "Consejo" + + ¡También se puede usar un gestor de contraseñas para organizar otros métodos de autenticación! Solo añade la nueva entrada y completa los espacios apropiados, puedes agregar notas para cosas como las preguntas de seguridad o una clave de respaldo. + +Usted es responsable de gestionar sus credenciales de ingreso. Para mayor seguridad, se puede configurar la [autenticación multifactor](multi-factor-authentication.md) en las cuentas. + +[Gestores de contraseñas recomendados](../passwords.md ""){.md-button} + +#### Alias de correo electrónico + +Si no se quiere utilizar una dirección real de correo electrónico en un servicio, se cuenta con la opción de utilizar un alias. Estos los describimos con mayores detalles en nuestra página con recomendaciones de servicios de correo electrónico. Básicamente, los servicios de alias permiten generar nuevas direcciones de correo que reenvían todos los correos a la dirección principal. Esto puede ayudar a prevenir el rastreo a través de múltiples servicios y ayudar a gestionar los correos de mercadeo que algunas veces vienen con el proceso de registro. Estos pueden ser filtrados automáticamente basándose en el alias al que son enviados. + +Si un servicio es hackeado, puede que usted comience a recibir correos engañosos o basura en la dirección que utilizó para registrarse. Al utilizar un único alias para cada servicio, se puede identificar cual servicio fue hackeado. + +[Servicios recomendados de alias de correo electrónico](../email.md#email-aliasing-services ""){.md-button} + +### Inicio de sesión único + +!!! note "Nota" + + Estamos hablando del inicio de sesión único para uso personal, no para usuarios empresariales. + +El inicio de sesión único (SSO) es un método de autenticación que permite registrarse en un servicio sin compartir mucha información, si es que se comparte alguna. Siempre que veas algo parecido a "Inicie sesión con *nombre del proveedor*" en un formulario de registro, se trata de SSO. + +Cuando elijas el inicio de sesión único en un sitio web, te mostrará la página de inicio de sesión de tu proveedor de SSO y, a continuación, se conectará tu cuenta. No se compartirá tu contraseña, pero sí algunos datos básicos (puedes revisarlos durante la solicitud de inicio de sesión). Este proceso es necesario cada vez que quieres iniciar sesión en la misma cuenta. + +Las principales ventajas son: + +- **Seguridad**: no hay riesgo de verse implicado en una [violación de datos ](https://en.wikipedia.org/wiki/Data_breach) porque el sitio web no almacena tus credenciales. +- **Facilidad de uso**: varias cuentas se gestionan con un solo inicio de sesión. + +Pero hay desventajas: + +- **Privacidad**: un proveedor de SSO conocerá los servicios que utilizas. +- **Centralización**: si tu cuenta SSO se ve comprometida o no puedes iniciar sesión en ella, todas las demás cuentas conectadas a ella se verán afectadas. + +SSO puede ser especialmente útil en aquellas situaciones en las que podrías beneficiarte de una integración más profunda entre servicios. Por ejemplo, uno de esos servicios puede ofrecer SSO para los demás. Nuestra recomendación es limitar el SSO sólo donde lo necesites y proteger la cuenta principal con [MFA](multi-factor-authentication.md). + +Todos los servicios que utilicen SSO serán tan seguros como tu cuenta SSO. Por ejemplo, si deseas proteger una cuenta con una clave de hardware, pero ese servicio no admite claves de hardware, puedes proteger tu cuenta SSO con una clave de hardware y ahora tendrás esencialmente MFA por hardware en todas tus cuentas. Vale la pena señalar, sin embargo, que una autenticación débil en tu cuenta SSO significa que cualquier cuenta vinculada a ese inicio de sesión también será débil. + +### Número de teléfono + +Recomendamos evitar los servicios que exigen un número de teléfono para darse de alta. Un número de teléfono puede identificarte en múltiples servicios y, dependiendo de los acuerdos de intercambio de datos, esto hará que su uso sea más fácil de rastrear, sobre todo si uno de esos servicios es violado, ya que el número de teléfono **no** suele estar encriptado. + +Si puedes, evita dar tu número de teléfono real. Algunos servicios permiten el uso de números VOIP, pero a menudo activan los sistemas de detección de fraude y provocan el bloqueo de la cuenta, por lo que no lo recomendamos para cuentas importantes. + +En muchos casos, tendrás que facilitar un número desde el que puedas recibir SMS o llamadas, sobre todo cuando hagas compras internacionales, por si hay algún problema con tu pedido en el control fronterizo. Es habitual que los servicios utilicen tu número como método de verificación; ¡no dejes que te bloqueen una cuenta importante por haber querido pasarte de listo y dar un número falso! + +### Nombre de usuario y contraseña + +Algunos servicios permiten registrarse sin utilizar una dirección de correo electrónico y sólo exigen que establezcas un nombre de usuario y una contraseña. Estos servicios pueden proporcionar un mayor anonimato cuando se combinan con una VPN o Tor. Ten en cuenta que para estas cuentas lo más probable es que no haya **ninguna forma de recuperar tu cuenta** en caso de que olvides tu nombre de usuario o contraseña. diff --git a/i18n/es/basics/account-deletion.md b/i18n/es/basics/account-deletion.md new file mode 100644 index 00000000..07b81f46 --- /dev/null +++ b/i18n/es/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Eliminación de Cuenta" +icon: 'material/account-remove' +description: Es fácil acumular un gran número de cuentas de Internet, aquí tienes algunos consejos sobre cómo reducir tu colección. +--- + +Con el tiempo, puede ser fácil acumular varias cuentas en línea, muchas de las cuales puede que ya no utilices. Eliminar estas cuentas que no utilizas es un paso importante para recuperar tu privacidad, ya que las cuentas inactivas son vulnerables a las filtraciones de datos. Una filtración de datos se da cuando la seguridad de un servicio se ve comprometida y la información protegida es vista, transmitida o robada por actores no autorizados. Desafortunadamente, las filtraciones de datos son [demasiado comunes](https://haveibeenpwned.com/PwnedWebsites) en estos días, por lo que practicar una buena higiene digital es la mejor manera de minimizar el impacto que tienen en tu vida. El objetivo de esta guía es ayudarte a atravesar el fastidioso proceso de eliminación de cuentas para mejorar tu presencia en línea, lo que es a menudo dificultado por [un diseño engañoso](https://www.deceptive.design/). + +## Buscar cuentas antiguas + +### Administrador de contraseñas + +Si tienes un gestor de contraseñas que has utilizado durante toda tu vida digital, esta parte será muy fácil. A menudo, incluyen funcionalidad integrada para detectar si tus credenciales fueron expuestas en una filtración de datos, como el [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) (Reporte de filtración de datos) de Bitwarden. + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Incluso si no has usado explícitamente un gestor de contraseñas antes, es probable que hayas usado el de tu navegador o el de tu teléfono sin darte cuenta. Por ejemplo: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) y [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Los sistemas operativos también suelen tener un gestor de contraseñas que puede ayudarte a recuperar contraseñas que has olvidado: + +- Windows [Administrador de credenciales](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Contraseñas](https://support.apple.com/en-us/HT211145) +- iOS [Contraseñas](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, los cuales se pueden acceder a través de [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) o [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Correo Electrónico + +Si no utilizaste un gestor de contraseñas en el pasado o crees que tienes cuentas que nunca se añadieron a tu gestor de contraseñas, otra opción es buscar en la(s) cuenta(s) de correo electrónico en las que crees que te has registrado. En tu cliente de correo electrónico, busca palabras clave como "verificar" o "bienvenida" Casi siempre que se crea una cuenta en línea, el servicio envía un enlace de verificación o un mensaje introductorio a tu correo electrónico. Esta puede ser una buena manera de encontrar cuentas antiguas y olvidadas. + +## Eliminando Cuentas Antiguas + +### Inicio de Sesión + +Para eliminar tus cuentas antiguas, primero tendrás que asegurarte de que puedes accederlas. De nuevo, si la cuenta estaba en tu gestor de contraseñas, este paso es fácil. Si no, puedes intentar adivinando tu contraseña. Si no es así, suele haber opciones para recuperar el acceso a tu cuenta, normalmente disponibles a través de un enlace "olvido de contraseña" en la página de inicio de sesión. También es posible que las cuentas que has abandonado ya hayan sido eliminadas—a veces los servicios eliminan todas las cuentas antiguas. + +Cuando intentes recuperar el acceso, si el sitio devuelve un mensaje de error diciendo que el correo electrónico no está asociado a una cuenta, o nunca recibe un enlace de restablecimiento después de múltiples intentos, entonces no tienes una cuenta con esa dirección de correo electrónico y debes probar con otra. Si no puedes averiguar cuál dirección de correo electrónico usaste, o ya no tienes acceso a ese correo, puedes intentar contactando el servicio de atención al cliente del servicio. Desafortunadamente, no hay garantía de que puedas recuperar el acceso a tu cuenta. + +### GDPR (solamente residentes del EEE) + +Los residentes del EEE tienen derechos adicionales en relación con la supresión de datos especificados en [el artículo 17](https://www.gdpr.org/regulation/article-17.html) del GDPR. Si es aplicable para ti, lee la política de privacidad del servicio para encontrar información sobre cómo ejercer tu derecho de eliminación. Leer la política de privacidad puede ser importante, ya que algunos servicios tienen una opción de "Borrar Cuenta" que solamente desactiva tu cuenta y para la eliminación real tienes que tomar acción adicional. A veces, la eliminación real puede implicar llenar formularios, enviar un correo electrónico al responsable de la protección de datos del servicio, o incluso demostrar tu residencia en el EEE. Si planeas seguir este camino, **no** sobrescribas la información de tu cuenta; es posible que se requiera tu identidad como residente del EEE. Ten en cuenta que la ubicación del servicio no importa; el GDPR se aplica a cualquiera que preste servicios a usuarios europeos. Si el servicio no respeta tu derecho de supresión de datos, puedes ponerte en contacto con tu [Autoridad de Protección de Datos](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_es) y puedes tener derecho a una compensación monetaria. + +### Sobrescribir la información de la cuenta + +En algunas situaciones en la que planeas abandonar una cuenta, puede tener sentido sobrescribir la información de la cuenta con datos falsos. Una vez que te hayas asegurado de que puedes iniciar sesión, cambia toda la información de tu cuenta por información falsificada. El motivo es que muchos sitios conservan la información que tenías anteriormente incluso después de la eliminación de la cuenta. Lo que se desea es que sobrescriban la información anterior con los datos más recientes que hayas ingresado. Sin embargo, no hay garantía de que no haya copias de seguridad con la información anterior. + +Para el correo electrónico de la cuenta, crea una nueva cuenta de correo electrónico alternativa a través de tu proveedor de elección o crea un alias utilizando un [servicio de alias de correo electrónico](/email/#email-aliasing-services). Una vez que hayas terminado, podrás eliminar tu dirección de correo electrónico alternativa. No recomendamos utilizar proveedores de correo electrónico temporales, ya que a menudo es posible reactivar correos electrónicos temporales. + +### Eliminar + +Puedes consultar en [JustDeleteMe](https://justdeleteme.xyz) las instrucciones para eliminar la cuenta de un servicio específico. Algunos sitios tendrán amablemente una opción de "Borrar Cuenta", mientras que otros llegarán hasta obligarte a hablar con un agente de soporte. El proceso de eliminación puede variar de un sitio a otro, siendo imposible la eliminación de la cuenta en algunos. + +Para los servicios que no permiten la eliminación de cuentas, lo mejor que puedes hacer es falsificar toda tu información como se mencionó anteriormente y fortalecer la seguridad de la cuenta. Para ello, habilita [MFA](basics/multi-factor-authentication) y cualquier característica de seguridad adicional ofrecida. Además, cambia la contraseña a una generada aleatoriamente que sea el tamaño máximo permitido (un [administrador de contraseñas](/passwords/#local-password-managers) puede ser útil para esto). + +Si tienes la certeza de que se ha eliminado toda la información que te importa, puedes olvidarte con seguridad de esta cuenta. Si no es así, puede ser una buena idea mantener las credenciales almacenadas con tus otras contraseñas y de vez en cuando volver a iniciar sesión para restablecer la contraseña. + +Aunque puedas eliminar una cuenta, no hay garantía de que toda tu información sea eliminada. De hecho, algunas empresas están obligadas por ley a conservar cierta información, particularmente cuando está relacionada con transacciones financieras. La mayoría de las veces, lo que ocurre con tus datos está fuera de tu control cuando se trata de sitios web y servicios en la nube. + +## Evita Cuentas Nuevas + +Como dice el refrán, "una onza de prevención vale más que una libra de cura." Cuando te sientas tentado a crear una nueva cuenta, pregúntate "¿realmente lo necesito? ¿Puedo lograr lo que necesito sin una cuenta?" A menudo puede ser mucho más difícil eliminar una cuenta que crearla. E incluso después de borrar o cambiar la información de tu cuenta, puede haber una versión en caché de un tercero, como en el [Internet Archive](https://archive.org/). Evita la tentación cuando puedas, ¡tu futuro yo te lo agradecerá! diff --git a/i18n/es/basics/common-misconceptions.md b/i18n/es/basics/common-misconceptions.md new file mode 100644 index 00000000..3d7e03f9 --- /dev/null +++ b/i18n/es/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Conceptos Erróneos Comunes" +icon: 'material/robot-confused' +description: La privacidad no es un tema sencillo, y es fácil dejarse llevar por afirmaciones de marketing y otras desinformaciones. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: '¿Es el software de código abierto intrínsecamente seguro?' + acceptedAnswer: + "@type": Answer + text: | + El hecho de que el código fuente esté disponible y la forma en que se licencia el software no afecta intrínsecamente a su seguridad en modo alguno. El software de código abierto tiene el potencial de ser más seguro que el software propietario, pero no hay absolutamente ninguna garantía de que así sea. Cuando evalúes software, debes fijarte en la reputación y seguridad de cada herramienta de forma individual. + - + "@type": Question + name: '¿Puede aumentar la privacidad cambiar la confianza a otro proveedor?' + acceptedAnswer: + "@type": Answer + text: | + Hablamos mucho de "transferir la confianza" cuando hablamos de soluciones como las VPNs (las cuales transfieren la confianza que depositas en tu ISP al proveedor de VPN). Aunque esto protege tus datos de navegación de tu proveedor de internet específicamente, el proveedor de VPN que elijas sigue teniendo acceso a tus datos de navegación: Tus datos no están completamente protegidos de todas las partes. + - + "@type": Question + name: '¿Son las soluciones centradas en la privacidad intrínsecamente fiables?' + acceptedAnswer: + "@type": Answer + text: | + Enfocándote exclusivamente en las políticas de privacidad y en el mercadeo de una herramienta o proveedor puede impedirte a ver sus debilidades. Cuando estés buscando una solución más privada, deberías determinar cuál es el problema subyacente y encontrar soluciones técnicas a ese problema. Por ejemplo, es posible que quieras evitar Google Drive, ya que da acceso a Google a todos tus datos. El problema subyacente en este caso es la falta de E2EE, por lo que deberías asegurarte de que el proveedor al que te cambias realmente implementa E2EE, o utiliza una herramienta (como Cryptomator) que proporciona E2EE a cualquier proveedor de servicios en la nube. Cambiar a un proveedor "centrado en la privacidad" (que no implementa E2EE) no resuelve tu problema: esto solo cambia la confianza de Google a ese proveedor. + - + "@type": Question + name: '¿Qué grado de complejidad debe tener mi modelo de amenazas?' + acceptedAnswer: + "@type": Answer + text: | + A menudo vemos a gente que describe modelos de amenaza a la privacidad que son excesivamente complejos. A menudo, estas soluciones incluyen problemas como muchas cuentas de correo electrónico diferentes o configuraciones complicadas con muchas partes móviles y condiciones. Las respuestas suelen responder a "¿Cuál es la mejor manera de hacer X?" + Encontrar la "mejor" solución para uno mismo no significa necesariamente que se busque una solución infalible con docenas de condiciones: suele ser difícil trabajar con estas soluciones de forma realista. Como hemos comentado anteriormente, la seguridad a menudo viene a expensas de la comodidad. +--- + +## "El software de código abierto es siempre seguro" o "El software propietario es más seguro" + +Estos mitos provienen de varios prejuicios, pero el hecho de que el código fuente esté disponible y la forma en que se licencie el software no afecta intrínsecamente a su seguridad de ninguna manera. ==El software de código abierto tiene el *potencial* de ser más seguro que el software propietario, pero no hay ninguna garantía de que sea así.== Cuando evalúes el software, debes examinar la reputación y la seguridad de cada herramienta de forma individual. + +El software de código abierto *puede* ser auditado por terceros, y a menudo es más transparente sobre las vulnerabilidades potenciales que sus contrapartes propietarias. También te permite revisar el código y desactivar cualquier funcionalidad sospechosa que encuentres. Sin embargo, *a menos que lo hagas*, no hay garantía de que el código haya sido evaluado alguna vez, especialmente en los proyectos de software más pequeños. El proceso de desarrollo abierto también ha sido explotado en ocasiones para introducir nuevas vulnerabilidades incluso en proyectos aún más grandes.[^1] + +Por otro lado, el software propietario es menos transparente, pero eso no implica que no sea seguro. Los grandes proyectos de software propietario pueden ser auditados internamente y por agencias de terceros, y los investigadores de seguridad independientes pueden seguir encontrando vulnerabilidades con técnicas como la ingeniería inversa. + +Para evitar decisiones sesgadas, es *vital* que evalúes los estándares de privacidad y seguridad del software que utilizas. + +## "Transferir la confianza puede aumentar la privacidad" + +Hablamos mucho de "transferir la confianza" cuando hablamos de soluciones como las VPNs (las cuales transfieren la confianza que depositas en tu ISP al proveedor de VPN). Aunque esto protege tus datos de navegación de tu proveedor de internet *específicamente*, el proveedor de VPN que elijas sigue teniendo acceso a tus datos de navegación: Tus datos no están completamente protegidos de todas las partes. Esto significa que: + +1. Hay que ser prudente a la hora de elegir un proveedor al que confiar. +2. Aun así, deberías utilizar otras técnicas, como E2EE, para proteger tus datos por completo. Simplemente desconfiar de un proveedor para confiar en otro no es proteger tus datos. + +## "Las soluciones centradas en la privacidad son inherentemente fiables" + +Enfocándote exclusivamente en las políticas de privacidad y en el mercadeo de una herramienta o proveedor puede impedirte a ver sus debilidades. Cuando estés buscando una solución más privada, deberías determinar cuál es el problema subyacente y encontrar soluciones técnicas a ese problema. Por ejemplo, es posible que quieras evitar Google Drive, ya que da acceso a Google a todos tus datos. El problema subyacente en este caso es la falta de E2EE, por lo que deberías asegurarte de que el proveedor al que te cambias realmente implementa E2EE, o utiliza una herramienta (como [Cryptomator](../encryption.md#cryptomator-cloud)) que proporciona E2EE a cualquier proveedor de servicios en la nube. Cambiar a un proveedor "centrado en la privacidad" (que no implementa E2EE) no resuelve tu problema: esto solo cambia la confianza de Google a ese proveedor. + +Las políticas de privacidad y las prácticas empresariales de los proveedores que elijas son muy importantes, pero deben considerarse secundarias frente a las garantías técnicas de tu privacidad: No deberías cambiar la confianza a otro proveedor cuando la confianza en un proveedor no es un requisito en absoluto. + +## "Lo complicado es mejor" + +A menudo vemos a gente que describe modelos de amenaza a la privacidad que son excesivamente complejos. A menudo, estas soluciones incluyen problemas como muchas cuentas de correo electrónico diferentes o configuraciones complicadas con muchas partes móviles y condiciones. Las respuestas suelen responder a "¿Cuál es la mejor manera de hacer *X*?" + +Encontrar la "mejor" solución para uno mismo no significa necesariamente que se busque una solución infalible con docenas de condiciones: suele ser difícil trabajar con estas soluciones de forma realista. Como hemos comentado anteriormente, la seguridad a menudo viene a expensas de la comodidad. A continuación, te ofrecemos algunos consejos: + +1. ==Las acciones tienen que servir a un propósito concreto:== piensa en cómo hacer lo que quieres con el menor número de acciones. +2. ==Eliminar los puntos de fallo humanos:== Fallamos, nos cansamos y olvidamos cosas. Para mantener la seguridad, evita depender de condiciones y procesos manuales que tengas que recordar. +3. ==Utiliza el nivel adecuado de protección para lo que pretendes.== A menudo vemos recomendaciones de las llamadas soluciones de aplicación de la ley o a prueba de citaciones. Estas a menudo requieren conocimientos especializados y generalmente no es lo que la gente quiere. No tiene sentido construir un intrincado modelo de amenaza para el anonimato si puede ser fácilmente desanonimizado por un simple descuido. + +Así que, ¿cómo podría verse esto? + +Uno de los modelos de amenaza más claros es aquel en el que la gente *sabe quién eres* y otro en el que no. Siempre habrá situaciones en las que debes declarar tu nombre legal y otras en las que no es necesario. + +1. **Identidad conocida** - Una identidad conocida se utiliza para cosas en las que debes declarar tu nombre. Hay muchos documentos legales y contratos en los que se requiere una identidad legal. Esto puede abarcar desde la apertura de una cuenta bancaria, la firma de un contrato de arrendamiento de una propiedad, la obtención de un pasaporte, las declaraciones de aduana al importar artículos o cualquier otro trámite con tu Gobierno. Por lo general, estas cosas conducirán a credenciales como tarjetas de crédito, controles de calificación crediticia, números de cuenta y, posiblemente, direcciones físicas. + + No sugerimos usar una VPN o Tor para ninguna de estas cosas, ya que tu identidad ya es conocida por otros medios. + + !!! tip "Consejo" + + Al comprar en línea, el uso de un [casillero de paquetes](https://en.wikipedia.org/wiki/Parcel_locker) puede ayudar a mantener la privacidad de tu dirección física. + +2. **Identidad desconocida** - Una identidad desconocida podría ser un seudónimo estable que utilizas con regularidad. No es anónimo porque no cambia. Si formas parte de una comunidad en línea, es posible que desees mantener un personaje que los demás conozcan. Este seudónimo no es anónimo porque, si se vigila durante el tiempo suficiente, los detalles sobre el propietario pueden revelar más información, como su forma de escribir, sus conocimientos generales sobre temas de interés, etc. + + Es posible que desees utilizar una VPN para esto, para enmascarar tu dirección IP. Las transacciones financieras son más difíciles de enmascarar: Podrías considerar el uso de criptomonedas anónimas, como [Monero](https://www.getmonero.org/). El cambio a una moneda alternativa también puede ayudar a disfrazar dónde se originó tu moneda. Por lo general, los intercambios requieren que el KYC (conoce a tu cliente) se complete antes de que te permitan cambiar moneda fiduciaria a cualquier tipo de criptomoneda. Las opciones de encuentros locales también pueden ser una solución; sin embargo, suelen ser más caras y, a veces, también requieren KYC. + +3. **Identidad anónima** - Incluso con experiencia, las identidades anónimas son difíciles de mantener durante largos periodos de tiempo. Deben ser identidades a corto plazo y de corta duración que roten regularmente. + + Usar Tor puede ayudar con esto. También cabe destacar que es posible un mayor anonimato mediante la comunicación asíncrona: La comunicación en tiempo real es vulnerable al análisis de los patrones de escritura (es decir, más de un párrafo de texto, distribuido en un foro, por correo electrónico, etc.) + +[^1]: Un ejemplo notable de esto es [el incidente de 2021 en el que investigadores de la Universidad de Minnesota introdujeron tres vulnerabilidades en el proyecto de desarrollo del kernel de Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/es/basics/common-threats.md b/i18n/es/basics/common-threats.md new file mode 100644 index 00000000..ba73a4ae --- /dev/null +++ b/i18n/es/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Amenazas comunes" +icon: 'material/eye-outline' +description: Tu modelo de amenaza es personal, pero éstas son algunas de las cosas que preocupan a muchos visitantes de este sitio. +--- + +En términos generales, clasificamos nuestras recomendaciones en las [amenazas](threat-modeling.md) u objetivos que se aplican a la mayoría de las personas. ==Puede que no te preocupe ninguna, una, varias o todas estas posibilidades==, y las herramientas y servicios que utilices dependerán de cuáles sean tus objetivos. Es posible que también tengas amenazas específicas fuera de estas categorías, ¡lo cual está perfectamente bien! Lo importante es desarrollar una comprensión de los beneficios y las deficiencias de las herramientas que elijas utilizar, porque prácticamente ninguna de ellas te protegerá de todas las amenazas. + +- :material-incognito: Anonimato - Proteger tu actividad en línea de tu identidad real, protegiendote de las personas que están tratando de descubrir *tu* identidad específicamente. +- :material-target-account: Ataques dirigidos - Estar protegido de los hackers u otros actores maliciosos que están tratando de acceder a *tus* datos o dispositivos específicamente. +- :material-bug-outline: Ataques pasivos - Estar protegido de cosas como el malware, las filtraciones de datos y otros ataques que se realizan contra muchas personas a la vez. +- :material-server-network: Proveedores de servicios - Proteger tus datos de los proveedores de servicios (por ejemplo, con E2EE, que hace que tus datos sean ilegibles para el servidor). +- :material-eye-outline: Vigilancia masiva - Protección contra las agencias gubernamentales, organizaciones, sitios web y servicios que trabajan juntos para rastrear tus actividades. +- :material-account-cash: Capitalismo de la vigilancia - Protegerse de las grandes redes de publicidad, como Google y Facebook, así como de una miríada de otros recolectores de datos de terceros. +- :material-account-search: Exposición pública - Limitar la información sobre ti que es accesible en línea, para los motores de búsqueda o el público en general. +- :material-close-outline: Censura - Evitar el acceso censurado a la información o ser censurado uno mismo al hablar en línea. + +Algunas de estas amenazas pueden ser más importantes para ti que otras, dependiendo de tus preocupaciones específicas. Por ejemplo, un desarrollador de software con acceso a datos valiosos o críticos puede estar preocupado principalmente por :material-target-account: Ataques dirigidos, pero probablemente siga queriendo proteger sus datos personales de ser barridos por los programas de :material-eye-outline: Vigilancia masiva. Del mismo modo, muchas personas pueden estar preocupadas principalmente por la :material-account-search: Exposición pública de sus datos personales, pero aún así deben tener cuidado con los problemas centrados en la seguridad, como los :material-bug-outline: Ataques pasivos-como el malware que afecta a sus dispositivos. + +## Anonimato vs. Privacidad + +:material-incognito: Anonimato + +El anonimato se confunde a menudo con la privacidad, pero son conceptos distintos. Mientras que la privacidad es un conjunto de decisiones que tomas sobre cómo se utilizan y comparten tus datos, el anonimato es la completa disociación de tus actividades en línea de tu identidad real. + +Los denunciantes y los periodistas, por ejemplo, pueden tener un modelo de amenaza mucho más extremo que requiere el anonimato total. Eso no sólo es ocultar lo que hacen, los datos que tienen y no ser hackeados por actores maliciosos o gobiernos, sino también ocultar por completo quiénes son. A menudo sacrificarán cualquier tipo de comodidad si eso significa proteger su anonimato, privacidad o seguridad, porque sus vidas podrían depender de ello. La mayoría de la gente no necesita ir tan lejos. + +## Seguridad y privacidad + +:material-bug-outline: Ataques pasivos + +La seguridad y la privacidad también se confunden a menudo, porque se necesita seguridad para obtener cualquier apariencia de privacidad: El uso de herramientas -incluso si son privadas por diseño- es inútil si pueden ser fácilmente explotadas por atacantes que luego liberen tus datos. Sin embargo, lo contrario no es necesariamente cierto: el servicio más seguro del mundo *no es necesariamente* privado. El mejor ejemplo de esto es confiar los datos a Google, que, dada su escala, ha tenido pocos incidentes de seguridad al emplear a expertos en seguridad líderes en la industria para asegurar su infraestructura. Aunque Google proporciona servicios muy seguros, muy pocas personas considerarían que sus datos son privados en los productos gratuitos de consumo de Google (Gmail, YouTube, etc.) + +En lo que respecta a la seguridad de las aplicaciones, generalmente no sabemos (y a veces no podemos) si el software que utilizamos es malicioso, o podría llegar a serlo algún día. Incluso en el caso de los desarrolladores más fiables, generalmente no hay garantía de que su software no tenga una vulnerabilidad grave que pueda ser explotada posteriormente. + +Para minimizar el daño que una pieza maliciosa de software *podría hacer*, deberías emplear la seguridad por compartimentación. Por ejemplo, esto podría darse en la forma de usar diferentes ordenadores para diferentes trabajos, usar máquinas virtuales para separar diferentes grupos de aplicaciones relacionadas, o usar un sistema operativo seguro con un fuerte enfoque en el aislamiento de aplicaciones y el control de acceso obligatorio. + +!!! tip "Consejo" + + Los sistemas operativos móviles suelen tener un mejor aislamiento de aplicaciones que los sistemas operativos de escritorio: Las aplicaciones no pueden obtener acceso a la raíz y requieren permiso para acceder a los recursos del sistema. + + Los sistemas operativos de escritorio generalmente se retrasan en el aislamiento adecuado. ChromeOS tiene capacidades de aislamiento similares a las de Android, y macOS tiene un control total de los permisos del sistema (y los desarrolladores pueden optar por el aislamiento para las aplicaciones). Sin embargo, estos sistemas operativos transmiten información de identificación a sus respectivos OEM. Linux tiende a no enviar información a los proveedores de sistemas, pero tiene poca protección contra los exploits y las aplicaciones maliciosas. Esto puede mitigarse un poco con distribuciones especializadas que hacen un uso significativo de máquinas virtuales o contenedores, como Qubes OS. + +:material-target-account: Ataques dirigidos + +Los ataques dirigidos contra una persona concreta son más problemáticos de tratar. Los ataques más comunes son el envío de documentos maliciosos por correo electrónico, la explotación de vulnerabilidades (por ejemplo, en los navegadores y sistemas operativos) y los ataques físicos. Si esto te preocupa, deberías emplear estrategias de mitigación de amenazas más avanzadas. + +!!! tip "Consejo" + + Por su diseño, los **navegadores web**, los **clientes de correo electrónico** y las **aplicaciones de oficina** suelen ejecutar código no fiable, enviado por terceros. Ejecutar múltiples máquinas virtuales -para separar aplicaciones como estas de su sistema anfitrión, así como entre sí- es una técnica que puedes utilizar para mitigar la posibilidad de que un exploit en estas aplicaciones comprometa el resto de tu sistema. Por ejemplo, tecnologías como Qubes OS o Microsoft Defender Application Guard en Windows proporcionan métodos convenientes para hacerlo. + +Si te preocupan los **ataques físicos** deberías utilizar un sistema operativo con una implementación de arranque seguro verificado, como Android, iOS, macOS o [Windows (con TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). También deberías asegurarte de que tu disco esté encriptado y de que el sistema operativo utiliza un TPM o Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) o [Element](https://developers.google.com/android/security/android-ready-se) para limitar los intentos de introducir la frase de contraseña de encriptación. Deberías evitar compartir tu ordenador con personas que no sean de tu confianza, ya que la mayoría de los sistemas operativos de escritorio no cifran los datos por separado para cada usuario. + +## Privacidad de los proveedores de servicios + +:material-server-network: Proveedores de servicios + +Vivimos en un mundo en el que casi todo está conectado a Internet. Nuestros mensajes "privados", correos electrónicos e interacciones sociales suelen almacenarse en un servidor, en algún lugar. Generalmente, cuando envías un mensaje a alguien, este se almacena en un servidor, y cuando tu amigo quiere leer el mensaje, el servidor se lo muestra. + +El problema obvio de esto es que el proveedor de servicios (o un hacker que haya comprometido el servidor) puede acceder a tus conversaciones cuando y como quiera, sin que tú lo sepas. Esto se aplica a muchos servicios comunes, como la mensajería SMS, Telegram y Discord. + +Afortunadamente, E2EE puede aliviar este problema encriptando las comunicaciones entre tú y los destinatarios deseados antes de que se envíen al servidor. La confidencialidad de tus mensajes está garantizada, suponiendo que el proveedor de servicios no tenga acceso a las claves privadas de ninguna de las partes. + +!!! note "Nota sobre el cifrado basado en la web" + + En la práctica, la eficacia de las diferentes implementaciones de E2EE varía. Las aplicaciones, como [Signal](../real-time-communication.md#signal), se ejecutan de forma nativa en tu dispositivo, y cada copia de la aplicación es la misma en diferentes instalaciones. Si el proveedor de servicios introdujera un [backdoor](https://es.wikipedia.org/wiki/Puerta_trasera) en su aplicación -en un intento de robar tus claves privadas- podría ser detectado posteriormente con [ingeniería inversa](https://es.wikipedia.org/wiki/Ingenier%C3%Ada_inversa). + + Por otro lado, las implementaciones E2EE basadas en la web, como el webmail de Proton Mail o *Web Vault* de Bitwarden, dependen de que el servidor sirva dinámicamente código JavaScript al navegador para manejar la criptografía. Un servidor malicioso puede dirigirse a ti y enviarte un código JavaScript malicioso para robar tu clave de cifrado (y sería extremadamente difícil de notar). Dado que el servidor puede elegir servir diferentes clientes de la web a diferentes personas -incluso si te diste cuenta del ataque- sería increíblemente difícil probar la culpabilidad del proveedor. + + Por lo tanto, siempre que sea posible, hay que utilizar aplicaciones nativas en lugar de clientes web. + +Incluso con E2EE, los proveedores de servicios aún pueden hacerte un perfil basado en **metadatos**, que generalmente no están protegidos. Aunque el proveedor de servicios no puede leer tus mensajes, sí puede observar cosas importantes, como con quién hablas, la frecuencia con la que les envías mensajes y cuándo sueles estar activo. La protección de los metadatos es bastante infrecuente, y -si está dentro de tu [modelo de amenazas](threat-modeling.md)- deberías prestar mucha atención a la documentación técnica del software que estás utilizando para ver si hay alguna minimización o protección de los metadatos. + +## Programas de vigilancia masiva + +:material-eye-outline: Vigilancia masiva + +La vigilancia masiva es el intrincado esfuerzo por controlar el "comportamiento, muchas actividades o información" de toda una población (o de una fracción sustancial de ella).[^1] Suele referirse a programas gubernamentales, como los que [reveló Edward Snowden en 2013](https://es.wikipedia.org/wiki/Revelaciones_sobre_la_red_de_vigilancia_mundial_(2013-2015)). Sin embargo, también puede ser llevada a cabo por empresas, ya sea en nombre de organismos gubernamentales o por iniciativa propia. + +!!! abstract "Atlas de Vigilancia" + + Si quiere saber más sobre los métodos de vigilancia y cómo se aplican en su ciudad, también puede echar un vistazo al [Atlas of Surveillance](https://atlasofsurveillance.org/) de la [Electronic Frontier Foundation](https://www.eff.org/). + + En Francia puede consultar el sitio [Technolopolice website](https://technopolice.fr/villes/), mantenido por la asociación sin ánimo de lucro La Quadrature du Net. + +Los gobiernos suelen justificar los programas de vigilancia masiva como medios necesarios para combatir el terrorismo y prevenir la delincuencia. Sin embargo, al vulnerar los derechos humanos, se utiliza con mayor frecuencia para atacar desproporcionadamente a grupos minoritarios y disidentes políticos, entre otros. + +!!! quote "ACLU: [*La lección de privacidad del 11 de septiembre: La vigilancia masiva no es el camino a seguir*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Ante [las revelaciones de Edward Snowden sobre programas gubernamentales como [PRISM](https://es.wikipedia.org/wiki/PRISM) y [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], los funcionarios de inteligencia también admitieron que la NSA llevaba años recopilando en secreto registros sobre prácticamente todas las llamadas telefónicas de los estadounidenses: quién llama a quién, cuándo se hacen esas llamadas y cuánto duran. Este tipo de información, cuando es recopilada por la NSA día tras día, puede revelar detalles increíblemente sensibles sobre la vida y las asociaciones de las personas, como si han llamado a un pastor, a un proveedor de aborto, a un consejero de adicciones o a una línea directa de suicidio. + +A pesar de la creciente vigilancia masiva en Estados Unidos, el gobierno ha descubierto que los programas de vigilancia masiva como Section 215 han tenido "poco valor único" con respecto a la detención de delitos reales o complots terroristas, con esfuerzos que duplican en gran medida los propios programas de vigilancia selectiva del FBI.[^2] + +En línea, puedes ser rastreado a través de varios métodos: + +- Tu dirección IP +- Cookies del navegador +- Los datos que envías a los sitios web +- La huella digital de tu navegador o dispositivo +- Correlación del método de pago + +\[Esta lista no es exhaustiva]. + +Si te preocupan los programas de vigilancia masiva, puedes utilizar estrategias como compartimentar tus identidades en línea, mezclarte con otros usuarios o, siempre que sea posible, simplemente evitar proporcionar información que te identifique. + +:material-account-cash: Capitalismo de Vigilancia + +> El capitalismo de vigilancia es un sistema económico centrado en la captura y mercantilización de datos personales con el propósito principal de obtener ganancias.[^3] + +Para muchas personas, el seguimiento y la vigilancia por parte de empresas privadas es una preocupación creciente. Las redes publicitarias omnipresentes, como las operadas por Google y Facebook, se extienden por Internet mucho más allá de los sitios que controlan, rastreando tus acciones a lo largo del camino. El uso de herramientas como los bloqueadores de contenido para limitar las solicitudes de red a sus servidores y la lectura de las políticas de privacidad de los servicios que utiliza pueden ayudarte a evitar a muchos adversarios básicos (aunque no puede evitar por completo el rastreo).[^4] + +Además, incluso empresas ajenas a la industria de *AdTech* o de seguimiento pueden compartir tu información con los [corredores de datos](https://es.wikipedia.org/wiki/Broker_de_informaci%C3%B3n) (como Cambridge Analytica, Experian o Datalogix) u otras partes. No puedes asumir automáticamente que tus datos están seguros sólo porque el servicio que utilizas no entra dentro del típico modelo de negocio de AdTech o de seguimiento. La mayor protección contra la recopilación de datos por parte de las empresas es encriptar u ofuscar tus datos siempre que sea posible, dificultando que los diferentes proveedores puedan correlacionar los datos entre sí y construir un perfil sobre ti. + +## Limitación de la información pública + +:material-account-search: Exposición pública + +En los sitios en los que compartes información, es muy importante comprobar la configuración de privacidad de tu cuenta para limitar la difusión de esos datos. Por ejemplo, activa el "modo privado" en tus cuentas si tienes la opción: Esto garantiza que tu cuenta no sea indexada por los motores de búsqueda y que no pueda ser vista sin tu permiso. + +- [Mira nuestra guía sobre la eliminación de cuentas :material-arrow-right-drop-circle:](account-deletion.md) + +Si ya has enviado tu información real a sitios que no deberían tenerla, considera la posibilidad de utilizar tácticas de desinformación, como enviar información ficticia relacionada con esa identidad en línea. Esto hace que tu información real sea indistinguible de la falsa. + +La censura en línea puede ser llevada a cabo (en diversos grados) por actores que incluyen gobiernos totalitarios, administradores de redes y proveedores de servicios. Esto hace que tu información real sea indistinguible de la falsa. + +## Evitar la censura + +:material-close-outline: Censura + +La censura en las plataformas corporativas es cada vez más común, ya que plataformas como Twitter y Facebook ceden a la demanda del público, a las presiones del mercado y a las de los organismos gubernamentales. Estos esfuerzos por controlar la comunicación y restringir el acceso a la información serán siempre incompatibles con el derecho humano a la Libertad de Expresión.[^5] + +La censura en las plataformas corporativas es cada vez más común, ya que plataformas como Twitter y Facebook ceden a la demanda del público, a las presiones del mercado y a las de los organismos gubernamentales. Las presiones gubernamentales pueden ser peticiones encubiertas a las empresas, como la de la Casa Blanca [solicitando la retirada](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) de un vídeo provocativo de YouTube, o abiertamente, como la del gobierno chino exigiendo a las empresas que se adhieran a un estricto régimen de censura. + +Las personas preocupadas por la amenaza de la censura pueden utilizar tecnologías como [Tor](../advanced/tor-overview.md) para eludirla, y apoyar plataformas de comunicación resistentes a la censura como [Matrix](../real-time-communication.md#element), que no tiene una autoridad de cuentas centralizada que pueda cerrar cuentas arbitrariamente. + +!!! tip "Consejo" + + Si bien evadir la censura en sí misma puede ser fácil, ocultar el hecho de que lo estás haciendo puede ser muy problemático. + + Deberías considerar qué aspectos de la red puede observar tu adversario y si tienes una justificación verosímil para tus acciones. Por ejemplo, el uso de [DNS cifrado](../advanced/dns-overview.md#what-is-encrypted-dns) puede ayudarte a eludir sistemas de censura rudimentarios basados en DNS, pero no puede ocultar realmente lo que visitas a tu ISP. Una VPN o Tor puede ayudar a ocultar lo que estás visitando de los administradores de red, pero no puede ocultar que estás utilizando esas redes en primer lugar. Los transportes conectables (como Obfs4proxy, Meek, o Shadowsocks) pueden ayudarte a evadir cortafuegos que bloquean protocolos VPN comunes o Tor, pero tus intentos de evasión aún pueden ser detectados por métodos como sondeo o [inspección profunda de paquetes](https://es.wikipedia.org/wiki/Inspección_profunda_de_paquete). + +Siempre debes tener en cuenta los riesgos de intentar saltarse la censura, las posibles consecuencias y lo sofisticado que puede ser el adversario. Debe ser precavido con la selección del software y tener un plan de respaldo en caso de que te pillen. + +[^1]: Wikipedia: [*Vigilancia masiva*](https://es.wikipedia.org/wiki/Vigilancia_masiva) y [*Vigilancia*](https://es.wikipedia.org/wiki/Vigilancia). +[^2]: Junta de Supervisión de la Privacidad y las Libertades Civiles de los Estados Unidos: [*Informe sobre el Programa de Registros Telefónicos llevado a cabo bajo la Sección 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Capitalismo de vigilancia*](https://es.wikipedia.org/wiki/Capitalismo_de_vigilancia) +[^4]: "[Enumerar la maldad](https://www.ranum.com/security/computer_security/editorials/dumb/)" (o, "enumerar todas las cosas malas que conocemos"), como hacen muchos bloqueadores de anuncios y programas antivirus, no protege adecuadamente de las amenazas nuevas y desconocidas porque aún no se han añadido a la lista de filtros. También deberías emplear otras técnicas de mitigación. +[^5]: Naciones Unidas: [*La Declaración Universal de Derechos Humanos*](https://www.un.org/es/about-us/universal-declaration-of-human-rights). diff --git a/i18n/es/basics/email-security.md b/i18n/es/basics/email-security.md new file mode 100644 index 00000000..f6fb9396 --- /dev/null +++ b/i18n/es/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Seguridad del correo electrónico +icon: material/email +description: El correo electrónico es intrínsecamente inseguro en muchos aspectos, y éstas son algunas de las razones por las que no es nuestra primera opción para las comunicaciones seguras. +--- + +El correo electrónico es una forma de comunicación insegura por defecto. Puedes mejorar la seguridad de tu correo electrónico con herramientas como OpenPGP, que añaden cifrado de extremo a extremo a tus mensajes, pero OpenPGP sigue teniendo una serie de inconvenientes en comparación con el cifrado de otras aplicaciones de mensajería, y algunos datos del correo electrónico nunca pueden cifrarse de forma inherente debido a cómo está diseñado el correo electrónico. + +En consecuencia, el correo electrónico se utiliza mejor para recibir correos electrónicos transaccionales (como notificaciones, correos de verificación, restablecimiento de contraseñas, etc.) de los servicios en los que te registras en línea, no para comunicarte con otras personas. + +## Descripción de la encriptación del correo electrónico + +La forma estándar de añadir E2EE a los correos electrónicos entre diferentes proveedores de correo electrónico es utilizando OpenPGP. Existen diferentes implementaciones del estándar OpenPGP, siendo las más comunes [GnuPG](https://es.wikipedia.org/wiki/GNU_Privacy_Guard) y [OpenPGP.js](https://openpgpjs.org). + +Hay otro estándar que es popular entre las empresas llamada [S/MIME](https://es.wikipedia.org/wiki/S/MIME), sin embargo, requiere un certificado emitido por una [Autoridad de certificación](https://es.wikipedia.org/wiki/Autoridad_de_certificaci%C3%B3n) (no todos emiten certificados S/MIME). Tiene soporte en [Google Workplace](https://support.google.com/a/topic/9061730?hl=es&%3Bref_topic=9061731) y [Outlook para Web o Exchange Server 2016, 2019](https://support.microsoft.com/es-es/office/cifrar-mensajes-mediante-s-mime-en-outlook-en-la-web-878c79fc-7088-4b39-966f-14512658f480?ui=en-us&rs=en-us&ad=us). + +Incluso si utilizas OpenPGP, no admite el [secreto perfecto hacia adelante](https://es.wikipedia.org/wiki/Perfect_forward_secrecy), lo que significa que si alguna vez se roba tu clave privada o la del destinatario, todos los mensajes anteriores cifrados con ella se expondrán. Es por eso que recomendamos [servicios de mensajería instantáneos](../real-time-communication.md) que implementan el secreto perfecto hacia adelante por sobre el correo electrónico para las comunicaciones de persona a persona siempre que sea posible. + +### ¿Qué clientes de correo electrónico admiten E2EE? + +Los proveedores de correo electrónico que permiten utilizar protocolos de acceso estándar como IMAP y SMTP pueden utilizarse con cualquiera de los clientes de correo electrónico [que recomendamos](../email-clients.md). Dependiendo del método de autenticación, esto puede conducir a la disminución de la seguridad si el proveedor o el cliente de correo electrónico no soporta OATH o una aplicación puente debido a que la [autenticación multifactor](multi-factor-authentication.md) no es posible con la autenticación de contraseña simple. + +### ¿Cómo puedo proteger mis claves privadas? + +Una tarjeta inteligente (como una [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) o una [Nitrokey](https://www.nitrokey.com)) funciona recibiendo un mensaje de correo electrónico cifrado desde un dispositivo (teléfono, tableta, ordenador, etc.) que ejecuta un cliente de correo electrónico/correo web. El mensaje es entonces descifrado por la tarjeta inteligente y el contenido descifrado es enviado de vuelta al dispositivo. + +Es ventajoso que el descifrado ocurra en la tarjeta inteligente para evitar la posible exposición de tu clave privada a un dispositivo comprometido. + +## Descripción general de los metadatos de correo electrónico + +Los metadatos del correo electrónico se almacenan en la [cabecera del mensaje](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) del correo electrónico e incluye algunas cabeceras visibles que puedes haber visto como: `Para`, `De`, `Cc`, `Fecha`, `Asunto`. También hay una serie de encabezados ocultos incluidos por muchos clientes y proveedores de correo electrónico que pueden revelar información sobre tu cuenta. + +El software del cliente puede usar metadatos de correo electrónico para mostrar de quién es un mensaje y a qué hora se recibió. Los servidores pueden utilizarlo para determinar dónde debe enviarse un mensaje de correo electrónico, [entre otros fines](https://es.wikipedia.org/wiki/Correo_electr%C3%B3nico#Escritura_del_mensaje) que no siempre son transparentes. + +### ¿Quién puede ver los metadatos del correo electrónico? + +Los metadatos del correo electrónico están protegidos de observadores externos con [STARTTLS](https://es.wikipedia.org/wiki/STARTTLS) protegiéndolos de observadores externos, pero aún pueden ser vistos por tu software de cliente de correo electrónico (o webmail) y cualquier servidor que retransmita el mensaje de ti a cualquier destinatario, incluyendo tu proveedor de correo electrónico. A veces, los servidores de correo electrónico también utilizan servicios de terceros para protegerse del spam, que generalmente también tienen acceso a tus mensajes. + +### ¿Por qué los metadatos no pueden ser E2EE? + +Los metadatos del correo electrónico son cruciales para la funcionalidad más básica del correo electrónico (de dónde viene y a dónde tiene que ir). E2EE no estaba integrado originalmente en los protocolos de correo electrónico, sino que requería un software adicional como OpenPGP. Dado que los mensajes OpenPGP todavía tienen que funcionar con los proveedores de correo electrónico tradicionales, no puede cifrar los metadatos del correo electrónico, sino sólo el cuerpo del mensaje. Esto significa que, incluso cuando se utiliza OpenPGP, los observadores externos pueden ver mucha información sobre tus mensajes, como a quién estás enviando correos electrónicos, las líneas de asunto, cuándo estás enviando correos, etc. diff --git a/i18n/es/basics/multi-factor-authentication.md b/i18n/es/basics/multi-factor-authentication.md new file mode 100644 index 00000000..d8f44d5c --- /dev/null +++ b/i18n/es/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Autenticación de Múltiples Factores" +icon: 'material/two-factor-authentication' +description: La MFA es un mecanismo de seguridad fundamental para proteger sus cuentas en línea, pero algunos métodos son más eficaces que otros. +--- + +**La autenticación multifactorial** (**MFA**) es un mecanismo de seguridad que requiere pasos adicionales a la introducción del nombre de usuario (o correo electrónico) y la contraseña. El método más común son los códigos de tiempo limitado que puedes recibir de un SMS o una aplicación. + +Normalmente, si un hacker (o adversario) es capaz de averiguar tu contraseña, entonces obtendrá acceso a la cuenta a la que pertenece esa contraseña. Una cuenta con MFA obliga al hacker a tener tanto la contraseña (algo que *conoces*) como un dispositivo de tu propiedad (algo que *tienes*), como tu teléfono. + +Los métodos MFA varían en seguridad, pero se basan en la premisa de que cuanto más difícil sea para un atacante acceder a tu método MFA, mejor. Algunos ejemplos de métodos MFA (de más débil a más fuerte) incluyen SMS, códigos de correo electrónico, notificaciones push de aplicaciones, TOTP, Yubico OTP y FIDO. + +## Comparación de métodos MFA + +### SMS o correo electrónico MFA + +Recibir códigos OTP por SMS o correo electrónico es una de las formas más débiles de asegurar tus cuentas con MFA. Obtener un código por correo electrónico o SMS se aleja de la idea de "algo que *tienes*", porque hay una gran variedad de formas en las que un hacker podría [tomar tu número de teléfono](https://es.wikipedia.org/wiki/SIM_swapping) o acceder a tu correo electrónico sin tener acceso físico a ninguno de tus dispositivos. Si una persona no autorizada obtuviera acceso a tu correo electrónico, podría utilizar ese acceso tanto para restablecer tu contraseña como para recibir el código de autenticación, lo que le daría pleno acceso a tu cuenta. + +### Notificaciones Push + +La MFA por notificación push consiste en el envío de un mensaje a una aplicación de tu teléfono en el que se te pide que confirmes el inicio de sesión de una nueva cuenta. Este método es mucho mejor que el de los SMS o el correo electrónico, ya que un atacante normalmente no podría obtener estas notificaciones push sin tener un dispositivo ya conectado, lo que significa que tendría que comprometer uno de tus otros dispositivos primero. + +Todos cometemos errores, y existe el riesgo de que aceptes el intento de inicio de sesión por accidente. Las autorizaciones de inicio de sesión mediante notificaciones push suelen enviarse a *todos* tus dispositivos a la vez, ampliando la disponibilidad del código MFA si tienes muchos dispositivos. + +La seguridad de las notificaciones push MFA depende tanto de la calidad de la aplicación como del componente del servidor y de la confianza del desarrollador que la produce. La instalación de una aplicación también puede requerir que aceptes privilegios invasivos que concedan acceso a otros datos de tu dispositivo. Una aplicación individual también requiere que tengas una aplicación específica para cada servicio que puede no requerir una contraseña para abrirse, a diferencia de una buena aplicación generadora de TOTP. + +### Contraseñas de un solo uso basado en tiempo (TOTP) + +El TOTP es una de las formas más comunes de MFA disponibles. Cuando se configura el TOTP, generalmente se requiere escanear un [código QR](https://es.wikipedia.org/wiki/C%C3%B3digo_QR) que establece un "[secreto compartido](https://es.wikipedia.org/wiki/Secreto_compartido)" con el servicio que se pretende utilizar. El secreto compartido está asegurado dentro de los datos de la aplicación de autenticación, y a veces está protegido por una contraseña. + +El código de tiempo limitado se deriva entonces del secreto compartido y de la hora actual. Como el código sólo es válido durante un corto periodo de tiempo, sin acceso al secreto compartido, un adversario no puede generar nuevos códigos. + +Si tienes una llave de seguridad de hardware con soporte para TOTP (como una YubiKey con [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), recomendamos que almacenes tus "secretos compartidos" en el equipo. El hardware como el YubiKey se desarrolló con la intención de que el "secreto compartido" fuera difícil de extraer y copiar. Una YubiKey tampoco está conectada al Internet, a diferencia de un teléfono con una aplicación TOTP. + +A diferencia de [WebAuthn](#fido-fast-identity-online), TOTP no ofrece protección contra [Phishing](https://es.wikipedia.org/wiki/Phishing) o ataques de reutilización. Si un adversario obtiene un código válido de ti, puede utilizarlo tantas veces como quiera hasta que caduque (generalmente 60 segundos). + +Un adversario podría crear un sitio web para imitar un servicio oficial en un intento de engañarte para que des tu nombre de usuario, contraseña y código TOTP actual. Si el adversario utiliza esas credenciales registradas puede ser capaz de entrar en el servicio real y secuestrar la cuenta. + +Aunque no es perfecto, TOTP es lo suficientemente seguro para la mayoría de la gente, y cuando las [llaves de seguridad de hardware](../multi-factor-authentication.md#hardware-security-keys) no son compatibles las [aplicaciones de autenticación](../multi-factor-authentication.md#authenticator-apps) siguen siendo una buena opción. + +### Llaves de seguridad de hardware + +La YubiKey almacena los datos en un chip de estado sólido resistente a las manipulaciones, al que es [imposible acceder](https://security.stackexchange.com/a/245772) de forma no destructiva sin un costoso proceso y un laboratorio forense. + +Estas claves suelen ser multifuncionales y ofrecen varios métodos de autenticación. A continuación se presentan los más comunes. + +#### Yubico OTP + +Yubico OTP es un protocolo de autenticación típicamente implementado en llaves de seguridad de hardware. Cuando decidas utilizar Yubico OTP, la clave generará un ID público, un ID privado y una clave secreta que se cargará en el servidor Yubico OTP. + +Para entrar en un sitio web, basta con tocar físicamente la clave de seguridad. La llave de seguridad emulará un teclado e imprimirá una contraseña de un solo uso en el campo de la contraseña. + +El servicio enviará entonces la contraseña de un solo uso al servidor Yubico OTP para validación. Se incrementa un contador tanto en la llave como en el servidor de validación de Yubico. La OTP sólo puede utilizarse una vez, y cuando se produce una autenticación con éxito, el contador se incrementa, lo que impide la reutilización de la OTP. Yubico proporciona un [documento detallado](https://developers.yubico.com/OTP/OTPs_Explained.html) sobre el proceso. + +
+ ![Yubico OTP](/assets/img/multi-factor-authentication/yubico-otp.png) +
+ +El uso de Yubico OTP tiene algunas ventajas y desventajas en comparación con TOTP. + +El servidor de validación de Yubico es un servicio basado en la nube, y estás confiando en que Yubico almacena los datos de forma segura y no los perfila. El ID público asociado con Yubico OTP se reutiliza en todos los sitios web y podría ser otra vía para que terceros te perfilen. Al igual que TOTP, Yubico OTP no proporciona resistencia al phishing. + +Si tu modelo de amenaza requiere que tengas diferentes identidades en diferentes sitios web, **no** utilices Yubico OTP con la misma clave de seguridad de hardware entre esos sitios web ya que el ID público es único para cada clave de seguridad. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) incluye una serie de estándares, primero fue U2F y después [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) el cual incluye el estándar web [WebAuthn](https://es.wikipedia.org/wiki/WebAuthn). + +U2F y FIDO2 se refieren al [Protocolo Cliente-Autenticador](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), que es el protocolo entre la clave de seguridad y el ordenador, como un portátil o un teléfono. Complementa a WebAuthn, que es el componente utilizado para autenticarse con el sitio web (la "parte dependiente") en el que estás intentando de iniciar sesión. + +WebAuthn es la forma más segura y privada de autenticación de segundo factor. Si bien la experiencia de autenticación es similar a Yubico OTP, la clave no imprime una contraseña de una sola vez y se valida con un servidor de terceros. En su lugar, utiliza [criptografía de clave pública](https://es.wikipedia.org/wiki/Criptograf%C3%Ada_asim%C3%A9trica) para la autenticación. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Cuando creas una cuenta, la clave pública se envía al servicio, luego cuando inicias sesión, el servicio requerirá que "firmes" algunos datos con tu clave privada. La ventaja de esto es que el servicio no almacena nunca los datos de la contraseña, por lo que no hay nada que un adversario pueda robar. + +Esta presentación habla de la historia de la autenticación de contraseñas, los tropiezos (como la reutilización de contraseñas) y el debate de los estándares FIDO2 y [WebAuthn](https://webauthn.guide). + +
+ +
+ +FIDO2 y WebAuthn tienen propiedades de seguridad y privacidad superiores en comparación con cualquier método MFA. + +Por lo general, para los servicios web se utiliza con WebAuthn, que es una parte de las [recomendaciones W3C](https://es.wikipedia.org/wiki/World_Wide_Web_Consortium#Recomendaci%C3%B3n_de_W3C_(REC)). Utiliza autenticación de clave pública y es más segura que los secretos compartidos utilizados en los métodos OTP y TOTP de Yubico, ya que incluye el nombre de origen (normalmente, el nombre del dominio) durante la autenticación. La certificación se proporciona para protegerte del phishing, ya que te ayuda a determinar que estás utilizando el servicio auténtico y no una copia falsa. + +A diferencia de Yubico OTP, WebAuthn no utiliza ningún ID público, entonces la clave **no** es identificable a través de diferentes sitios web. Tampoco utiliza ningún servidor de nube de terceros para la autenticación. Toda la comunicación se completa entre la clave y el sitio web en el que estás iniciando sesión. FIDO también utiliza un contador que se incrementa cuando se utiliza para evitar la reutilización de la sesión y llaves clonadas. + +Si un sitio web o servicio es compatible con WebAuthn para la autenticación, es muy recomendable que lo utilices sobre cualquier otra forma de MFA. + +## Recomendaciones Generales + +Tenemos estas recomendaciones generales: + +### ¿Qué método debería usar? + +Al configurar tu método MFA, ten en cuenta que es tan seguro como el método de autenticación más débil que utilices. Esto significa que es importante que sólo utilices el mejor método de MFA disponible. Por ejemplo, si ya estás utilizando TOTP, deberías desactivar la MFA por correo electrónico y SMS. Si ya estás usando FIDO2/WebAuthn, no deberías estar usando Yubico OTP o TOTP en tu cuenta. + +### Copias de seguridad + +Siempre debes tener copias de seguridad de tu método MFA. Las llaves de seguridad de hardware pueden perderse, ser robadas o simplemente dejar de funcionar con el tiempo. Se recomienda tener un par de llaves de seguridad de hardware con el mismo acceso a tus cuentas en lugar de una sola. + +Cuando utilices TOTP con una aplicación de autenticación, asegúrate de hacer una copia de seguridad de tus claves de recuperación o de la propia aplicación, o de copiar los "secretos compartidos" a otra instancia de la aplicación en un teléfono diferente o a un contenedor cifrado (por ejemplo, [VeraCrypt](../encryption.md#veracrypt)). + +### Configuración Inicial + +Cuando compres una llave de seguridad, es importante que cambies las credenciales por defecto, configures la protección por contraseña de la llave y actives la confirmación táctil si tu llave es compatible con ella. Los productos como el YubiKey tienen múltiples interfaces con credenciales separadas para cada uno de ellos, por lo que debes repasar cada interfaz y configurar la protección también. + +### Correo electrónico y SMS + +Si tienes que utilizar el correo electrónico para MFA, asegúrate de que la propia cuenta de correo electrónico está protegida con un método MFA adecuado. + +Si usas MFA de SMS, utiliza un operador que no cambie tu número de teléfono a una nueva tarjeta SIM sin acceso a la cuenta, o usa un número VoIP dedicado de un proveedor con seguridad similar para evitar un [ataque de duplicación de SIM](https://es.wikipedia.org/wiki/SIM_swapping). + +[Herramientas de MFA que recomendamos](../multi-factor-authentication.md ""){.md-button} + +## Más lugares para configurar MFA + +Además de proteger tus inicios de sesión del sitio web, la autenticación de múltiples factores también se puede utilizar para proteger tus inicios de sesión locales, claves SSH o incluso bases de datos de contraseñas. + +### Windows + +Yubico tiene un [Proveedor de credenciales](https://learn.microsoft.com/es-es/windows/win32/secauthn/credential-providers-in-windows) dedicado que añade la autenticación Challenge-Response para el flujo de inicio de sesión con nombre de usuario + contraseña para las cuentas locales de Windows. Si tienes una YubiKey con soporte de autenticación Challenge-Response, echa un ojo a la [Guía de configuración de Yubico Login para Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), que te permitirá configurar MFA en tu computadora Windows. + +### macOS + +macOS tiene [soporte nativo](https://support.apple.com/es-es/guide/deployment/depd0b888248/web) para la autenticación con tarjetas inteligentes (PIV). Si tienes una tarjeta inteligente o una llave de seguridad de hardware compatible con la interfaz PIV como la YubiKey, te recomendamos que sigas la documentación de tu tarjeta inteligente/vendedor de seguridad de hardware y configures la autenticación de segundo factor para tu ordenador macOS. + +Yubico tiene una guía [Uso de tu YubiKey como una tarjeta inteligente en macOS](https://support.yubico.com/hc/en-us/articles/360016649059) que puede ayudarte a configurar tu YubiKey en macOS. + +Después de configurar tu tarjeta inteligente/clave de seguridad, te recomendamos que ejecutes este comando en el Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +El comando evitará que un adversario se salte la MFA al arrancar el ordenador. + +### Linux + +!!! warning "Advertencia" + + Si el nombre de host de tu sistema cambia (por ejemplo, debido al DHCP), no podrás iniciar sesión. Es vital que configures un nombre de host adecuado para tu ordenador antes de seguir esta guía. + +El módulo `pam_u2f` en Linux puede proporcionar autenticación de dos factores para iniciar sesión en las distribuciones Linux más populares. Si tienes una llave de seguridad de hardware compatible con U2F, puedes configurar la autenticación MFA para tu inicio de sesión. Yubico tiene una guía [Guía de inicio de sesión en Ubuntu Linux - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) que debería funcionar en cualquier distribución. Sin embargo, los comandos del gestor de paquetes—como `"apt-get"`—y los nombres de los paquetes pueden ser diferentes. Esta guía **no** le aplica a Qubes OS. + +### Qubes OS + +Qubes OS tiene soporte para la autenticación Challenge-Response con YubiKeys. Si tienes una YubiKey con soporte de autenticación Challenge-Response, échale un ojo a la [documentación de YubiKey](https://www.qubes-os.org/doc/yubikey/) de Qubes OS si quieres configurar MFA en Qubes OS. + +### SSH + +#### Llaves de Seguridad + +MFA de SSH podría configurarse utilizando varios métodos de autenticación diferentes que son populares con las claves de seguridad de hardware. Te recomendamos que consultea la [documentación](https://developers.yubico.com/SSH/) de Yubico sobre cómo configurarlo. + +#### Contraseñas de un solo uso basado en tiempo (TOTP) + +MFA de SSH también se puede configurar utilizando TOTP. DigitalOcean ha proporcionado un tutorial [Cómo Configurar la Autenticación Multifactor para SSH en Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La mayoría de las cosas deberían ser las mismas independientemente de la distribución, sin embargo los comandos del gestor de paquetes—como `"apt-get"`—y los nombres de los paquetes pueden diferir. + +### KeePass (y KeePassXC) + +Las bases de datos de KeePass y KeePassXC pueden ser aseguradas utilizando Challenge-Response o HOTP como segundo factor de autenticación. Yubico ha proporcionado un documento para KeePass [Usando tu YubiKey con KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) y también hay uno en el sitio web de [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). diff --git a/i18n/es/basics/passwords-overview.md b/i18n/es/basics/passwords-overview.md new file mode 100644 index 00000000..7d912a9c --- /dev/null +++ b/i18n/es/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introducción a las contraseñas" +icon: 'material/form-textbox-password' +description: Estos son algunos consejos y trucos para crear las contraseñas más seguras y mantener a salvo tus cuentas. +--- + +Las contraseñas son una parte esencial de nuestra vida digital cotidiana. Las utilizamos para proteger nuestras cuentas, nuestros dispositivos y nuestros secretos. A pesar de ser a menudo lo único que nos separa de un adversario que busca nuestra información privada, no se piensa mucho en ellas, lo que a menudo lleva a la gente a utilizar contraseñas que pueden ser fácilmente adivinadas o forzadas. + +## Buenas prácticas + +### Utilice contraseñas únicas para cada servicio + +Imagínate por un momento esta situación: te suscribes con el mismo correo y contraseña en múltiples servicios online. Si alguno de esos proveedores de servicios es malicioso, o su servicio tiene una filtración de datos que expone tu contraseña en un formato sin encriptar, todo lo que los malos actores deben hacer es probar esa combinación de correo electrónico y contraseña, a través de múltiples servicios populares hasta obtener un resultado. No importa lo fuerte que sea esa contraseña, porque ya la tienen. + +Esto es llamado [suplantación de identidad](https://en.wikipedia.org/wiki/Credential_stuffing), y es una de las formas comunes en que las cuentas son comprometidas por malos actores. Para evitar esto, asegúrate de que nunca reutilices tus contraseñas. + +### Utilizar contraseñas generadas aleatoriamente + +===**Nunca** debes confiar en ti mismo para inventar una buena contraseña.== Recomendamos utilizar [contraseñas generadas aleatoriamente](#passwords) o [frases de contraseña](#diceware-passphrases) con suficiente entropía para proteger tus cuentas y dispositivos. + +Todos nuestros [gestores recomendados de contraseñas](../passwords.md) incluyen un generador integrado de contraseñas que puedes usar. + +### Rotación de contraseñas + +Debes evitar cambiar frecuentemente las contraseñas que debes recordar (como la contraseña maestra de tu gestor de contraseñas), a menos que tengas alguna razón para creer que ha sido comprometida, porque cambiarla con mucha frecuencia te expone al riesgo de olvidarla. + +Cuando se trata de contraseñas que no tienes que recordar (como las contraseñas almacenadas en tu gestor de contraseñas), si tu [modelo de amenazas](threat-modeling.md) lo requiere, recomendamos revisar las cuentas importantes (especialmente las cuentas que no utilizan autenticación multifactor) y cambiar tu contraseña cada dos meses, en caso de que se hayan visto comprometidas en una filtración de datos que aún no se haya hecho pública. La mayoría de los gestores de contraseñas permiten fijar una fecha de caducidad para facilitar su gestión. + +!!! tip "Comprobando violaciones de datos" + + Si su gestor de contraseñas te permite comprobar si hay contraseñas comprometidas, asegúrate de hacerlo y cambia inmediatamente cualquier contraseña que pueda haber quedado expuesta en una filtración de datos. Alternativamente, podrías seguir el [feed de Últimos Alcances de Pwned](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) con la ayuda de un [agregador de noticias](../news-aggregators.md). + +## Creando contraseñas fuertes + +### Contraseñas + +Muchos servicios imponen ciertos criterios a las contraseñas, incluida una longitud mínima o máxima, así como los caracteres especiales que pueden utilizarse. Debes utilizar el generador de contraseñas integrado en tu gestor de contraseñas para crear contraseñas tan largas y complejas como te permita el servicio, incluyendo letras mayúsculas y minúsculas, números y caracteres especiales. + +Si necesitas una contraseña que puedas memorizar, te recomendamos [frases de contraseña de diceware](#diceware-passphrases). + +### Frases de contraseña de Diceware + +Diceware es un método para crear contraseñas fáciles de recordar, pero difíciles de adivinar. + +Las frases de contraseña Diceware son una gran opción cuando necesitas memorizar o introducir manualmente tus credenciales, como para la contraseña maestra de tu gestor de contraseñas o la contraseña de cifrado de tu dispositivo. + +Un ejemplo de una frase de contraseña de diceware es `lápiz blando diecisiete resistente a la solidez visible`. + +Para generar una frase de contraseña diceware utilizando dados reales, sigue estos pasos: + +!!! note "Nota" + + Estas instrucciones asumen que estás usando [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) para generar la frase de contraseña, que requiere cinco tiradas de dados por palabra. Otras listas de palabras pueden requerir más o menos tiradas por palabra, y pueden necesitar una cantidad diferente de palabras para alcanzar la misma entropía. + +1. Tira un dado de seis caras cinco veces y anota el número después de cada tirada. + +2. Por ejemplo, digamos que sacas `2-5-2-6-6`. Busque en la gran lista de palabras de [EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) la palabra que corresponde a `25266`. + +3. Encontrará la palabra `encriptar`. Escribe esa palabra. + +4. Repite este proceso hasta que tu frase de contraseña tenga tantas palabras como necesites, que deberás separar con un espacio. + +!!! warning "Importante" + + **No** debes volver a tirar las palabras hasta que consigas una combinación que te guste. El proceso debe ser completamente aleatorio. + +Si no tienes acceso a dados reales o prefieres no utilizarlos, puedes utilizar el generador de contraseñas integrado en tu gestor de contraseñas, ya que la mayoría de ellos tienen la opción de generar frases de contraseña diceware además de contraseñas normales. + +Te recomendamos que utilices la gran lista de palabras de [EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) para generar tus frases de contraseña diceware, ya que ofrece exactamente la misma seguridad que la lista original, a la vez que contiene palabras más fáciles de memorizar. También hay [otras listas de palabras en diferentes idiomas](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), si no quieres que tu frase de contraseña esté en inglés. + +??? note "Explicación de la entropía y la fuerza de las frases de contraseña diceware" + + Para demostrar lo fuertes que son las frases de contraseña diceware, utilizaremos la frase de contraseña de siete palabras antes mencionada (`viewable fastness reluctant squishy seventeen shown pencil`) y [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) como ejemplo. + + Una métrica para determinar la fuerza de una frase de contraseña diceware es cuánta entropía tiene. La entropía por palabra en una frase de contraseña diceware se calcula como $\text{log}_2(\text{WordsInList})$ y la entropía global de la frase de contraseña se calcula como $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Por lo tanto, cada palabra de la lista mencionada da como resultado ~12,9 bits de entropía ($\text{log}_2(7776)$), y una frase de contraseña de siete palabras derivada de ella tiene ~90,47 bits de entropía ($\text{log}_2(7776^7)$). + + La [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contiene 7776 palabras únicas. Para calcular la cantidad de frases de contraseña posibles, todo lo que tenemos que hacer es $\text{WordsInList}^\text{WordsInPhrase}$, o en nuestro caso, $7776^7$. + + Pongamos todo esto en perspectiva: Una frase de siete palabras utilizando la gran lista de palabras de la EFF (https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) es una de las ~1.719.070.799.748.422.500.000.000.000 frases posibles. + + Por término medio, se necesita probar el 50% de todas las combinaciones posibles para adivinar su frase. Teniendo esto en cuenta, incluso si tu adversario es capaz de realizar ~1.000.000.000.000 de intentos por segundo, aún tardaría ~27.255.689 años en adivinar tu frase de contraseña. Esto es así incluso si las siguientes cosas son ciertas: + + - Tu adversario sabe que has utilizado el método diceware. + - Tu adversario conoce la lista de palabras específica que utilizaste. + - Tu adversario sabe cuántas palabras contiene tu frase de contraseña. + +En resumen, las frases de contraseña diceware son tu mejor opción cuando necesitas algo que sea fácil de recordar *y* excepcionalmente fuerte. + +## Almacenamiento de contraseñas + +### Gestores de Contraseñas + +La mejor forma de almacenar tus contraseñas es utilizar un gestor de contraseñas. Permiten almacenar las contraseñas en un archivo o en la nube y protegerlas con una única contraseña maestra. De esta forma, sólo tendrás que recordar una contraseña segura, que te permita acceder al resto. + +Hay muchas buenas opciones para elegir, tanto basadas en la nube como locales. Elige uno de nuestros gestores de contraseñas recomendados y utilízalo para establecer contraseñas seguras en todas tus cuentas. Le recomendamos que proteja su gestor de contraseñas con una frase de contraseña [diceware](#diceware-passphrases) compuesta por al menos siete palabras. + +[Lista de gestores de contraseñas recomendados](../passwords.md ""){.md-button} + +!!! warning "No coloques tus contraseñas y tokens TOTP dentro del mismo gestor de contraseñas" + + Cuando utilices códigos TOTP como [autenticación multifactor](../multi-factor-authentication.md), la mejor práctica de seguridad es mantener tus códigos TOTP en una [app separada](../multi-factor-authentication.md#authenticator-apps). + + Almacenar tus tokens TOTP en el mismo lugar que tus contraseñas, aunque cómodo, reduce las cuentas a un único factor en caso de que un adversario acceda a tu gestor de contraseñas. + + Además, no recomendamos almacenar códigos de recuperación de un solo uso en su gestor de contraseñas. Deberían almacenarse por separado, por ejemplo en un contenedor cifrado en un dispositivo de almacenamiento fuera de línea. + +### Copias de seguridad + +Debes almacenar una copia de seguridad [cifrada](../encryption.md) de tus contraseñas en varios dispositivos de almacenamiento o en un proveedor de almacenamiento en la nube. Esto puede ayudarte a acceder a tus contraseñas si le ocurre algo a tu dispositivo principal o al servicio que estás utilizando. diff --git a/i18n/es/basics/threat-modeling.md b/i18n/es/basics/threat-modeling.md new file mode 100644 index 00000000..649644c3 --- /dev/null +++ b/i18n/es/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "¿Qué son los modelos de amenaza?" +icon: 'material/target-account' +description: Equilibrar la seguridad, privacidad y usabilidad es una de las primeras y más difíciles tareas a las que te enfrentarás en tu camino de privacidad. +--- + +Equilibrar la seguridad, privacidad y usabilidad es una de las primeras y más difíciles tareas a las que te enfrentarás en tu camino de privacidad. Todo es un intercambio: Entre más seguro algo es, más restrictivo o inconveniente suele ser, etc. A menudo, gente encuentra que el problema con las herramientas que ven recomendadas es que son demasiado difíciles de comenzar a usar! + +Si quisieras utilizar las herramientas **más** seguras disponibles, tendrías que sacrificar *mucha* usabilidad. Y, aun así, ==nunca nada es totalmente seguro.== Hay **alta** seguridad, pero nunca **plena** seguridad. Por eso es que los modelos de amenaza son importantes. + +**Entonces, ¿qué son estos modelos de amenaza?** + +==Un modelo de amenazas es una lista de las amenazas más probables a tus esfuerzos de seguridad y privacidad.== Dado que es imposible protegerte contra **cada** ataque/atacante, debes centrarte en las **amenazas más probables**. En seguridad informática, una amenaza es un acontecimiento que podría socavar tus esfuerzos por mantenerte privado y seguro. + +Centrarte en las amenazas que te importan reduce tu pensamiento sobre la protección que necesitas, para que puedas elegir las herramientas adecuadas para el trabajo. + +## Creando de Tu Modelo de Amenaza + +Para identificar lo que podría ocurrirle a las cosas que valora y determinar de quién necesitas protegerlas, deberías responder estas cinco preguntas: + +1. ¿Qué quiero proteger? +2. ¿De quién quiero protegerlo? +3. ¿Qué tan probable será que necesite protegerlo? +4. ¿Qué tan graves serían las consecuencias si fallo? +5. ¿Cuánto esfuerzo estoy dispuesto a dedicar para prevenir posibles consecuencias? + +### ¿Qué quiero proteger? + +Un "activo" es algo que valoras y quieres proteger. En el contexto de la seguridad digital, un activo es usualmente algún tipo de información. Por ejemplo, tus correos electrónicos, listas de contactos, mensajes instantáneos, ubicación y archivos son todos posibles activos. Tus dispositivos también podrían ser activos. + +*Haz una lista de tus activos: datos que guardas, dónde se guardan, quién tiene acceso a ellos y qué impide que otros los accedan.* + +### ¿De quién quiero protegerlo? + +Para responder a esta pregunta, es importante identificar quién podría querer suponer una amenaza para usted o su información. ==Una persona o entidad que supone una amenaza para sus activos es un "adversario". ==Ejemplos de adversarios potenciales son tu jefe, tu ex pareja, tu competencia empresarial, tu gobierno o un hacker en una red pública. + +*Haz una lista de tus adversarios o de aquellos que podrían querer apoderarse de tus activos. Su lista puede incluir individuos, una agencia gubernamental o empresas.* + +Dependiendo de quiénes sean tus adversarios, en algunas circunstancias, esta lista podría ser algo que quisieras destruir después de que hayas terminado de planificar la seguridad. + +### ¿Qué tan probable será que necesite protegerlo? + +==El riesgo es la probabilidad de que una determinada amenaza contra un determinado activo se produzca realmente. ==Va de la mano con la capacidad. Aunque tu proveedor de telefonía móvil tiene la capacidad de acceder a todos tus datos, el riesgo de que publiquen tus datos privados en Internet para dañar tu reputación es bajo. + +Es importante distinguir entre lo que podría ocurrir y la probabilidad de que ocurra. Por ejemplo, existe la amenaza de que su edificio se derrumbe, pero el riesgo de que esto ocurra es mucho mayor en San Francisco (donde los terremotos son habituales) que en Estocolmo (donde no lo son). + +La evaluación de los riesgos es un proceso personal y subjetivo. Muchas personas consideran que ciertas amenazas son inaceptables sin importar la probabilidad de que se produzcan porque la mera presencia de la amenaza con cualquier probabilidad no merece la pena. En otros casos, las personas ignoran algunos altos riesgos porque no ven la amenaza como un problema. + +*Anote qué amenazas va a tomar en serio y cuáles pueden ser demasiado raras o demasiado inofensivas (o demasiado difíciles de combatir) como para preocuparse por ellas.* + +### ¿Qué tan graves serían las consecuencias si fallo? + +Hay muchas maneras de que un adversario pueda acceder a sus datos. Por ejemplo, un adversario puede leer sus comunicaciones privadas mientras pasan por la red, o puede borrar o corromper sus datos. + +==Los motivos de los adversarios son muy diferentes, al igual que sus tácticas. ==Un gobierno que intenta evitar la propagación de un vídeo que muestra la violencia policial está contento si simplemente elimina o reduce la disponibilidad de ese vídeo. Por el contrario, un opositor político puede querer acceder a contenido secreto y publicarlo sin que usted lo sepa. + +La planificación de la seguridad implica comprender las consecuencias que podría tener el hecho de que un adversario consiga acceder a uno de sus activos. Para determinar esto, debe considerar la capacidad de su adversario. Por ejemplo, tu proveedor de telefonía móvil tiene acceso a todos tus registros de telefónicos. Un hacker en una red Wi-Fi abierta puede acceder a sus comunicaciones no cifradas. Su gobierno podría tener capacidades más fuertes. + +*Escriba lo que su adversario podría querer hacer con sus datos privados.* + +### ¿Cuánto esfuerzo estoy dispuesto a dedicar para prevenir posibles consecuencias? + +==Hay una opción perfecta para la seguridad.== No todos tienen las mismas prioridades, preocupaciones o acceso a los recursos. Su evaluación de riesgos le permitirá planificar la estrategia adecuada para usted, equilibrando la comodidad, el coste y la privacidad. + +Por ejemplo, un abogado que representa a un cliente en un caso de seguridad nacional puede estar dispuesto a hacer mayores esfuerzos para proteger las comunicaciones sobre ese caso, como el uso de correo electrónico cifrado, que una madre que envía regularmente a su hija vídeos divertidos de gatos por correo electrónico. + +*Anote las opciones que tiene a su disposición para ayudar a mitigar sus amenazas únicas. Tenga en cuenta si tiene limitaciones financieras, técnicas o sociales.* + +### Pruébalo tú mismo: Protegiendo tus pertenencias + +Estas preguntas pueden aplicarse a una amplia variedad de situaciones, tanto en línea como fuera de línea. Como demostración genérica de cómo funcionan estas preguntas, vamos a construir un plan para mantener tu casa y tus posesiones a salvo. + +**¿Qué quiere proteger? (O bien, *¿qué tiene que vale la pena proteger?*)** +: + +Sus activos pueden incluir joyas, aparatos electrónicos, documentos importantes o fotos. + +**¿De quién quiere protegerlo?** +: + +Sus adversarios pueden ser ladrones, compañeros de piso o invitados. + +**¿Qué probabilidad hay de que tenga que protegerlo?** +: + +¿Su vecindario un historial de robos? ¿Cuán fiables son tus compañeros de habitación o invitados? ¿Cuáles son las capacidades de sus adversarios? ¿Cuáles son los riesgos que debe tener en cuenta? + +**¿Cómo de graves son las consecuencias si fallas?** +: + +¿Tienes cualquier cosa en tu casa que no puedas reemplazar? ¿Tienes el tiempo o el dinero para reemplazar esas cosas? ¿Tienes un seguro que cubra los bienes robados de tu hogar? + +**¿Cuánto esfuerzo estás dispuesto a dedicar para prevenir estas consecuencias?** +: + +¿Estás dispuesto a comprar una caja fuerte para documentos confidenciales? ¿Puedes permitirte comprar una cerradura de alta calidad? ¿Tiene tiempo para abrir una caja de seguridad en tu banco local y mantener tus objetos de valor allí? + +Solo una vez que te hayas hecho estas preguntas estarás en posición para evaluar qué medidas tomar. Si tus posesiones son valiosas, pero la probabilidad de un robo es baja, quizás no quieras invertir demasiado en una cerradura. Pero, si la probabilidad de un robo es alta, querrás conseguir la mejor cerradura del mercado y considerar añadir un sistema de seguridad. + +Elaborar un plan de seguridad te ayudará a comprender las amenazas que te son propias y a evaluar tus activos, tus adversarios y las capacidades de ellos, junto con la probabilidad de los riesgos a los que te enfrentas. + +## Lecturas Adicionales + +Para las personas quienes desean aumentar su privacidad y seguridad en línea, hemos recopilado una lista de amenazas comunes a las que se enfrentan nuestros visitantes o de objetivos que tienen nuestros visitantes, para darles un poco de inspiración y demostrar la base de nuestras recomendaciones. + +- [Objetivos Comunes y Amenazas :material-arrow-right-drop-circle:](common-threats.md) + +## Fuentes + +- [EFF Defensa Personal de Vigilancia: Tu Plan de Seguridad](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/es/basics/vpn-overview.md b/i18n/es/basics/vpn-overview.md new file mode 100644 index 00000000..e11aa615 --- /dev/null +++ b/i18n/es/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: Vista general de VPN +icon: material/vpn +description: Las Redes Privadas Virtuales desplazan el riesgo de tu proveedor de Internet a un tercero quien confías. Debes tener en cuenta estas cosas. +--- + +Las redes privadas virtuales son una forma de ampliar el extremo de tu red para que salga por otro lugar en el mundo. Un ISP puede ver el flujo de tráfico de Internet que entra y sale de tu dispositivo de terminación de red (es decir, el módem). + +Los protocolos de cifrado como HTTPS se utilizan habitualmente en Internet, por lo que no puedan ser capaces de ver exactamente lo que estés publicando o leyendo, pero pueden hacerse una idea de los [dominios que solicitas](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Una VPN puede ayudar, ya que puede trasladar la confianza a un servidor en otro lugar del mundo. Como resultado, el ISP solamente ve que estás conectado a una VPN y nada sobre la actividad que le estás pasando. + +## ¿Yo debería usar una VPN? + +**Sí**, a menos que ya estés usando Tor. Una VPN hace dos cosas: trasladar los riesgos de tu proveedor de servicios de Internet a sí mismo y ocultar tu IP de un servicio de terceros. + +Las VPNs no pueden encriptar datos fuera de la conexión entre tu dispositivo y el servidor VPN. Los proveedores de VPN pueden ver y modificar tu tráfico del mismo modo que tu proveedor de Internet podría. Y no hay forma en absoluto de verificar las políticas de "no registro" de un proveedor de VPN. + +Sin embargo, sí ocultan tu IP real de un servicio de terceros, siempre que no haya fugas de IP. Te ayudan a mezclarte con los demás y a mitigar el seguimiento basado en la IP. + +## ¿Cuándo no debería usar una VPN? + +El uso de una VPN casos donde estés utilizando tu [identidad conocida](common-threats.md#common-misconceptions) probablemente no será útil. + +Si lo haces, puede activar sistemas de detección de spam y fraude, por ejemplo si te conectas al sitio web de tu banco. + +## ¿Qué pasa con la encriptación? + +El cifrado que ofrecen los proveedores de VPN se realiza entre tus dispositivos y sus servidores. Garantiza que este enlace específico es seguro. Esto supone un paso adelante respecto al uso de proxies no cifrados, en los que un adversario en la red puede interceptar las comunicaciones entre tus dispositivos y dichos proxies y modificarlas. Sin embargo, el cifrado entre tus aplicaciones o navegadores con los proveedores de servicios no se gestiona mediante este cifrado. + +Para mantener la privacidad y seguridad de lo que haces en los sitios web que visitas, debes utilizar HTTPS. Esto mantendrá tus contraseñas, tokens de sesión y consultas a salvo del proveedor de VPN. Considera la posibilidad de activar "HTTPS en todas partes" en tu navegador para mitigar los ataques de degradación como [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## ¿Debo utilizar DNS cifrado con una VPN? + +A menos que tu proveedor de VPN aloje los servidores DNS cifrados, **no**. Usar DOH/DOT (o cualquier otra forma de DNS encriptado) con servidores de terceros simplemente añadirá más entidades en las que confiar y no hace **absolutamente nada** para mejorar tu privacidad/seguridad. Tu proveedor de VPN aún puede ver qué sitios web visitas basándose en las direcciones IP y otros métodos. En lugar de confiar únicamente en tu proveedor de VPN, ahora confías tanto en el proveedor de VPN como en el proveedor de DNS. + +Una razón común para recomendar DNS cifrado es que ayuda contra el spoofing de DNS. Sin embargo, tu navegador ya debería estar buscando [certificados TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) con **HTTPS** y advertirte al respecto. Si no estás utilizando **HTTPS**, entonces un adversario todavía puede simplemente modificar cualquier cosa que no sean tus consultas DNS y el resultado final será similar. + +No hace falta decir que **no deberías usar DNS encriptados con Tor**. Esto dirigiría todas tus peticiones DNS a través de un único circuito y permitiría al proveedor de DNS cifrado desanonimizarte. + +## ¿Debería usar Tor *y* una VPN? + +Al usar una VPN con Tor, estás creando esencialmente un nodo de entrada permanente, a menudo con un rastro de dinero adjunto. Esto no te proporciona ningún beneficio adicional, a la vez que aumenta drásticamente la superficie de ataque de tu conexión. Si deseas ocultar el uso de Tor a tu ISP o a tu gobierno, Tor tiene una solución incorporada para eso: los puentes Tor. [Lee más sobre los puentes Tor y por qué no es necesario usar una VPN](../advanced/tor-overview.md). + +## ¿Y si necesito anonimato? + +Las VPN no pueden proporcionar anonimato. Tu proveedor de VPN aún verá tu dirección IP real, y a menudo tiene un rastro de dinero que puede vincularse directamente a ti. No puedes confiar en las políticas de "no registro" para proteger tus datos. Usa [Tor](https://www.torproject.org/) en vez. + +## ¿Qué pasa con los proveedores de VPN que proporcionan nodos Tor? + +No utilices esa función. El punto de usar Tor es que no confías en tu proveedor de VPN. Actualmente Tor solamente soporta el protocolo [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (utilizado en [WebRTC](https://en.wikipedia.org/wiki/WebRTC) para compartir voz y vídeo, el nuevo protocolo [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) y otros paquetes serán descartados. Para compensar por esto, los proveedores de VPN suelen enrutar todos los paquetes no TCP a través de su servidor VPN (tu primer salto). Este es el caso con [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Adicionalmente, al usar esta configuración de Tor sobre VPN, no tienes control sobre otras funciones importantes de Tor como [Dirección de Destino Aislada](https://www.whonix.org/wiki/Stream_Isolation) (usando un circuito Tor diferente para cada dominio que visitas). + +La función debe verse como una forma conveniente de acceder a la Red Tor, no para permanecer anónimo. Para anonimato adecuado, usa el navegador Tor, TorSocks o una puerta de enlace Tor. + +## ¿Cuándo son útiles las VPNs? + +Una VPN puede seguir siéndote útil en una variedad de escenarios, por ejemplo: + +1. Ocultando tu tráfico de **sólo** tu proveedor de servicios de Internet. +1. Ocultando tus descargas (como los torrents) de tu ISP y a las organizaciones antipiratería. +1. Ocultando tu IP de sitios web y servicios de terceros, evitando el rastreo basado en IP. + +Para situaciones como estas, o si tienes otra razón de peso, los proveedores de VPN que hemos enumerado anteriormente son los que consideramos más fiables. Sin embargo, utilizar un proveedor de VPN aun significa que estás *confiando* en el proveedor. En casi cualquier otro escenario deberías estar usando una herramienta segura**-por diseño** como Tor. + +## Fuentes y Lecturas Complementarias + +1. [VPN - una narrativa muy precaria](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) por Dennis Schubert +1. [Visión General de la Red Tor](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["¿Necesito una VPN?"](https://www.doineedavpn.com), una herramienta desarrollada por IVPN para desafiar el mercadeo agresivo de las VPN ayudando las personas a decidir si una VPN es adecuada para ellas. + +## Información Relacionada con las VPNs + +- [El Problema con los Sitios de Revisión de VPNs y de Privacidad](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Investigación de Aplicaciones de VPN Gratuita](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Propietarios ocultos de VPN revelados: 101 productos VPN administrados por solo 23 empresas](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [Esta empresa china está secretamente detrás de 24 aplicaciones populares que buscan permisos peligrosos](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/es/calendar.md b/i18n/es/calendar.md new file mode 100644 index 00000000..2a104b00 --- /dev/null +++ b/i18n/es/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Sincronización de Calendario" +icon: material/calendar +description: Calendarios contienen algunos de tus datos más sensibles; usa productos que apliquen el cifrado en reposo. +--- + +Los calendarios contienen algunos de sus datos más sensibles; utilice productos que implementen E2EE en reposo para evitar que un proveedor pueda leerlos. + +## Tutanota + +!!! recommendation + + ![Logotipo de Tutanota](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Logotipo de Tutanota](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** ofrece un calendario gratuito y cifrado en todas las plataformas compatibles. Entre sus características se incluyen: E2EE automático de todos los datos, funciones de uso compartido, funcionalidad de importación/exportación, autenticación multifactor y [more](https://tutanota.com/calendar-app-comparison/). + + Las funciones de calendarios múltiples y uso compartido ampliado están limitadas a los suscriptores de pago. + + [:octicons-home-16: Inicio](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Calendario de Proton + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** es un servicio de calendario encriptado disponible para los miembros de Proton a través de clientes web o móviles. Entre sus características se incluyen: E2EE automático de todos los datos, funciones para compartir, funcionalidad de importación/exportación y [more](https://proton.me/support/proton-calendar-guide). Los usuarios de la versión gratuita tienen acceso a un único calendario, mientras que los suscriptores de pago pueden crear hasta 20 calendarios. La funcionalidad de uso compartido extendido también se limita a los suscriptores de pago. + + [:octicons-home-16: Inicio](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Cualificaciones mínimas + +- Debe sincronizar y almacenar la información con E2EE para garantizar que los datos no sean visibles para el proveedor de servicios. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe integrarse con las aplicaciones nativas de calendario y gestión de contactos del sistema operativo, si procede. diff --git a/i18n/es/cloud.md b/i18n/es/cloud.md new file mode 100644 index 00000000..a404d821 --- /dev/null +++ b/i18n/es/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Almacenamiento en la Nube" +icon: material/file-cloud +description: Muchos proveedores de almacenamiento en la nube exigen que confíes plenamente en que no mirarán tus archivos. Estas son alternativas privadas. +--- + +Muchos proveedores de almacenamiento en la nube exigen que confíes plenamente en que no mirarán tus archivos. Las alternativas enumeradas a continuación eliminan la necesidad de confianza mediante la implementación de E2EE seguros. + +Si estas alternativas no se ajustan a tus necesidades, te sugerimos que busques utilizar un software de encriptación como [Cryptomator](encryption.md#cryptomator-cloud) con otro proveedor en la nube. Utilizar Cryptomator junto con **cualquier** proveedor de la nube(incluidos estos) puede ser una buena idea para reducir el riesgo de fallos de cifrado en los clientes nativos de un proveedor. + +??? question "¿Buscas Nextcloud?" + + Nextcloud es [todavía una herramienta recomendada](productivity.md) para el autoalojamiento de una suite de gestión de archivos, sin embargo no recomendamos proveedores de almacenamiento Nextcloud de terceros por el momento, porque no [recomendamos](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) la funcionalidad E2EE integrada de Nextcloud para usuarios domésticos. + +## Proton Drive + +!!! recommendation + + ![Logo de Proton Drive](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** es un proveedor suizo de almacenamiento cifrado en la nube del popular proveedor de correo electrónico cifrado [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Inicio](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +La aplicación web Proton Drive ha sido auditada de forma independiente por Securitum en [2021](https://proton.me/blog/security-audit-all-proton-apps), no se han facilitado todos los detalles, pero la carta de certificación de Securitum afirma lo siguiente: + +> Los auditores identificaron dos vulnerabilidades de baja gravedad. Además, se notificaron cinco recomendaciones generales. Al mismo tiempo, confirmamos que no se detectaron problemas de seguridad importantes durante el pentest. + +Los nuevos clientes móviles de Proton Drive aún no han sido auditados públicamente por un tercero. + +## Tresorit + +!!! recommendation + + ![Logo de Tresorit](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** es un proveedor húngaro de almacenamiento cifrado en la nube fundado en 2011. Tresorit es propiedad de Swiss Post, el servicio postal nacional de Suiza. + + [:octicons-home-16: Inicio](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentación} + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit ha recibido varias auditorías de seguridad independientes: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] [Certificación](https://www.certipedia.com/quality_marks/9108644476) de conformidad por TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Pruebas de penetración de Computest + - Esta revisión evaluó la seguridad del cliente web Tresorit, la aplicación Android, la aplicación Windows y la infraestructura asociada. + - Computest descubrió dos vulnerabilidades que ya han sido resueltas. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Pruebas de penetración de Ernst & Young. + - En esta revisión se analizó el código fuente completo de Tresorit y se validó que la implementación coincide con los conceptos descritos en el [libro blanco](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf) de Tresorit. + - Ernst & Young probó además los clientes web, móvil y de escritorio: "Los resultados de las pruebas no encontraron ninguna desviación de las afirmaciones de confidencialidad de datos de Tresorit". + +También han recibido el Sello de Confianza Digital, una certificación de la [Iniciativa Digital Suiza](https://www.swiss-digital-initiative.org/digital-trust-label/) que exige superar [35 criterios](https://digitaltrust-label.swiss/criteria/) relacionados con la seguridad, la privacidad y la fiabilidad. + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Hay muchos factores que se consideran y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- Debe aplicar el cifrado de extremo a extremo. +- Debe ofrecer un plan gratuito o un periodo de prueba. +- Debe ser compatible con la autenticación multifactor TOTP o FIDO2, o con los inicios de sesión Passkey. +- Debe ofrecer una interfaz web que admita funciones básicas de gestión de archivos. +- Debe permitir exportar fácilmente todos los archivos/documentos. +- Debe utilizar un cifrado estándar auditado. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Los clientes deben ser de código abierto. +- Los clientes deben ser auditados en su totalidad por un tercero independiente. +- Debe ofrecer clientes nativos para Linux, Android, Windows, macOS e iOS. + - Estos clientes deben integrarse con las herramientas nativas del sistema operativo para los proveedores de almacenamiento en la nube, como la integración de la aplicación Files en iOS, o la funcionalidad DocumentsProvider en Android. +- Debe permitir compartir archivos fácilmente con otros usuarios. +- Debe ofrecer al menos funciones básicas de previsualización y edición de archivos en la interfaz web. + +[^1]: [El cumplimiento de la norma ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 se refiere al sistema de gestión de la seguridad de la información de la empresa [](https://en.wikipedia.org/wiki/Information_security_management) y abarca la venta, el desarrollo, el mantenimiento y la asistencia de sus servicios en la nube. diff --git a/i18n/es/cryptocurrency.md b/i18n/es/cryptocurrency.md new file mode 100644 index 00000000..a847bee7 --- /dev/null +++ b/i18n/es/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Criptomonedas +icon: material/bank-circle +--- + +Realizar pagos en línea es uno de los principales desafíos para la privacidad. Estas criptomonedas le brindan privacidad a sus transacciones (algo que **no** está garantizado por la mayoría de las criptomonedas), permitiéndole tener una alta comprensión de cómo hacer pagos privados correctamente. Le recomendamos encarecidamente que primero lea nuestro apartado de pagos antes de realizar cualquier compra: + +[Hacer pagos privados: :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger "Peligro" + + Muchas, si no la mayoría de los proyectos de criptomonedas son estafas. Únicamente realice transacciones con los proyectos en los que confíe. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** utiliza una cadena de bloques (blockchain) con tecnologías que mejoran la privacidad. Cada transacción realizada con Monero, oculta el monto de la transacción, las direcciones de envío y recepción, además del origen de los fondos sin ningún intermediario, convirtiéndola en una opción ideal para los novatos en las criptomonedas. + + [:octicons-home-16: Página principal](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +Con Monero, los observadores externos no pueden descifrar las direcciones transaccionales de Monero, los montos de las transacciones, el balance de las direcciones, o el historial de transacciones. + +Para una mejor privacidad, se debe asegurar de utilizar una billetera no monitorizada donde la clave de visualización permanece en el dispositivo. Esto significa que solo usted tiene la capacidad de gastar sus fondos, además de ver las transacciones entrantes y salientes. Si usted utiliza una billetera monitoreada, el proveedor puede ver **todo** lo que hace; si utiliza una billetera "ligera" donde el proveedor retiene su clave privada de visualización, el proveedor puede ver casi todo lo que hace. Algunas billeteras no monitoreadas son: + +- [Cliente oficial de Monero](https://getmonero.org/downloads) (Escritorio) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet soporta múltiples criptomonedas. Una versión de Cake Wallet que únicamente soporta Monero puede obtenerse desde [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Escritorio) +- [Monerujo](https://www.monerujo.io/) (Android) + +Para obtener un nivel máximo de privacidad (incluso con una billetera monitoreada), usted debe ejecutar su propio nodo de Monero. Al utilizar el nodo de otra persona, usted expondrá alguna información a dicha persona, como la dirección IP que utiliza para conectarse, las marcas de tiempo que sincroniza su billetera, y las transacciones que realiza desde su billetera (aunque no hay otros detalles sobre esas transacciones). Alternativamente, usted puede conectarse al nodo de Monero de otra persona a través de Tor o i2p. + +En agosto de 2021, CipherTrace [anunció](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) mejores capacidades de rastreo de Monero para agencias gubernamentales. Publicaciones públicas muestran cómo la Red de Ejecución de Delitos Financieros del Departamento de Tesorería del Gobierno de los Estados Unidos [licenció](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) el módulo CipherTrace de Monero a finales de 2022. + +La privacidad del gráfico transaccional de Monero está limitada por sus firmas de anillo relativamente pequeñas, especialmente contra ataques dirigidos. Las características de privacidad de Monero también han sido [cuestionadas](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) por algunos investigadores de seguridad, y una serie de vulnerabilidades graves han sido encontradas y corregidas en el pasado, haciendo que los reclamos de organizaciones como CipherTrace no están descartadas. Mientras es poco probable que las herramientas de vigilancia masiva de Monero existan como lo hacen para Bitcoin y otras, es seguro que las herramientas de rastreo ayudan en las investigaciones dirigidas. + +En última instancia, Monero es el principal candidato para una criptomoneda amigable con la privacidad, pero sus argumentos de privacidad **no** han sido definitivamente comprobados de una manera u otra. Más tiempo e investigación es requerida para encontrar los puntos donde Monero es lo suficientemente resistente a los ataques como para proporcionar la privacidad adecuada. + +## Criterios + +**Por favor, tome en cuenta que no estamos asociados con ninguno de los proyectos que recomendamos. ** En adición a [nuestros criterios base](about/criteria.md), hemos desarrollado un claro conjunto de requisitos que nos permiten brindar recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de elegir utilizar un proyecto y realizar su propia investigación para asegurarse que es la elección ideal para usted. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna pregunta sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no consideramos algo, cuando una recomendación no está listada aquí. Hay muchos factores considerados y discutidos cuando recomendamos un proyecto, y documentamos cada uno como un trabajo en proceso. + +- Las criptomonedas deben brindar transacciones privadas o imposibles de rastrear por defecto. diff --git a/i18n/es/data-redaction.md b/i18n/es/data-redaction.md new file mode 100644 index 00000000..6c3347a5 --- /dev/null +++ b/i18n/es/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Redacción de Datos y Metadatos" +icon: material/tag-remove +description: Utiliza estas herramientas para eliminar metadatos como la ubicación GPS y otros datos identificativos de las fotos y archivos que compartas. +--- + +Cuando compartas archivos, asegúrate de remover los metadatos asociados. Archivos de imagen comúnmente incluyen datos [Exif](https://en.wikipedia.org/wiki/Exif). Fotos a veces incluyen hasta coordenadas GPS en los metadatos del archivo. + +## Equipo de escritorio + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** es un software gratuito que permite eliminar los metadatos de archivos de imagen, audio, torrent y documentos. Proporciona tanto una herramienta de línea de comandos como una interfaz gráfica de usuario a través de una [extensión para Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), el gestor de archivos por defecto de [GNOME](https://www.gnome.org), y [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), el gestor de archivos por defecto de [KDE](https://kde.org). + + En Linux, existe una herramienta gráfica de terceros [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) basada en MAT2 y está [disponible en Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repositorio](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentación} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Móvil + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** es una moderna aplicación de borrado de metadatos de imagen sin permisos para Android. + + Actualmente admite archivos JPEG, PNG y WebP. + + [:octicons-repo-16: Repositorio](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +Los metadatos que son eliminados dependen del tipo de archivo de la imagen: + +* **JPEG**: Los metadatos ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP serán eliminados si existen. +* **PNG**: Los metadatos ICC Profile, Exif y XMP serán eliminados si existen. +* **WebP**: Los metadatos ICC Profile, Exif y XMP serán eliminados si existen. + +Tras procesar las imágenes, ExifEraser te proporciona un informe completo sobre lo que se ha eliminado exactamente de cada imagen. + +La aplicación ofrece múltiples formas de borrar los metadatos de las imágenes. Estas son: + +* Puede compartir una imagen de otra aplicación con ExifEraser. +* A través de la propia aplicación, puedes seleccionar una sola imagen, varias imágenes a la vez o incluso un directorio entero. +* Cuenta con una opción de "Cámara", que utiliza la aplicación de cámara de tu sistema operativo para tomar una foto, y luego elimina los metadatos de la misma. +* Te permite arrastrar fotos desde otra aplicación a ExifEraser cuando ambas están abiertas en modo de pantalla dividida. +* Por último, te permite pegar una imagen desde el portapapeles. + +### Metapho (iOS) + +!!! recommendation + + ![Logo de Metapho](assets/img/data-redaction/metapho. pg){ align=right } + + **Metapho** es un visor simple y limpio para metadatos de fotos como fecha, nombre de archivo, tamaño, modelo de cámara, velocidad de obturación y ubicación. + + [:octicons-home-16: Inicio](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Politica de privacidad" } + + ??? downloads "Descargas" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![Logotipo de PrivacyBlur](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** es una aplicación gratuita que permite difuminar partes sensibles de las imágenes antes de compartirlas en Internet. + + [:octicons-home-16: Inicio](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning "Advertencia" + + No se debe **nunca** utilizar el desenfoque para redactar [texto en imágenes](https://bishopfox.com/blog/unredacter-tool-never-pixelation). Si desea redactar texto en una imagen, dibuje un recuadro sobre el texto. Para ello, te sugerimos aplicaciones como [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Línea de comandos + +### ExifTool + +!!! recommendation + + ![Logotipo de ExifTool](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** es la biblioteca perl original y la aplicación de línea de comandos para leer, escribir y editar meta información (Exif, IPTC, XMP y más) en una amplia variedad de formatos de archivo (JPEG, TIFF, PNG, PDF, RAW y más). + + Suele ser un componente de otras aplicaciones de eliminación de Exif y se encuentra en la mayoría de los repositorios de las distribuciones de Linux. + + [:octicons-home-16: Inicio](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Borrar datos de un directorio de archivos" + + ```bash + exiftool -all= *.extensión_archivo + ``` + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Las aplicaciones desarrolladas para sistemas operativos de código abierto deben ser de código abierto. +- Las aplicaciones deben ser gratuitas y no incluir anuncios ni otras limitaciones. diff --git a/i18n/es/desktop-browsers.md b/i18n/es/desktop-browsers.md new file mode 100644 index 00000000..a9ebe6ed --- /dev/null +++ b/i18n/es/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Navegadores de Escritorio" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Recomendaciones de Navegadores de Escritorio Privados + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/es/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://es.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://es.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Estas son nuestras recomendaciones de navegadores web para computadoras y las configuraciones para la navegación estándar/no anónima por Internet. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +Si necesita navegar por Internet de forma anónima, debería utilizar [Tor](tor.md). We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** brinda una configuración fuerte de privacidad como la [Protección de Rastreo Mejorada](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), que puede ayudar con el bloqueo de varios [tipos de rastreadores](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Página Principal](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentación} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning "Advertencia" + Firefox incluye un [token de descarga](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) único en las descargas del sitio web de Mozilla y utiliza la telemetría de Firefox para enviar el token. El token **no** se incluye en las versiones de [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Configuración Recomendada + +Estas opciones se encuentran en :material-menu: → **Ajustes** → **Privacidad y seguridad**. + +##### Protección antirrastreo mejorada + +- [x] Seleccione **Estricto** Protección de seguimiento mejorada + +Esto le protege bloqueando los rastreadores de redes sociales, las secuencias de comandos de huellas digitales (ten en cuenta que esto no le protege de *todas* las huellas digitales), los criptomineros, las cookies de rastreo de sitios cruzados y algunos otros contenidos de rastreo. ETP protege contra muchas amenazas comunes, pero no bloquea todas las vías de rastreo porque está diseñado para tener un impacto mínimo o nulo en la usabilidad del sitio. + +##### Desinfectar al cerrar + +Si deseas seguir conectado a determinados sitios, puede permitir excepciones en **Cookies y datos del sitio** → **Administrar excepciones....** + +- [x] Marque **Eliminar cookies y datos del sitio cuando se cierra Firefox** + +Esto le protege de las cookies persistentes, pero no le protege de las cookies adquiridas durante una sesión de navegación. Cuando esta opción está activada, es posible limpiar fácilmente las cookies del navegador simplemente reiniciando Firefox. Puedes establece excepciones por sitio, si desea permanecer conectado a un sitio concreto que visite con frecuencia. + +##### Buscar sugerencias + +- [ ] Desmarque **Proporcionar sugerencias de búsqueda** + +Es posible que las funciones de sugerencia de búsqueda no estén disponibles en su región. + +Las sugerencias de búsqueda envían todo lo que escribe en la barra de direcciones al motor de búsqueda predeterminado, independientemente de si realiza una búsqueda real. Desactivar las sugerencias de búsqueda le permite controlar con mayor precisión los datos que envía al proveedor de su motor de búsqueda. + +##### Telemetría + +- [ ] Desmarque **Permitir que Firefox envíe infromación técnica y de interacción a Mozilla** +- [ ] Desmarque **Permitir Firefox para instalar y ejecutar estudios** +- [ ] Desmarque **Permitir que Firefox envié informes de fallos acumulados en tu nombre** + +> Firefox envía datos sobre su versión e idioma de Firefox; sistema operativo del dispositivo y configuración del hardware; memoria, información básica sobre fallos y errores; resultado de procesos automatizados como actualizaciones, navegación segura y activación. Cuando Firefox envía datos, su dirección IP se recoge temporalmente como parte de los registros de nuestro servidor. + +Además, el servicio Firefox Accounts recoge [algunos datos técnicos](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Si usa una cuenta de Firefox, puede excluir: + +1. Abra la [configuración de su perfil en accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Desmarque **Recopilación y uso de datos** > **Ayuda a mejorar Cuentas de Firefox** + +##### Modo solo HTTPS + +- [x] Seleccione **Habilitar el modo solo HTTPS en todas las ventanas** + +Esto evita que se conecte involuntariamente a un sitio web en texto plano HTTP. Los sitios sin HTTPS son poco comunes hoy en día, por lo que esto debería tener poco o ningún impacto en su navegación diaria. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) permite que sus datos de navegación (historial, marcadores, etc.) sean accesibles en todos sus dispositivos y los protege con E2EE. + +### Arkenfox (avanzado) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +El [proyecto Arkenfox](https://github.com/arkenfox/user.js) proporciona un conjunto de opciones cuidadosamente consideradas para Firefox. Si [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) utilizar Arkenfox, unas [pocas opciones](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) son subjetivamente estrictas y/o pueden hacer que algunos sitios web no funcionen correctamente - [lo que puede cambiar fácilmente](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) para adaptarse a sus necesidades. Nosotros **recomendamos encarecidamente** que lea su [wiki ](https://github.com/arkenfox/user.js/wiki)(lamentablemente solo en inglés). Arkenfox también permite el soporte de [contenedores](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users). + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Logo de Brave](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** incluye un bloqueador de contenidos integrado y [funciones de privacidad](https://brave.com/privacy-features/), muchas de las cuales están activadas por defecto. + + Brave se basa en el proyecto de navegador web Chromium, por lo que debería resultar familiar y tener mínimos problemas de compatibilidad con sitios web. + + [:octicons-home-16: Página Principal](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. Desaconsejamos el uso de la versión Flatpak de Brave, ya que sustituye el sandbox de Chromium por el de Flatpak, que es menos efectivo. Además, el paquete no es mantenido por Brave Software, Inc. + +### Configuración Recomendada + +Estas opciones se encuentran en :material-menu: → **Configuración**. + +##### Protecciones + +Brave incluye algunas medidas anti-fingerprinting en su función de [Escudos](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Sugerimos configurar estas opciones [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) en todas las páginas que visite. + +Las opciones de los escudos pueden reducirse según las necesidades de cada sitio, pero por defecto recomendamos configurar lo siguiente: + +
+ +- [x] Seleccione **Impedir que los sitios obtengan mis huellas digitales en función de mis preferencias de idioma** +- [x] Selecciona * * Agresivo * * en Bloqueo de rastreadores y anuncios + + ??? advertencia "Use listas de filtros predeterminadas" + Brave le permite seleccionar filtros de contenido adicionales dentro de la página interna `brave://adblock`. Le aconsejamos que no utilice esta función; en su lugar, mantenga las listas de filtros predeterminadas. El uso de listas adicionales le hará destacar entre los demás usuarios de Brave y también puede aumentar la superficie de ataque si hay un exploit en Brave y se añade una regla maliciosa a una de las listas que utiliza. + +- [x] (Opcional) Seleccione **Bloquear Scripts** (1) +- [x] Seleccione **Estricto, puede dañar los sitios** en Bloquear huellas digitales + +
+ +1. Esta opción proporciona una funcionalidad similar a los [modos de bloqueo ](https://github.com/gorhill/uBlock/wiki/Blocking-mode)avanzados de uBlock Origin o la extensión [NoScript](https://noscript.net/). + +##### Bloqueo de RRSS + +- [ ] Desmarque todos los componentes de redes sociales + +##### Privacidad y seguridad + +
+ +- [x] Selecciona **Desactivar UDP no proxy** en [Política de gestión de IP de WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Desmarca **Utilizar los servicios de Google para la mensajería push** +- [ ] Desmarca **Permitir análisis de productos que preservan la privacidad (P3A)** +- ¡[ ] Desmarcar **Enviar automáticamente ping de uso diario a Brave** +- [ ] Desmarca **Enviar automáticamente informes de diagnóstico** +- [x] Selecciona **Usar siempre conexiones seguras** en el menú **Seguridad** +- [ ] Desmarca **Ventana privada con Tor** (1) + + !!! consejo "Desinfectar al cerrar" + - [x] Selecciona **Borrar cookies y datos de sitios al cerrar todas las ventanas** en el menú *Cookies y otros datos de sitios* + + Si deseas permanecer conectado a un sitio concreto que visitas con frecuencia, puedes establecer excepciones por sitio en la sección *Comportamientos personalizados*. + +
+ +1. Brave **no** es tan resistente a las huellas dactilares como Tor Browser y mucha menos gente usa Brave con Tor, así que usted destacará. Cuando se requiera un [fuerte anonimato](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) utilice [Tor Browser ](tor.md#tor-browser). + +##### Extensiones + +Desactive las extensiones integradas que no utilice en **Extensiones** + +- [ ] Desmarca **Hangouts** +- [ ] Desmarca **WebTorrent** + +##### Web3 + +
+ +- [x] Selecciona Deshabilitado en Método para resolver los recursos IPFS (1) + +
+ +1. El Sistema de Archivos InterPlanetario (IPFS) es una red descentralizada, de igual a igual, para almacenar y compartir datos en un sistema de archivos distribuido. A menos que utilice la función, desactívela. + +##### Ajustes Adicionales + +En el menú *Sistema* + +
+ +- [ ] Desmarca **Seguir ejecutando aplicaciones en segundo plano al cerrar Brave** para desactivar las aplicaciones en segundo plano (1) + +
+ +1. Esta opción no está presente en todas las plataformas. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permite que sus datos de navegación (historial, marcadores, etc.) sean accesibles en todos sus dispositivos sin necesidad de una cuenta y los protege con E2EE. + +## Recursos Adicionales + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. Sin embargo, uBlock Origin puede resultarte útil si valoras la funcionalidad de bloqueo de contenidos. + +### uBlock Origin + +!!! recommendation + + ![logo de uBlock Origin](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** es un popular bloqueador de contenidos que puede ayudarte a bloquear anuncios, rastreadores y scripts de huellas digitales. + + [:octicons-repo-16: Repositorio](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +Te sugerimos que sigas la [documentación del desarrollador](https://github.com/gorhill/uBlock/wiki/Blocking-mode) y elijas uno de los "modos". Las listas de filtros adicionales pueden afectar al rendimiento y [pueden aumentar la superficie de ataque](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Otras listas + +Estas son algunas otras [listas de filtros](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) que puedes considerar añadir: + +- [x] Selecciona **Privacidad** > **AdGuard URL Tracking Protection** +- Añade [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- Debe ser software de código abierto. +- Admite actualizaciones automáticas. +- Recibe actualizaciones del motor en 0-1 días desde la publicación de la versión anterior. +- Disponible para iOS, macOS y Windows. +- Cualquier cambio necesario para que el navegador respete más la privacidad no debería afectar negativamente a la experiencia del usuario. +- Bloquea las cookies de terceros por defecto. +- Admite la [partición de estados](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) para mitigar el rastreo entre sitios.[^1] + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Incluye funciones integradas de bloqueo de contenidos. +- Admite la compartimentación de cookies (como [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Soporta Progressive Web Apps. + Las PWA permiten instalar determinados sitios web como si fueran apps nativas en su ordenador. Esto puede tener ventajas sobre la instalación de aplicaciones basadas en Electron, porque usted se beneficia de las actualizaciones de seguridad periódicas de su navegador. +- No incluye funciones adicionales (bloatware) que no afectan a la privacidad del usuario. +- No recopila telemetría por defecto. +- Ofrece la implementación de un servidor de sincronización de código abierto. +- Por defecto usa un [motor de búsqueda privado](search-engines.md). + +### Extensión de Criterios + +- No debe replicar la funcionalidad integrada del navegador o del sistema operativo. +- Debe afectar directamente a la privacidad del usuario, es decir, no debe limitarse a proporcionar información. + +[^1]: La implementación de Brave se detalla en [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/es/desktop.md b/i18n/es/desktop.md new file mode 100644 index 00000000..c120593b --- /dev/null +++ b/i18n/es/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Escritorio/PC" +icon: simple/linux +description: Las distribuciones de Linux se recomiendan comúnmente para la protección de la privacidad y la libertad del software. +--- + +Las distribuciones de Linux se recomiendan comúnmente para la protección de la privacidad y la libertad del software. Si aún no utiliza Linux, a continuación le sugerimos que pruebe algunas distribuciones, así como algunos consejos generales para mejorar la privacidad y la seguridad que son aplicables a muchas distribuciones de Linux. + +- [Vista General de Linux :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Distribuciones Tradicionales + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** es nuestra distribución recomendada para la gente nueva en Linux. Fedora suele adoptar tecnologías más recientes antes que otras distribuciones, por ejemplo, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). Estas nuevas tecnologías suelen venir acompañadas de mejoras en la seguridad, la privacidad y la usabilidad en general. + + [:octicons-home-16: Página Principal](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentación} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuir} + +Fedora tiene un ciclo de lanzamientos semicontinuo. Mientras que algunos paquetes como [GNOME](https://www.gnome.org) quedan congelados hasta la siguiente versión de Fedora, la mayoría de los paquetes (incluido el kernel) se actualizan con frecuencia durante toda la vida útil de la versión. Cada versión de Fedora recibe soporte durante un año, con una nueva versión cada 6 meses. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** es una distribución estable con actualización continua. + + openSUSE Tumbleweed cuenta con un sistema de [actualización transaccional](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) que utiliza [Btrfs](https://en.wikipedia.org/wiki/Btrfs) y [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) para garantizar que las copias instantáneas se puedan revertir en caso de que haya algún problema. + + [:octicons-home-16: Página Principal](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentación} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribuir } + +Tumbleweed sigue un modelo de actualización continua en el que cada actualización se publica como una copia instantánea de la distribución. Al actualizar el sistema, se descarga una nueva copia instantánea. Cada copia instantánea es sometida a una serie de pruebas automatizadas por [openQA](https://openqa.opensuse.org) para garantizar su calidad. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** es una distribución ligera del estilo "hágalo usted mismo" (DIY), lo que significa que sólo obtiene lo que instala. Para obtener más información, consulte su [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Página Principal](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentación} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribuir } + +Arch Linux tiene un ciclo de actualización continuo. No existe un calendario fijo de lanzamientos y los paquetes se actualizan con mucha frecuencia. + +Al ser una distribución DIY, se espera que usted [configure y mantenga](os/linux-overview.md#arch-based-distributions) su sistema por su cuenta. Arch dispone de un [instalador oficial](https://wiki.archlinux.org/title/Archinstall) para facilitar el proceso de instalación. + +Gran parte de los [paquetes de Arch Linux](https://reproducible.archlinux.org) son [reproducibles](https://reproducible-builds.org). + +## Distribuciones Inmutables + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** y **Fedora Kinoite** son variantes inmutables de Fedora con un fuerte enfoque en los flujos de trabajo en contenedores. Silverblue viene con el entorno de escritorio [GNOME](https://www.gnome.org/) mientras que Kinoite viene con [KDE](https://kde.org/). Silverblue y Kinoite siguen el mismo calendario de lanzamientos que Fedora Workstation, beneficiándose de las mismas actualizaciones rápidas y manteniéndose muy cerca del upstream. + + [:octicons-home-16: Página Principal](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentación} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuir } + +Silverblue (y Kinoite) difieren de Fedora Workstation en que sustituyen el gestor de paquetes [DNF](https://fedoraproject.org/wiki/DNF) por una alternativa mucho más avanzada llamada [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). El gestor de paquetes `rpm-ostree` funciona descargando una imagen base para el sistema, y luego superponiendo paquetes sobre ella en un árbol de commit como el de [git](https://es.wikipedia.org/wiki/Git). Cuando se actualice el sistema, se descargará una nueva imagen de base y las superposiciones se aplicarán a esa nueva imagen. + +Una vez completada la actualización, se reiniciará el sistema con la nueva implementación. `rpm-ostree` mantiene dos implementaciones del sistema para que pueda revertir fácilmente si algo se rompe en la nueva implementación. También existe la opción de anclar más implementaciones según sea necesario. + +[Flatpak](https://www.flatpak.org) es el método principal de instalación de paquetes en estas distribuciones, ya que `rpm-ostree` sólo está pensado para superponer paquetes que no pueden permanecer dentro de un contenedor sobre la imagen base. + +Como alternativa a Flatpaks, existe la opción de [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) para crear contenedores [Podman](https://podman.io) con un directorio raíz compartido con el sistema operativo anfitrión e imitar un entorno Fedora tradicional, lo cual es una [característica útil](https://containertoolbx.org) para el desarrollador exigente. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS es una distribución independiente basada en el gestor de paquetes Nix y centrada en la reproducibilidad y la fiabilidad. + + [:octicons-home-16: Página Principal](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentación} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribuir } + +El gestor de paquetes de NixOS guarda cada versión de cada paquete en una carpeta diferente del **almacén Nix**. Debido a esto, puede tener diferentes versiones del mismo paquete instalado en su sistema. Después de escribir el contenido del paquete en la carpeta, ésta pasa a ser de sólo lectura. + +NixOS también proporciona actualizaciones atómicas; primero descarga (o construye) los paquetes y archivos para la nueva generación del sistema y luego cambia a ella. Hay diferentes maneras de cambiar a una nueva generación; puede decirle a NixOS que la active después de reiniciar o puede cambiar a ella durante el tiempo de ejecución. También puede *probar* la nueva generación cambiando a ella durante el tiempo de ejecución, pero sin establecerla como la generación actual del sistema. Si algo en el proceso de actualización se rompe, puede simplemente reiniciar y automáticamente y volver a una versión que funcione de su sistema. + +El gestor de paquetes Nix utiliza un lenguaje puramente funcional -que también se llama Nix- para definir paquetes. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (la fuente principal de paquetes) se encuentra en un único repositorio de GitHub. También puede definir sus propios paquetes en el mismo idioma e incluirlos fácilmente en su configuración. + +Nix es un gestor de paquetes basado en el código fuente; si no hay ningún paquete preconstruido disponible en la caché de binarios, Nix simplemente construirá el paquete desde el código fuente usando su definición. Construye cada paquete en un entorno aislado *puro*, que es lo más independiente posible del sistema anfitrión, lo que hace que los binarios sean reproducibles. + +## Distribuciones Enfocadas en el Anonimato + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** está basado en [Kicksecure](https://www.whonix.org/wiki/Kicksecure), una bifurcación de Debian centrada en la seguridad. Su objetivo es proporcionar privacidad, seguridad y anonimato en Internet. Whonix se utiliza mejor junto con [Qubes OS](#qubes-os). + + [:octicons-home-16: Página principal](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Servicio Onion" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentación} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribuir } + +Whonix está pensado para funcionar como dos máquinas virtuales: una "Estación de Trabajo" y una "Puerta de Enlace" Tor. Todas las comunicaciones desde la Estación de Trabajo deben pasar por la puerta de enlace Tor. Esto significa que incluso si la Estación de Trabajo se ve comprometida por algún tipo de malware, la verdadera dirección IP permanece oculta. + +Algunas de sus características incluyen Tor Stream Isolation, [anonimización de pulsaciones](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [swap encriptado ](https://github.com/Whonix/swap-file-creator), y un asignador de memoria endurecido. + +Las futuras versiones de Whonix probablemente incluirán [políticas AppArmor para todo el sistema](https://github.com/Whonix/apparmor-profile-everything) y un lanzador de aplicaciones en entorno aislado [](https://www.whonix.org/wiki/Sandbox-app-launcher) para confinar completamente todos los procesos del sistema. + +Whonix se utiliza mejor [junto con Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix tiene varias [desventajas](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) cuando se compara con otros hipervisores. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** es un sistema operativo basado en Debian que enruta todas las comunicaciones a través de Tor, y que puede arrancar en casi cualquier ordenador desde un DVD, una memoria USB o una tarjeta SD. Utiliza [Tor](tor.md) para preservar la privacidad y el anonimato a la vez que elude la censura, y no deja rastro de sí mismo en el ordenador en el que se utiliza una vez apagado. + + [:octicons-home-16: Página Principal](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentación} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribuir } + +Tails es genial contra el análisis forense debido a la amnesia (lo que significa que no se escribe nada en el disco); sin embargo, no es una distribución endurecida como Whonix. Carece de muchas de las funciones de anonimato y seguridad que tiene Whonix y se actualiza con mucha menos frecuencia (sólo una vez cada seis semanas). Un sistema Tails comprometido por malware puede potencialmente eludir el proxy transparente permitiendo que el usuario sea desanonimizado. + +Tails incluye [uBlock Origin](desktop-browsers.md#ublock-origin) en el Navegador Tor por defecto, lo que potencialmente puede facilitar a los adversarios la toma de huellas digitales de los usuarios de Tails. Las máquinas virtualesd de [Whonix](desktop.md#whonix) pueden ser más a prueba de fugas, sin embargo no son amnésicas, lo que significa que los datos pueden ser recuperados de su dispositivo de almacenamiento. + +Tails está diseñado para formatearse por completo después de cada reinicio. [El almacenamiento persistente](https://tails.boum.org/doc/persistent_storage/index.en.html) cifrado puede configurarse para almacenar algunos datos entre reinicios. + +## Distribuciones Enfocadas en la Seguridad + +### Qubes OS + +!!! recommendation + + ![Logotipo de Qubes OS](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes** es un sistema operativo de código abierto diseñado para proporcionar una fuerte seguridad para el uso de escritorio. Qubes se basa en Xen, el Sistema de Ventanas X y Linux, y puede ejecutar la mayoría de las aplicaciones Linux y utilizar la mayoría de los controladores de Linux. + + [:octicons-home-16: Página Principal](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Vista General](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentación } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribuir } + +Qubes OS es un sistema operativo basado en Xen destinado a proporcionar una fuerte seguridad para la informática de escritorio a través de máquinas virtuales (MVs) seguras, también conocidas como *Qubes*. + +El sistema operativo Qubes OS asegura el ordenador aislando subsistemas (por ejemplo, redes, USB, etc.) y aplicaciones en máquinas virtuales separadas. Si una parte del sistema se ve comprometida, es probable que el aislamiento adicional proteja al resto del sistema. Para obtener más detalles, consulte las [Preguntas Frecuentes](https://www.qubes-os.org/faq/) de Qubes. + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +Nuestros sistemas operativos recomendados: + +- Deben ser de código abierto. +- Deben recibir actualizaciones periódicas de software y del núcleo de Linux. +- Las distribuciones Linux deben ser compatibles con [Wayland](os/linux-overview.md#Wayland). +- Debe soportar el cifrado de disco completo durante la instalación. +- No debe congelar las publicaciones periódicas durante más de 1 año. Nosotros [no recomendamos](os/linux-overview.md#release-cycle) versiones de distribución "Long Term Support (Soporte a Largo Plazo)" o "stable (estable)" para uso de escritorio. +- Debe ser compatible con una amplia variedad de hardware. diff --git a/i18n/es/dns.md b/i18n/es/dns.md new file mode 100644 index 00000000..52944ca2 --- /dev/null +++ b/i18n/es/dns.md @@ -0,0 +1,139 @@ +--- +title: "Resolvedores de DNS" +icon: material/dns +description: Estos son algunos proveedores de DNS cifrado a los que recomendamos cambiar para reemplazar la configuración por defecto de tu proveedor de servicios de internet. +--- + +Un DNS encriptado con servidores de terceros solo debe utilizarse para evitar el [bloqueo de DNS básico](https://en.wikipedia.org/wiki/DNS_blocking) cuándo puedas estar seguro de que no habrá ningunas consecuencias. Un DNS encriptado no te ayudará a esconder ninguna de tu actividad en línea. + +[Aprende más sobre DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Proveedores Recomendados + +| Proveedor de DNS | Política de Privacidad | Protocolos | Registro | ECS | Filtrado | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | ------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Texto claro
DoH/3
DoT
DNSCrypt | Algún[^1] | No | Basado en la elección del servidor. La lista de filtros siendo utilizada se puede encontrar aquí. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Algún[^2] | No | Basado en la elección del servidor. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Opcional[^3] | No | Basado en la elección del servidor. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Basado en la elección del servidor. La lista de filtro que se está utilizando se puede encontrar aquí. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Opcional [^5] | Opcional | Basado en la elección del servidor. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Texto claro
DoH
DoT
DNSCrypt | Algún[^6] | Opcional | Según la elección del servidor, bloqueo de Malware por defecto. | + +## Criterio + +**Ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten proporcionar recomendaciones objetivas. Te sugerimos que te familiarices con esta lista antes de elegir usar un proyecto, y que lleves a cabo tu propia investigación para asegurarte de que es la elección correcta para ti. + +!!! Ejemplo "Esta sección es nueva" + + Estamos trabajando para establecer criterios definidos para cada sección de nuestro sitio, y esto puede estar sujeto a cambios. Si tienes alguna pregunta sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos considerado algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Hay muchos factores que se consideran y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Debe soportar [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [Minimización QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Permitir que [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) sea desactivado. +- Preferir soporte [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) o soporte de dirección geográfica. + +## Compatibilidad con Sistemas Operativos Nativos + +### Android + +Android 9 y superiores soportan DNS sobre TLS. Los ajustes se pueden encontrar en: **Configuración** → **Red & Internet** → **DNS privado**. + +### Dispositivos Apple + +Las últimas versiones de iOS, iPadOS, tvOS y macOS, soportan tanto DoT como DoH. Ambos protocolos son soportados nativamente a través de [configuración de perfiles ](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) o a través de la [API de configuración DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +Tras la instalación de un perfil de configuración o de una aplicación que utilice la API de configuración de DNS, se puede seleccionar la configuración de DNS. Si una VPN está activa, la resolución dentro del túnel VPN utilizará la configuración DNS de la VPN y no la configuración de todo el sistema. + +#### Perfiles Firmados + +Apple no proporciona una interfaz nativa para crear perfiles DNS encriptados. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) es una herramienta no oficial para crear tus propios perfiles DNS encriptados, aunque no estarán firmados. Son preferibles los perfiles firmados; la firma valida el origen de un perfil y ayuda a garantizar su integridad. Los perfiles de configuración firmados reciben la etiqueta verde de "Verificado". Para más información sobre la firma de código, consulte [Acerca de la firma de código](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Perfiles firmados** son ofrecidos por [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), y [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info "Información" + + `systemd-resolved`, que muchas distribuciones Linux utilizan para realizar sus búsquedas DNS, todavía no [soporta DoH](https://github.com/systemd/systemd/issues/8639). Si quieres usar DoH, necesitarás instalar un proxy como [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) y [configurarlo](https://wiki. rchlinux.org/title/Dnscrypt-proxy) para obtener todas las consultas DNS de la resolución del sistema y reenviarlas sobre HTTPS. + +## Proxies DNS Encriptados + +El software de proxy de DNS encriptado proporciona un proxy local para que el resolver DNS [no encriptado](advanced/dns-overview.md#unencrypted-dns) lo reenvíe. Típicamente se utiliza en plataformas que no soportan de forma nativa el [DNS encriptado](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![Logo de RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![Logo de RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** es un cliente Android de código abierto que soporta [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) y DNS Proxy junto con el almacenamiento en caché de las respuestas DNS, el registro local de las consultas DNS y también se puede utilizar como cortafuegos. + + [:octicons-home-16: Página Principal](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** es un proxy DNS con soporte para [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), y [DNS Anonimizado](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "Advertencia" "La función DNS anonimizada [**no**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonimiza otro tráfico de red." + + [:octicons-repo-16: Repositorio](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Código fuente" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Soluciones autoalojadas + +Una solución DNS autoalojada es útil para proporcionar filtrado en plataformas controladas, como Smart TV y otros dispositivos IoT, ya que no se necesita software del lado del cliente. + +### AdGuard Home + +!!! recommendation + + ![Logo de AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** es un código abierto [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) que utiliza [filtrado DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) para bloquear contenido web no deseado, como anuncios. + + AdGuard Home cuenta con una interfaz web pulida para ver información y gestionar el contenido bloqueado. + + [:octicons-home-16: Página de Inicio](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Código fuente" } + +### Pi-hole + +!!! recommendation + + ![Logo de Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** es un código abierto [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) que utiliza [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) para bloquear contenidos web no deseados, como la publicidad. + + Pi-hole está diseñado para alojarse en una Raspberry Pi, pero no se limita a dicho hardware. El software cuenta con una interfaz web fácil de usar para ver los datos y gestionar los contenidos bloqueados. + + [:octicons-home-16: Página de Inicio](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribuir } + +[^1]: AdGuard almacena métricas de rendimiento agregadas de sus servidores DNS, es decir, el número de solicitudes completas a un servidor en particular, el número de solicitudes bloqueadas, y la velocidad de procesamiento de solicitudes. También guardan y almacenan la base de datos de dominios solicitados dentro de las últimas 24 horas. "Necesitamos esta información para identificar y bloquear nuevos rastreadores y amenazas". "También registramos cuántas veces se ha bloqueado tal o cual rastreador. Necesitamos esta información para eliminar normas obsoletas de nuestros filtros". [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare recopila y almacena únicamente los datos de consulta DNS limitados que se envían al resolver 1.1.1.1. El servicio de resolución 1.1.1.1 no registra datos personales, y el grueso de los limitados datos de consulta no identificables personalmente se almacena solo durante 25 horas. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: El Control D solo registra los resolvers Premium con perfiles DNS personalizados. Los resolvers libres no registran datos. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: El servicio DNS de Mullvad está disponible tanto para suscriptores como para no suscriptores de Mullvad VPN. Su política de privacidad afirma explícitamente que no registran solicitudes DNS de ninguna manera. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS puede proporcionar información y funciones por consentimiento previo. Puedes elegir los tiempos de retención y las ubicaciones de almacenamiento de los registros que desees conservar. Si no se solicita específicamente, no se registra ningún dato. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 recopila algunos datos con fines de monitorización y respuesta ante amenazas. Esos datos pueden remezclarse y compartirse, por ejemplo, con fines de investigación sobre seguridad. Quad9 no colecciona ni registra direcciones IP ni otros datos que consideren personalmente identificables. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/es/email-clients.md b/i18n/es/email-clients.md new file mode 100644 index 00000000..37722384 --- /dev/null +++ b/i18n/es/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Clientes de Correo Electrónico" +icon: material/email-open +description: Estos clientes de correo electrónico respetan la privacidad y admiten el cifrado de correo electrónico OpenPGP. +--- + +Nuestra lista de recomendaciones contiene clientes de correo electrónico que soportan [OpenPGP](encryption.md#openpgp) y una autenticación fuerte como [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth le permite utilizar la [Autenticación Multifactor](basics/multi-factor-authentication.md) y previene el robo de cuentas. + +??? warning "El correo electrónico no proporciona el secreto de reenvío" + + Cuando se utiliza una tecnología de cifrado de extremo a extremo (E2EE, por sus siglas en inglés) como OpenPGP, el correo aún tendrá algunos [metadatos](email.md#email-metadata-overview) que no son encriptados en el encabezado del correo. + + OpenPGP tampoco soporta '[forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)', lo que significa que si la clave privada del receptor es robada, todos los mensajes encriptados previamente con esta se encontrarán expuestos: [¿Cómo puedo proteger mis claves privadas?](basics/email-security.md) Considere utilizar un medio que brinde 'forward secrecy': + + [Comunicación en tiempo real](real-time-communication.md){ .md-button } + +## Multiplataforma + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** es un cliente gratuito, de código abierto y multiplataforma, de correo electrónico, grupos de noticias y chat (XMPP, IRC, Twitter), desarrollado por la comunidad Thunderbird, y previamente por la Fundación Mozilla. + + [:octicons-home-16: Página Principal](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentación} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Configuración Recomendada + +Recomendamos cambiar algunas de estas configuraciones para que Thunderbird sea un poco más privado. + +Estas opciones se encuentran en :material-menu: → **Ajustes** → **Privacidad y seguridad**. + +##### Contenido web + +- [ ] Desmarque **Recordar sitios web y enlaces que he visitado** +- [ ] Desmarque **Aceptar cookies de los sitios** + +##### Telemetría + +- [ ] Desmarque **Permitir a Thunderbird enviar datos técnicos y de interacción a Mozilla** + +#### Thunderbird-user.js (avanzado) + +[`thunderbird-user.js`](https://github.om/HorlogeSkynet/thunderbird-user.js), es un conjunto de opciones de configuración cuyo objetivo es desactivar el mayor número posible de funciones de navegación web dentro de Thunderbird con el fin de reducir la superficie y mantener la privacidad. Algunos de los cambios son adaptados desde el [proyecto Arkenfox](https://github.com/arkenfox/user.js). + +## Plataforma Específica + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** está incluido en macOS y puede ampliarse para que sea compatible con OpenPGP con [GPG Suite](encryption.md#gpg-suite), que añade la posibilidad de enviar correo electrónico cifrado con PGP. + + [:octicons-home-16: Página Principal](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentación} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** es un cliente de correo electrónico de pago diseñado para que el cifrado de extremo a extremo sea perfecto, con funciones de seguridad como el bloqueo biométrico de aplicaciones. + + [:octicons-home-16: Página Principal](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentación} + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning "Advertencia" + + Canary Mail acaba de lanzar un cliente para Windows y Android, aunque no creemos que sea tan estable como su homólogo para iOS y Mac. + +Canary Mail es de código cerrado. Lo recomendamos debido a las pocas opciones que hay para clientes de correo electrónico en iOS que soporten PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** es una aplicación de correo electrónico mínima, de código abierto, que utiliza estándares abiertos (IMAP, SMTP, OpenPGP) con un bajo consumo de datos y batería. + + [:octicons-home-16: Página Principal](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** es una aplicación de gestión de información personal que proporciona funciones integradas de correo, calendario y libreta de direcciones. Evolution cuenta con una amplia [documentation](https://help.gnome.org/users/evolution/stable/) para ayudarle a empezar. + + [:octicons-home-16: Página Principal](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentación} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** es una aplicación de correo independiente que soporta buzones POP3 e IMAP, pero sólo soporta push mail para IMAP. + + En el futuro, K-9 Mail será el cliente [de marca oficial](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird para Android. + + [:octicons-home-16: Página de Inicio](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning "Advertencia" + + Al responder a alguien de una lista de correo, la opción "responder" también puede incluir la lista de correo. Para obtener más información, consulte (https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** es una aplicación de gestión de información personal (PIM) del proyecto [KDE](https://kde.org). Ofrece un cliente de correo, una libreta de direcciones, un organizador y un cliente RSS. + + [:octicons-home-16: Página Principal](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentación} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Navegador) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** es una extensión de navegador que permite el intercambio de correos electrónicos cifrados siguiendo el estándar de cifrado OpenPGP. + + [:octicons-home-16: Página Principal](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** es un lector de correo de línea de comandos de código abierto (o MUA) para Linux y BSD. Es una bifurcación de [Mutt](https://en.wikipedia.org/wiki/Mutt_ (email_client)) con funciones adicionales. + + NeoMutt es un cliente basado en texto que tiene una curva de aprendizaje pronunciada. Sin embargo, es muy personalizable. + + [:octicons-home-16: Página Principal](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- Las aplicaciones desarrolladas para sistemas operativos de código abierto deben ser de código abierto. +- No debe recolectar telemetría, o debe tener una manera fácil de deshabilitar toda la telemetría. +- Debe soportar el cifrado de mensajes OpenPGP. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe ser de código abierto. +- Debe ser multiplataforma. +- No debe recopilar ninguna telemetría por defecto. +- Debe soportar OpenPGP de forma nativa, es decir, sin extensiones. +- Debe soportar el almacenamiento local de correos electrónicos encriptados con OpenPGP. diff --git a/i18n/es/email.md b/i18n/es/email.md new file mode 100644 index 00000000..7d122e4c --- /dev/null +++ b/i18n/es/email.md @@ -0,0 +1,503 @@ +--- +title: "Servicios de Correo Electrónico" +icon: material/email +description: Estos proveedores de correo electrónico ofrecen un lugar estupendo para almacenar tus correos de forma segura, y muchos ofrecen encriptación OpenPGP inter operable con otros proveedores. +--- + +Correo electrónico es prácticamente una necesidad para utilizar cualquier servicio en línea, sin embargo, no lo recomendamos para las conversaciones de persona a persona. En vez de utilizar el correo electrónico para comunicarte con otras personas, considera utilizar un servicio de mensajería instantánea que soporte el secreto hacia adelante. + +[Servicios de Mensajería Instantánea Recomendados](real-time-communication.md ""){.md-button} + +Para todo lo demás, recomendamos una variedad de proveedores de correo electrónico basados en modelos sostenibles, además de características de seguridad y privacidad integradas. + +- [Proveedores de Correo Electrónico Compatibles con OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Otros Proveedores Encriptados :material-arrow-right-drop-circle:](#more-providers) +- [Servicios de Alias de Correo Electrónico :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Opciones Autoalojadas :material-arrow-right-drop-circle:](#self-hosting-email) + +## Servicios Compatibles con OpenPGP + +Estos proveedores soportan el encriptacion/desencriptacion OpenPGP nativamente y el estándar Web Key Directory (WKD), lo que permite que los correos electrónicos E2EE sean independientes del proveedor. Por ejemplo, un usuario de Proton Mail podría enviar un mensaje E2EE a un usuario de Mailbox.org, o podrías recibir notificaciones encriptadas con OpenPGP desde servicios de Internet que lo soporten. + +
+ +- ![Logo Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! advertencia + + Al utilizar una tecnología de encriptación E2EE como OpenPGP, los correos aún tendrán algunos metadatos que no son encriptados en el encabezado del correo. Lee más sobre los [metadatos de correo electrónico](basics/email-security.md#email-metadata-overview). + + OpenPGP tampoco soporta el secreto hacia Adelante, lo que significa si la clave privada de cualquiera de los destinatarios es robada, todos los mensajes encriptados previamente con ella, serán expuestos. [¿Cómo puedo proteger mis claves privadas?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Logo Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** es un servicio de correo electrónico con un enfoque en privacidad, encriptación, seguridad, y la facilidad de uso. Han estado en operación desde **2013**. Proton AG tiene su sede en Ginebra, Suiza. Cuentas inician con 500 MB de almacenamiento en su plan gratuito. + + [:octicons-home-16: Página de inicio](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Las cuentas gratuitas tienen algunas limitaciones, como no poder buscar texto en el contenido, y no tener acceso a [Proton Mail Bridge](https://proton.me/mail/bridge), que es requerido para utilizar un [cliente recomendado de correo electrónico para escritorio](email-clients.md) (como Thunderbird). Cuentas pagas incluyen funciones como Proton Mail Bridge, almacenamiento adicional, y soporte para dominios personalizados. Una [carta de certificación](https://proton.me/blog/security-audit-all-proton-apps) fue proporcionada para las aplicaciones de Proton Mail el 9 de noviembre de 2021 por [Securitum](https://research.securitum.com). + +Si tienes el plan Proton Unlimited, Business o Visionary, también obtendrás [SimpleLogin](#simplelogin) Premium gratis. + +Proton Mail tiene informes de errores internos que **no** comparten con terceros. Puede desactivarse en: **Ajustes** > **Ir a Ajustes** > **Cuenta** > **Seguridad y privacidad** > **Enviar informes de fallos**. + +#### :material-check:{ .pg-green } Dominios Personalizados y Alias + +Suscriptores de pago de Proton Mail pueden utilizar su propio dominio con el servicio o una direcciones [catch-all](https://proton.me/support/catch-all). Proton Mail también soporta [subdireccionamiento](https://proton.me/support/creating-aliases), que es útil para las personas que no quieren comprar un dominio. + +#### :material-check:{ .pg-green } Métodos de pago privados + +Proton Mail [acepta](https://proton.me/support/payment-options) dinero en efectivo por correo, además de tarjeta de crédito/débito estándar, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), y pagos por PayPal. + +#### :material-check:{ .pg-green } Seguridad de Cuenta + +Proton Mail es compatible con TOTP [autenticación de dos factores](https://proton.me/support/two-factor-authentication-2fa) y [ llaves de seguridad de hardware](https://proton.me/support/2fa-security-key) que utilizan los estándares FIDO2 o U2F. El uso de una llave de seguridad de hardware requiere configurar primero la autenticación TOTP de dos factores. + +#### :material-check:{ .pg-green } Seguridad de Datos + +Proton Mail tiene [encriptacion de cero acceso](https://proton.me/blog/zero-access-encryption) en reposo para tus correos electrónicos y [calendarios](https://proton.me/news/protoncalendar-security-model). Datos asegurados con encriptación de cero-acceso son solamente accesibles por ti. + +Cierta información almacenada en [Proton Contacts](https://proton.me/support/proton-contacts), como nombres y direcciones de correo electrónico, no está protegida con encriptación de cero-acceso. Los campos de contacto que admiten encriptación de cero-acceso, como los números de teléfono, se indican con un icono de candado. + +#### :material-check:{ .pg-green } Encriptación de Correo Electrónico + +Proton Mail ha [integrado la encriptación OpenPGP](https://proton.me/support/how-to-use-pgp) en su webmail. Los correos electrónicos a otras cuentas de Proton Mail se encriptan automáticamente, y la encriptación a direcciones que no sean de Proton Mail con una clave OpenPGP pueden ser habilitados fácilmente en la configuración de tu cuenta. También le permiten encriptar [mensajes a direcciones que no sean de Proton Mail](https://proton.me/support/password-protected-emails) sin necesidad de que se suscriban a una cuenta de Proton Mail o utilicen software como OpenPGP. + +Proton Mail también soporta el descubrimiento de claves públicas a través de HTTP desde su [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Esto permite las personas quienes no utilizan Proton Mail a encontrar fácilmente las claves OpenPGP de las cuentas de Proton Mail, para E2EE entre proveedores. + + +#### :material-information-outline:{ .pg-blue } Cancelación de Cuenta + +Si tienes una cuenta de pago y tu factura [no esta paga](https://proton.me/support/delinquency) después de 14 días, no podrá acceder a tus datos. Transcurridos 30 días, tu cuenta se convertirá en morosa y no recibirás correo entrante. Seguirás siendo facturando durante este periodo. + +#### :material-information-outline:{ .pg-blue }: Funcionalidad Adicional + +Proton Mail ofrece una cuenta "Ilimitada" por €9,99 euros al mes, que también permite acceder a Proton VPN además de proporcionar múltiples cuentas, dominios, alias, y 500 GB de almacenamiento. + +Proton Mail no ofrece la función de legado digital. + +### Mailbox.org + +!!! recommendation + + ![Logo de Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** es un servicio de correo electrónico centrado en ser seguro, sin publicidad, y alimentado de forma privada con energía 100% ecológica. Han estado en operación desde 2014. Mailbox.org tiene su sede en Berlín, Alemania. Cuentas empiezan con 2 GB de almacenamiento, que se puede ampliar según sea necesario. + + [:octicons-home-16: Página de inicio](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentación} + + ??? downloads "Descargas' + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Dominios Personalizados y Alias + +Mailbox.org te permite utilizar tu propio dominio y admite las direcciones [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org también es compatible con [subdireccionamiento](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), lo que es útil si no desea comprar un dominio. + +#### :material-check:{ .pg-green } Métodos Privados de Pago + +Mailbox.org no acepta criptomonedas debido a que su procesador de pagos BitPay suspendió sus operaciones en Alemania. Sin embargo, aceptan Efectivo por correo, pago en efectivo a cuenta bancaria, transferencia bancaria, tarjeta de crédito, PayPal y un par de procesadores específicos alemanes: paydirekt y Sofortüberweisung. + +#### :material-check:{ .pg-green } Seguridad de Cuenta + +Mailbox.org soporta [autenticación de doble factor](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) solo para su correo web. Puedes utilizar TOTP o una [Yubikey](https://en.wikipedia.org/wiki/YubiKey) a través de [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Estándares web como [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) aún no son soportados. + +#### :material-information-outline:{ .pg-blue } Seguridad de Datos + +Mailbox.org permite encriptación del correo entrante usando su [buzón encriptado](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Nuevos mensajes que recibas se encriptaran inmediatamente con tu clave pública. + +Sin embargo, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la plataforma de software utilizada por Mailbox.org, [no soporta](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) el cifrado de tu libreta de direcciones y calendario. Una [opción independiente](calendar.md) puede ser más apropiada para esa información. + +#### :material-check:{ .pg-green } Encriptación de Correo Electrónico + +Mailbox.org tiene [encriptación integrada](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) en su correo web, lo que simplifica el envío de mensajes a personas con claves públicas OpenPGP. También permiten que [destinatarios remotos desencripten un correo electrónico](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) en los servidores de Mailbox.org. Esta característica es útil cuando el destinatario remoto no tiene OpenPGP y no puede descifrar una copia del correo electrónico en su propio buzón de correo. + +Mailbox.org también admite el descubrimiento de claves públicas a través de HTTP desde su [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Esto permite que personas afuera de Mailbox.org encuentren fácilmente las claves OpenPGP de las cuentas de Mailbox.org, para E2EE entre proveedores. + +#### :material-information-outline:{ .pg-blue } Cancelación de Cuenta + +Tu cuenta se convertirá en una cuenta de usuario restringida cuando finalice tu contrato, después de [30 días se eliminará irrevocablemente](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Funcionalidad Adicional + +Puedes acceder a tu cuenta de Mailbox.org a través de IMAP/SMTP utilizando su [servicio .onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Sin embargo, no se puede acceder a su interfaz de correo web a través de su servicio .onion y es posible que se produzcan errores de certificado TLS. + +Todas las cuentas vienen con un almacenamiento limitado en la nube que [puede ser encriptado](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org también ofrece el alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), que impone el cifrado TLS en la conexión entre servidores de correo; de lo contrario, el mensaje no se enviará en absoluto. Mailbox.org también admite [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) además de protocolos de acceso estándar como IMAP y POP3. + +Mailbox.org tiene una función de legado digital para todos los planes. Puedes elegir si deseas que alguno de tus datos se transmita a los herederos, siempre que lo soliciten y aporten tu testamento. Alternativamente, puedes designar a una persona por su nombre y dirección. + +## Más Proveedores + +Estos proveedores almacenan tus correos electrónicos con cifrado de cero-conocimiento, lo que los convierte en excelentes opciones para mantener seguros tus correos electrónicos almacenados. Sin embargo, no admiten normas de cifrado inter operables para las comunicaciones E2EE entre proveedores. + +
+ +- ![Logotipo de StartMail](assets/img/email/startmail.svg#only-light){ .twemoji }![Logotipo de StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Logotipo de Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![Logotipo de StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Logotipo de StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** es un servicio de correo electrónico centrado en la seguridad y la privacidad mediante el uso del cifrado estándar OpenPGP. StartMail ha estado en operación desde 2014 y tiene su sede en Boulevard 11, Zeist Países Bajos. Cuentas empiezan con 10GB. Ofrecen una prueba de 30 días. + + [:octicons-home-16: Página de inicio](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentación} + + ??? downloads "Descargas" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Dominios Personalizados y Alias + +Cuentas personales pueden utilizar alias[ personalizados o rápidos](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). [Dominios personalizados](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) también están disponibles. + +#### :material-alert-outline:{ .pg-orange } Métodos Privados de Pago + +StartMail acepta Visa, MasterCard, American Express y Paypal. StartMail también dispone de otras[opciones de pago](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) como [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (actualmente sólo para cuentas Personales) y Débito Directo SEPA para cuentas de más de un año. + +#### :material-check:{ .pg-green } Seguridad de Cuenta + +StartMail soporta la autenticación de doble factor TOTP [para webmail solamente](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). No permiten la autenticación con llave de seguridad U2F. + +#### :material-information-outline:{ .pg-blue } Seguridad de Datos + +StartMail dispone de [encriptación de cero acceso en reposo](https://www.startmail.com/en/whitepaper/#_Toc458527835), utilizando su sistema de "bóveda de usuario". Cuando ingresas, se abre la bóveda y el correo electrónico se traslada a la bóveda fuera de la cola, donde se desencripta con la clave privada correspondiente. + +StartMail admite la importación de [contactos](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), sin embargo, solo se puede acceder a ellos en el correo web y no a través de protocolos como [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Los contactos tampoco se almacenan utilizando el cifrado de conocimiento cero. + +#### :material-check:{ .pg-green } Cifrado de correo electrónico + +StartMail tiene [cifrado integrado](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) en su correo web, lo que simplifica el envío de mensajes cifrados con claves públicas OpenPGP. Sin embargo, no son compatibles con el estándar Web Key Directory, lo que hace que el descubrimiento de la clave pública de un buzón de correo Startmail sea más difícil para otros proveedores de correo electrónico o clientes. + +#### :material-information-outline:{ .pg-blue } Cancelación de la cuenta + +Al vencimiento de la cuenta, StartMail eliminará permanentemente su cuenta después de [6 meses en 3 fases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Funciones adicionales + +StartMail permite el proxy de imágenes dentro de los correos electrónicos. Si permite que se cargue la imagen remota, el remitente no sabrá cuál es su dirección IP. + +StartMail no ofrece una función de legado digital. + +### Tutanota + +!!! recommendation + + ![Logo de Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** es un servicio de correo electrónico centrado en la seguridad y la privacidad mediante el uso de cifrado. Tutanota lleva en funcionamiento desde **2011** y tiene su sede en Hannover, Alemania. Las cuentas empiezan con 1Gb de almacenamiento con su plan gratuito. + + [:octicons-home-16: Página Principal](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota no es compatible con el[protocolo IMAP](https://tutanota.com/faq/#imap) ni con el uso de[clientes de correo electrónico](email-clients.md)de terceros, y tampoco podrás añadir [cuentas de correo electrónico externas](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) a la aplicación Tutanota. Ni [importación de correo electrónico](https://github.com/tutao/tutanota/issues/630) ni [subcarpetas](https://github.com/tutao/tutanota/issues/927) son actualmente compatibles, aunque esto [está previsto que se cambie](https://tutanota.com/blog/posts/kickoff-import). Los correos electrónicos se pueden exportar [individualmente o por selección masiva](https://tutanota.com/howto#generalMail) por carpeta, lo que puede resultar incómodo si tiene muchas carpetas. + +#### :material-check:{ .pg-green } Dominios personalizados y alias + +Las cuentas de pago de Tutanota pueden usar hasta 5 [alias](https://tutanota.com/faq#alias) y [dominios personalizados](https://tutanota.com/faq#custom-domain). Tutanota no permite la [subdirección (más direcciones)](https://tutanota.com/faq#plus), pero puede utilizar un [catch-all](https://tutanota.com/howto#settings-global) con un dominio personalizado. + +#### :material-information-outline:{ .pg-blue } Métodos de pago privados + +Tutanota solo acepta directamente tarjetas de crédito y PayPal, sin embargo, la [criptomoneda](cryptocurrency.md) se puede usar para comprar tarjetas de regalo a través de su [asociación](https://tutanota.com/faq/#cryptocurrency) con Proxystore. + +#### :material-check:{ .pg-green } Seguridad de las cuentas + +Tutanota soporta [autenticación de dosble factor](https://tutanota.com/faq#2fa) con TOTP o U2F. + +#### :material-check:{ .pg-green } Seguridad de los datos + +Tutanota dispone de [cifrado de acceso cero en reposo](https://tutanota.com/faq#what-encrypted) para sus correos electrónicos, [contactos de la libreta de direcciones](https://tutanota.com/faq#encrypted-address-book), y [calendarios](https://tutanota.com/faq#calendar). Esto significa que sólo tú puedes leer los mensajes y otros datos almacenados en tu cuenta. + +#### :material-information-outline:{ .pg-blue } Cifrado de correo electrónico + +Tutanota [no utiliza OpenPGP](https://www.tutanota.com/faq/#pgp). Las cuentas de Tutanota sólo pueden recibir correos electrónicos cifrados de cuentas de correo electrónico que no son de tutanota cuando se envían a través de un [buzón temporal de Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Cancelación de la cuenta + +Tutanota eliminará [las cuentas gratuitas inactivas](https://tutanota.com/faq#inactive-accounts) después de seis meses. Puedes reutilizar una cuenta gratuita desactivada si pagas. + +#### :material-information-outline:{ .pg-blue } Funciones adicionales + +Tutanota ofrece la versión empresarial [a las organizaciones sin ánimo de lucro](https://tutanota.com/blog/posts/secure-email-for-non-profit) de forma gratuita o con un importante descuento. + +Tutanota también tiene una función para empresas llamada [Secure Connect](https://tutanota.com/secure-connect/). Esto garantiza que el contacto del cliente con la empresa utilice E2EE. La función cuesta 240 €/año. + +Tutanota no ofrece la función de legado digital. + +## Servicios de alias de correo + +Un servicio de alias de correo electrónico le permite generar fácilmente una nueva dirección de correo electrónico para cada sitio web en el que se registre. Los alias de correo electrónico que genera se reenvían a una dirección de correo electrónico de su elección, ocultando tanto su dirección de correo electrónico "principal" como la identidad de su proveedor de correo electrónico. El verdadero alias de correo electrónico es mejor que el direccionamiento plus, comúnmente utilizado y admitido por muchos proveedores, que permite crear alias como tunombre+[anythinghere]@ejemplo.com, porque los sitios web, los anunciantes y las redes de seguimiento pueden eliminar trivialmente cualquier cosa después del signo + para conocer tu verdadera dirección de correo electrónico. + +
+ +- ![Logo de AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Logo deAnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Logo de SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +El alias de correo electrónico puede servir de salvaguarda en caso de que su proveedor de correo electrónico deje de funcionar. En ese caso, puedes redirigir fácilmente tus alias a una nueva dirección de correo electrónico. A su vez, sin embargo, estás depositando tu confianza en que el servicio de alias siga funcionando. + +Utilizar un servicio dedicado de alias de correo electrónico también tiene una serie de ventajas sobre un alias general en un dominio personalizado: + +- Los alias pueden activarse y desactivarse individualmente cuando los necesites, evitando que los sitios web te envíen correos electrónicos al azar. +- Las respuestas se envían desde la dirección de alias, ocultando tu dirección de correo electrónico real. + +También tienen una serie de ventajas sobre los servicios de "correo electrónico temporal": + +- Los alias son permanentes y pueden volver a activarse si necesitas recibir algo como un restablecimiento de contraseña. +- Los correos electrónicos se envían a tu buzón de confianza en lugar de ser almacenados por el proveedor de alias. +- Los servicios de correo electrónico temporal suelen tener buzones públicos a los que puede acceder cualquiera que conozca la dirección, los alias son privados para ti. + +Nuestras recomendaciones de alias de correo electrónico son proveedores que le permiten crear alias en dominios que ellos controlan, así como en su(s) propio(s) dominio(s) personalizado(s) por una módica cuota anual. También pueden ser autoalojados si desea el máximo control. Sin embargo, utilizar un dominio personalizado puede tener inconvenientes relacionados con la privacidad: Si eres la única persona que utiliza tu dominio personalizado, tus acciones pueden ser fácilmente rastreadas a través de sitios web simplemente mirando el nombre del dominio en la dirección de correo electrónico e ignorando todo lo que hay antes del signo arroba (@). + +Utilizar un servicio de alias requiere confiar, tanto a tu proveedor de correo electrónico como a tu proveedor de alias, tus mensajes sin cifrar. Algunos proveedores mitigan esto ligeramente con el cifrado automático PGP, que reduce el número de partes en las que tienes que confiar de dos a una al cifrar los correos entrantes antes de que lleguen a tu proveedor de buzón final. + +### AnonAddy + +!!! recommendation + + ![Logo de AnonAddy](assets/img/email/anonaddy.svg#only-light){ align=right } + ![Logo de AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** te permite crear 20 alias de dominio en un dominio compartido de forma gratuita, o alias "estándar" ilimitados que son menos anónimos. + + [:octicons-home-16: Página Principal](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +El número de alias compartidos (que terminan en un dominio compartido como @anonaddy.me) que puedes crear está limitado a 20 en el plan gratuito de AnonAddy y a 50 en su plan de 12 $/año. Puedes crear un número ilimitado de alias estándar (que terminan en un dominio como @[username].anonaddy.com o un dominio personalizado en los planes de pago), sin embargo, como se ha mencionado anteriormente, esto puede ir en detrimento de la privacidad porque la gente puede relacionar trivialmente tus alias estándar basándose únicamente en el nombre de dominio. Hay disponibles alias compartidos ilimitados por 36 $/año. + +Funciones gratuitas destacables: + +- [x] 20 Alias compartidos +- [x] Alias estándar ilimitados +- [ ] No hay respuestas salientes +- [x] 2 Buzones de destinatarios +- [x] Cifrado PGP automático + +### SimpleLogin + +!!! recommendation + + ![Logo de Simplelogin](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** es un servicio gratuito que proporciona alias de correo electrónico en una variedad de nombres de dominio compartidos, y opcionalmente proporciona características de pago como alias ilimitados y dominios personalizados. + + [:octicons-home-16: Página Principal](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin fue [adquirida por Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) a partir del 8 de abril de 2022. Si utiliza Proton Mail para su buzón principal, SimpleLogin es una gran elección. Como ambos productos pertenecen ahora a la misma empresa, ahora sólo tiene que confiar en una única entidad. También esperamos que SimpleLogin se integre más estrechamente con las ofertas de Proton en el futuro. SimpleLogin sigue siendo compatible con el reenvío a cualquier proveedor de correo electrónico de su elección. Securitum [auditado](https://simplelogin.io/blog/security-audit/) SimpleLogin a principios de 2022 y todos los problemas [fueron resueltos](https://simplelogin.io/audit2022/web.pdf). + +Puedes vincular tu cuenta SimpleLogin en la configuración con tu cuenta Proton. Si tienes el plan Proton Unlimited, Business o Visionary, tendrás SimpleLogin Premium gratis. + +Funciones gratuitas destacables: + +- [x] 10 Alias compartidos +- [x] Respuestas ilimitadas +- [x] 1 buzón de destinatario + +## Correo de auto-alojamiento + +Los administradores de sistemas avanzados pueden plantearse crear su propio servidor de correo electrónico. Los servidores de correo requieren atención y un mantenimiento continuo para mantener la seguridad y la fiabilidad de la entrega del correo. + +### Soluciones de software combinadas + +!!! recommendation + + ![Logo de Mailcow](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** es un servidor de correo más avanzado perfecto para aquellos con un poco más de experiencia en Linux. Tiene todo lo que necesitas en un contenedor Docker: Un servidor de correo con soporte DKIM, antivirus, monitorización de spam, webmail, ActiveSync con SOGo y administración basada en web con soporte 2FA. + + [:octicons-home-16: Página Principal](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribuir } + +!!! recommendation + + ![Logo de Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** es un script de configuración automatizada para desplegar un servidor de correo en Ubuntu. Su objetivo es facilitar a los usuarios la instalación de su propio servidor de correo. + + [:octicons-home-16: Página Principal](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Código Fuente" } + +Para un enfoque más manual, hemos seleccionado estos dos artículos: + +- [Configuración de un servidor de correo con OpenSMTPD, Dovecot y Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Cómo gestionar tu propio servidor de correo](https://www.c0ffee.net/blog/mail-server-guide/) (agosto de 2017) + +## Criterios + +**Tenga en cuenta que no estamos afiliados a ninguno de los proveedores que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos para cualquier proveedor de Email que desee ser recomendado, incluyendo la implementación de las mejores prácticas de la industria, tecnología moderna y más. Le sugerimos que se familiarice con esta lista antes de elegir un proveedor de correo electrónico, y que realice su propia investigación para asegurarse de que el proveedor de correo electrónico que elija sea la opción adecuada para usted. + +### Tecnología + +Consideramos que estas características son importantes para ofrecer un servicio seguro y óptimo. Debe considerar si el proveedor tiene las características que necesita. + +**Mínimo para calificar:** + +- Cifra los datos de las cuentas de correo electrónico en reposo con cifrado de acceso cero. +- Capacidad de exportación como [Mbox](https://en.wikipedia.org/wiki/Mbox) o .eml individual con [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) estándar. +- Permitir a los usuarios utilizar su propio [nombre de dominio](https://en.wikipedia.org/wiki/Domain_name). Los nombres de dominio personalizados son importantes para los usuarios porque les permiten mantener su agencia del servicio, en caso de que éste se estropee o sea adquirido por otra empresa que no dé prioridad a la privacidad. +- Operaciones en infraestructura propia, es decir, no construidas sobre proveedores de servicios de correo electrónico de terceros. + +**Mejor caso:** + +- Cifra todos los datos de la cuenta (contactos, calendarios, etc.) en reposo con cifrado de acceso cero. +- Cifrado integrado de correo web E2EE/PGP proporcionado como una conveniencia. +- Compatibilidad con [WKD](https://wiki.gnupg.org/WKD) para permitir un mejor descubrimiento de claves OpenPGP públicas a través de HTTP. Los usuarios de GnuPG pueden obtener una clave escribiendo: `gpg --locate-key usuario_ejemplo@ejemplo.com` +- Soporte para un buzón temporal para usuarios externos. Esto es útil cuando quieres enviar un correo electrónico encriptado, sin enviar una copia real a tu destinatario. Estos correos electrónicos suelen tener una vida útil limitada y luego se eliminan automáticamente. Tampoco requieren que el destinatario configure ninguna criptografía como OpenPGP. +- Disponibilidad de los servicios del proveedor de correo electrónico a través de un [ servicio onion](https://en.wikipedia.org/wiki/.onion). +- Soporte de [subdireccionamiento](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Funcionalidad Catch-all o alias para aquellos que poseen sus propios dominios. +- Utilización de protocolos estándar de acceso al correo electrónico como IMAP, SMTP o [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Los protocolos de acceso estándar garantizan que los clientes puedan descargar fácilmente todo su correo electrónico en caso de que quieran cambiar de proveedor. + +### Privacidad + +Preferimos que nuestros proveedores recomendados recojan la menor cantidad de datos posible. + +**Mínimo para calificar:** + +- Proteger la dirección IP del remitente. Filtrarlo para que no aparezca en el campo de cabecera `Recibido`. +- No requiera información personal identificable (PII) aparte de un nombre de usuario y una contraseña. +- Política de privacidad que cumple los requisitos definidos por el GDPR +- No debe estar alojado en los Estados Unidos debido a [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) que aún tiene [que ser reformado](https://epic.org/ecpa/). + +**Mejor caso:** + +- Acepte [opciones de pago anónimas](advanced/payments.md) ([criptomonedas](cryptocurrency.md), efectivo, tarjetas regalo, etc.) + +### Seguridad + +Los servidores de correo electrónico manejan muchos datos sensibles. Esperamos que los proveedores adopten las mejores prácticas de la industria para proteger a sus miembros. + +**Mínimo para calificar:** + +- Protección del correo web con 2FA, como TOTP. +- Cifrado de acceso cero, basado en el cifrado en reposo. El proveedor no disponga de las claves de descifrado de los datos que posee. Esto evita que un empleado deshonesto filtre datos a los que tiene acceso o que un adversario remoto divulgue datos que ha robado al obtener acceso no autorizado al servidor. +- Compatible con [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- No haya errores o vulnerabilidades TLS cuando se perfilan con herramientas como [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/)o [Qualys SSL Labs](https://www.ssllabs.com/ssltest); esto incluye errores relacionados con el certificado y parámetros DH débiles, como los que llevaron a [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Una preferencia de suite de servidor (opcional en TLSv1.3) para suites de cifrado potentes que soporten forward secrecy y encriptación autenticada. +- Una política válida [MTA-STS](https://tools.ietf.org/html/rfc8461) y [TLS-RPT](https://tools.ietf.org/html/rfc8460). +- Registros válidos de [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). +- Registros válidos [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) y [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). +- Tenga un registro y una política adecuados de [DMARC](https://en.wikipedia.org/wiki/DMARC) o use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) para la autenticación. Si se utiliza la autenticación DMARC, la política debe establecerse en `rechazar` o `cuarentena`. +- Una preferencia de conjunto de servidores de TLS 1.2 o posterior y un plan para [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [Envío de SMTPS](https://en.wikipedia.org/wiki/SMTPS), suponiendo que se utiliza SMTP. +- Estándares de seguridad del sitio web tales como: + - [Seguridad de transporte estricta HTTP](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Integridad de subrecurso](https://en.wikipedia.org/wiki/Subresource_Integrity) si se cargan cosas desde dominios externos. +- Debe admitir la visualización de [Encabezados de mensaje](https://en.wikipedia.org/wiki/Email#Message_header), ya que es una característica forense crucial para determinar si un correo electrónico es un intento de phishing. + +**Mejor caso:** + +- Soporte para autenticación de hardware, ej. U2F y [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F y WebAuthn son más seguros ya que utilizan una clave privada almacenada en un dispositivo de hardware del lado del cliente para autenticar a las personas, a diferencia de un secreto compartido que se almacena en el servidor web y en el lado del cliente cuando se utiliza TOTP. Además, U2F y WebAuthn son más resistentes al phishing ya que su respuesta de autenticación se basa en el [nombre de dominio](https://en.wikipedia.org/wiki/Domain_name) autenticado. +- [Registro de recursos de autorización de autoridad de certificación (CAA) de DNS](https://tools.ietf.org/html/rfc6844) además del soporte de DANE. +- Implementación de la [cadena recibida autenticada (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), esto es útil para las personas que publican en listas de correo [RFC8617](https://tools.ietf.org/html/rfc8617). +- Programas de recompensa de errores y/o un proceso coordinado de divulgación de vulnerabilidades. +- Estándares de seguridad del sitio web tales como: + - [Política de seguridad de contenido (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Confianza + +No confiarías tus finanzas a alguien con una identidad falsa, así que ¿por qué confiarle tus datos de Internet? Exigimos a nuestros proveedores recomendados que hagan pública su propiedad o liderazgo. También nos gustaría ver informes de transparencia frecuentes, especialmente en lo que se refiere a cómo se gestionan las solicitudes del gobierno. + +**Mínimo para calificar:** + +- Liderazgo o propiedad de cara al público. + +**Mejor caso:** + +- Liderazgo de cara al público. +- Informes de transparencia frecuentes. + +### Marketing + +Con los proveedores de correo electrónico que recomendamos nos gusta ver el marketing responsable. + +**Mejor caso:** + +- Debe autoalojar las analíticas (no Google Analytics, Adobe Analytics, etc.). El sitio del proveedor también debe cumplir con [DNT (Do Not Track, sin rastreo)](https://en.wikipedia.org/wiki/Do_Not_Track) para las personas que deseen darse de baja. + +No debe tener ningún tipo de marketing que sea irresponsable: + +- Reclamaciones de "cifrado irrompible" El cifrado debe usarse con la intención de que no sea secreto en el futuro cuando exista la tecnología para descifrarlo. +- Haciendo garantías de proteger el anonimato al 100%. Cuando alguien afirma que algo es 100% significa que no hay certeza de fracaso. Sabemos que la gente puede desanonimizarse fácilmente de varias maneras, por ejemplo: + +- Reutilizar información personal, por ejemplo (cuentas de correo electrónico, seudónimos únicos, etc.) que accedieron sin software de anonimato (Tor, VPN, etc.) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Mejor Caso:** + +- Documentación clara y fácil de leer. Esto incluye cosas como configurar 2FA, clientes de correo electrónico, OpenPGP, etc. + +### Funcionalidad Adicional + +Aunque no son exactamente requisitos, hay algunos otros factores de conveniencia o privacidad que hemos analizado para determinar qué proveedores recomendar. diff --git a/i18n/es/encryption.md b/i18n/es/encryption.md new file mode 100644 index 00000000..6e6dd157 --- /dev/null +++ b/i18n/es/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Software de Cifrado" +icon: material/file-lock +description: El cifrado de los datos es la única forma de controlar quién puede acceder a ellos. Estas herramientas le permiten cifrar sus correos electrónicos y cualquier otro archivo. +--- + +El cifrado de los datos es la única forma de controlar quién puede acceder a ellos. Si actualmente no está utilizando software de cifrado para su disco duro, correos electrónicos o archivos, debería elegir una opción aquí. + +## Multiplataforma + +Las opciones enumeradas aquí son multiplataforma y excelentes para crear copias de seguridad cifradas de sus datos. + +### Cryptomator (Nube) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** es una solución de cifrado diseñada para guardar archivos de forma privada en cualquier proveedor en la nube. Le permite crear bóvedas que se almacenan en una unidad virtual, cuyo contenido está cifrado y sincronizado con su proveedor de almacenamiento en la nube. + + [:octicons-home-16: Página Principal](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Política de privacidad" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator utiliza el cifrado AES-256 para cifrar tanto los archivos como los nombres de los archivos. Cryptomator no puede cifrar metadatos como las marcas de la fecha de acceso, modificación y creación, ni el número y tamaño de los archivos y carpetas. + +Algunas bibliotecas criptográficas de Cryptomator han sido [auditadas](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) por Cure53. El alcance de las bibliotecas auditadas incluye: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) y [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). La auditoría no se extendió a [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), que es una biblioteca utilizada por Cryptomator para iOS. + +La documentación de Cryptomator detalla su intención con respecto a su [objetivo de seguridad](https://docs.cryptomator.org/en/latest/security/security-target/), [arquitectura de seguridad](https://docs.cryptomator.org/en/latest/security/architecture/), y [mejores prácticas](https://docs.cryptomator.org/en/latest/security/best-practices/) para su uso con más detalle. + +### Picocrypt (Archivo) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** es una herramienta de cifrado pequeña y simple que proporciona un cifrado moderno. Picocrypt utiliza el cifrado seguro XChaCha20 y la función de derivación de clave Argon2id para proporcionar un alto nivel de seguridad. Utiliza los módulos x/crypto estándar de Go para sus funciones de cifrado. + + [:octicons-repo-16: Repositorio](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disco) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** es una utilidad de software gratuito con el código fuente disponible que se utiliza para el cifrado sobre la marcha. Puede crear un disco cifrado virtual dentro de un archivo, cifrar una partición o cifrar todo el dispositivo de almacenamiento con autenticación previa al arranque. + + [:octicons-home-16: Página Principal](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentación} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt es una bifurcación del proyecto TrueCrypt ya descontinuado. Según sus desarrolladores, se implementaron mejoras de seguridad y se abordaron los problemas planteados por la auditoría inicial del código de TrueCrypt. + +Al cifrar con VeraCrypt, tiene la opción de seleccionar entre diferentes [funciones hash](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Le sugerimos **únicamente** seleccionar [SHA-512](https://en.wikipedia.org/wiki/SHA-512) y seleccionar el [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) como cifrado de bloque. + +Truecrypt ha sido [auditado un buen número de veces](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), y VeraCrypt también ha sido [auditado de manera separada](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Cifrado de Disco Completo del Sistema Operativo + +Los sistemas operativos modernos incluyen [FDE](https://es.wikipedia.org/wiki/Cifrado_de_disco) y tendrán un[criptoprocesador seguro](https://es.wikipedia.org/wiki/Procesador_criptogr%C3%A1fico_seguro). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** es la solución de cifrado de volumen completo incluida con Microsoft Windows. La razón principal por la que lo recomendamos, es por su [uso de TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), una empresa forense, ha escrito sobre ello en [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentación} + +BitLocker es [únicamente compatible](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) en las versiones Pro, Enterprise y Education de Windows. Se puede habilitar en las ediciones Home siempre que cumplan con los requisitos previos. + +??? example "Habilitación de BitLocker en Windows Home" + + Para habilitar BitLocker en las ediciones "Home" de Windows, debe tener particiones formateadas con una [tabla de partición GUID](https://es.wikipedia.org/wiki/Tabla_de_particiones_GUID) y tener un módulo TPM (v1.2, 2.0+) dedicado. + + 1. Abra un símbolo del sistema y verifique el formato de la tabla de particiones de su unidad con el siguiente comando. Debería ver "**GPT**" listado bajo "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Ejecute este comando (en un símbolo del sistema ejecutado como administrador) para verificar su versión de TPM. Debería ver `2.0` o `1.2` junto a `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Acceda a [Opciones avanzadas de inicio](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). Debe reiniciar mientras pulsa la tecla F8 antes de que se inicie Windows y entrar en el símbolo del sistema ** en **Solucionar problemas** → **Opciones avanzadas** → **Símbolo del sistema**. + + 4. Inicie sesión con su cuenta de administrador y escriba esto en el símbolo del sistema para iniciar el cifrado: + + ``` + manage-bde -on c: -used + ``` + + 5. Cierre el símbolo del sistema y continúe con el arranque normal de Windows. + + 6. Abra un símbolo del sistema como administrador y ejecute los siguientes comandos: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip "Consejo" + + Haga una copia de seguridad de `BitLocker-Recovery-Key.txt` en su escritorio para un dispositivo de almacenamiento independiente. La pérdida de este código de recuperación puede resultar en la pérdida de datos. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** es la solución de cifrado de volúmenes sobre la marcha integrada en macOS. FileVault se recomienda porque [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) las capacidades de seguridad de hardware presentes en un SoC Apple Silicon o un Chip de Seguridad T2. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentación} + +Recomendamos almacenar una clave de recuperación local en un lugar seguro en lugar de utilizar su cuenta de iCloud para la recuperación. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** es el método FDE por defecto para Linux. Puede utilizarse para cifrar volúmenes completos, particiones o crear contenedores cifrados. + + [:octicons-home-16: Página Principal](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentación} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Código Fuente" } + +??? ejemplo "Creación y apertura de contenedores cifrados" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Apertura de contenedores cifrados + Recomendamos abrir contenedores y volúmenes con `udisksctl` ya que utiliza [Polkit](https://en.wikipedia.org/wiki/Polkit). La mayoría de los gestores de archivos, como los incluidos en los entornos de escritorio más populares, pueden desbloquear archivos cifrados. Herramientas como [udiskie](https://github.com/coldfix/udiskie) pueden ejecutarse en la bandeja del sistema y proporcionar una interfaz de usuario útil. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! nota "Recuerde hacer una copia de seguridad de las cabeceras de volumen" + + Le recomendamos que siempre haga [copias de seguridad de las cabeceras LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) en caso de fallo parcial de la unidad. Esto se puede hacer con: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Basado en Navegador + +El cifrado basado en navegador puede ser útil cuando necesita cifrar un archivo pero no puede instalar software o aplicaciones en su dispositivo. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** es una aplicación web que proporciona cifrado seguro de archivos del lado del cliente en su navegador. También puede ser autoalojado y es útil si necesita cifrar un archivo pero no puede instalar ningún software en su dispositivo debido a políticas organizativas. + + [:octicons-globe-16: Sitio Web](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Puede encontrar los métodos de donación en la parte inferior del sitio web" } + +## Línea de Comandos + +Las herramientas con interfaces de línea de comandos son útiles para integrar scripts de shell. + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** es una herramienta de cifrado y firma de archivos gratuita y de código abierto que hace uso de algoritmos criptográficos modernos y seguros. Pretende ser una versión mejorada de [age](https://github.com/FiloSottile/age) y [Minisign](https://jedisct1.github.io/minisign/) para ofrecer una alternativa sencilla y más fácil a GPG. + + [:octicons-home-16: Página Principal](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** es un empaquetador de shell de línea de comandos para LUKS. Admite esteganografía a través de [herramientas de terceros](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Página Principal](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribuir } + +## OpenPGP + +OpenPGP es a veces necesario para tareas específicas como la firma digital y el cifrado de correo electrónico. PGP tiene muchas funciones y es [complejo](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) ya que existe desde hace mucho tiempo. Para tareas como firmar o cifrar archivos, sugerimos las opciones anteriores. + +Al cifrar con PGP, tiene la opción de configurar diferentes opciones en su archivo `gpg.conf`. Recomendamos utilizar las opciones estándar especificadas en las preguntas frecuentes de los usuarios de [GnuPG](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! consejo "Utilice future defaults al generar una clave" + + Al [generar claves](https://www.gnupg.org/gph/en/manual/c14.html) sugerimos usar el comando `future-default` ya que esto instruirá a GnuPG a usar criptografía moderna como [Curve25519](https://es.wikipedia.org/wiki/Curve25519#Popularidad) y [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GNUPG** es una alternativa con licencia GPL a la suite de software criptográfico PGP. GnuPG cumple con [RFC 4880](https://tools.ietf.org/html/rfc4880), que es la especificación actual del IETF de OpenPGP. El proyecto GnuPG ha estado trabajando en un [borrador actualizado](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) en un intento de modernizar OpenPGP. GnuPG forma parte del proyecto de software GNU de la Fundación para el Software Libre y ha recibido un importante [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) del gobierno alemán. + + [:octicons-home-16: Página Principal](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentación} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** es un paquete para Windows de [Intevation y g10 Code](https://gpg4win.org/impressum.html). Incluye [varias herramientas](https://gpg4win.org/about.html) que pueden ayudarle a utilizar GPG en Microsoft Windows. El proyecto fue iniciado y originalmente [financiado por](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) la Oficina Federal de Seguridad de la Información (BSI) de Alemania en 2005. + + [:octicons-home-16: Página Principal](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentación} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! nota + + Sugerimos [Canary Mail](email-clients.md#canary-mail) para utilizar PGP con el correo electrónico en dispositivos iOS. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** proporciona soporte OpenPGP para [Apple Mail](email-clients.md#apple-mail) y macOS. + + Recomendamos echar un vistazo a sus [Primeros pasos](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) y [Base de conocimientos](https://gpgtools.tenderapp.com/kb) para obtener ayuda. + + [:octicons-home-16: Página Principal](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** es una implementación de GnuPG para Android. Es comúnmente requerido por clientes de correo como [K-9 Mail](email-clients.md#k-9-mail) y [FairEmail](email-clients.md#fairemail) y otras aplicaciones Android para proporcionar soporte de cifrado. Cure53 completó una [auditoría de seguridad](https://www.openkeychain.org/openkeychain-3-6) de OpenKeychain 3.6 en octubre de 2015. Los detalles técnicos sobre la auditoría y las soluciones de OpenKeychain pueden consultarse [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Página Principal](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- Las aplicaciones de cifrado multiplataforma deben ser de código abierto. +- Las aplicaciones de cifrado de archivos deben permitir el descifrado en Linux, macOS y Windows. +- Las aplicaciones de cifrado de discos externos deben permitir el descifrado en Linux, macOS y Windows. +- Las aplicaciones de cifrado de disco interno (OS) deben ser multiplataforma o estar integradas en el sistema operativo de forma nativa. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Las aplicaciones de cifrado del sistema operativo (FDE) deben utilizar seguridad de hardware como un TPM o Secure Enclave. +- Las aplicaciones de cifrado de archivos deben ser compatibles con plataformas móviles, ya sean propias o de terceros. diff --git a/i18n/es/file-sharing.md b/i18n/es/file-sharing.md new file mode 100644 index 00000000..cf691dd3 --- /dev/null +++ b/i18n/es/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "Compartición y sincronización de archivos" +icon: material/share-variant +description: Descubra cómo puede compartir de manera privada sus archivos entre sus dispositivos, con sus amigos y familia, o de manera anónima en línea. +--- + +Descubra cómo puede compartir de manera privada sus archivos entre sus dispositivos, con sus amigos y familia, o de manera anónima en línea. + +## Programas para compartir archivos + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** es una bifurcación del programa Firefox Send (descontinuado por Mozilla), que permite enviar archivos a otras personas mediante un enlace. Los archivos son encriptados en su dispositivo, lo que no permite que sean leídos por el servidor y, opcionalmente, también pueden protegerse por una contraseña. El responsable de mantener Send ofrece una [instancia pública](https://send.vis.ee/). Puede usitlizar otras instancias públicas o puede hospedar Send usted mismo. + + [:octicons-home-16: Página principal](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send puede utilizarse a través de su interfaz web o mediante la herremienta de comandos [ffsend](https://github.com/timvisee/ffsend). Si usted es familiar con la línea de comandos y envía archivos frecuentemente, recomendamos utilizar el cliente CLI para evitar la encriptación basada en JavaScript. Usted puede especificar la bandera `--host` para utilizar un servidor en específico: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** es una herramienta de código abierto que permite compartir de manera segura y anónima un archivo de cualquier tamaño. Funciona iniciando un servidor web accesible como un servicio onion de Tor, con un enlace indescifrable que se puede compartir con los receptores para descargar o enviar archivos. + + [:octicons-home-16: Página principal](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? descargas + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criterios + +**Por favor, tome en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** En adición a [nuestros criterios estándares](about/criteria.md), hemos desarrollado un claro conjunto de requisitos para permitirnos brindar recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista antes de optar por utilizar un proyecto, y realizar su propia investigación para asegurarse que es la elección adecuada. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna pregunta sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no consideramos algo al hacer nuestras recomendaciones, si no se encuentra listado aquí. Hay múltiples factores considerados y discutidos cuando recomendamos un proyecto, y documentar cada uno es un trabajo en progreso. + +- No debe almacenar información sin encriptar en un servidor remoto. +- Debe ser un programa de código abierto. +- Debe tener clientes para Linux, macOS y Winwos; o tener una interfaz web. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** es un sistema operativo diseñado para correr en una [computadora de placa única (SBC, por sus siglas en inglés)](https://en.wikipedia.org/wiki/Single-board_computer). El propósito es facilitar la configuración de aplicaciones que requieran un servidor y se puedan alojar por usted mismo. + + [:octicons-home-16: Página principal](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## Sincronización de archivos + +### Nextcloud (Cliente-Servidor) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** es un conjunto de programas gratuitos y de código abierto, para la creación de su propio servicio de almacenamiento de archivos en un servidor privado que usted controle. + + [:octicons-home-16: Página principal](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Peligro" + + No recomendamos utilizar la [aplicación con cifrado de extremo a extremo](https://apps.nextcloud.com/apps/end_to_end_encryption) para Nextcloud, porque puede causar la pérdida de datos; esta es considerada como altamente experimental y no debe utilizarse en entornos de producción. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** es una herramienta de sincronización continua de archivos peer-to-peer de código abierto. Es utilizada para sincronizar archivos entre dos o más dispositivos sobre la red local o el Internet. Syncthing no utiliza un servidor centralizado, este utiliza el [Protocolo de Intercambio de Bloques](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) para transferir los datos entre dispositivos. Todos los datos son encriptados utilizando TLS. + + [:octicons-home-16: Página principal](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criterios + +**Por favor, tome en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** En adición a [nuestros criterios estándares](about/criteria.md), hemos desarrollado un claro conjunto de requisitos para permitirnos brindar recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista antes de optar por utilizar un proyecto, y realizar su propia investigación para asegurarse que es la elección adecuada. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +#### Requisitos Mínimos + +- No debe requerir un servidor de terceros remoto o en la nube. +- Debe ser software de código abierto. +- Debe tener clientes para Linux, macOS y Winwos; o tener una interfaz web. + +#### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Dispone de clientes móviles para iOS y Android, que al menos permiten previsualizar los documentos. +- Admite la copia de seguridad de fotos desde iOS y Android, y opcionalmente admite la sincronización de archivos/carpetas en Android. diff --git a/i18n/es/financial-services.md b/i18n/es/financial-services.md new file mode 100644 index 00000000..bf6a90c4 --- /dev/null +++ b/i18n/es/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Servicios Financieros +icon: material/bank +--- + +Realizar pagos en línea es uno de los principales desafíos para la privacidad. Estos servicios pueden ayudarle a proteger su privacidad frente a los comercios y otros rastreadores, siempre que conozca bien cómo realizar pagos privados de forma eficaz. Le recomendamos encarecidamente que primero lea nuestro apartado de pagos antes de realizar cualquier compra: + +[Hacer Pagos Privados: :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Servicios de Enmascaramiento de Pagos + +Hay una serie de servicios que ofrecen "tarjetas de débito virtuales" que puede utilizar con comercios en línea sin revelar sus datos bancarios o de facturación reales en la mayoría de los casos. Es importante tener en cuenta que estos servicios financieros **no** son anónimos y están sujetos a las leyes de "Conozca a su cliente" (KYC) y pueden requerir su DNI u otra información identificativa. Estos servicios son útiles principalmente para protegerle de las filtraciones de datos de los comercios, del seguimiento menos sofisticado o de la correlación de compras por parte de las agencias de marketing y del robo de datos en línea; y **no** para realizar una compra de forma totalmente anónima. + +!!! consejo "Compruebe su banco actual" + + Muchos bancos y proveedores de tarjetas de crédito ofrecen funciones nativas de tarjeta virtual. Si ya utiliza uno que ofrezca esta opción, debería utilizarlo en lugar de las siguientes recomendaciones en la mayoría de los casos. De este modo, no estará confiando su información personal a varias personas. + +### Privacy.com (EE. UU.) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + El plan gratuito de **Privacy.com** le permite crear hasta 12 tarjetas virtuales al mes, establecer límites de gasto en esas tarjetas y cerrarlas al instante. Su plan de pago le permite crear hasta 36 tarjetas al mes, obtener un 1% de reembolso en las compras y ocultar la información de la transacción de su banco. + + [:octicons-home-16: Página Principal](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentación} + +Privacy.com facilita por defecto a su banco información sobre los comercios en los que compra. Su función de pago "discreet merchants" oculta la información de los comercios a su banco, de modo que su banco sólo ve que se ha realizado una compra en Privacy.com, pero no dónde se ha gastado el dinero. Sin embargo, esto no es infalible y, por supuesto, Privacy.com sigue teniendo conocimiento de los comercios en los que gasta dinero. + +### MySudo (EE. UU., De Pago) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** proporciona hasta 9 tarjetas virtuales dependiendo del plan que contrate. Sus planes de pago incluyen además funciones que pueden ser útiles para realizar compras en privado, como números de teléfono virtuales y direcciones de correo electrónico, aunque normalmente recomendamos otros [proveedores de alias de correo electrónico](email.md) para un uso extenso del alias de correo electrónico. + + [:octicons-home-16: Página Principal](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentación} + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de elegir utilizar un proyecto y realizar su propia investigación para asegurarse que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Permite la creación de múltiples tarjetas que funcionan como un escudo entre el comercio y sus finanzas personales. +- Las tarjetas no deben exigirle que facilite al comercio información precisa sobre la dirección de facturación. + +## Mercados en Línea de Tarjetas Regalo + +Estos servicios le permiten comprar tarjetas de regalo para una gran variedad de comercios en línea con [criptomonedas](cryptocurrency.md). Algunos de estos servicios ofrecen opciones de verificación de identidad para límites más altos, pero también permiten cuentas con sólo una dirección de correo electrónico. Los límites básicos suelen comenzar en 5.000-10.000 dólares al día para las cuentas básicas, y límites significativamente más altos para las cuentas verificadas mediante un documento identificativo (si se ofrecen). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** le permite comprar tarjetas regalo y productos relacionados con Monero. Las compras en comercios de EE. UU. están disponibles en la aplicación móvil de Cake Wallet, mientras que la aplicación web de Cake Pay incluye una amplia selección de comercios de todo el mundo. + + [:octicons-home-16: Página Principal](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentación} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (disponible en EE.UU., Canadá y Reino Unido) le permite comprar tarjetas regalo para una gran variedad de comercios. + + [:octicons-home-16: Página Principal](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentación} + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de elegir utilizar un proyecto y realizar su propia investigación para asegurarse que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Acepta pagos en [una criptomoneda recomendada](cryptocurrency.md). +- No exige identificación. diff --git a/i18n/es/frontends.md b/i18n/es/frontends.md new file mode 100644 index 00000000..c4f3b9d1 --- /dev/null +++ b/i18n/es/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Interfaces de usuario" +icon: material/flip-to-front +description: Estas interfaces de código abierto para diversos servicios de Internet le permiten acceder a los contenidos sin JavaScript ni otras molestias. +--- + +A veces, los servicios intentarán obligarle a registrarse mediante el bloqueo al acceso a los contenidos con molestas ventanas emergentes. También pueden fallar si no se activa JavaScript. Estas interfaces pueden permitirle eludir estas restricciones. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** es una interfaz gratuita y de código abierto para [Odysee](https://odysee.com/) (LBRY) que también es autoalojable. + + Existen varias instancias públicas, algunas de las cuales disponen de soporte para servicios onion [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repositorio](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Código Fuente" } + +!!! advertencia + + Librarian no proporciona un proxy para los vídeos por defecto. Los vídeos vistos a través de Librarian seguirán realizando conexiones directas a los servidores de Odysee (por ejemplo, 'odycdn.com'); sin embargo, algunas instancias pueden habilitar el proxy, lo que se detallaría en la política de privacidad de la instancia. + +!!! consejo + + Librarian es útil si quiere ver contenido LBRY en el móvil sin telemetría obligatoria y si quiere desactivar JavaScript en su navegador, como es el caso de [Tor Browser](https://www.torproject.org/) en el nivel de seguridad Más Seguro. + +Al autoalojarse, es importante que otras personas utilicen también su instancia para poder integrarse. Debería tener cuidado con dónde y cómo aloja Librarian, ya que el uso de otras personas se vinculará a su alojamiento. + +Cuando utilice una instancia de Librarian, asegúrese de leer la política de privacidad de esa instancia específica. Las instancias de Librarian pueden ser modificadas por sus propietarios y, por lo tanto, pueden no reflejar la política por defecto. Las instancias de Librarian presentan una "etiqueta nutricional de privacidad" para ofrecer una visión general de su política. Algunas instancias tienen direcciones Tor .onion que pueden otorgar cierta privacidad siempre y cuando sus consultas de búsqueda no contengan PII (Información Personal Identificable). + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** es una interfaz gratuita y de código abierto para [Twitter](https://twitter.com) que también es autoalojable. + + Existen varias instancias públicas, algunas de las cuales disponen de soporte para servicios onion [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repositorio](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribuir } + +!!! consejo + + Nitter es útil si quiere navegar por el contenido de Twitter sin tener que iniciar sesión y si quieres desactiva JavaScript en su navegador, como es el caso de [Tor Browser](https://www.torproject.org/) en el nivel de seguridad Más Seguro. También le permite [crear canales RSS para Twitter](news-aggregators.md#twitter). + +Al autoalojarse, es importante que otras personas utilicen también su instancia para poder integrarse. Debería tener cuidado con dónde y cómo aloja Nitter, ya que el uso de otras personas se vinculará a su alojamiento. + +Cuando utilice una instancia de Nitter, asegúrese de leer la política de privacidad de esa instancia específica. Las instancias de Nitter pueden ser modificadas por sus propietarios y, por tanto, pueden no reflejar la política por defecto. Algunas instancias tienen direcciones Tor .onion que pueden otorgar cierta privacidad siempre y cuando sus consultas de búsqueda no contengan PII (Información Personal Identificable). + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + *ProxiTok** es una interfaz gratuita y de código abierto para el sitio web [TikTok](https://www.tiktok.com) que también es autoalojable. + + Existen varias instancias públicas, algunas de las cuales disponen de soporte para servicios onion [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repositorio](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Código Fuente" } + +!!! consejo + + PorxiTok es útil si quiere desactivar JavaScript en su navegador como en el navegador [Tor](https://www.torproject.org/) en la configuración de seguridad Más Segura. + +Al autoalojarse, es importante que otras personas utilicen también su instancia para poder integrarse. Debería tener cuidado con dónde y cómo aloja Nitter, ya que el uso de otras personas se vinculará a su alojamiento. + +Cuando utilice una instancia de ProxiTok, asegúrese de leer la política de privacidad de esa instancia específica. Las instancias de ProxiTok pueden ser modificadas por sus propietarios y, por tanto, pueden no reflejar su política asociada. Algunas instancias tienen direcciones Tor .onion que pueden otorgar cierta privacidad siempre y cuando sus consultas de búsqueda no contengan PII (Información Personal Identificable). + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** es una aplicación de escritorio gratuita y de código abierto para [YouTube](https://youtube.com). Al usar FreeTube, su lista de suscripciones y sus listas de reproducción se guardan localmente en su dispositivo. + + Por defecto, FreeTube bloquea todos los anuncios de YouTube. Además, FreeTube se integra opcionalmente con [SponsorBlock](https://sponsor.ajay.app) para ayudarle a saltar segmentos de vídeo patrocinados. + + [:octicons-home-16: Página Principal](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! advertencia + + Al utilizar FreeTube, su dirección IP puede seguir siendo conocida por YouTube, [Invidious](https://instances.invidious.io), o [SponsorBlock](https://sponsor.ajay.app/) dependiendo de su configuración. Considere la posibilidad de utilizar una [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** es un reproductor de vídeo gratuito y de código abierto orientado a la privacidad para iOS, tvOS y macOS para [YouTube](https://youtube.com). Al usar Yattee, su lista de suscripciones se guarda localmente en su dispositivo. + + Necesitará realizar algunos [pasos adicionales](https://gonzoknows.com/posts/Yattee/) antes de poder usar Yattee para ver YouTube, debido a las restricciones de la App Store. + + [:octicons-home-16: Página Principal](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! advertencia + + Al utilizar Yattee, su dirección IP puede seguir siendo conocida por YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances/) o [SponsorBlock](https://sponsor.ajay.app/) dependiendo de su configuración. Considere la posibilidad de utilizar una [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP. + +Por defecto, Yattee bloquea todos los anuncios de YouTube. Además, Yattee se integra opcionalmente con [SponsorBlock](https://sponsor.ajay.app) para ayudarle a saltar segmentos de vídeo patrocinados. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** es una aplicación Android gratuita y de código abierto para [YouTube](https://youtube.com) que utiliza la API [Piped](#piped). + + LibreTube le permite almacenar su lista de suscripciones y listas de reproducción localmente en su dispositivo Android, o en una cuenta de su instancia de Piped preferida, lo que le permite acceder a ellas sin problemas desde otros dispositivos. + + [:octicons-home-16: Página Principal](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! advertencia + + Al usar LibreTube, su dirección IP será visible para la instancia [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) que elija y/o [SponsorBlock](https://sponsor.ajay.app/) dependiendo de su configuración. Considere la posibilidad de utilizar una [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP. + +Por defecto, LibreTube bloquea todos los anuncios de YouTube. Además, Libretube utiliza [SponsorBlock](https://sponsor.ajay.app) para ayudarle a saltarse los segmentos de vídeo patrocinados. Puede configurar completamente los tipos de segmentos que SponsorBlock omitirá, o desactivarlo por completo. También hay un botón en el propio reproductor de vídeo para desactivarlo para un vídeo específico si lo desea. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** es una aplicación Android gratuita y de código abierto para [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com) y [PeerTube](https://joinpeertube.org/) (1). + + Su lista de suscripciones y sus listas de reproducción se guardan localmente en su dispositivo Android. + + [:octicons-home-16: Página Principal](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Contribuir} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. La instancia por defecto es [FramaTube](https://framatube.org/), sin embargo, se pueden añadir más a través de **Ajustes** → **Contenido** → **Instancias de PeerTube** + +!!! Advertencia + + Al utilizar NewPipe, su dirección IP será visible para los proveedores de vídeo utilizados. Considere la posibilidad de utilizar una [VPN](vpn.md) o [Tor](https://www.torproject.org) si su [modelo de amenaza](basics/threat-modeling.md) requiere ocultar su dirección IP. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** es una interfaz gratuita y de código abierto para [YouTube](https://youtube.com) que además es autoalojable. + + Existen varias instancias públicas, algunas de las cuales disponen de soporte para servicios onion [Tor](https://www.torproject.org). + + [:octicons-home-16: Página Principal](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribuir } + +!!! advertencia + + Invidious no proporciona un proxy para los vídeos por defecto. Los vídeos que se vean a través de Invidious seguirán realizando conexiones directas a los servidores de Google (ej. 'googlevideo.com'); sin embargo, algunas instancias admiten el proxy de vídeo; basta con habilitar *Proxy videos* en la configuración de las instancias o añadir `&local=true` a la URL. + +!!! consejo + + Invidious es útil si quiere desactivar JavaScript en su navegador como en el navegador [Tor](https://www.torproject.org/) en la configuración de seguridad Msás Segura. No proporciona privacidad por sí mismo y no se recomienda entrar con ninguna cuenta. + +Al autoalojarse, es importante que otras personas utilicen también su instancia para poder integrarse. Debería tener cuidado con dónde y cómo aloja Invidious, ya que el uso de otras personas se vinculará a su alojamiento. + +Cuando utilice una instancia de Invidious, asegúrese de leer la política de privacidad de esa instancia específica. Las instancias de Invidious pueden ser modificadas por sus propietarios y, por lo tanto, pueden no reflejar su política de privacidad asociada. Algunas instancias tienen direcciones Tor .onion que pueden otorgar cierta privacidad siempre y cuando sus consultas de búsqueda no contengan PII (Información Personal Identificable). + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** es una interfaz gratuita y de código abierto para [YouTube](https://youtube.com) que además es autoalojable. + + Piped requiere JavaScript para funcionar y existen varias instancias públicas. + + [:octicons-repo-16: Repositorio](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribuir } + +!!! consejo + + Piped es útil si desea utilizar [SponsorBlock](https://sponsor.ajay.app) sin instalar una extensión o acceder a contenidos restringidos por edad sin una cuenta. No proporciona privacidad por sí mismo y no se recomienda entrar con ninguna cuenta. + +Al autoalojarse, es importante que otras personas utilicen también su instancia para poder integrarse. Debería tener cuidado con dónde y cómo aloja Piped, ya que el uso de otras personas se vinculará a su alojamiento. + +Cuando utilice una instancia de Piped, asegúrese de leer la política de privacidad de esa instancia específica. Las instancias de Piped pueden ser modificadas por sus propietarios y, por tanto, pueden no reflejar su política de privacidad asociada. + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +Las interfaces de usuario recomendadas... + +- Deben ser software de código abierto. +- Deben ser autoalojables. +- Deben ofrecer todas las funciones básicas del sitio web a los usuarios anónimos. + +Sólo consideramos interfcaes de usuario para sitios web que... + +- Normalmente no son accesibles sin JavaScript. diff --git a/i18n/es/index.md b/i18n/es/index.md new file mode 100644 index 00000000..9534c07d --- /dev/null +++ b/i18n/es/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.es.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## ¿Por qué debería importarme? + +##### "No tengo nada que ocultar. ¿Por qué debería preocuparme por mi privacidad?” + +Al igual que el derecho al matrimonio interracial, el sufragio femenino, la libertad de expresión y muchos otros, nuestro derecho a la privacidad no siempre ha sido respetado. En varias dictaduras, sigue sin serlo. Generaciones anteriores a las nuestras lucharon por nuestro derecho a la privacidad. ==La privacidad es un derecho humano, inherente a todes nosotres, == al que tenemos derecho (sin discriminación). + +No deberías confundir privacidad con secretismo. Sabemos lo que pasa en el cuarto de baño, pero aún así cierras la puerta. Esto se debe a que quieres privacidad, no secretismo. **Todo el mundo** tiene algo que proteger. La privacidad es algo que nos hace humanos. + +[:material-target-account: Amenazas frecuentes en el internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## ¿Qué debo hacer? + +##### Primero, necesitas hacer un plan + +Intentar proteger todos tus datos de todo el mundo y en todo momento es impráctico, caro y agotador. ¡Pero no te preocupes! La seguridad es un proceso, si piensas con antelación, podrás elaborar un plan adecuado para ti. La seguridad no es solo sobre las herramientas que utilizas o el software que descargas. Más bien, empieza por entender las amenazas únicas a las que te enfrentas, y cómo puedes contrarrestarlas. + +==Este proceso de identificación de amenazas y definición de contramedidas se llama **modelado de amenazas**==, y constituye la base de todo buen plan de seguridad y privacidad. + +[:material-book-outline: Aprende más sobre el modelado de amenazas](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## ¡Te necesitamos! Aquí está cómo involucrarse: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Únete a nuestro foro" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Síguenos en Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribuye a este sitio web" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Ayuda a traducir este sitio web" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chatea con nosotros en Matrix" } +[:material-information-outline:](about/index.md){ title="Conócenos mejor" } +[:material-hand-coin-outline:](about/donate.md){ title="Apoya el proyecto" } + +Es importante que un sitio web como Privacy Guides se mantenga siempre actualizado. Necesitamos que nuestra audiencia vigile las actualizaciones de software para las aplicaciones listadas en nuestro sitio y también sigan las últimas noticias sobre proveedores que recomendamos. Es difícil mantenerse al día con el ritmo rápido de Internet, pero intentamos lo mejor. Si detectas un error, crees que un proveedor no debe ser listado, notas que falta un proveedor calificado, crees que un plugin de navegador ya no es la mejor opción, o descubres cualquier otro problema, por favor háznoslo saber. diff --git a/i18n/es/kb-archive.md b/i18n/es/kb-archive.md new file mode 100644 index 00000000..c17f11f6 --- /dev/null +++ b/i18n/es/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: Archivo BC +icon: material/archive +description: Algunas páginas que solían estar en nuestra base de conocimientos ahora se pueden encontrar en nuestro blog. +--- + +# Páginas Movidas al Blog + +Algunas páginas que solían estar en nuestra base de conocimientos ahora se pueden encontrar en nuestro blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Endurecimiento de la Configuración de Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Refuerzo del Sistema](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Sandboxing de Aplicaciones](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Borrado Seguro de Datos](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integración de la Eliminación de Metadatos](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Guía de Configuración de iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/es/meta/brand.md b/i18n/es/meta/brand.md new file mode 100644 index 00000000..5c5acfdb --- /dev/null +++ b/i18n/es/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Lineamientos de marca +--- + +El nombre de la página es **Privacy Guides** y **no** debe ser cambiado a: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +El nombre del subreddit es **r/PrivacyGuides** o **el subreddit de Privacy Guides**. + +Lineamientos adicionales de marca pueden encontrarse en [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Marca registrada + +"Privacy Guides" y el logo del escudo son marcas registradas por Jonah Aragon, el uso ilimitado es otorgado al proyecto de Privacy Guides. + +Sin renuncias a ninguno de sus derechos, Privacy Guides no asesora a terceros sobre el alcance de sus derechos de propiedad intelectual. Privacy Guides no permite o autoriza el uso de ninguna de sus marcas de ninguna manera, donde es probable que se cause confusión al implicar la asociació o el patrocinio de Privacy Guides. Si tiene conocimiento de algún uso de este tipo, por favor contacte a Jonah Aragon en jonah@privacyguides.org. Consulte a su asesor jurídico si tiene preguntas. diff --git a/i18n/es/meta/git-recommendations.md b/i18n/es/meta/git-recommendations.md new file mode 100644 index 00000000..a1b642b5 --- /dev/null +++ b/i18n/es/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Recomendaciones de Git +--- + +Si realizas cambios en este sitio web en el editor web de GitHub.com directamente, no deberías tener que preocuparte por esto. Si estás desarrollando localmente y/o eres un editor de sitios web a largo plazo (¡que probablemente deberías estar desarrollando localmente!), ten en cuenta estas recomendaciones. + +## Activa la firma de compromiso de claves SSH + +Puedes utilizar una clave SSH existente para firmar, o [crear una nueva](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configura tu cliente Git para que firme commits y etiquetas por defecto (elimina `--global` para que solo firme por defecto para este repositorio): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copia tu clave pública SSH a tu portapapeles, por ejemplo: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Configura tu clave SSH para firmar en Git con el siguiente comando, sustituyendo la última cadena entre comillas por la clave pública de tu portapapeles: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Asegúrate de que [añades tu clave SSH a tu cuenta de GitHub](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **como Clave de firma** (en lugar de o además de como Clave de autenticación). + +## Rebase en Git pull + +Usa `git pull --rebase` en lugar de `git pull` al mover cambios de GitHub a tu máquina local. De esta forma, tus cambios locales estarán siempre "encima" de los últimos cambios en GitHub, y evitarás las confirmaciones de fusión (que no están permitidas en este repositorio). + +Puedes establecer que éste sea el comportamiento por defecto: + +``` +git config --global pull.rebase true +``` + +## Rebase de `main` antes de enviar un PR + +Si estás trabajando en tu propia rama, ejecuta estos comandos antes de enviar un PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/es/meta/uploading-images.md b/i18n/es/meta/uploading-images.md new file mode 100644 index 00000000..bcd604ad --- /dev/null +++ b/i18n/es/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Subiendo imágenes +--- + +He aquí un par de normas generales para contribuir a las Guías de privacidad: + +## Imágenes + +- **Preferimos** las imágenes SVG, pero si no existen podemos utilizar imágenes PNG + +Los logotipos de empresa tienen un tamaño de lienzo de: + +- 128x128px +- 384x128px + +## Optimización + +### PNG + +Utiliza [OptiPNG](https://sourceforge.net/projects/optipng/) para optimizar la imagen PNG: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Explora](https://github.com/scour-project/scour) todas las imágenes SVG. + +En Inkscape: + +1. Archivo Guardar como... +2. Establecer tipo a SVG optimizado (*.svg) + +En la pestaña **Opciones**: + +- **Número de cifras significativas para las coordenadas** > **5** +- [x] Activar **Acortar valores de color** +- [x] Activar **Convertir atributos CSS a atributos XML** +- [x] Activar **Colapsar grupos** +- [x] Activar **Crear grupos para atributos similares** +- [ ] Desactivar **Conservar datos del editor** +- [ ] Desactivar **Mantener definiciones no referenciadas** +- [x] Activar **Solucionar errores del renderizador** + +En la pestaña **Salida SVG** bajo **Opciones de documento**: + +- [ ] Desactivar **Eliminar la declaración XML** +- [x] Activar **Eliminar metadatos** +- [x] Activar **Eliminar comentarios** +- [x] Activar **Imágenes rasterizadas incrustadas** +- [x] Activar **Activar viewboxing** + +En la **salida SVG** bajo **Pretty-printing**: + +- [ ] Desactivar **Formato de salida con saltos de línea y sangría** +- **Caracteres de sangría** > Seleccionar **Espacio** +- **Profundidad de sangría** > **1** +- [ ] Desactivar **Eliminar el atributo "xml:space" del elemento SVG raíz** + +En la pestaña **IDs**: + +- [x] Activar **Eliminar ID no utilizados** +- [ ] Desactivar **Acortar IDs** +- **Prefijo de IDs acortadas con** > `dejar en blanco` +- [x] Activar **Conservar ID creados manualmente que no terminen con dígitos** +- **Conservar los siguientes IDs** > `dejar en blanco` +- **Conservar IDs que empiezan por** > `dejar en blanco` + +#### CLI + +Lo mismo puede conseguirse con el comando [Scour](https://github.com/scour-project/scour): + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/es/meta/writing-style.md b/i18n/es/meta/writing-style.md new file mode 100644 index 00000000..fa5313da --- /dev/null +++ b/i18n/es/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Estilo de escritura +--- + +Privacy Guides está redactada en inglés americano, por lo que, en caso de duda, deberá consultar las [normas de estilo APA](https://apastyle.apa.org/style-grammar-guidelines/grammar). + +En general, las [directrices federales sobre lenguaje sencillo de Estados Unidos ](https://www.plainlanguage.gov/guidelines/) ofrecen una buena visión general de cómo escribir de forma clara y concisa. A continuación destacamos algunas notas importantes de estas directrices. + +## Escribir para nuestro público + +El [público](https://www.plainlanguage.gov/guidelines/audience/) previsto de las guías de privacidad es principalmente promedio, adultos que utilizan la tecnología. No simplifique el contenido como si se dirigiera a una clase de secundaria, pero tampoco abuse de terminología complicada sobre conceptos con los que los usuarios medios de ordenadores no estarían familiarizados. + +### Abordar sólo lo que la gente quiere saber + +La gente no necesita artículos demasiado complejos y poco relevantes para ellos. Averigua qué quiere que la gente consiga al escribir un artículo y sólo incluya esos detalles. + +> Explica a tu audiencia por qué el material es importante para ellos. Di: "Si quieres una beca de investigación, esto es lo que tienes que hacer". O: "Si quieres explotar carbón federal, esto es lo que debes saber". O: "Si estás planeando un viaje a Ruanda, lee esto primero". + +### Dirigirse directamente a las personas + +Escribimos *para* una gran variedad de personas, pero escribimos *para* la persona que realmente lo lee. Utiliza el "tú" para dirigirte directamente al lector. + +> Más que ninguna otra técnica, el uso del "tú" atrae a los usuarios hacia la información y la hace relevante para ellos. +> +> Cuando utilizas el "tú" para dirigirte a los usuarios, es más probable que entiendan cuál es su responsabilidad. + +Fuente: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Evitar "usuarios" + +Evite llamar a la gente "usuarios", en favor de "personas", o una descripción más específica del grupo de personas para el que está escribiendo. + +## Organizar los contenidos + +La organización es clave. El contenido debe fluir de la información más importante a la menos importante, y utilizar encabezados tanto como sea necesario para separar lógicamente las distintas ideas. + +- Limita el documento a alrededor de cinco o seis secciones. Los documentos largos deberían dividirse en páginas separadas. +- Marca ideas importantes con **negrita** o *cursiva*. + +Fuente: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Comienza con una frase del tema + +> Si le dices a tu lector sobre qué va a leer, es menos probable que tenga que volver a leer tu párrafo. Los títulos ayudan, pero no bastan. Establece un contexto para tu público antes de proporcionarle los detalles. +> +> A menudo escribimos como pensamos, poniendo primero nuestras premisas y luego nuestra conclusión. Puede que sea la forma natural de desarrollar pensamientos, pero terminamos con la frase del tema al final del apartado. Muévelo hacia delante y haz que los usuarios sepan hacia dónde vas. No haga que los lectores retengan mucha información en la cabecera antes de ir al grano. + +Fuente: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Elige tus palabras con cuidado + +> Las palabras importan. Son los elementos básicos de la comunicación escrita y oral. No compliques las cosas utilizando jerga, términos técnicos o abreviaturas que la gente no entenderá. + +Deberíamos intentar evitar las abreviaturas en la medida de lo posible, pero la tecnología está llena de ellas. En general, escribe la abreviatura/acrónimo la primera vez que se utilice en una página y añádela al archivo del glosario de abreviaturas cuando se utilice repetidamente. + +> Kathy McGinty ofrece instrucciones irónicas para enriquecer tus frases sencillas y directas: +> +> > No se puede eludir el hecho de que se considera muy importante señalar que una serie de diversos estudios aplicables disponibles ipso facto han identificado en general el hecho de que el empleo nocturno adecuado adicional podría normalmente mantener a los adolescentes juveniles fuera de las vías públicas durante las horas nocturnas, incluyendo pero no limitándose al tiempo anterior a la medianoche en las noches entre semana y/o a las 2 de la madrugada. los fines de semana. +> +> Y el original, utilizando palabras más fuertes y sencillas: +> +> > Más trabajos nocturnos mantendrían a los jóvenes alejados de las calles. + +## Sé conciso + +> Las palabras innecesarias hacen perder el tiempo al público. Escribir bien es como conversar. Omita la información que el público no necesita saber. Esto puede resultar difícil como experto en la materia, por lo que es importante que alguien vea la información desde la perspectiva de la audiencia. + +Fuente: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Mantener el texto conversacional + +> Los verbos son el combustible de la escritura. Dan fuerza y dirección a tus frases. Animan la escritura y la hacen más interesante. +> +> Los verbos indican al público lo que debe hacer. Asegúrate de que queda claro quién hace qué. + +### Utilizar la voz activa + +> La voz activa deja claro quién debe hacer qué. Elimina la ambigüedad sobre las responsabilidades. No "Hay que hacerlo", sino "Debes hacerlo". + +Fuente: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Utiliza "debes" para los requisitos + +> - "debes" para una obligación +> - "No debes" para una prohibición +> - "Puedes" para una acción discrecional +> - "Deberías" para una recomendación diff --git a/i18n/es/mobile-browsers.md b/i18n/es/mobile-browsers.md new file mode 100644 index 00000000..7b69a0cc --- /dev/null +++ b/i18n/es/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Navegadores Móviles" +icon: material/cellphone-information +description: Estos navegadores son los que recomendamos actualmente para la navegación estándar/no anónima por Internet en su teléfono. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Estos son nuestras recomendaciones actuales sobre navegadores web para móviles y configuraciones para la navegación estándar/no anónima por Internet. Si necesita navegar por Internet de forma anónima, debería utilizar [Tor](tor.md). En general, recomendamos mantener las extensiones al mínimo; tienen acceso privilegiado dentro de su navegador, requieren que confíe en el desarrollador, pueden hacerle [destacar](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), y [debilitar](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) el aislamiento del sitio. + +## Android + +En Android, Firefox es incluso menos seguro que las alternativas basadas en Chromium: El motor de Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), aún no soporta el aislamiento de sitios [](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ni habilitar [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** incluye un bloqueador de contenidos integrado y [funciones de privacidad](https://brave.com/privacy-features/), muchas de las cuales están activadas por defecto. + + Brave se basa en el proyecto de navegador web Chromium, por lo que debería resultar familiar y tener mínimos problemas de compatibilidad con sitios web. + + [:octicons-home-16: Página Principal](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Código Fuente" } + + ??? notas de descarga + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Configuración Recomendada + +Tor Browser es la única manera de navegar por Internet de forma verdaderamente anónima. Cuando use Brave, Le recomendamos cambiar los siguiente ajustes para proteger su privacidad de ciertas partes, pero todos los navegadores que no sean [Tor Browser](tor.md#tor-browser) serán rastreables por *alguien* en un sentido u otro. + +Estas opciones se pueden encontrar en :material-menu: → **Configuración** → **Protecciones y privacidad de Brave** + +##### Escudos + +Brave incluye algunas medidas anti-fingerprinting en su función de [Escudos](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Sugerimos configurar estas opciones [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) en todas las páginas que visite. + +##### Valores generales predeterminados de los escudos de Brave + +Las opciones de los escudos pueden reducirse según las necesidades de cada sitio, pero por defecto recomendamos configurar lo siguiente: + +
+ +- [x] Seleccione **Agresivo** en Bloquear rastreadores y anuncios + +??? advertencia "Usar listas de filtros predeterminadas" + Brave le permite seleccionar filtros de contenido adicionales dentro de la página interna `brave://adblock`. Desaconsejamos el uso de esta función; en su lugar, mantenga las listas de filtros por defecto. El uso de listas adicionales le hará destacar entre los demás usuarios de Brave y también puede aumentar la superficie de ataque si hay un exploit en Brave y se añade una regla maliciosa a una de las listas que utiliza. + +- [x] Seleccione **Mejorar conexiones a HTTPS** +- [x] Seleccione **Usar siempre conexiones seguras** +- [x] (Opcional) Seleccione **Bloquear Scripts** (1) +- [x] Seleccione **Estricto, puede dañar los sitios** en **Bloquear fingerprinting** + +
+ +1. Esta opción proporciona una funcionalidad similar a los [modos de bloqueo ](https://github.com/gorhill/uBlock/wiki/Blocking-mode)avanzados de uBlock Origin o la extensión [NoScript](https://noscript.net/). + +##### Borrar datos de navegación + +- [x] Seleccione **Borrar datos al salir** + +##### Bloqueo de redes sociales + +- [ ] Desmarque todos los componentes de redes sociales + +##### Otros ajustes de privacidad + +
+ +- [x] Seleccione **Desactivar UDP sin proxy** en [Política de gestión de IP de WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Desmarque **Permite a los sitios comprobar si tienes métodos de pago guardados** +- [ ] Desmarque **Puerta de enlace IPFS** (1) +- [x] Seleccione **Cerrar pestañas al salir** +- [ ] Desmarque **Permitir estadísticas de productos que preservan la privacidad (P3A)** +- [ ] Desmarque **Enviar informes de diagnóstico automáticamente** +- [ ] Desmarque **Enviar automáticamente el ping diario de uso a Brave** + +
+ +1. El Sistema de Archivos InterPlanetario (IPFS) es una red descentralizada, de igual a igual, para almacenar y compartir datos en un sistema de archivos distribuido. A menos que utilice la función, desactívela. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permite que sus datos de navegación (historial, marcadores, etc.) sean accesibles en todos sus dispositivos sin necesidad de una cuenta y los protege con E2EE. + +## iOS + +En iOS, cualquier aplicación que puede navegar en internet está [limitada](https://developer.apple.com/app-store/review/guidelines) a utilizar un sistema que provee Apple, [llamado WebKit](https://developer.apple.com/documentation/webkit), por lo que hay pocos motivos para utilizar un navegador de terceros. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** es el navegador predeterminado en iOS. Incluye [funciones de privacidad](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) como Protección Inteligente de Seguimiento, Informe de Privacidad, pestañas aisladas de Navegación Privada, Retransmisión Privada de iCloud y actualizaciones automáticas de HTTPS. + + [:octicons-home-16: Página Principal](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentación} + +#### Configuración Recomendada + +Estas opciones se encuentran en :gear: **Ajustes** → **Safari** → **Privacidad y seguridad**. + +##### Prevención del rastreo entre sitios web + +- [x] Activa **Evitar el seguimiento cruzado de sitios** + +Esto habilita la [Protección de Seguimiento Inteligente (ITP)](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) de WebKit. La función ayuda a proteger contra el rastreo no deseado utilizando el aprendizaje automático en el dispositivo para detener a los rastreadores. La ITP protege contra muchas amenazas comunes, pero no bloquea todas las vías de rastreo porque está diseñada para no interferir con la usabilidad del sitio web. + +##### Informe de privacidad + +El Informe de privacidad proporciona una instantánea de los rastreadores de sitios cruzados a los que actualmente se les impide elaborar perfiles en el sitio web que está visitando. También puede mostrar un informe semanal para mostrar qué rastreadores se han bloqueado a lo largo del tiempo. + +Se puede acceder al Informe de privacidad a través del menú Configuración de la página. + +##### Medición de anuncios para preservar la privacidad + +- [ ] Desactiva **Medición de anuncios para preservar la privacidad** + +La medición de los clics en los anuncios ha utilizado tradicionalmente una tecnología de seguimiento que vulnera la intimidad del usuario. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) es una función de WebKit y un estándar web propuesto para permitir a los anunciantes medir la eficacia de las campañas web sin comprometer la privacidad del usuario. + +La función tiene pocos problemas de privacidad por sí misma, así que aunque puede optar por dejarla activada, consideramos que el hecho de que se desactive automáticamente en Navegación Privada es un indicador para desactivar la función. + +##### Navegación privada siempre activa + +Abre Safari y pulsa el botón Pestañas, situado en la parte inferior derecha. A continuación, despliegua la lista Grupos de pestañas. + +- [x] Selecciona **Privado** + +El modo de Navegación Privada de Safari ofrece protecciones de privacidad adicionales. La Navegación Privada utiliza una nueva sesión [efímera](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) para cada pestaña, lo que significa que las pestañas están aisladas unas de otras. La Navegación Privada también ofrece otras pequeñas ventajas de privacidad, como no enviar la dirección de una página web a Apple cuando se utiliza la función de traducción de Safari. + +Ten en cuenta que la Navegación Privada no guarda cookies ni datos de sitios web, por lo que no podrás permanecer conectado a los sitios. Esto puede ser un inconveniente. + +##### iCloud Sync + +La sincronización del historial de Safari, los grupos de pestañas, las pestañas de iCloud y las contraseñas guardadas son E2EE. Sin embargo, por defecto, los marcadores [no](https://support.apple.com/en-us/HT202303) lo son. Apple puede descifrarlos y acceder a ellos de acuerdo con su [política de privacidad](https://www.apple.com/legal/privacy/en-ww/). + +Puedes activar E2EE para tus favoritos y descargas de Safari activando [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Vaya a su **Nombre de ID de Apple → iCloud → Protección de datos avanzada**. + +- [x] Activa **Protección de datos avanzada** + +Si utilizas iCloud con la Protección de Datos Avanzada desactivada, también te recomendamos que compruebes que la ubicación de descarga predeterminada de Safari está configurada como local en tu dispositivo. Esta opción se encuentra en :gear: **Ajustes** → **Safari** → **General** → **Descargas**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard para iOS** es una extensión de bloqueo de contenidos gratuita y de código abierto para Safari que utiliza la [Content Blocker API] nativa (https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard para iOS tiene algunas funciones premium; sin embargo, el bloqueo de contenidos estándar de Safari es gratuito. + + [:octicons-home-16: Página Principal](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentació} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Las listas de filtros adicionales ralentizan las cosas y pueden aumentar su superficie de ataque, así que aplique sólo lo que necesite. + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- Debe admitir actualizaciones automáticas. +- Debe recibir actualizaciones del motor en 0-1 días desde la publicación de la versión anterior. +- Cualquier cambio necesario para que el navegador respete más la privacidad no debería afectar negativamente a la experiencia del usuario. +- Los navegadores Android deben utilizar el motor Chromium. + - Por desgracia, Mozilla GeckoView sigue siendo menos seguro que Chromium en Android. + - Los navegadores de iOS están limitados a WebKit. + +### Extensión de Criterios + +- No debe replicar la funcionalidad integrada del navegador o del sistema operativo. +- Debe afectar directamente a la privacidad del usuario, es decir, no debe limitarse a proporcionar información. diff --git a/i18n/es/multi-factor-authentication.md b/i18n/es/multi-factor-authentication.md new file mode 100644 index 00000000..84d88410 --- /dev/null +++ b/i18n/es/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Autenticadores de Múltiples Factores" +icon: 'material/two-factor-authentication' +description: Estas herramientas le ayudan a proteger sus cuentas de Internet con la autenticación multifactor sin enviar sus secretos a terceros. +--- + +## Llaves de Seguridad + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + Las **YubiKeys** están entre las llaves de seguridad más populares. Algunos modelos de YubiKey tienen un gran rango de caracteristicas como: [2ndo Factor Universal (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://es.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/) y autenticación [TOTP and HOTP](https://developers.yubico.com/OATH/). + + Una de las ventajas de la YubiKey es que una llave puede hacer casi todo (YubiKey 5) lo que se podría esperar de una llave de seguridad. Le animamos a que realice el [quiz](https://www.yubico.com/quiz/) antes de comprarla para asegurarse de que su elección es la correcta. + + [:octicons-home-16: Página Principal](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentación} + +La [tabla de comparación](https://www.yubico.com/store/compare/) muestra las características y cómo se comparan las YubiKeys. Le recomendamos que seleccione las llaves de las YubiKey 5 Series. + +Las YubiKeys se pueden programar utilizando [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) o [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). Para gestionar los códigos TOTP, puede utilizar [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). Todos los clientes de Yubico son de código abierto. + +Para los modelos que soportan HOTP y TOTP, hay 2 ranuras en la interfaz OTP que pueden utilizarse para HOTP y 32 ranuras para almacenar secretos TOTP. Estos secretos se almacenan cifrados en la llave y nunca se exponen a los dispositivos a los que se conectan. Una vez que se ha proporcionado una semilla (secreto compartido) a Yubico Authenticator, éste sólo proporcionará los códigos de seis dígitos, pero nunca la semilla. Este modelo de seguridad ayuda a limitar lo que un atacante puede hacer si compromete uno de los dispositivos que ejecutan Yubico Authenticator y hace que la YubiKey sea resistente a un atacante físico. + +!!! advertencia + El firmware de YubiKey no es de código abierto y no es actualizable. Si desea características en versiones de firmware más nuevas, o si hay una vulnerabilidad en la versión de firmware que está utilizando, tendría que comprar una nueva llave. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** tiene una clave de seguridad capaz de [FIDO2 y WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) llamada **Nitrokey FIDO2**. Para obtener compatibilidad con PGP, deberá adquirir una de sus otras llaves, como la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**. + + [:octicons-home-16: Página Principal](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentación} + +La [tabla de comparación](https://www.nitrokey.com/#comparison) muestra las características y cómo se comparan los modelos de las Nitrokey. La **Nitrokey 3** listada tendrá un conjunto de características combinadas. + +Los modelos de Nitrokey se pueden configurar usando la [aplicación de Nitrokey](https://www.nitrokey.com/download). + +Para los modelos que admiten HOTP y TOTP, hay 3 ranuras para HOTP y 15 para TOTP. Algunas Nitrokeys pueden actuar como administrador de contraseñas. Pueden almacenar 16 credenciales diferentes y cifrarlas utilizando la misma contraseña que la interfaz OpenPGP. + +!!! advertencia + + Aunque las Nitrokeys no revelan los secretos HOTP/TOTP al dispositivo al que están conectadas, el almacenamiento HOTP y TOTP **no** está cifrado y es vulnerable a ataques físicos. Si desea almacenar con HOTP o TOTP estos secretos, le recomendamos encarecidamente que utilice un Yubikey en su lugar. + +!!! advertencia + + El restablecimiento de la interfaz OpenPGP en una Nitrokey también hará la base de datos de contraseñas [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +La Nitrokey Pro 2, la Nitrokey Storage 2 y la próxima Nitrokey 3 admiten la verificación de la integridad del sistema para portátiles con el firmware [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/). + +El firmware de Nitrokey es de código abierto, a diferencia del de YubiKey. El firmware de los modelos NitroKey modernos (excepto el de la **NitroKey Pro 2**) se puede actualizar. + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +#### Requisitos Mínimos + +- Debe utilizar módulos de seguridad de hardware de alta calidad y resistentes a la manipulación. +- Debe ser compatible con la última especificación FIDO2. +- No debe permitir la extracción de claves privadas. +- Los dispositivos que cuesten más de 35$ deben soportar el manejo de OpenPGP y S/MIME. + +#### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe estar disponible en formato USB-C. +- Debe estar disponible con NFC. +- Debe soportar el almacenamiento de secretos TOTP. +- Debe soportar actualizaciones seguras de firmware. + +## Aplicaciones de Autenticación + +Las Aplicaciones de Autenticación implementan un estándar de seguridad adoptado por el Grupo de Trabajo de Ingeniería de Internet (IETF) llamado **Contraseñas de un solo uso basadas en el tiempo** o **TOTP**. Se trata de un método en el que los sitios web comparten un secreto con usted que es utilizado por su aplicación de autenticación para generar un código de seis dígitos (normalmente) basado en la hora actual, que introduce al iniciar sesión para que el sitio web lo compruebe. Normalmente, estos códigos se regeneran cada 30 segundos, y una vez que se genera uno nuevo, el anterior queda inutilizado. Incluso si un pirata informático consigue un código de seis dígitos, no hay forma de que invierta ese código para obtener el secreto original ni de que pueda predecir cuáles serán los códigos futuros. + +Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en lugar de alternativas de escritorio, ya que Android e iOS tienen mejor seguridad y aislamiento de aplicaciones que la mayoría de los sistemas operativos de escritorio. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** es una aplicación gratuita, segura y de código abierto para gestionar sus tokens de verificación en 2 pasos para los servicios en línea. + + [:octicons-home-16: Página Principal](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** es un cliente de contraseñas nativo, ligero y seguro basado en tiempo (TOTP) & basado en contador (HOTP) para iOS. Raivo OTP ofrece una copia de seguridad opcional de iCloud & sync. Raivo OTP también está disponible para macOS en forma de aplicación de barra de estado, sin embargo la aplicación para Mac no funciona de forma independiente a la aplicación para iOS. + + [:octicons-home-16: Página Principal](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Source code must be publicly available. +- No debe requerir conexión a Internet. +- No debe sincronizarse con un servicio de sincronización/copia de seguridad en la nube de terceros. + - Es aceptable el soporte de sincronización E2EE** Opcional** con herramientas nativas del sistema operativo, por ejemplo, sincronización cifrada a través de iCloud. diff --git a/i18n/es/news-aggregators.md b/i18n/es/news-aggregators.md new file mode 100644 index 00000000..23458dab --- /dev/null +++ b/i18n/es/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "Lectores de noticias" +icon: octicons/rss-24 +description: Estos clientes para la lectura de noticias le permiten estar al día con sus páginas de noticias favoritas, utilizando estándares de Internet como RSS. +--- + +Un [lector de noticias](https://en.wikipedia.org/wiki/News_aggregator) es una manera de estar al día con sus páginas de noticias favoritas. + +## Clientes + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** es un lector de fuentes de noticias que es parte del proyecto [KDE](https://kde.org). Este incluye una búsqueda rápida, funcionalidades avanzadas de archivado y un navegador interno para facilitar la lectura de las noticias. + + [:octicons-home-16: Página Principal](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentación} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** es un cliente RSS moderno para Android que tiene muchas [features](https://gitlab.com/spacecowboy/Feeder#features) y funciona bien con carpetas de fuentes RSS. Es compatible con [RSS](https://es.wikipedia.org/wiki/RSS), [Atom](https://es.wikipedia.org/wiki/Atom_(formato_de_redifusi%C3%B3n)), [RDF](https://es.wikipedia.org/wiki/RDF/XML) y [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repositorio](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** es un lector de noticias seguro y multiplataforma que cuenta con útiles funciones de privacidad, como la eliminación de cookies al salir, estrictas [políticas de seguridad de contenidos (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) y soporte para proxy, lo que significa que puede utilizarlo a través de [Tor](tor.md). + + [:octicons-home-16: Página Principal](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** es un lector de noticias de [RSS](https://es.wikipedia.org/wiki/RSS) y [Atom](https://es.wikipedia.org/wiki/Atom_(formato_de_redifusi%C3%B3n)) para [GNOME](https://www.gnome.org). Tiene una interfaz sencilla y es bastante rápido. + + [:octicons-home-16: Página Principal](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** es un lector de noticias basado en web que puede alojar usted mismo. Es compatible con [RSS](https://es.wikipedia.org/wiki/RSS), [Atom](https://es.wikipedia.org/wiki/Atom_(formato_de_redifusi%C3%B3n)), [RDF](https://es.wikipedia.org/wiki/RDF/XML) y [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Página Principal](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribuit } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** es un lector de fuentes gratuito y de código abierto para macOS e iOS centrado en un diseño y unas funciones nativos. Es compatible con los formatos de fuente típicos, así como con las fuentes de Twitter y Reddit. + + [:octicons-home-16: Página Principal](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** es un lector de fuentes RSS/Atom para la consola de texto. Es una bifurcación de [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter) mantenida activamente. Es muy ligero e ideal para su uso a través de [Secure Shell](https://es.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Página Principal](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Código Fuente" } + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Debe ser software de código abierto. +- Debe funcionar localmente, es decir, no debe ser un servicio en la nube. + +## Soporte RSS para Redes Sociales + +Algunos servicios de redes sociales también admiten RSS, aunque esto no se suele anunciar. + +### Reddit + +Reddit le permite suscribirse a subreddits a través de RSS. + +!!! ejemplo + Sustituya `subreddit_name` por el subreddit al que desee suscribirse. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Utilizando cualquiera de las [instancias](https://github.com/zedeus/nitter/wiki/Instances) de Nitter puede suscribirse fácilmente mediante RSS. + +!!! ejemplo + 1. Elija una instancia y ponga `nitter_instance`. + 2. Sustituya `twitter_account` por el nombre de la cuenta. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Puede suscribirse a los canales de YouTube sin iniciar sesión ni asociar la información de uso con su cuenta de Google. + +!!! ejemplo + + Para suscribirse a un canal de YouTube con un cliente RSS, busque primero su [código de canal](https://support.google.com/youtube/answer/6180214), sustituya el `[ID DEl CANAL]` a continuación: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[ID DEL CANAL] + ``` diff --git a/i18n/es/notebooks.md b/i18n/es/notebooks.md new file mode 100644 index 00000000..c5e0c5ab --- /dev/null +++ b/i18n/es/notebooks.md @@ -0,0 +1,119 @@ +--- +title: "Blocs de Notas" +icon: material/notebook-edit-outline +description: Estas aplicaciones encriptadas para tomar notas te permiten hacer un seguimiento de tus apuntes sin cedérselos a terceros. +--- + +Mantén el control de tus notas y diarios sin darlos a un tercero. + +Si actualmente utilizas una aplicación como Evernote, Google Keep o Microsoft OneNote, te sugerimos que elijas aquí una alternativa que soporte [Cifrado de extremo a extremo (E2EE)](https://es.wikipedia.org/wiki/Cifrado_de_extremo_a_extremo). + +## Basado en la nube + +### Joplin + +!!! recommendation + + ![Logotipo de Joplin](/assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** es una aplicación gratuita, de código abierto y con todas las funciones para tomar notas y hacer tareas, que puede manejar un gran número de notas markdown organizadas en cuadernos y etiquetas. Ofrece encriptación de extremo a extremo y puede sincronizar a través de Nextcloud, Dropbox y más. También ofrece una fácil importación desde Evernote y notas en texto plano. + + [Visita joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary } + + **Descargas** + - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjfek) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:pg-f-droid: F-Droid](https://f-droid.org/es/packages/net.cozic.joplin) + - [:fontawesome-brands-android: Android](https://joplinapp.org/#mobile-applications) + - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin no admite la protección mediante contraseña/PIN de la[ propia aplicación ni de las notas y cuadernos individuales](https://github.com/laurent22/joplin/issues/289). Sin embargo, tus datos están encriptados en tránsito y en la ubicación de sincronización utilizando tu clave maestra. Desde enero de 2023, Joplin admite el bloqueo biométrico de aplicaciones para [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) e [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Logotipo de Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** es una aplicación de notas simple y privada que hace que tus notas sean fáciles y estén disponibles dondequiera que estés. Ofrece E2EE en todas las plataformas y una potente experiencia de escritorio con temas y editores personalizados. También ha sido [auditada de forma independiente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Página Principal](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** es un editor de documentos E2EE de código abierto basado en web y una aplicación de almacenamiento de fotos. Cryptee es una PWA, lo que significa que funciona perfectamente en todos los dispositivos modernos sin necesidad de aplicaciones nativas para cada plataforma. + + [:octicons-home-16: Página Principal](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Código Fuente" } + + ??? descargas + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee ofrece 100MB de almacenamiento gratuito, con opciones de pago si necesitas más. La inscripción no requiere correo electrónico ni otros datos personales. + +## Blocs de Notas Locales + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** es un [modo principal](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) para GNU Emacs. Org-mode sirve para tomar notas, mantener listas de tareas pendientes, planificar proyectos y crear documentos con un sistema de texto plano rápido y eficaz. La sincronización es posible con las herramientas [sincronización de archivos](file-sharing.md#file-sync). + + [:octicons-home-16: Página Principal](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentación} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribuir } + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten proporcionar recomendaciones objetivas. Te sugerimos que te familiarices con esta lista antes de elegir usar un proyecto, y que lleves a cabo tu propia investigación para asegurarte de que es la elección correcta para ti. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Los clientes deben ser de código abierto. +- Cualquier funcionalidad de sincronización en la nube debe ser E2EE. +- Debe permitir exportar documentos a un formato estándar. + +### Mejor Caso + +- La funcionalidad de copia de seguridad/sincronización local debe soportar el cifrado. +- Las plataformas basadas en la nube deben permitir compartir documentos. diff --git a/i18n/es/os/android-overview.md b/i18n/es/os/android-overview.md new file mode 100644 index 00000000..9f5e4bdb --- /dev/null +++ b/i18n/es/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Visión general de Android +icon: simple/android +description: Android es un sistema operativo de código abierto con fuertes medidas de seguridad, lo que lo convierte en nuestra primera opción para teléfonos. +--- + +Android es un sistema operativo seguro el cuál tiene [aislamiento de las aplicaciones](https://source.android.com/security/app-sandbox), [arranque verificado](https://source.android.com/security/verifiedboot) (AVB), y un robusto sistema de control de [permisos](https://developer.android.com/guide/topics/permissions/overview). + +## Elegir una distribución de Android + +Cuando compras un celular Android, el sistema operativo por defecto suele venir con una integración invasiva con aplicaciones y servicios que no son parte del [Android Open Source Project](https://source.android.com/). Un ejemplo de ello son los servicios de Google Play, el cual tiene permisos irrevocables a tus archivos, almacenamiento de contactos, registros de llamadas, mensajes SMS, ubicación, cámara, micrófono, identificadores de hardware, etc. Estas aplicaciones y servicios aumentan la superficie de ataque de tu dispositivo y son la fuente de varios problemas de privacidad en Android. + +Este problema puede ser solucionado al usar una distribución modificada de Android la cual no contenga tal integración invasiva. Desafortunadamente, varias distribuciones modificadas de Android suelen violar el modelo de seguridad de Android al no soportar características críticas de seguridad como el AVB, protección de reversión, actualizaciones del firmware, etc. Algunas distribuciones también incluyen compilaciones [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) las cuales exponen root vía [ADB](https://developer.android.com/studio/command-line/adb) y requieren políticas [más permisivas](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) de SELinux para acomodar las características de depuración, lo que resulta en una superficie de ataque aún más grande y un modelo de seguridad debilitado. + +Idealmente, cuando escojas una distribución de Android, deberías asegurarte de que mantenga el modelo de seguridad de Android. Al menos, la distribución debería tener compilaciones de producción, soporte para AVB, protección de reversión, actualizaciones oportunas del firmware y el sistema operativo, y tener a SELinux en [modo de cumplimiento](https://source.android.com/security/selinux/concepts#enforcement_levels). Todas nuestras distribuciones recomendadas para Android cumplen con estos criterios. + +[Nuestras recomendaciones del sistema Android :material-arrow-right:](../android.md ""){.md-button} + +## Evita el Rooting + +Hacer [Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) en celulares Android puede debilitar la seguridad significativamente debido que debilita el [modelo completo de seguridad de Android](https://es.wikipedia.org/wiki/Android#Seguridad,_privacidad_y_vigilancia). Esto puede debilitar la privacidad en caso de que haya un exploit que sea asistido por la seguridad debilitada. Los métodos de rooteo más comunes involucran la manipulación directa de la partición de arranque, haciendo que sea imposible realizar con éxito el arranque verificado. Las aplicaciones que requieren root también modificarán la partición del sistema, lo que significa que el arranque verificado tendría que permanecer deshabilitado. Tener el root expuesto directamente en la interfaz del usuario también incrementa la [superficie de ataque](https://en.wikipedia.org/wiki/Attack_surface) de tu dispositivo y puede asistir en la [escalada de privilegios](https://es.wikipedia.org/wiki/Escalada_de_privilegios) de vulnerabilidades y omisiones de la política de SELinux. + +Los bloqueadores de anuncios que modifican el [archivo hosts](https://es.wikipedia.org/wiki/Archivo_hosts) (AdAway) y los cortafuegos (AFWall+) que requieren acceso root persistente son peligrosos y no deberían ser usados. Tampoco son la forma correcta de resolver sus propósitos. Para el bloqueo de anuncios sugerimos usar soluciones de bloqueo de servidor como un [DNS](../dns.md) encriptado o una [VPN](../vpn.md) en su lugar. RethinkDNS, TrackerControl y AdAway en modo no raíz ocuparán la ranura VPN (mediante el uso de una VPN de bucle local) que le impide utilizar servicios de mejora de la privacidad como Orbot o un servidor VPN real. + +AFWall+ funciona basado en el enfoque del [filtrado de paquetes](https://es.wikipedia.org/wiki/Cortafuegos_(inform%C3%A1tica)#Primera_generaci%C3%B3n_%E2%80%93_cortafuegos_de_red:_filtrado_de_paquetes) el cual puede ser omitido en algunas situaciones. + +No creemos que los sacrificios de seguridad realizados al rootear un teléfono merezcan la pena por los cuestionables beneficios de privacidad de esas aplicaciones. + +## Arranque verificado + +El [arranque verificado](https://source.android.com/security/verifiedboot) es una parte importante del modelo de seguridad de Android. Proviene de protección contra ataques [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), persistencia del malware, y se asegura que las actualizaciones de seguridad no puedan ser desactualizadas gracias a la [protección de reversión](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 y superior se han alejado del cifrado de disco completo por un cifrado más flexible [basado en archivos](https://source.android.com/security/encryption/file-based). Tus datos se encriptan utilizando claves de encriptación únicas, y los archivos del sistema operativo se dejan sin encriptar. + +El arranque verificado garantiza la integridad de los archivos del sistema operativo, evitando así que un adversario con acceso físico pueda manipular o instalar malware en el dispositivo. En el improbable caso de que el malware pueda explotar otras partes del sistema y obtener un acceso privilegiado más alto, el arranque verificado evitará y revertirá los cambios en la partición del sistema al reiniciar el dispositivo. + +Desgraciadamente, los fabricantes de equipos originales (OEM) solo están obligados a dar soporte al arranque verificado en su distribución de Android de serie. Solo unos pocos fabricantes de equipos originales, como Google, admiten la inscripción de claves AVB modificadas en sus dispositivos. Además, algunos derivados de AOSP como LineageOS o /e/ OS no admiten arranque verificado, incluso en hardware con soporte de arranque verificado para sistemas operativos de terceros. Nosotros recomendamos que compruebe la compatibilidad **antes** de comprar un nuevo dispositivo. Los derivados de AOSP que no soportan el arranque verificado **no son** recomendados. + +Muchos OEMs también han roto la implementación del Arranque Verificado que tienes que conocer más allá de su marketing. Por ejemplo, los Fairphone 3 y 4 no son seguros por defecto, ya que el [bootloader de serie confía en la clave de firma pública AVB](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Esto rompe el arranque verificado en un dispositivo Fairphone de fábrica, ya que el sistema arrancará sistemas operativos Android alternativos como (como /e/) [sin ninguna advertencia](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sobre el uso del sistema operativo personalizado. + +## Actualizaciones de firmware + +Las actualizaciones de firmware son fundamentales para mantener la seguridad y, sin ellas, tu dispositivo no puede ser seguro. Los fabricantes de equipos originales tienen acuerdos de asistencia con sus socios para proporcionar los componentes de código cerrado durante un periodo de asistencia limitado. Estos se detallan en los [boletines de seguridad mensuales de Android](https://source.android.com/security/bulletin). + +Dado que los componentes del teléfono, como el procesador y las tecnologías de radio, dependen de componentes de código cerrado, las actualizaciones deben ser proporcionadas por los respectivos fabricantes. Por lo tanto, es importante que compres un dispositivo dentro de un ciclo de soporte activo. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) y [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) dan soporte a sus dispositivos por un período de 4 años, mientras que los productos más baratos suelen tener un ciclo de soporte más corto. Con la introducción del [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google ahora hace su propio SoC y van a ofrecer un mínimo de 5 años de soporte. + +Los dispositivos EOL que ya no son compatibles con el fabricante del SoC no pueden recibir actualizaciones de firmware de los proveedores OEM o de los distribuidores Android posteriores al mercado. Esto significa que los problemas de seguridad con esos dispositivos permanecerán sin solucionar. + +Fairphone, por ejemplo, comercializa sus dispositivos con 6 años de soporte. Sin embargo, el SoC (Qualcomm Snapdragon 750G en el Fairphone 4) tiene una fecha de caducidad considerablemente más corta. Esto significa que las actualizaciones de seguridad de firmware de Qualcomm para el Fairphone 4 terminarán en septiembre de 2023, independientemente de que Fairphone siga publicando actualizaciones de seguridad de software. + +## Versiones de Android + +Es importante no usar una versión de Android al [final de su vida útil](https://endoflife.date/android). Las versiones más recientes de Android no solo reciben actualizaciones de seguridad para el sistema operativo, sino también actualizaciones importantes para mejorar la privacidad. Por ejemplo, [antes de Android 10](https://developer.android.com/about/versions/10/privacy/changes), cualquier aplicación con el permiso [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) podía acceder a números de serie únicos y sensibles como el [IMEI](https://es.wikipedia.org/wiki/IMEI), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), el [IMSI](https://es.wikipedia.org/wiki/IMSI) de tu tarjeta SIM, mientras que ahora deben ser aplicaciones del sistema para poder hacerlo. Las aplicaciones del sistema sólo las proporciona el OEM o la distribución de Android. + +## Permisos de Android + +Los [permisos en Android](https://developer.android.com/guide/topics/permissions/overview) te dan control sobre que pueden acceder las aplicaciones. Google regularmente hace [mejoras](https://developer.android.com/about/versions/11/privacy/permissions) en el sistema de permisos en cada versión sucesiva. Todas las aplicaciones que instales están estrictamente [aisladas](https://source.android.com/security/app-sandbox), por lo que no es necesario instalar ninguna aplicación de antivirus. + +Un smartphone con la última versión de Android siempre será más seguro que un smartphone antiguo con un antivirus que hayas pagado. Es mejor no pagar por un antivirus y ahorrar para comprar un nuevo smartphone como un Google Pixel. + +Android 10: + +- [Almacenamiento Específico](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) te da más control sobre tus archivos y puede limitar lo que puede acceder al [almacenamiento externo](https://developer.android.com/training/data-storage#permissions). Las aplicaciones pueden tener un directorio específico en el almacenamiento externo, así como la capacidad de almacenar tipos específicos de archivos allí. +- Acceso más estricto a la [ubicación del dispositivo](https://developer.android.com/about/versions/10/privacy/changes?hl=es-419#app-access-device-location) introduciendo el permiso `ACCESS_BACKGROUND_LOCATION`. Esto impide que las aplicaciones accedan a la ubicación cuando se ejecutan en segundo plano sin permiso expreso del usuario. + +Android 11: + +- [Permisos únicos](https://developer.android.com/about/versions/11/privacy/permissions?hl=es-419#one-time) que te permite conceder un permiso a una aplicación una sola vez. +- [Restablecimiento automático de permisos](https://developer.android.com/about/versions/11/privacy/permissions?hl=es-419#auto-reset), que restablece [los permisos de tiempo de ejecución](https://developer.android.com/guide/topics/permissions/overview?hl=es-419#runtime) que se concedieron al abrir la aplicación. +- Permisos detallados para acceder a funciones relacionadas con el [número de teléfono](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers). + +Android 12: + +- Un permiso para conceder sólo la [ubicación aproximada](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Reinicio automático de [aplicaciones hibernadas](https://developer.android.com/about/versions/12/behavior-changes-12?hl=es-419#app-hibernation). +- [Auditoría de acceso a los datos](https://developer.android.com/about/versions/12/behavior-changes-12?hl=es-419#data-access-auditing) que facilita determinar qué parte de una aplicación está realizando un tipo específico de acceso a los datos. + +Android 13: + +- Un permiso para [acceso wifi cercano](https://developer.android.com/about/versions/13/behavior-changes-13?hl=es-419#nearby-wifi-devices-permission). Las direcciones MAC de los puntos de acceso WiFi cercanos eran una forma popular de que las aplicaciones rastrearan la ubicación de un usuario. +- Más [permisos de contenido multimedia detallados](https://developer.android.com/about/versions/13/behavior-changes-13?hl=es-419#granular-media-permissions), lo que significa que puedes conceder acceso sólo a imágenes, vídeos o archivos de audio. +- El uso en segundo plano de los sensores requiere ahora el permiso [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission). + +Una aplicación puede solicitar un permiso para una función específica que tenga. Por ejemplo, cualquier aplicación que pueda escanear códigos QR necesitará el permiso de la cámara. Algunas aplicaciones pueden solicitar más permisos de los necesarios. + +[Exodus](https://exodus-privacy.eu.org/) puede ser útil para comparar aplicaciones con fines similares. Si una aplicación requiere muchos permisos y tiene un montón de publicidad y analíticas, probablemente sea un mal signo. Recomendamos consultar cada uno de los rastreadores y leer sus descripciones, en lugar de limitarse a **contar el total** y asumir que todos los elementos enumerados son iguales. + +!!! warning "Advertencia" + + Si una aplicación es principalmente un servicio basado en web, el seguimiento puede producirse en el lado del servidor. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) indica que "no hay rastreadores", pero lo cierto es que sí rastrea los intereses y el comportamiento de los usuarios en todo el sitio. Las aplicaciones pueden eludir la detección si no utilizan las bibliotecas de código estándar producidas por la industria publicitaria, aunque esto es poco probable. + +!!! note "Nota" + + Las aplicaciones que respetan la privacidad, como [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/), pueden mostrar algunos rastreadores como [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). Esta biblioteca incluye [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) que puede proporcionar [notificaciones push](https://es.wikipedia.org/wiki/Tecnología_push) en las aplicaciones. Este [es el caso](https://fosstodon.org/@bitwarden/109636825700482007) con Bitwarden. Esto no significa que Bitwarden utilice todas las funciones analíticas que ofrece Google Firebase Analytics. + +## Acceso a medios + +Unas cuantas aplicaciones te permiten "compartir" un archivo con ellos para la carga de medios. Si quieres, por ejemplo, tuitear una foto a Twitter, no le des acceso a tus "medios y fotos", porque entonces tendrá acceso a todas tus fotos. En su lugar, ve a tu gestor de archivos (documentsUI), mantén la imagen y compártela en Twitter. + +## Perfiles de usuario + +Los perfiles de usuario múltiples pueden ser encontrados en **Ajustes** → **Sistema** → **Usuarios múltiples** y son la manera más simple de aislar en Android. + +Con los perfiles de usuario, puedes imponer restricciones a un perfil específico, como: realizar llamadas, usar SMS o instalar aplicaciones en el dispositivo. Cada perfil se cifra con su propia clave de cifrado y no puede acceder a los datos de ningún otro perfil. Incluso el propietario del dispositivo no puede ver los datos de otros perfiles sin conocer su contraseña. Los perfiles de usuario múltiples son un método más seguro de aislamiento. + +## Perfil de trabajo + +Los [perfiles de trabajo](https://support.google.com/work/android/answer/6191949) son otra manera de aislar aplicaciones individuales y pueden ser más convenientes que usar perfiles de usuario separados. + +Se requiere una aplicación de **controlador de dispositivo** como [Shelter](#recommended-apps) para crear un perfil de trabajo sin una MDM empresarial, a menos que estés utilizando un sistema operativo Android personalizado que incluya uno. + +El perfil de trabajo depende de un controlador de dispositivo para funcionar. Características como el *transbordador de archivos* y el *bloqueo de búsqueda de contactos* o cualquier tipo de característica de aislamiento debe ser implementada por el controlador. También debes confiar plenamente en la aplicación del controlador del dispositivo, ya que tiene acceso completo a tus datos dentro del perfil de trabajo. + +Este método es generalmente menos seguro que un perfil de usuario secundario; sin embargo, le permite la comodidad de ejecutar aplicaciones tanto en el trabajo y perfiles personales simultáneamente. + +## "Killswitch" de un VPN + +Android 7 y superiores soportan un VPN killswitch y está disponible sin necesidad de instalar aplicaciones de terceros. Esta función puede evitar fugas si la VPN está desconectada. Se puede encontrar en :gear: **Ajustes** → **Red e internet** → **VPN** → :gear: → **Bloquear conexiones sin VPN**. + +## Cambios globales + +Los dispositivos Android modernos tienen interruptores globales para desactivar los servicios de Bluetooth y de localización. Android 12 introdujo interruptores para la cámara y el micrófono. Cuando no estén en uso, recomendamos desactivar estas funciones. Las aplicaciones no pueden usar las funciones desactivadas (incluso si se les concede un permiso individual) hasta que se reactiven. + +## Google + +Si está utilizando un dispositivo con servicios de Google, ya sea su sistema operativo de stock o un sistema operativo que utiliza Google Play Services de forma segura como GrapheneOS, hay una serie de cambios adicionales que puede realizar para mejorar su privacidad. Seguimos recomendando evitar los servicios de Google por completo, o limitar los servicios de Google Play a un perfil específico de usuario/trabajo combinando un controlador de dispositivo como *Shelter* con Google Play aislado de GrapheneOS. + +### Programa de Protección Avanzada + +Si tienes una cuenta de Google sugerimos que te inscribas en el [Programa de protección avanzada](https://landing.google.com/advancedprotection/). Está disponible sin costo a cualquiera que tenga dos o más llaves de seguridad de hardware con soporte para [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). + +El Programa de protección avanzada proporciona una supervisión de amenazas mejorada y permite: + +- Autenticación de dos factores más estricta; por ejemplo: que [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online) **deba** ser usado y restringe el uso de [SMS OTPs](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), y [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Solo las aplicaciones de Google y de terceros verificadas pueden acceder a los datos de la cuenta +- Escaneo de correos electrónicos inminentes en las cuentas de Gmail contra los intentos de [phishing](https://es.wikipedia.org/wiki/Phishing#T%C3%A9cnicas_de_phishing) +- Más estricto [escaneo seguro del navegador](https://www.google.com/chrome/privacy/whitepaper.html#malware) con Google Chrome +- Proceso de recuperación más estricto para cuentas con credenciales perdidas + + Si no usas los servicios de Google Play aislados (común en los sistemas operativos por defecto), el programa de protección avanzada también viene con [beneficios adicionales](https://support.google.com/accounts/answer/9764949?hl=en) como: + +- No permitir la instalación de aplicaciones fuera de la Google Play Store, la tienda de aplicaciones del proveedor del sistema operativo, o vía [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Escaneo automático obligatorio con [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Advertencia sobre aplicaciones no verificadas + +### Actualizaciones del sistema de Google Play + +En el pasado, las actualizaciones de seguridad de Android tenían que ser enviadas por el proveedor del sistema operativo. Android se ha vuelto más modular a partir de Android 10, y Google puede impulsar las actualizaciones de seguridad para **algunos** componentes del sistema vía los servicios de Google Play privilegiados. + +Si tienes un dispositivo EOL (end-of-life) incluido con Android 10 o superior y no puedes ejecutar ninguno de nuestros sistemas operativos recomendados en tu dispositivo, es probable que te resulte mejor seguir con tu instalación de Android OEM (a diferencia de un sistema operativo que no aparece aquí, como LineageOS o /e/ OS). Esto te permitirá recibir **algunos** arreglos de seguridad de Google, mientras que no viola el modelo de seguridad de Android al usar un derivado de Android inseguro y aumentando tu superficie de ataque. Aún así, te recomendamos que actualices a un dispositivo compatible lo antes posible. + +### ID de publicidad + +Todos los dispositivos con los servicios de Google Play instalados automáticamente generan un [ID de publicidad](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) usado para la publicidad dirigida. Deshabilite esta función para limitar los datos recopilados sobre usted. + +En las distribuciones de Android con los [servicios de Google Play aislados](https://grapheneos.org/usage#sandboxed-google-play), ve a :gear: **Ajustes** → **Aplicaciones** → **Google Play aislado** → **Ajustes de Google** → **Anuncios**, y selecciona *Eliminar el ID de publicidad*. + +En las distribuciones de Android con servicios privilegiados de Google Play (como los sistemas operativos de serie), la configuración puede estar en una de varias ubicaciones. Revisa + +- :gear: **Ajustes** → **Google** → **Anuncios** +- :gear: **Ajustes** → **Privacidad** → **Anuncios** + +Te van a dar la opción de eliminar tu ID de publicidad o *Optar por no recibir anuncios basados en intereses*, esto varía según la distribución OEM de Android. Si se presenta la opción de eliminar el ID de publicidad eso sería lo ideal. Si no es así, asegúrate de optar por no participar y restablecer tu ID de publicidad. + +### SafetyNet y Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) y el [Play Integrity APIs](https://developer.android.com/google/play/integrity) son generalmente usados para [aplicaciones bancarias](https://grapheneos.org/usage#banking-apps). Muchas aplicaciones bancarias funcionarán bien en GrapheneOS con los servicios de Google Play aislados, sin embargo, algunas aplicaciones no financieras tienen sus propios mecanismos anti-manipulación que pueden fallar. GrapheneOS pasa con éxito el chequeo `basicIntegrity`, pero no el check de certificación `ctsProfileMatch`. Los dispositivos con Android 8 o posterior tienen soporte de certificación de hardware que no se puede omitir sin claves filtradas o vulnerabilidades graves. + +En cuanto a Google Wallet, no lo recomendamos debido a su [política de privacidad](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), la cual dicta que debes optar por excluirte si no quieres que tu calificación crediticia y tu información personal sea compartido con los servicios de marketing afiliados. diff --git a/i18n/es/os/linux-overview.md b/i18n/es/os/linux-overview.md new file mode 100644 index 00000000..a31a34e8 --- /dev/null +++ b/i18n/es/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Vista general de Linux +icon: simple/linux +description: Linux es una alternativa de sistema operativo de escritorio de código abierto y centrado en la privacidad, pero no todas las distribuciones son iguales. +--- + +Es una creencia popular que los programas de [código abierto](https://en.wikipedia.org/wiki/Open-source_software) son seguros porque su código fuente está disponible. Siempre hay una expectativa de que la verificación comunitaria sucede regularmente; sin embargo, [este no siempre es el caso](https://seirdy.one/posts/2022/02/02/floss-security/). Depende de varios factores, como la actividad del proyecto, la experiencia de los desarrolladores, el nivel de rigor aplicado a las [revisiones del código](https://en.wikipedia.org/wiki/Code_review), y la frecuencia con la que se presta atención a partes específicas del [código](https://en.wikipedia.org/wiki/Codebase) que pueden permanecer intactas durante años. + +De momento, Linux de escritorio tiene algunas áreas que pueden ser mejoradas al ser comparadas con sus contrapartes propietarias, por ejemplo: + +- Una cadena verificada de inicio, como el [Inicio Seguro](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) de Apple (con el [enclave seguro](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), el [Arranque Verificado](https://source.android.com/security/verifiedboot) de Android, el [Arranque Verificado](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot) de ChromeOS, o el [proceso de inicio](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) de Windows con [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). Estas características y tecnologías de hardware pueden ayudar a prevenir la manipulación persistente ocasionada por algún malware o [ataque de 'evil-maid'](https://en.wikipedia.org/wiki/Evil_Maid_attack). +- Una fuerte solución de aislamiento como la que se encuentra en [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md) y [Android](https://source.android.com/security/app-sandbox). Las soluciones de aislamiento utilizadas comúnmente de Linux como [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) y [Firejail](https://firejail.wordpress.com/), aún tienen mucho por recorrer. +- Fuertes [mitigaciones de vulnerabilidades](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations). + +A pesar de estos inconvenientes, las distribuciones Linux de escritorio son geniales si quieres: + +- Evitar la telemetría que, regularmente, viene con los sistemas operativos propietarios. +- Mantener la ['libertad del software'](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms). +- Tener sistemas enfocados en la privacidad como [Whonix](https://www.whonix.org) o [Tails](https://tails.boum.org/). + +Nuestra página generalmente utiliza el término "Linux" para describir las distribuciones Linux de escritorio. Otros sistemas operativos que también utilizan el kernel de Linux como ChromeOS, Android y Qubes OS no se discuten aquí. + +[Nuestras recomendaciones de Linux: :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Elegir tu distribución + +No todas las distribuciones Linux son iguales. Mientras nuestra página con recomendaciones de Linux no fue creada para ser una fuente autorizada para decidir cuál distribución debes utilizar, hay algunos aspectos que debes considerar al elegir cuál distribución usar. + +### Ciclo de lanzamiento + +Recomendamos encarecidamente que elijas las distribuciones que permanecen cerca a los lanzamientos estables, comúnmente denominadas como distribuciones de lanzamiento continuo. Esto se debe a que las distribuciones de lanzamiento de ciclo congelado, normalmente no actualizan las versiones de sus paquetes y se encuentran detrás en actualizaciones de seguridad. + +Para las distribuciones congeladas como [Debian](https://www.debian.org/security/faq#handling), se espera que los encargados de mantener los paquetes adapten los parches para corregir vulnerabilidades, en lugar de actualizar el software a la "siguiente versión" lanzada por el desarrollador original. Algunos arreglos de seguridad [no](https://arxiv.org/abs/2105.14565) reciben un [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (programas de menor popularidad) del todo y no llegan a la distribución con este modelo de parches. Por ello, a veces las correcciones de seguridad son pospuestas hasta la siguiente versión importante. + +No creemos que retener paquetes y aplicar los parches provisionales sea una buena idea, porque se aleja de la forma en que el desarrollador se pudo asegurar que el software funcione. [Richard Brown](https://rootco.de/aboutme/) tiene una presentación sobre esto: + +
+ +
+ +### Actualizaciones tradicionales vs. Atómicas + +Tradicionalmente, las distribuciones de Linux se actualizan secuencialmente, actualizando los paquetes deseados. Las actualizaciones tradicionales, como las utilizadas en las distribuciones basadas en Fedora, Arch Linux y Debian, son menos confiables, si un error se produce al actualizar. + +Las distribuciones de actualizaciones Atómicas, aplican las actualizaciones en su totalidad o no del todo. Normalmente, los sistemas de actualización transaccional también son atómicos. + +Un sistema de actualización transaccional crea una instantánea que se realiza antes y después de haber aplicado una actualización. Si una actualización falla en cualquier momento (debido a situaciones como fallas de electricidad), la actualización puede revertirse fácilmente al "último estado bueno conocido". + +El método de actualizaciones Atómicas es utilizado para distribuciones inmutables como Silverblue, Tumbleweed y NixOS, y puede obtener confiabilidad con este modelo. [Adam Šamalik](https://twitter.com/adsamalik) brinda una presentación sobre cómo `rpm-ostree` funciona con Silverblue: + +
+ +
+ +### Distribuciones "enfocadas en la seguridad" + +A menudo existe cierta confusión entre las distribuciones "enfocadas en la privacidad" y las distribuciones "pentesting". Una búsqueda rápida para "la distribución más segura de Linux" suele arrojar resultados como Kali Linux, Black Arch y Parrot OS. Estas distribuciones son distribuciones de pruebas de penetración ofensivas que incluyen herramientas para probar otros sistemas. Estas no incluyen ninguna "seguridad adicional" o mitigaciones defensivas destinadas a un uso regular. + +### Distribuciones basadas en Arch Linux + +Las distribuciones basadas en Arch no son recomendables para los que se inician en Linux, (independientemente de la distribución) ya que requieren un [mantenimiento regular del sistema](https://wiki.archlinux.org/title/System_maintenance). Arch no dispone de un mecanismo de actualización de la distribución para las opciones de software subyacentes. Por ello, hay que estar al tanto de las tendencias actuales y adoptar las tecnologías a medida que van sustituyendo a las prácticas más antiguas. + +Para un sistema seguro, también se espera que tenga suficientes conocimientos de Linux para configurar correctamente la seguridad de su sistema, como la adopción de un sistema [de control de acceso obligatorio](https://en.wikipedia.org/wiki/Mandatory_access_control), la configuración de listas negras de [módulos del kernel](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security), el endurecimiento de los parámetros de arranque, la manipulación de parámetros[ sysctl](https://en.wikipedia.org/wiki/Sysctl), y saber qué componentes necesitan como [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Cualquiera que utilice el repositorio de usuarios de Arch [(AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **debe** estar cómodo en auditar PKGBUILDs que instalan desde ese servicio. Los paquetes AUR son contenidos producidos por la comunidad y no se examinan de ninguna manera, por lo que son vulnerables a los ataques a la cadena de suministro de software, como de hecho ha sucedido en [en el pasado](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR debe utilizarse siempre con moderación y, a menudo, hay muchos malos consejos en diversas páginas que dirigen a la gente a utilizar ciegamente [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) sin suficiente advertencia. Se aplican advertencias similares al uso de Archivos de Paquetes Personales (PPA) de terceros en distribuciones basadas en Debian o Proyectos Comunitarios (COPR) en Fedora. + +Si tienes experiencia con Linux y deseas utilizar una distribución basada en Arch, sólo recomendamos Arch Linux de línea principal, no cualquiera de sus derivados. Desaconsejamos específicamente estos dos derivados de Arch: + +- **Manjaro**: Esta distribución retiene los paquetes durante 2 semanas para asegurarse de que sus propios cambios no se rompan, no para asegurarse de que el flujo ascendente sea estable. Cuando se utilizan paquetes AUR, suelen compilarse con las últimas [bibliotecas](https://en.wikipedia.org/wiki/Library_(computing)) de los repositorios de Arch. +- **Garuda**: Utilizan [Chaotic-AUR](https://aur.chaotic.cx/) que compila automáticamente y a ciegas paquetes del AUR. No existe ningún proceso de verificación que garantice que los paquetes AUR no sufran ataques en la cadena de suministro. + +### Kicksecure + +Aunque recomendamos encarecidamente no utilizar distribuciones obsoletas como Debian, existe un sistema operativo basado en Debian que ha sido reforzado para ser mucho más seguro que las distribuciones típicas de Linux: [Kicksecure](https://www.kicksecure.com/). Kicksecure, en términos demasiado simplificados, es un conjunto de scripts, configuraciones y paquetes que reducen sustancialmente la superficie de ataque de Debian. Cubre muchas recomendaciones de privacidad y seguridad por defecto. + +### Kernel Linux-libre y distribuciones "Libre" + +Recomendamos encarecidamente no utilizar **** el kernel Linux-libre, ya que [elimina las mitigaciones de seguridad](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) y [suprime las advertencias del kernel](https://news.ycombinator.com/item?id=29674846) sobre microcódigo vulnerable por razones ideológicas. + +## Recomendaciones Generales + +### Cifrado de unidad + +La mayoría de las distribuciones de Linux tienen una opción dentro de su instalador para habilitar [LUKS](../encryption.md#linux-unified-key-setup) FDE. Si esta opción no se configura en el momento de la instalación, tendrá que hacer una copia de seguridad de sus datos y volver a instalar, ya que el cifrado se aplica después de [particionar el disco](https://en.wikipedia.org/wiki/Disk_partitioning), pero antes de formatear [el sistema de archivos](https://en.wikipedia.org/wiki/File_system). También te sugerimos que borres de forma segura tu dispositivo de almacenamiento: + +- [Borrado seguro de datos :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Considera el uso de [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) o [swap cifrado](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) en lugar de swap sin cifrar para evitar posibles problemas de seguridad con los datos sensibles que se graben en el [espacio swap ](https://en.wikipedia.org/wiki/Memory_paging)(espacio de intercambio). Las distribuciones basadas en Fedora [utilizan ZRAM por defecto](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +Recomendamos utilizar un entorno de escritorio compatible con el protocolo de visualización [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)), ya que se ha desarrollado [teniendo en cuenta](https://lwn.net/Articles/589147/) la seguridad. Su predecesor, [X11](https://en.wikipedia.org/wiki/X_Window_System), no soporta el aislamiento GUI, permitiendo que todas las ventanas [graben pantalla, registren e inyecten entradas en otras ventanas](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), haciendo inútil cualquier intento de sandboxing. Aunque hay opciones para hacer X11 anidado como [Xpra](https://en.wikipedia.org/wiki/Xpra) o [Xephyr](https://en.wikipedia.org/wiki/Xephyr), a menudo vienen con consecuencias negativas en el rendimiento y no son convenientes de configurar y no son preferibles sobre Wayland. + +Afortunadamente, entornos comunes como [GNOME](https://www.gnome.org), [KDE](https://kde.org), y el gestor de ventanas [Sway](https://swaywm.org) tienen soporte para Wayland. Algunas distribuciones como Fedora y Tumbleweed lo utilizan por defecto, y es posible que otras lo hagan en el futuro, ya que X11 está en modo de [mantenimiento duro](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Si estás utilizando uno de esos entornos es tan fácil como seleccionar la sesión "Wayland" en el gestor de pantalla del escritorio ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +Estamos **en contra** de usar entornos de escritorio o gestores de ventanas que no tengan soporte para Wayland, como Cinnamon (por defecto en Linux Mint), Pantheon (por defecto en Elementary OS), MATE, Xfce e i3. + +### Firmware propietario (actualizaciones de microcódigo) + +Las distribuciones de Linux como las que son [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) o DIY (Arch Linux) no vienen con las actualizaciones de [ microcódigo](https://en.wikipedia.org/wiki/Microcode) propietarias que a menudo parchean las vulnerabilidades. Algunos ejemplos notables de estas vulnerabilidades incluyen [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), y otras [vulnerabilidades de hardware](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Nosotros **recomendamos encarecidamente** que instale las actualizaciones del microcódigo, ya que su CPU ya está ejecutando el microcódigo propietario de fábrica. Tanto Fedora como openSUSE tienen las actualizaciones de microcódigo aplicadas por defecto. + +### Actualizaciones + +La mayoría de las distribuciones de Linux instalan automáticamente las actualizaciones o le recuerdan que debe hacerlo. Es importante mantener el sistema operativo actualizado para que el software esté parcheado cuando se detecte una vulnerabilidad. + +Algunas distribuciones (especialmente las dirigidas a usuarios avanzados) son más básicas y esperan que hagas las cosas tú mismo (por ejemplo, Arch o Debian). Será necesario ejecutar manualmente el "gestor de paquetes" (`apt`, `pacman`, `dnf`, etc.) para recibir actualizaciones de seguridad importantes. + +Además, algunas distribuciones no descargan automáticamente las actualizaciones de firmware. Para eso necesitarás instalar [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Ajustes de privacidad + +### Aleatorización de direcciones Mac + +Muchas distribuciones Linux de escritorio (Fedora, openSUSE, etc.) vienen con [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), para configurar los ajustes de Ethernet y Wi-Fi. + +Es posible [aleatorizar](https://fedoramagazine.org/randomize-mac-address-nm/) la [dirección MAC](https://en.wikipedia.org/wiki/MAC_address) cuando se utiliza NetworkManager. Esto proporciona un poco más de privacidad en las redes Wi-Fi, ya que hace más difícil rastrear dispositivos específicos en la red a la que estás conectado. [**No**](https://papers.mathyvanhoef.com/wisec2016.pdf) te hace anónimo. + +Recomendamos cambiar la configuración a **aleatoria** en lugar de **estable**, como se sugiere en el [artículo](https://fedoramagazine.org/randomize-mac-address-nm/). + +Si estás utilizando [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), necesitarás configurar [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) que habilitará [RFC 7844 (Perfiles de anonimato para clientes DHCP)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +No tiene mucho sentido aleatorizar la dirección MAC para las conexiones Ethernet, ya que un administrador del sistema puede encontrarte mirando el puerto que estás utilizando en el [conmutador de red](https://en.wikipedia.org/wiki/Network_switch). La aleatorización de las direcciones MAC Wi-Fi depende del soporte del firmware de la Wi-Fi. + +### Otros identificadores + +Hay otros identificadores del sistema con los que conviene tener cuidado. Deberías pensar en esto para ver si se aplica a tu [modelo de amenaza](../basics/threat-modeling.md): + +- **Nombres de host:** El nombre de host de tu sistema se comparte con las redes a las que te conectas. Debes evitar incluir términos identificativos como tu nombre o tu sistema operativo en tu nombre de host, en su lugar, cíñete a términos genéricos o cadenas de caracteres aleatorias. +- **Nombres de usuario:** Del mismo modo, tu nombre de usuario se utiliza de diversas maneras en todo el sistema. Considera la posibilidad de utilizar términos genéricos como "usuario" en lugar de tu nombre real. +- **ID de máquina:**Durante la instalación se genera un ID de máquina único que se almacena en tu dispositivo. Considera [configurarlo en un ID genérico](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### Contador de sistema + +El Proyecto Fedora [cuenta](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) cuántos sistemas únicos acceden a sus réplicas utilizando una variable [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) en lugar de un ID único. Fedora hace esto para determinar la carga y aprovisionar mejores servidores para las actualizaciones cuando sea necesario. + +Esta [opción](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) está actualmente desactivada por defecto. Recomendamos añadir `countme=false` en `/etc/dnf/dnf.conf` por si se habilita en el futuro. En sistemas que utilizan `rpm-ostree` como Silverblue, la opción countme se desactiva enmascarando el temporizador [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/). + +openSUSE también utiliza un [ID único](https://en.opensuse.org/openSUSE:Statistics) para contar los sistemas, que puede desactivarse borrando el archivo `/var/lib/zypp/AnonymousUniqueId`. diff --git a/i18n/es/os/qubes-overview.md b/i18n/es/os/qubes-overview.md new file mode 100644 index 00000000..5b476586 --- /dev/null +++ b/i18n/es/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Visión General de Qubes" +icon: simple/qubesos +description: Qubes es un sistema operativo basado en el aislamiento de aplicaciones dentro de máquinas virtuales para una mayor seguridad. +--- + +[**Qubes OS**](../desktop.md#qubes-os) es un sistema operativo que utiliza el hipervisor [Xen](https://en.wikipedia.org/wiki/Xen) para proporcionar una fuerte seguridad para la informática de escritorio a través de máquinas virtuales aisladas. Cada VM se denomina *Qube* y puedes asignar a cada Qube un nivel de confianza en función de su finalidad. Ya que Qubes OS proporciona seguridad mediante el uso de aislamiento, y sólo permite acciones por caso, es lo contrario de la [enumeración de maldad](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## ¿Cómo funciona Qubes OS? + +Qubes utiliza la [compartimentación](https://www.qubes-os.org/intro/) para mantener el sistema seguro. Qubes son creados de plantillas, las predeterminadas siendo para Fedora, Debian y [Whonix](../desktop.md#whonix). Qubes OS también te permite crear máquinas virtuales de un solo uso [desechables](https://www.qubes-os.org/doc/how-to-use-disposables/). + +![Arquitectura Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Arquitectura, Crédito: Qué es Qubes OS Introducción
+ +Cada aplicación Qubes tiene un [borde de color](https://www.qubes-os.org/screenshots/) que puede ayudarte a seguir la pista de la máquina virtual en la que se está ejecutando. Podrías, por ejemplo, usar un color específico para tu navegador bancario, mientras usas un color diferente para un navegador general no confiado. + +![Borde coloreado](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Bordes de ventana de Qubes, Crédito: Capturas de pantalla de Qubes
+ +## ¿Por qué utilizar Qubes? + +Qubes OS es útil si tu [modelo de amenazas](../basics/threat-modeling.md) requiere una fuerte compartimentación y seguridad, como por ejemplo si crees que vas a abrir archivos no confiables de fuentes no confiables. Una razón típica para utilizar Qubes OS es abrir documentos de fuentes desconocidas. + +Qubes OS utiliza [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (es decir, un "AdminVM") para controlar otras VMs invitadas o Qubes en el SO anfitrión. Otras máquinas virtuales muestran ventanas de aplicaciones individuales dentro del entorno de escritorio de Dom0. Permite codificar por colores las ventanas en función de los niveles de confianza y ejecutar aplicaciones que pueden interactuar entre sí con un control muy granular. + +### Copiar y pegar texto + +Puedes [copiar y pegar texto](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) utilizando `qvm-copy-to-vm` o las instrucciones siguientes: + +1. Pulsa **Ctrl+C** para decirle a la máquina virtual en la que estás que quieres copiar algo. +2. Pulsa **Ctrl+Shift+C** para indicar a la VM que ponga este búfer a disposición del portapapeles global. +3. Pulsa **Ctrl+Shift+V** en la máquina virtual de destino para que el portapapeles global esté disponible. +4. Pulsa **Ctrl+V** en la máquina virtual de destino para pegar el contenido en el búfer. + +### Intercambio de archivos + +Para copiar y pegar archivos y directorios (carpetas) de una VM a otra, puedes utilizar la opción **Copiar a otra AppVM...** o **Mover a otra AppVM...**. La diferencia es que la opción **Mover** borrará el archivo original. Cualquiera de las dos opciones protegerá tu portapapeles de ser filtrado a cualquier otro Qubes. Esto es más seguro que la transferencia de archivos con air-gap, porque un ordenador con air-gap seguirá viéndose obligado a analizar particiones o sistemas de archivos. Esto no es necesario con el sistema de copia inter-qube. + +??? info "AppVMs o qubes no tienen sus propios sistemas de archivos" + + Puedes [copiar y mover archivos](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) entre Qubes. Al hacerlo, los cambios no son inmediatos y pueden deshacerse fácilmente en caso de accidente. + +### Interacciones inter-VM + +El framework [qrexec](https://www.qubes-os.org/doc/qrexec/) es una parte central de Qubes que permite la comunicación de máquinas virtuales entre dominios. Está construido sobre la librería Xen *vchan*, que facilita el [aislamiento a través de políticas](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionales + +Para obtener información adicional, te animamos a consultar las extensas páginas de documentación de Qubes OS que se encuentran en el [sitio web Qubes OS](https://www.qubes-os.org/doc/). Copias offline se pueden descargar desde el [repositorio de documentación ](https://github.com/QubesOS/qubes-doc)de Qubes OS. + +- Fondo Tecnológico Abierto: [*Posiblemente el sistema operativo más seguro del mundo*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Compartimentación del software frente a separación física*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Particionando mi vida digital en dominios de seguridad*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Artículos Relacionados*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/es/passwords.md b/i18n/es/passwords.md new file mode 100644 index 00000000..7c6e219e --- /dev/null +++ b/i18n/es/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Administradores de Contraseñas" +icon: material/form-textbox-password +description: Los administradores de contraseñas le permiten almacenar y administrar de forma segura contraseñas y otras credenciales. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Administrador de contraseñas + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Administrador de contraseñas + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Administrador de contraseñas + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Administrador de contraseñas + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Administrador de contraseñas + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Administrador de contraseñas + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Administrador de contraseñas + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Manténgase seguro y protegido en línea con un gestor de contraseñas cifrado y de código abierto. + +[Introducción a las Contraseñas :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Los administradores de contraseñas integrados en programas como navegadores y sistemas operativos a veces no son tan buenos como los programas de administración de contraseñas específicos. La ventaja de un administrador de contraseñas incorporado es una buena integración con el software, pero a menudo puede ser muy simple y carecer de características de privacidad y seguridad que las ofertas independientes tienen. + + Por ejemplo, el administrador de contraseñas de Microsoft Edge no ofrece E2EE. El administrador de contraseñas de Google tiene [optional](https://support.google.com/accounts/answer/11350823) E2EE, y [Apple 's](https://support.apple.com/en-us/HT202303) ofrece E2EE de forma predeterminada. + +## Basado en la nube + +Estos administradores de contraseñas sincronizan sus contraseñas con un servidor en la nube para facilitar el acceso desde todos sus dispositivos y ofrecer seguridad frente a la pérdida de dispositivos. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** es un administrador de contraseñas gratuito y de código abierto. Su objetivo es resolver los problemas de gestión de contraseñas para individuos, equipos y organizaciones empresariales. Bitwarden es una de las soluciones más fáciles y seguras para almacenar todas sus contraseñas e inicios de sesión manteniéndolos convenientemente sincronizados entre todos sus dispositivos. + + [:octicons-home-16: Página Principal](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden también cuenta con [Bitwarden Send](https://bitwarden.com/products/send/), que permite compartir texto y archivos de forma segura con [cifrado de extremo a extremo](https://bitwarden.com/help/send-encryption). Se puede solicitar una [contraseña](https://bitwarden.com/help/send-privacy/#send-passwords) junto con el enlace de envío. Bitwarden Send también cuenta con [borrado automático](https://bitwarden.com/help/send-lifespan). + +Necesita el [Plan Premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) para poder compartir archivos. El plan gratuito sólo permite compartir texto. + +El código del lado del servidor de Bitwarden es [de código abierto](https://github.com/bitwarden/server), por lo que si no desea utilizar la nube de Bitwarden, puede alojar fácilmente su propio servidor de sincronización Bitwarden. + +**Vaultwarden** es una implementación alternativa del servidor de sincronización de Bitwarden escrito en Rust y compatible con los clientes oficiales de Bitwarden, perfecto para la implementación autoalojada donde ejecutar el servicio oficial de recursos pesados podría no ser ideal. Si usted está buscando autoalojar Bitwarden en su propio servidor, es casi seguro que desee utilizar Vaultwarden en lugar del código del servidor oficial de Bitwarden. + +[:octicons-repo-16: Repositorio de Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentación} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Código Fuente" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribuir } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** es un administrador de contraseñas con un fuerte enfoque en la seguridad y la facilidad de uso, que le permite almacenar contraseñas, tarjetas de crédito, licencias de software y cualquier otra información sensible en una bóveda digital segura. Su bóveda es alojada en los servidores de 1Password por una [cuota mensual](https://1password.com/sign-up/). 1Password es [audited](https://support.1password.com/security-assessments/) de forma regular y ofrece una atención al cliente excepcional. 1Password es de código cerrado; sin embargo, la seguridad del producto está exhaustivamente documentada en su [libro blanco de seguridad](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Página Principal](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentación} + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Tradicionalmente, **1Password** ha ofrecido la mejor experiencia de usuario entre los administradores de contraseñas para personas que utilizan macOS e iOS; sin embargo, ahora ha logrado la paridad de funciones en todas las plataformas. Cuenta con muchas funciones orientadas a las familias y a las personas menos técnicas, así como con funcionalidades avanzadas. + +Su bóveda de 1Password está protegida tanto con su contraseña maestra como con una clave de seguridad aleatoria de 34 caracteres para cifrar sus datos en los servidores. Esta clave de seguridad añade una capa de protección a sus datos, ya que estos están asegurados con una alta entropía independientemente de su contraseña maestra. Muchas otras soluciones de administración de contraseñas dependen totalmente de la fortaleza de su contraseña maestra para proteger sus datos. + +Una ventaja que 1Password tiene sobre Bitwarden es su soporte de primera clase para clientes nativos. Mientras que Bitwarden relega muchas funciones, especialmente las de gestión de cuentas, a su interfaz web, 1Password hace que casi todas las funciones estén disponibles en sus clientes nativos para móvil o escritorio. Los clientes de 1Password también tienen una interfaz de usuario más intuitiva, lo que facilita su uso y navegación. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** es un administrador de contraseñas gratuito y de código abierto alemán, centrado en la gestión de contraseñas para equipos. Psono permite compartir de forma segura contraseñas, archivos, marcadores y correos electrónicos. Todos los secretos están protegidos por una contraseña maestra. + + [:octicons-home-16: Página Principal](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentación} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Código Fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono proporciona una amplia documentación para su producto. El cliente web para Psono puede ser autoalojado; alternativamente, puede elegir la Community Edition completa o la Enterprise Edition con funciones adicionales. + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +#### Requisitos Mínimos + +- Debe utilizar E2EE sólido, basado en estándares/moderno. +- Debe contar con prácticas de encriptación y seguridad minuciosamente documentadas. +- Debe tener una auditoría publicada de una tercera parte independiente y de buena reputación. +- Toda telemetría no esencial debe ser opcional. +- No debe recopilar más IIP de la necesaria a efectos de facturación. + +#### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- La telemetría debe ser opcional (desactivada por defecto) o no recopilarse en absoluto. +- Debe ser de código abierto y razonablemente autoalojable. + +## Almacenamiento Local + +Estas opciones le permiten administrar una base de datos de contraseñas cifradas localmente. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** es una bifurcación comunitaria de KeePassX, un port nativo multiplataforma de KeePass Password Safe, con el objetivo de extenderlo y mejorarlo con nuevas características y correcciones de errores para proporcionar un administrador de contraseñas de código abierto rico en características, multiplataforma y moderno. + + [:octicons-home-16: Página Principal](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC almacena sus datos de exportación como archivos [CSV](https://es.wikipedia.org/wiki/Valores_separados_por_comas). Esto puede significar la pérdida de datos si importa este archivo a otro administrador de contraseñas. Le aconsejamos que compruebe cada registro manualmente. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** es un administrador de contraseñas ligero para Android, que permite editar datos encriptados en un único archivo en formato KeePass y puede rellenar los formularios de forma segura. [Contribuidor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permite desbloquear contenido cosmético y funciones de protocolo no estándar, pero lo más importante es que ayuda y fomenta el desarrollo. + + [:octicons-home-16: Página Principal](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** es un administrador de contraseñas nativo y de código abierto para iOS y macOS. Es compatible con los formatos KeePass y Password Safe, por lo que Strongbox puede utilizarse junto con otros administradores de contraseñas, como KeePassXC, en plataformas que no sean Apple. Al emplear un [modelo freemium](https://strongboxsafe.com/pricing/), Strongbox ofrece la mayoría de las funciones en su nivel gratuito con más funciones orientadas a la comodidad [features](https://strongboxsafe.com/comparison/) -como la autenticación biométrica- bloqueadas tras una suscripción o licencia perpetua. + + [:octicons-home-16: Página Principal](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Además, hay una versión sin conexión: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Esta versión tiene solo lo básico para reducir la superficie de ataque. + +### Línea de comandos + +Estos productos son administradores de contraseñas mínimos que se pueden utilizar dentro de las aplicaciones de scripting. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** es un gestor de contraseñas para línea de comandos escrito en Go. Funciona en los principales sistemas operativos de escritorio y servidor (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Página Principal](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Debe ser multiplataforma. diff --git a/i18n/es/productivity.md b/i18n/es/productivity.md new file mode 100644 index 00000000..a3a08cda --- /dev/null +++ b/i18n/es/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Herramientas de Productividad" +icon: material/file-sign +description: La mayoría de las paquetes de ofimática en línea no admiten E2EE, lo que significa que el proveedor de la nube tiene acceso a todo lo que usted hace. +--- + +La mayoría de las paquetes de ofimática en línea no admiten E2EE, lo que significa que el proveedor de la nube tiene acceso a todo lo que usted hace. La política de privacidad puede proteger legalmente sus derechos, pero no establece limitaciones técnicas de acceso. + +## Plataformas de Colaboración + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** es un conjunto de programas gratuitos y de código abierto, para la creación de su propio servicio de almacenamiento de archivos en un servidor privado que usted controle. + + [:octicons-home-16: Página Principal](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Peligro" + + No recomendamos utilizar la [aplicación con cifrado de extremo a extremo](https://apps.nextcloud.com/apps/end_to_end_encryption) para Nextcloud, porque puede causar la pérdida de datos; esta es considerada como altamente experimental y no debe utilizarse en entornos de producción. Por esta razón, no recomendamos proveedores de Nextcloud de terceros. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** es una alternativa privada a las herramientas de ofimática populares. Todos los contenidos de este servicio web están cifrados de extremo a extremo y pueden compartirse fácilmente con otros usuarios. + + [:octicons-home-16: Página Principal](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribuir } + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +En general, definimos las plataformas de colaboración como paquetes completos que podrían actuar razonablemente como un sustituto de plataformas de colaboración como Google Drive. + +- De Código Abierto. +- Hace que los archivos sean accesibles a través de WebDAV a menos que sea imposible debido al E2EE. +- Dispone de clientes de sincronización para Linux, macOS y Windows. +- Admite la edición de documentos y hojas de cálculo. +- Admite la colaboración en documentos en tiempo real. +- Admite la exportación de documentos a formatos de documento estándar (por ejemplo, ODF). + +#### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe almacenar los archivos en un sistema de archivos convencional. +- Debe ser compatible con la autenticación multifactor TOTP o FIDO2, o con los inicios de sesión Passkey. + +## Paquetes Ofimáticos + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** es un paquete de ofimática gratuito y de código abierto con amplias funcionalidades. + + [:octicons-home-16: Página Principal](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Página Principal" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentación} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** es un paquete de ofimática gratuito y de código abierto basado en la nube con amplias funcionalidades, incluida la integración con Nextcloud. + + [:octicons-home-16: Página Principal](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +En general, definimos las paquetes ofimáticos como aplicaciones que podrían sustituir razonablemente a Microsoft Word para la mayoría de las necesidades. + +- Debe ser multiplataforma. +- Debe ser software de código abierto. +- Debe funcionar sin conexión. +- Debe admitir la edición de documentos, hojas de cálculo y presentaciones de diapositivas. +- Debe exportar archivos a formatos de documento estándar. + +## Servicios Pastebin + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** es un pastebin en línea minimalista y de código abierto en el que el servidor no tiene ningún conocimiento de los datos pegados. Los datos se cifran/descifran en el navegador utilizando AES de 256 bits. Es la versión mejorada de ZeroBin. Hay una [lista de instancias](https://privatebin.info/directory/). + + [:octicons-home-16: Página Principal](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Instancias Públicas"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Código Fuente" } diff --git a/i18n/es/real-time-communication.md b/i18n/es/real-time-communication.md new file mode 100644 index 00000000..8463979b --- /dev/null +++ b/i18n/es/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Comunicación en Tiempo Real" +icon: material/chat-processing +description: Otros servicios de mensajería instantánea ponen todas sus conversaciones privadas a disposición de la empresa que los gestiona. +--- + +Estas son nuestras recomendaciones para la comunicación cifrada en tiempo real. + +[Tipos de Redes de Comunicación :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Servicios de Mensajería Cifrados + +Estos servicios de mensajería son ideales para proteger sus comunicaciones confidenciales. + +### Signal + +!!! recommendation + + ![Logotipo de Signal](assets/img/messengers/signal.svg){ align=right } + + **Signal** es una aplicación móvil desarrollada por Signal Messenger LLC. La aplicación ofrece mensajería instantánea, así como llamadas de voz y vídeo. + + Todas las comunicaciones son E2EE. Las listas de contactos se encriptan con su PIN de Signal y el servidor no tiene acceso a ellas. Los perfiles personales también están encriptados y sólo se comparten con los contactos con los que chatea. + + [:octicons-home-16: Página Principal](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribuir } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal admite [grupos privados](https://signal.org/blog/signal-private-group-system/). El servidor no tiene registro de la pertenencia a un grupo, los títulos de los grupos, los avatares de los grupos o los atributos de los grupos. Signal tiene pocos metadatos cuando [Remitente Confidencial](https://signal.org/blog/sealed-sender/) está activado. La dirección del remitente se encripta junto con el cuerpo del mensaje, y sólo la dirección del destinatario es visible para el servidor. Remitente confidencial sólo está activado para las personas de su lista de contactos, pero se puede activar para todos los destinatarios con el consiguiente riesgo de recibir spam. Signal requiere su número de teléfono como identificador personal. + +El protocolo fue [auditado](https://eprint.iacr.org/2016/1013.pdf) de forma independiente en 2016. La especificación del protocolo Signal puede encontrarse en su [documentación](https://signal.org/docs/). + +Tenemos algunos consejos adicionales para configurar y endurecer su instalación de Signal: + +[Configuración y Endurecimiento de Signal :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat es un servicio de mensajería instantánea descentralizado que no depende de ningún identificador único, como números de teléfono o nombres de usuario. Los usuarios de SimpleX Chat pueden escanear un código QR o hacer clic en un enlace de invitación para participar en conversaciones de grupo. + + [:octicons-home-16: Página Principal](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [fue auditado](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) por Trail of Bits en octubre de 2022. + +Actualmente SimpleX Chat sólo ofrece un cliente para Android e iOS. Se admiten funciones básicas de chat en grupo, mensajería directa, edición de mensajes y markdown. También se admiten llamadas de audio y vídeo E2EE. + +Sus datos se pueden exportar e importar a otro dispositivo, ya que no hay servidores centrales en los que se realice una copia de seguridad. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** es un servicio de mensajería instantánea encriptado que [connects](https://briarproject.org/how-it-works/) a otros clientes usando la Red Tor. Briar también puede conectarse a través de Wi-Fi o Bluetooth si está cerca. El modo de malla local de Briar puede ser útil cuando la disponibilidad de Internet es un problema. + + [:octicons-home-16: Página Principal](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title=""Política de Privacidad" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentación} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Las opciones de donación están listadas en la parte inferior de la página principal" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +Para añadir un contacto en Briar, ambos deben añadirse entre sí primero. Puede intercambiar enlaces `briar://` o escanear el código QR de un contacto si están cerca. + +El software cliente fue [auditado](https://briarproject.org/news/2017-beta-released-security-audit/) de forma independiente, y el protocolo de enrutamiento anónimo utiliza la red Tor, que también ha sido auditada. + +Briar tiene una [especificación publicada](https://code.briarproject.org/briar/briar-spec) completamente. + +Briar admite el secreto de reenvío perfecto utilizando el protocolo Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) y el protocolo [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md). + +## Opciones Adicionales + +!!! advertencia + + Estos servicios de mensajería no tienen Perfect [Forward Secrecy](https://es.wikipedia.org/wiki/Perfect_forward_secrecy) (PFS), y aunque satisfacen ciertas necesidades que nuestras recomendaciones anteriores no pueden satisfacer, no los recomendamos para comunicaciones a largo plazo o sensibles. Cualquier compromiso de claves entre los destinatarios de los mensajes afectaría a la confidencialidad de **todas** las comunicaciones anteriores. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** es el cliente de referencia para el protocolo [Matrix](https://matrix.org/docs/guides/introduction), un [estándar abierto](https://matrix.org/docs/spec) para la comunicación segura descentralizada en tiempo real. + + Los mensajes y los archivos compartidos en las salas privadas (las que requieren una invitación) son por defecto E2EE, al igual que las llamadas de voz y vídeo uno a uno. + + [:octicons-home-16: Página Principal](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Las fotos de perfil, las reacciones y los apodos no están cifrados. + +Las llamadas de voz y vídeo en grupo [no](https://github.com/vector-im/element-web/issues/12878) son E2EE, y utilizan Jitsi, pero se espera que esto cambie con [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Actualmente, las llamadas grupales [no tienen autenticación](https://github.com/vector-im/element-web/issues/13074), lo que significa que los participantes que no son de la sala también pueden entrar a las llamadas. Le recomendamos que no utilice esta función para las reuniones privadas. + +El propio protocolo Matrix [soporta teóricamente PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), sin embargo [no está soportado actualmente en Element](https://github.com/vector-im/element-web/issues/7101) debido a que rompe algunos aspectos de la experiencia del usuario como las copias de seguridad de claves y el historial de mensajes compartidos. + +El protocolo fue [auditado](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) de forma independiente en 2016. La especificación del protocolo Matrix puede encontrarse en su [documentación](https://spec.matrix.org/latest/). El trinquete criptográfico [Olm](https://matrix.org/docs/projects/other/olm) utilizado por Matrix es una implementación del algoritmo [Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) de Signal. + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** es un servicio de mensajería descentralizado centrado en las comunicaciones privadas, seguras y anónimas. Session ofrece soporte para mensajes directos, chats de grupo y llamadas de voz. + + Session utiliza la red descentralizada [Oxen Service Node Network](https://oxen.io/) para almacenar y enrutar los mensajes. Cada mensaje encriptado pasa por tres nodos de la Oxen Service Node Network, lo que hace prácticamente imposible que los nodos recopilen información significativa sobre quienes utilizan la red. + + [:octicons-home-16: Página Principal](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Código Fuente" } + + ??? descargas + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session permite E2EE en chats individuales o grupos cerrados que admiten hasta 100 miembros. Los grupos abiertos no tienen ninguna restricción en cuanto al número de miembros, pero son abiertos por diseño. + +Session [no](https://getsession.org/blog/session-protocol-technical-information) soporta PFS, que es cuando un sistema de cifrado cambia automáticamente y con frecuencia las claves que utiliza para cifrar y descifrar la información, de tal manera que si la última clave se ve comprometida expone una porción menor de información sensible. + +Oxen solicitó una auditoría independiente para Session en marzo de 2020. La auditoría [concluyó](https://getsession.org/session-code-audit) en abril de 2021, "El nivel de seguridad general de esta aplicación es bueno y la hace utilizable para las personas preocupadas por la privacidad". + +Session tiene un [informe oficial](https://arxiv.org/pdf/2002.04609.pdf) que describe los aspectos técnicos de la aplicación y el protocolo. + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Debe tener clientes de código abierto. +- Debe utilizar E2EE para los mensajes privados por defecto. +- Debe ser compatible con E2EE para todos los mensajes. +- Debe haber sido objeto de una auditoría independiente. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe tener Perfect Forward Secrecy. +- Debe tener servidores de código abierto. +- Debe ser descentralizado, es decir, federado o P2P. +- Debe utilizar E2EE para todos los mensajes por defecto. +- Debe ser compatible con Linux, macOS, Windows, Android e iOS. diff --git a/i18n/es/router.md b/i18n/es/router.md new file mode 100644 index 00000000..b4a7dcfe --- /dev/null +++ b/i18n/es/router.md @@ -0,0 +1,50 @@ +--- +title: "Firmware del Router" +icon: material/router-wireless +description: Estos sistemas operativos alternativos pueden utilizarse para proteger tu router o punto de acceso Wi-Fi. +--- + +A continuación se presentan algunos sistemas operativos alternativos, que pueden utilizarse en routers, puntos de acceso Wi-Fi, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** es un sistema operativo basado en Linux; se utiliza principalmente en dispositivos integrados para enrutar el tráfico de red. Incluye util-linux, uClibc, y BusyBox. Todos los componentes han sido optimizados para routers domésticos. + + [:octicons-home-16: Página Principal](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Código Fuente } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuir } + +Puedes consultar [ la tabla de hardware](https://openwrt.org/toh/start) de OpenWrt para comprobar si tu dispositivo es compatible. + +## OPNsense + +!!! recommendation + + ![pfSense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** es una plataforma de enrutamiento y cortafuegos de código abierto basada en FreeBSD que incorpora muchas características avanzadas, como la conformación del tráfico, el equilibrio de carga y las capacidades de VPN, con muchas más características disponibles en forma de plugins. OPNsense se implementa habitualmente como cortafuegos perimetral, router, punto de acceso inalámbrico, servidor DHCP, servidor DNS y punto final VPN. + + [:octicons-home-16: Página Principal](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuir } + +OPNsense se desarrolló originalmente como una bifurcación de [pfSense](https://en.wikipedia.org/wiki/PfSense), y ambos proyectos destacan por ser distribuciones de cortafuegos libres y fiables que ofrecen características que a menudo sólo se encuentran en los costosos cortafuegos comerciales. Lanzado en 2015, los desarrolladores de OPNsense [citaron a](https://docs.opnsense.org/history/thefork.html) una serie de problemas de seguridad y de calidad del código de pfSense que consideraban que necesitaba una bifurcación del proyecto, así como preocupaciones por la adquisición mayoritaria de pfSense por parte de Netgate y la futura dirección del proyecto pfSense. + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten proporcionar recomendaciones objetivas. Te sugerimos que te familiarices con esta lista antes de elegir usar un proyecto, y que lleves a cabo tu propia investigación para asegurarte de que es la elección correcta para ti. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujero a cambios. Si tienes alguna duda sobre nuestros criterios, por favor [pregunta en nuestro foro](https://discuss.privacyguides.net/latest) y no asumas que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- Debe ser de código abierto. +- Debe recibir actualizaciones de manera periódica. +- Debe ser compatible con una amplia variedad de hardware. diff --git a/i18n/es/search-engines.md b/i18n/es/search-engines.md new file mode 100644 index 00000000..f140722b --- /dev/null +++ b/i18n/es/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Motores de Búsqueda" +icon: material/search-web +description: Estos motores de búsqueda respetuosos con la privacidad no construyen un perfil publicitario basado en sus búsquedas. +--- + +Utilice un motor de búsqueda que no construya un perfil publicitario basado en sus búsquedas. + +Las recomendaciones aquí se basan en los méritos de la política de privacidad de cada servicio. No hay **garantías** de que estas políticas de privacidad se respeten. + +Considere usar una [VPN](vpn.md) o [Tor](https://www.torproject.org/) si su modelo de amenaza requiere ocultar su dirección IP al proveedor de búsquedas. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** es desarrollado por Brave y ofrece resultados procedentes principalmente de su propio índice independiente. El índice está optimizado en comparación con Google Search y, por lo tanto, puede proporcionar resultados más precisos contextualmente en comparación con otras alternativas. + + Brave Search incluye funciones exclusivas como Discusiones, que destaca los resultados centrados en la conversación, como los mensajes de los foros. + + Le recomendamos que deshabilite [Estadísticas de uso anónimas](https://search.brave.com/help/usage-metrics), ya que está habilitado de forma predeterminada y se puede deshabilitar dentro de la configuración. + + [:octicons-home-16: Página Principal](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentación} + +Brave Search tiene su sede en Estados Unidos. Su [política de privacidad](https://search.brave.com/help/privacy-policy) afirma que recogen métricas de uso agregadas, que incluyen el sistema operativo y el navegador utilizados, pero no datos de identificación personal. Las direcciones IP se procesan temporalmente, pero no se conservan. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** es uno de los buscadores privados más populares. Entre las funciones de búsqueda de DuckDuckGo que merecen ser destacadas se encuentran [bangs](https://duckduckgo.com/bang) y muchas [respuestas instantáneas](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). El motor de búsqueda se basa en una API comercial de Bing para ofrecer la mayoría de los resultados, pero utiliza numerosas [otras fuentes](https://help.duckduckgo.com/results/sources/) para las respuestas instantáneas y otros resultados no primarios. + + DuckDuckGo es el motor de búsqueda por defecto del Navegador Tor y es una de las pocas opciones disponibles en el navegador Safari de Apple. + + [:octicons-home-16: Página Principal](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Politica de Privacidad" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentación} + +DuckDuckGo tiene su sede en Estados Unidos. Su [política de privacidad](https://duckduckgo.com/privacy) afirma que **registra** sus búsquedas para mejorar los productos, pero no su dirección IP ni ningún otro dato de identificación personal. + +DuckDuckGo ofrece [otras dos versiones](https://help.duckduckgo.com/features/non-javascript/) de su motor de búsqueda y ninguna de ellas requiere JavaScript. Sin embargo, estas versiones carecen de funciones. Estas versiones también pueden utilizarse junto con su dirección [Tor onion](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) añadiendo [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) o [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) según la versión. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** es un metabuscador de código abierto y autoalojable que agrega los resultados de otros motores de búsqueda sin almacenar ninguna información. Es una bifurcación de [SearX](https://github.com/searx/searx) mantenida activamente. + + [:octicons-home-16: Página Principal](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Instancias Públicos"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Código Fuente" } + +SearXNG es un proxy entre usted y los motores de búsqueda desde los que se agrega. Sus consultas seguirán siendo enviadas a los motores de búsqueda de los que SearXNG obtiene sus resultados. + +Al autoalojarse, es importante que otras personas utilicen su instancia para que las consultas se integren. Debe tener cuidado con dónde y cómo aloja SearXNG, ya que las personas que busquen contenidos ilegales en su instancia podrían atraer la atención no deseada de las autoridades. + +Cuando utilice una instancia de SearXNG, asegúrese de leer su política de privacidad. Dado que las instancias de SearXNG pueden ser modificadas por sus propietarios, no reflejan necesariamente su política de privacidad. Algunas instancias se ejecutan como un servicio oculto de Tor, lo que puede garantizar cierta privacidad siempre y cuando sus consultas de búsqueda no contengan PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** es un motor de búsqueda privado conocido por servir los resultados de búsqueda de Google. Una de las características exclusivas de Startpage es la [Vista Anónima](https://www.startpage.com/en/anonymous-view/), que se esfuerza por normalizar la actividad de los usuarios para dificultar su identificación exclusiva. Esta función puede ser útil para ocultar [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) propiedades de la red y el navegador. A diferencia de lo que sugiere su nombre, no se debe confiar en esta función para mantener el anonimato. Si busca anonimato, utilice [Tor Browser](tor.md#tor-browser) en su lugar. + + [:octicons-home-16: Página Principal](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentación} + +!!! advertencia + + Startpage limita regularmente el acceso al servicio a ciertas direcciones IP, como las IPs reservadas para VPNs o Tor. [DuckDuckGo](#duckduckgo) y [Brave Search](#brave-search) son opciones más amigables si su modelo de amenazas requiere ocultar su dirección IP al proveedor de búsquedas. + +Startpage tiene su sede en los Países Bajos. Según su [política de privacidad](https://www.startpage.com/en/privacy-policy/), registran datos como: sistema operativo, tipo de navegador e idioma. No registran su dirección IP, consultas de búsqueda u otra información de identificación personal. + +El accionista mayoritario de Startpage es System1, una empresa de tecnología publicitaria. No creemos que eso sea un problema, ya que tienen una [política de privacidad](https://system1.com/terms/privacy-policy) claramente separada. El equipo de Privacy Guides se puso en contacto con Startpage [en 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) para aclarar cualquier duda sobre la considerable inversión de System1 en el servicio. Quedamos satisfechos con las respuestas que recibimos. + +## Criterios + +**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! ejemplo "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna duda sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no hemos tenido en cuenta algo a la hora de hacer nuestras recomendaciones si no aparece aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +### Requisitos Mínimos + +- No debe recopilar información personal identificable según su política de privacidad. +- No debe permitir que los usuarios creen una cuenta con ellos. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Debe estar basado en software de código abierto. +- No debería bloquear las direcciones IP del nodo de salida de Tor. diff --git a/i18n/es/tools.md b/i18n/es/tools.md new file mode 100644 index 00000000..9e80d3c0 --- /dev/null +++ b/i18n/es/tools.md @@ -0,0 +1,477 @@ +--- +title: "Herramientas de Privacidad" +icon: material/tools +hide: + - toc +description: Privacy Guides es el sitio web más transparente y fiable para encontrar software, aplicaciones y servicios que protejan sus datos personales de los programas de vigilancia masiva y otras amenazas de Internet. +--- + +Si está buscando una solución específica para algo, estas son las herramientas de hardware y software que recomendamos en una variedad de categorías. Nuestras herramientas de privacidad recomendadas se eligen principalmente en función de sus características de seguridad, con un énfasis adicional en las herramientas descentralizadas y de código abierto. Son aplicables a una variedad de modelos de amenazas que van desde la protección contra los programas de vigilancia masiva global y la evasión de las grandes empresas tecnológicas hasta la mitigación de ataques, pero solo usted puede determinar lo que funcionará mejor según sus necesidades. + +¡Si necesita ayuda para averiguar cuáles son las mejores herramientas de privacidad y programas alternativos para sus necesidades, inicie un debate en nuestro [foro](https://discuss.privacyguides.net/) o en nuestra comunidad [Matrix](https://matrix.to/#/#privacyguides:matrix.org)! + +Para obtener más información sobre cada proyecto, por qué han sido elegidos y otros consejos o trucos que recomendamos, haga clic en el enlace "Más información" de cada sección o en la propia recomendación para acceder a la sección correspondiente de la página. + +## Red Tor + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake no aumenta la privacidad, sin embargo, le permite a usted contribuir fácilmente a la red Tor y ayudar a que la gente en redes censuradas consiga una mejor privacidad. + +[Más información :material-arrow-right-drop-circle:](tor.md) + +## Navegadores Web de Escritorio + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Más información :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Recursos Adicionales + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Más información :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Navegadores Web Para Móviles + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Más información :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Recursos Adicionales + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard para iOS](mobile-browsers.md#adguard) + +
+ +[Más información :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Sistemas Operativos + +### Móvil + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Más información :material-arrow-right-drop-circle:](android.md) + +#### Aplicaciones de Android + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Cliente de Google Play)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Perfiles de Trabajo)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Dispositivos Compatibles)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Más información :material-arrow-right-drop-circle:](android.md#general-apps) + +### Escritorio/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Distribución de MV de Xen)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Más información :material-arrow-right-drop-circle:](desktop.md) + +### Firmware del Router + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Más información :material-arrow-right-drop-circle:](router.md) + +## Proveedores de Servicios + +### Almacenamiento en la Nube + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Más información :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### Proveedores de DNS + +[Recomendamos](dns.md#recommended-providers) una serie de servidores DNS cifrados, como [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) y [Quad9](https://quad9.net/) entre otros, según varios criterios. Recomendamos que leas nuestras páginas sobre DNS antes de elegir un proveedor. En muchos casos no se recomienda utilizar un proveedor de DNS alternativo. + +[Más información :material-arrow-right-drop-circle:](dns.md) + +#### Proxies DNS Cifrados + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Más información :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Soluciones Autoalojadas + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Más información :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Correo Electrónico + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Más información :material-arrow-right-drop-circle:](email.md) + +#### Servicios de Alias de Correo Electrónico + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Más información :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Autoalojamiento de Correo Electrónico + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Más información :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Servicios Financieros + +#### Servicios de Enmascaramiento de Pagos + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Más información :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Mercados en Línea de Tarjetas Regalo + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Más información :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Motores de Búsqueda + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Más información :material-arrow-right-drop-circle:](search-engines.md) + +### Proveedores de VPN + +??? danger "Las VPNs no proporcionan anonimato" + + El uso de una VPN **no** mantendrá sus hábitos de navegación en el anonimato, ni añadirá seguridad adicional al tráfico no seguro (HTTP). + + Si está buscando **anonimato**, debería usar el navegador Tor **en lugar** de una VPN. + + Si busca mayor **seguridad**, debería asegurarse siempre de que se conecta a sitios web que utilicen HTTPS. Una VPN no sustituye las buenas prácticas de seguridad. + + [Aprende más :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Más información :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Sincronización del Calendario + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Más información :material-arrow-right-drop-circle:](calendar.md) + +### Criptomonedas + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji }[Monero](cryptocurrency.md#monero) + +
+ +[Más información :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Edición de Datos y Metadatos + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Más información :material-arrow-right-drop-circle:](data-redaction.md) + +### Clientes de Correo Electrónico + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP en correo web estándar)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Más información :material-arrow-right-drop-circle:](email-clients.md) + +### Software de Cifrado + +??? info "Cifrado de Disco del Sistema Operativo" + + Para cifrar la unidad de su sistema operativo, normalmente recomendamos utilizar cualquier herramienta de cifrado que proporcione su sistema operativo, ya sea **BitLocker** en Windows, **FileVault** en macOS, o **LUKS** en Linux. Estas herramientas están incluidas en el sistema operativo y suelen utilizar elementos de cifrado por hardware, como un TPM, que otros programas de cifrado de disco completo, como VeraCrypt, no utilizan. VeraCrypt sigue siendo adecuado para los discos que no son del sistema operativo, como las unidades externas, especialmente las unidades a las que se puede acceder desde varios sistemas operativos. + + [Más información :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Basado en el navegador)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Más información :material-arrow-right-drop-circle:](encryption.md) + +#### Clientes OpenPGP + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Más información :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Compartición y Sincronización de Archivos + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Autohosteable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Más información :material-arrow-right-drop-circle:](file-sharing.md) + +### Interfaces de usuario + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Más información :material-arrow-right-drop-circle:](frontends.md) + +### Herramientas de Autenticación de Múltiples Factores + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Más información :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Agregadores de Noticias + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Más información :material-arrow-right-drop-circle:](news-aggregators.md) + +### Blocs de Notas + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Más información :material-arrow-right-drop-circle:](notebooks.md) + +### Administradores de Contraseñas + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Más información :material-arrow-right-drop-circle:](passwords.md) + +### Herramientas de Productividad + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Autohosteable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Más información :material-arrow-right-drop-circle:](productivity.md) + +### Comunicación en Tiempo Real + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Más información :material-arrow-right-drop-circle:](real-time-communication.md) + +### Clientes de Transmisión de Vídeo + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Más información :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/es/tor.md b/i18n/es/tor.md new file mode 100644 index 00000000..1dc5efe8 --- /dev/null +++ b/i18n/es/tor.md @@ -0,0 +1,121 @@ +--- +title: "Red Tor" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Logotipo de Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +La red **Tor** es un grupo de servidores operados por voluntarios que te permite conectarte gratuitamente y mejorar tu privacidad y seguridad en Internet. Individuos y organizaciones también pueden compartir información a través de la red Tor con los "servicios ocultos .onion" sin comprometer su privacidad. Debido a que el tráfico de Tor es difícil de bloquear y rastrear, Tor es una herramienta eficaz para eludir la censura. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Página Principal} +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servicio Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentación} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Código Fuente" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir } + +Tor funciona enrutando tu tráfico de Internet a través de esos servidores operados por voluntarios, en lugar de hacer una conexión directa con el sitio que estás tratando de visitar. Esto ofusca de dónde viene el tráfico, y ningún servidor en la ruta de conexión es capaz de ver la ruta completa de dónde viene y a dónde va el tráfico, lo que significa que incluso los servidores a los que te estás conectando no pueden romper tu anonimato. + +[Descripción detallada de Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Conectándote a Tor + +Hay varias maneras de conectarte a la red Tor desde tu dispositivo, la más utilizada es **Tor Browser**, un fork de Firefox diseñado para la navegación anónima para computadoras y Android. Además de las aplicaciones enumeradas a continuación, también hay sistemas operativos diseñados específicamente para conectarse a la red Tor, como [Whonix](desktop.md#whonix) en [Qubes OS](desktop.md#qubes-os), que proporcionan incluso mayor seguridad y protección que el Navegador Tor estándar. + +### Tor Browser + +!!! recommendation + + ![Logo del Navegador Tor](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** es la elección si necesitas anonimato, ya que te proporciona acceso a la red de Tor y puentes, e incluye ajustes por defecto y extensiones que estan configuradas automáticamente a los niveles de seguridad por defecto: *Estándar*, *Más seguro* y *Más seguro de todos*. + + [:octicons-home-16: Página Principal](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servicio Onion" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentación } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + - [:simple-openbsd: OpenBSD](https://openports.se/net/tor) + - [:simple-netbsd: NetBSD](https://pkgsrc.se/net/tor) + +!!! danger "Peligro" + + **Nunca** deberías instalar ninguna extensión adicional en el Navegador Tor, ni siquiera las que sugerimos para Firefox. Las extensiones del navegador y las configuraciones no estándar te hacen destacar de los demás en la red Tor, haciendo así que tu navegador sea más fácil de [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +El navegador Tor está diseñado para evitar la toma de huellas dactilares o tu identificación basado en la configuración de tu navegador. Por lo tanto, es imperativo que **no** modifiques el navegador más allá de los [niveles de seguridad](https://tb-manual.torproject.org/security-settings/) predeterminados. + +### Perfiles de usuario + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** es una VPN de Tor gratuita para smartphones que enruta el tráfico desde cualquier aplicación en tu dispositivo a través de la red Tor. + + [:octicons-home-16: Página Principal](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Política de Privacidad" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentación} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Consejos para Android" + + Orbot puede hacer de proxy de aplicaciones individuales si soportan SOCKS o proxy HTTP. También puede hacer un proxy de todas sus conexiones de red usando [VpnService](https://developer.android.com/reference/android/net/VpnService) y se puede usar con el killswitch VPN en :gear: * * Configuración → ** *Red e Internet* → **VPN** → :gear: → **Bloquear conexiones sin VPN**. + + Orbot suele estar desactualizado en el [repositorio F-Droid](https://guardianproject.info/fdroid) de Guardian Project y en [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), así que considera descargarlo directamente desde el [repositorio GitHub](https://github.com/guardianproject/orbot/releases). + + Todas las versiones están firmadas con la misma firma, por lo que deberían ser compatibles entre sí. + +## Relés y puentes + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** te permite donar ancho de banda al Proyecto Tor operando un "proxy Snowflake" dentro de tu navegador. + + Las personas censuradas pueden utilizar proxies Snowflake para conectarse a la red Tor. Snowflake es una gran forma de contribuir a la red incluso si no tienes los conocimientos técnicos para dirigir un repetidor o puente Tor. + + [:octicons-home-16: Página Principal](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentación} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Código Fuente" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuir } + + ??? downloads "Descargas" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Snowflake incrustado" + + Puedes activar Snowflake en tu navegador haciendo clic en el interruptor de abajo y ==dejando esta página abierta==. También puedes instalar Snowflake como una extensión del navegador para que se ejecute siempre mientras el navegador está abierto, aunque añadir extensiones de terceros puede aumentar tu superficie de ataque. + +
+ Si la incrustación no te aparece, asegúrate de que no estés bloqueando el marco de terceros de `torproject.org`. También puede visitar [esta página](https://snowflake.torproject.org/embed.html). + +Snowflake no aumenta tu privacidad de ninguna manera, ni se utiliza para conectarte a la red Tor dentro de tu navegador personal. Sin embargo, si tu conexión a Internet no está censurada, deberías ejecutarlo para ayudar a las personas en redes censuradas a conseguir mejor privacidad. No hay necesidad de preocuparte por los sitios web a los que la gente accede a través de tu proxy-su dirección IP de navegación visible coincidirá con su nodo de salida Tor, no con el tuyo. + +Ejecutar un proxy Snowflake es de bajo riesgo, incluso más que ejecutar un relé Tor o un puente ya que no son esfuerzos particularmente arriesgados. Sin embargo, no deja de ser un proxy de tráfico a través de tu red, lo que puede tener consecuencias en algunos aspectos, especialmente si tu red tiene un ancho de banda limitado. Asegúrate de que entiendes [cómo funciona Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) antes de decidir si ejecutas un proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/es/video-streaming.md b/i18n/es/video-streaming.md new file mode 100644 index 00000000..99570a06 --- /dev/null +++ b/i18n/es/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Transmisiones en Vivo" +icon: material/video-wireless +description: Estas redes le permiten transmitir contenidos de Internet sin crear un perfil publicitario basado en sus intereses. +--- + +La principal amenaza al utilizar una plataforma de streaming es que sus hábitos de streaming y sus suscripciones podrían utilizarse para elaborar un perfil. Deberías combinar estas herramientas con un [VPN](vpn.md) o [Tor](https://www.torproject.org/) para hacer más difícil la recolección de tu perfil. + +## LBRY + +!!! recommendation + + ![Logo LBRY](assets/img/video-streaming/lbry.svg){ align=right } + + **La red LBRY** es una red de intercambio de vídeo descentralizada. Usa una red tipo [BitTorrent](https://wikipedia.org/wiki/BitTorrent) para almacenar el contenido de los vídeos, y una [blockchain](https://wikipedia.org/wiki/Blockchain) para almacenar los índices de esos vídeos. La principal ventaja de este diseño es la resistencia a la censura. + + **El cliente de escritorio LBRY** te ayuda a transmitir vídeos desde la red LBRY y almacena tu lista de suscripción en tu propia billetera LBRY. + + [:octicons-home-16: Inicio](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Código fuente" } + + ??? Descargas + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! nota + + Solo se recomienda el **cliente de escritorio LBRY**, ya que el sitio web [Odysee](https://odysee.com) y los clientes LBRY en F-Droid, Play Store y App Store tienen sincronización y telemetría obligatorias. + +!!! warning "Advertencia" + + Mientras ve y aloja vídeos, su dirección IP es visible para la red LBRY. Considera la posibilidad de utilizar un [VPN](vpn.md) o [Tor](https://www.torproject.org) si tu [modelo de amenaza](basics/threat-modeling.md) requiere ocultar tu dirección IP. + +Recomendamos **no** sincronizar tu monedero con LBRY Inc, ya que la sincronización de monederos encriptados no es compatible todavía. Si sincronizas tu wallet con LBRY Inc. tendrás que confiar que ellos no mirarán tu lista de suscripciones, tus fondos [LBC](https://lbry.com/faq/earn-credits) o tomen el control de tu canal. + +Puedes desactivar la opción *Guardar datos de alojamiento para ayudar a la red LBRY* en :gear: **Ajustes** → **Ajustes avanzados**, para evitar exponer tu dirección IP y los vídeos vistos cuando utilices LBRY durante un periodo de tiempo prolongado. + +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. + +!!! example "Esta sección es nueva" + + Estamos trabajando en establecer criterios definidos para cada sección de nuestra página, y esto puede estar sujeto a cambios. Si tiene alguna pregunta sobre nuestros criterios, por favor [pregunte en nuestro foro](https://discuss.privacyguides.net/latest) y no asuma que no consideramos algo al hacer nuestras recomendaciones, si no se encuentra listado aquí. Son muchos los factores que se tienen en cuenta y se debaten cuando recomendamos un proyecto, y documentar cada uno de ellos es un trabajo en curso. + +- No debe requerir una cuenta centralizada para ver los vídeos. + - La autenticación descentralizada, como por ejemplo a través de la clave privada de un monedero móvil, es aceptable. diff --git a/i18n/es/vpn.md b/i18n/es/vpn.md new file mode 100644 index 00000000..12e239d0 --- /dev/null +++ b/i18n/es/vpn.md @@ -0,0 +1,329 @@ +--- +title: "Servicios de VPN" +icon: material/vpn +description: Estos son los mejores servicios VPN para proteger tu privacidad y seguridad en línea. Encuentra un proveedor aquí que no esté para espiarte. +--- + +Si buscas **privacidad** adicional de tu proveedor de servicios de internet, en una red wifi pública o mientras descargando archivos Torrent, una VPN puede ser la solución para ti, siempre y cuando entiendas los riesgos que conlleva. Creemos que estos proveedores están por encima de los demás: + +
+ +- ![Logo IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![logotipo VPN de Proton](assets/img/vpn/protonvpn.svg){ .twemoji } [VPN de Proton](#proton-vpn) + +
+ +!!! danger "Las VPNs no proporcionan anonimato" + + El uso de una VPN **no** mantendrá sus hábitos de navegación en el anonimato, ni añadirá seguridad adicional al tráfico no seguro (HTTP). + + Si está buscando **anonimato**, debería usar el navegador Tor **en lugar** de una VPN. + + Si busca mayor **seguridad**, debería asegurarse siempre de que se conecta a sitios web que utilicen HTTPS. Una VPN no sustituye las buenas prácticas de seguridad. + + [Descargar Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos de Tor & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button } + +[Resumen detallado de VPN :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Proveedores Recomendados + +Nuestros proveedores recomendados usan encriptación, aceptan Monero, soportan WireGuard & OpenVPN, y tienen una política de no registro. Lee nuestra [lista completa de criterios](#criteria) para más información. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **IVPN** es un fuerte contendiente en el espacio de las VPNs, y ha estado en funcionamiento desde 2009. IVPN es basado en Gibraltar. + + [:octicons-home-16: Página de inicio](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Países + +IVPN tiene servidores [en 35 países](https://www.ivpn.net/server-locations).(1) Elegiendo un proveedor de VPN con un servidor más cercano de ti reducirá la latencia del tráfico de red que envíes. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino. +{ .annotate } + +1. Última comprobación: 2022-09-16 + +También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [[servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Auditado independientemente + +IVPN se ha sometido a una auditoría de no-registrar en [por parte de Cure53](https://cure53.de/audit-report_ivpn.pdf) que concluyó de acuerdo con la afirmación de no-registrar de IVPN. IVPN también ha completado una [prueba de penetración exhaustiva Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) en enero de 2020. IVPN también ha dicho que tiene previsto tener [informes anuales](https://www.ivpn.net/blog/independent-security-audit-concluded) en el futuro. Se realizó una revisión adicional [en abril de 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) y fue producida por Cure53 [en su sitio web](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Clientes de código abierto + +A partir de febrero de 2020 [Las aplicaciones IVPN ya son de código abierto](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). El código fuente puede ser obtenido en su [organización GitHub](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Acepta Efectivo y Monero + +Además de aceptar tarjetas de crédito/débito y PayPal, IVPN acepta Bitcoin, **Monero** y **efectivo/moneda local** (en planes anuales) como formas anónimas de pago. + +#### :material-check:{ .pg-green } Soporte de WireGuard + +IVPN soporta el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más nuevo que utiliza criptografía de última generación [](https://www.wireguard.com/protocol/). Además, WireGuard aspira ser más simple y veloz. + +IVPN [recomienda](https://www.ivpn.net/wireguard/) el uso de WireGuard con su servicio y, como tal, el protocolo es el predeterminado en todas las aplicaciones de IVPN. IVPN también ofrece un generador de configuración de WireGuard para utilizarlo con las [apps](https://www.wireguard.com/install/) oficiales. + +#### :material-check:{ .pg-green } Reenvío Remoto de Puertos + +El reenvío remoto de puertos [](https://en.wikipedia.org/wiki/Port_forwarding) es posible con un plan Pro. Redirección de puertos [puede ser activada](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) a través del client area. La redirección de puertos solo está disponible en IVPN cuando se utilizan los protocolos WireGuard u OpenVPN y está [deshabilitada en los servidores de Estados Unidos](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Clientes Móviles + +Además de proporcionar los archivos de configuración estándar de OpenVPN, IVPN tiene clientes móviles para [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), y [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client) y[GitHub](https://github.com/ivpn/android-app/releases) que permiten conexiones fáciles a sus servidores. + +#### :material-information-outline:{ .pg-blue } Funcionalidad Adicional + +Proton VPN tiene sus propios servidores y centros de datos en Suiza, Islandia y Suecia. IVPN también proporciona la funcionalidad "[AntiTracker](https://www.ivpn.net/antitracker)", que bloquea las redes publicitarias y los rastreadores al nivel de la red. + +### Mullvad + +!!! recommendation + + ![Logo de Mullvad](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** es una VPN rápida y económica que se centra en la transparencia y la seguridad. Llevan en funcionamiento desde **2009**. Mullvad tiene su sede en Suecia y no tiene prueba gratuita. + + [:octicons-home-16: Página de inicio](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Servicio Onion" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Países + +IVPN tiene servidores [en 41 países](https://mullvad.net/servers/).(1) Elegiendo un proveedor de VPN con un servidor más cercano de ti reducirá la latencia del tráfico de red que envíes. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino. +{ .annotate } + +1. Última comprobación: 2023-01-19 + +También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [[servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Auditado independientemente + +Los clientes VPN de Mullvad han sido auditados por Cure53 y Assured AB en un reporte de prueba de penetración [publicado en cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Los investigadores de seguridad concluyeron: + +> Cure53 y Assured AB están satisfechos con los resultados de la auditoría y el software deja una impresión general positiva. Con la dedicación a la seguridad del equipo interno de Mullvad VPN, los comprobadores no tienen dudas de que el proyecto va por buen camino desde el punto de vista de la seguridad. + +En 2020 una segunda auditoría [fue anunciada](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) y el [informe final de auditoríase](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) fue hecho disponible en la página de Cure53: + +> Los resultados del proyecto de mayo-junio de 2020 dirigido al complejo de Mullvad son bastante positivos. [...] El ecosistema general de aplicaciones utilizado por Mullvad deja una impresión sólida y estructurada. La estructura general de la aplicación facilita el despliegue de parches y correcciones de forma estructurada. Más que nada, los hallazgos detectados por Cure53 muestran la importancia de auditar y reevaluar constantemente los vectores de filtración actuales, para garantizar siempre la privacidad de los usuarios finales. Dicho esto, Mullvad hace un gran trabajo protegiendo al usuario final de las filtraciones comunes de Información personalmente identificable y de los riesgos relacionados con la privacidad. + +En 2021 [se anunció](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) una auditoría de infraestructuras y el [informe final de auditoría](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) se publicó en el sitio web de Cure53. Otro informe se encargó a [en junio de 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) y está disponible en [la web de Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Clientes de Código Abierto + +Mullvad proporciona el código fuente para sus clientes de escritorio y móviles en su [organización de GitHub](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Acepta Efectivo y Monero + +Mullvad, además de aceptar tarjetas de crédito/débito y PayPal, acepta Bitcoin, Bitcoin Cash, **Monero** y **dinero en efectivo/moneda local** como formas de pago anónimas. \[WireGuard\](https://www.wireguard.com) es un protocolo más reciente que utiliza \[criptografía\](https://www.wireguard.com/protocol/) de última generación. + +#### :material-check:{ .pg-green } Soporte de WireGuard + +IVPN soporta el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más nuevo que utiliza criptografía de última generación [](https://www.wireguard.com/protocol/). Además, WireGuard aspira ser más simple y veloz. + +Mullvad [recomienda a](https://mullvad.net/en/help/why-wireguard/) el uso de WireGuard con su servicio. Es el protocolo predeterminado o único en las aplicaciones Android, iOS, macOS y Linux de Mullvad, pero en Windows debe [habilitar manualmente](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad también ofrece un generador de configuraciones WireGuard para su uso con las [aplicaciones](https://www.wireguard.com/install/) oficiales de WireGuard. + +#### :material-check:{ .pg-green } Soporte de IPv6 + +Mullvad soporta el futuro de la red [IPv6](https://en.wikipedia.org/wiki/IPv6). Su red permite [acceder a servicios alojados en IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/), a diferencia de otros proveedores que bloquean las conexiones IPv6. + +#### :material-check:{ .pg-green } Reenvío Remoto de Puertos + +Se permite el [reenvío remoto de puertos](https://en.wikipedia.org/wiki/Port_forwarding) para personas que realizan pagos de una sola vez, pero no para cuentas con un método de pago recurrente y basado en suscripción. La aplicación móvil en Android también está disponible en \[F-Droid\](https://f-droid.org/en/packages/net.ivpn.client), lo que garantiza que se compila con \[builds reproducibles\](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). Consulte [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) para obtener más información. + +#### :material-check:{ .pg-green } Clientes Móviles + +Mullvad ha publicado los clientes en [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) y [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), ambos con una interfaz fácil de usar en lugar de tener que configurar manualmente la conexión WireGuard. El cliente de Android también está disponible en [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Funcionalidad Adicional + +Mullvad es muy transparente sobre los nodos que [posee o alquila](https://mullvad.net/en/servers/). Utilizan [ShadowSocks](https://shadowsocks.org/) en su configuración ShadowSocks + OpenVPN, haciéndolos más resistentes contra cortafuegos con [Inspección de paquetes profundos](https://en.wikipedia.org/wiki/Deep_packet_inspection) intentando bloquear VPNs. Supuestamente, [China tiene que utilizar un método diferente para bloquear los servidores de ShadowSocks](https://github.com/net4people/bbs/issues/22). El sitio web de Mullvad también es accesible a través de Tor en [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Logo de Proton VPN](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** es un fuerte contendiente en el espacio VPN, y han estado en funcionamiento desde 2016. Proton AG tiene su sede en Suiza y ofrece un nivel gratuito limitado, así como una opción premium con más funciones. + + [:octicons-home-16: Página de inicio](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Politica de privacidad" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentación} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Código fuente" } + + ??? downloads "Descargas" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Países + +Proton VPN tiene [servidores en 67 países](https://protonvpn.com/vpn-servers).(1) Elegir un proveedor VPN con un servidor más cercano reducirá la latencia del tráfico de red que envía. Esto se debe a que es una ruta más corta (menos saltos) hasta el destino. +{ .annotate } + +1. Última comprobación: 2022-09-16 + +También pensamos que es mejor para la seguridad de las claves privadas del proveedor de VPN si utilizan [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), en lugar de soluciones compartidas más baratas (con otros clientes) como los [[servidores privados virtuales](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Auditado Independientemente + +Los clientes VPN de Mullvad han sido auditados por Cure53 y Assured AB en un reporte de pentest \[publicado en cure53.de\](https://cure53.de/pentest-report_mullvad_v2.pdf). Los investigadores de seguridad concluyeron: + +> Cure53 y Assured AB están satisfechos con los resultados de la auditoría y el software deja una impresión positiva en general. Con la dedicación a la seguridad del equipo interno de Mullvad VPN, los testers no tienen dudas de que el proyecto va por buen camino desde el punto de vista de la seguridad. Puedes ver informes individuales para cada plataforma en [protonvpn.com](https://protonvpn.com/blog/open-source/). En abril de 2022, Proton VPN se sometió a [otra auditoría](https://protonvpn.com/blog/no-logs-audit/) y el informe fue [elaborado por Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). El 9 de noviembre de 2021, [Securitum](https://research.securitum.com)proporcionó una carta de certificación [](https://proton.me/blog/security-audit-all-proton-apps) para las aplicaciones de Proton VPN. + +#### :material-check:{ .pg-green } Clientes de Código Abierto + +Proton VPN proporciona el código fuente para sus clientes de escritorio y móviles en su organización [GitHub](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Acepta efectivo + +Proton VPN, además de aceptar tarjetas de crédito/débito, PayPal y [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), también acepta **efectivo/moneda local** como forma de pago anónima. + +#### :material-check:{ .pg-green } Soporte de WireGuard + +Mullvad soporta el protocolo WireGuard®. [WireGuard](https://www.wireguard.com) es un protocolo más nuevo que utiliza criptografía de última generación [](https://www.wireguard.com/protocol/). Además, WireGuard aspira ser más simple y veloz. + +Proton VPN [recomienda](https://protonvpn.com/blog/wireguard/) el uso de WireGuard con su servicio. En las aplicaciones de Proton VPN para Windows, macOS, iOS, Android, ChromeOS y Android TV, WireGuard es el protocolo predeterminado; sin embargo, [la compatibilidad](https://protonvpn.com/support/how-to-change-vpn-protocols/) para el protocolo no está presente en su aplicación para Linux. + +#### :material-alert-outline:{ .pg-orange } Reenvío Remoto de Puertos + +Actualmente, Proton VPN solo admite el [ reenvío remoto del puerto](https://protonvpn.com/support/port-forwarding/) en Windows, lo que puede afectar a algunas aplicaciones. Su red permite \[acceder a servicios alojados en IPv6\](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) a diferencia de otros proveedores que bloquean las conexiones IPv6. + +#### :material-check:{ .pg-green } Clientes Móviles + +Además de proporcionar archivos de configuración estándar de OpenVPN, Proton VPN tiene clientes móviles para [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US)y [GitHub](https://github.com/ProtonVPN/android-app/releases), lo que permite conexiones fáciles a sus servidores. + +#### :material-information-outline:{ .pg-blue } Funcionalidad Adicional + +Mullvad ha publicado su cliente en la \[App Store\](https://apps.apple.com/app/mullvad-vpn/id1488466513) y en \[Google Play\](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), ambos con una interfaz fácil de usar en lugar de requerir la configuración manual de la conexión de WireGuard. El cliente móvil en Android también está disponible en \[F-Droid\](https://f-droid.org/packages/net.mullvad.mullvadvpn), lo que garantiza que se compila con \[builds reproducibles\](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). Ofrecen bloqueo de anuncios y de dominios con malware conocido con su servicio de DNS. Además, Proton VPN también ofrece servidores "Tor" que te permiten conectarte fácilmente a sitios.onion, pero seguimos recomendando encarecidamente utilizar [el Navegador Tor oficial](https://www.torproject.org/) para este propósito. + +#### :material-alert-outline:{ .pg-orange } La función Killswitch no funciona en los Macs basados en Intel + +Los fallos del sistema [pueden ocurrir](https://protonvpn.com/support/macos-t2-chip-kill-switch/) en Macs basados en Intel cuando se utiliza el killswitch de VPN. Utilizan \[ShadowSocks\](https://shadowsocks.org/en/index.html) en su configuración de ShadowSocks + OpenVPN, lo que les hace más resistentes contra los cortafuegos con \[Inspección profunda de paquete\](https://es.wikipedia.org/wiki/Deep_Packet_Inspection) que intentan bloquear las VPN. + +## Criterios + +!!! danger "Peligro" + + Es importante tener en cuenta que el uso de un proveedor de VPN no le hará anónimo, pero le dará mayor privacidad en ciertas situaciones. Una VPN no es una herramienta para actividades ilegales. No confíes en una política de "sin registro". + +**Por favor, tenga en cuenta que no estamos afiliados a ninguno de los proveedores que recomendamos. Esto nos permite ofrecer recomendaciones completamente objetivas.** Además de [nuestros cirterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos para cualquier proveedor de VPN que desee ser recomendado, incluyendo un cifrado fuerte, auditorías de seguridad independientes, tecnología moderna y más. Te sugerimos que te familiarices con esta lista antes de elegir un proveedor VPN, y lleves a cabo tu propia investigación para asegurar que el proveedor VPN que elijas sea lo más fiable posible. + +### Tecnología + +Requerimos que todos nuestros proveedores de VPN recomendados proporcionen archivos de configuración OpenVPN para ser usados en cualquier cliente. **Si** una VPN proporciona su propio cliente personalizado, requerimos un killswitch para bloquear las fugas de datos de la red cuando se desconecta. + +**Mínimo para Calificar:** + +- Soporte para protocolos fuertes como WireGuard & OpenVPN. +- Killswitch integrado en los clientes. +- Soporte de multisaltos. El multihopping es importante para mantener la privacidad de los datos en caso de que un solo nodo se vea comprometido. +- Si se proporciona clientes VPN, deben ser [de código abierto](https://en.wikipedia.org/wiki/Open_source), como el software VPN que generalmente llevan incorporado. Creemos que la disponibilidad de [código fuente](https://en.wikipedia.org/wiki/Source_code) proporciona una mayor transparencia sobre lo que su dispositivo está haciendo realmente. + +**Mejor Caso:** + +- Soporte de WireGuard y OpenVPN. +- Killswitch con opciones altamente configurables (activar/desactivar en determinadas redes, en el arranque, etc.) +- Clientes VPN fáciles de usar +- Admite [IPv6](https://en.wikipedia.org/wiki/IPv6). Esperamos que los servidores permitan las conexiones entrantes a través de IPv6 y le permitan acceder a los servicios alojados en direcciones IPv6. +- La capacidad de [redirección de puertos](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) ayuda a crear conexiones cuando se utiliza software de intercambio de archivos P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)), Freenet, o se aloja un servidor (por ejemplo, Mumble). + +### Privacidad + +Preferimos que nuestros proveedores recomendados recojan la menor cantidad de datos posible. Es necesario no recoger información personal en el momento de la inscripción y aceptar formas de pago anónimas. + +**Mínimo para Calificar:** + +- [Criptomoneda anónima](cryptocurrency.md) **o** opción de pago en efectivo. +- No se requiere información personal para registrarse: Sólo nombre de usuario, contraseña y correo electrónico como máximo. + +**Mejor Caso:** + +- Acepte múltiples [opciones de pago anónimo](advanced/payments.md). +- No se acepten datos personales (nombre de usuario autogenerado, no se requiere correo electrónico, etc.). + +### Seguridad + +Una VPN no tiene sentido si ni siquiera puede proporcionar una seguridad adecuada. Requerimos que todos nuestros proveedores recomendados que se atengan a las normas de seguridad vigentes para sus conexiones OpenVPN. Lo ideal sería que utilizaran por defecto esquemas de encriptación más resistentes al futuro. También requerimos que un tercero independiente audite la seguridad del proveedor, idealmente de una manera muy completa y sobre una base repetida (anual). + +**Mínimo para Calificar:** + +- Esquemas de cifrado fuertes: OpenVPN con autenticación SHA-256; RSA-2048 o mejor handshake; AES-256-CBC o cifrado de datos AES-256-GCM. +- Perfect Forward Secrecy (PFS). +- Auditorías de seguridad publicadas por una empresa externa de prestigio. + +**Mejor Caso:** + +- Cifrado más fuerte: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Auditorías de seguridad exhaustivas publicadas por una empresa externa de prestigio. +- Programas de recompensa de errores y/o un proceso coordinado de divulgación de vulnerabilidades. + +### Confianza + +No confiarías tus finanzas a alguien con una identidad falsa, así que ¿por qué confiarle tus datos de Internet? Requerimos que nuestros proveedores recomendados sean públicos sobre su propiedad o liderazgo. También nos gustaría ver informes de transparencia frecuentes, especialmente en lo que se refiere a cómo se gestionan las solicitudes del gobierno. + +**Mínimo para Calificar:** + +- Liderazgo o titularidad de cara al público. + +**Mejor Caso:** + +- Liderazgo de cara al público. +- Informes de transparencia frecuentes. + +### Marketing + +Con los proveedores de VPN que recomendamos nos gusta ver un marketing responsable. + +**Mínimo para Calificar:** + +- Debe tener análisis propios (no Google Analytics, etc.). El sitio del proveedor también debe cumplir con [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) para las personas que quieran excluirse. + +No debe tener ningún mercadeo que sea irresponsable: + +- Haciendo garantías de proteger el anonimato al 100%. Cuando alguien afirma que algo es 100% significa que no hay certeza de fracaso. Sabemos que la gente puede desanonimizarse fácilmente de varias maneras, por ejemplo: + - Reutilizando información personal (por ejemplo, cuentas de correo electrónico, seudónimos únicos, etc) a los que accedieron sin software de anonimato (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Afirmar que una VPN de un solo circuito es "más anónima" que Tor, el cual es un circuito de 3 o más saltos que cambia regularmente. +- Utilice un lenguaje responsable, por ejemplo, está bien decir que una VPN está "desconectada" o "no conectada", pero afirmar que alguien está "expuesto", "vulnerable" o "comprometido" es un uso innecesario de un lenguaje alarmante que puede ser incorrecto. Por ejemplo, esa persona podría simplemente estar en el servicio de otro proveedor de VPN o usar Tor. + +**Mejor Caso:** + +El marketing responsable que es a la vez educativo y útil para el consumidor podría incluir: + +- Una comparación precisa para cuando se debe utilizar Tor u otras [redes autónomas](self-contained-networks.md). +- Disponibilidad del sitio web del proveedor de VPN a través de un .onion [Hidden Service](https://es.wikipedia.org/wiki/.onion) + +### Funcionalidad Adicional + +Aunque no son estrictamente requisitos, hay algunos factores en los que nos fijamos a la hora de determinar qué proveedores recomendar. Entre ellas, la funcionalidad de bloqueo de anuncios/rastreo, los alertas de canarios(warrant canaries), las conexiones multihop, la excelente atención al cliente, el número de conexiones simultáneas permitidas, etc. diff --git a/i18n/fa/404.md b/i18n/fa/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/fa/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/fa/CODE_OF_CONDUCT.md b/i18n/fa/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/fa/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/fa/about/criteria.md b/i18n/fa/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/fa/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/fa/about/donate.md b/i18n/fa/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/fa/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/fa/about/index.md b/i18n/fa/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/fa/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/fa/about/notices.md b/i18n/fa/about/notices.md new file mode 100644 index 00000000..66802656 --- /dev/null +++ b/i18n/fa/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## سلب مسئولیت حقوقی + +Privacy Guides(راهنمای حفظ حریم خصوصی) یک شرکت حقوقی نیست. به این ترتیب، که وب سایت راهنمای حریم خصوصی و مشارکت کنندگان . مشاوره حقوقی ارائه نمی دهند. مطالب و توصیه‌های موجود در وب‌سایت و راهنماهای ما به منزله مشاوره حقوقی نیست و مشارکت در وب‌سایت یا برقراری ارتباط با راهنمای حریم خصوصی یا سایر مشارکت‌کنندگان در مورد وب‌سایت ما باعث ایجاد رابطه وکیل و مشتری نمی‌شود. + +راه اندازی این وب سایت، مانند هر تلاش انسانی، مستلزم عدم اطمینان و مبادله است. امیدواریم این وب سایت به شما کمک کند، اما ممکن است شامل اشتباهاتی باشد و نتواند به هر موقعیتی رسیدگی کند. اگر در مورد وضعیت خود سؤالی دارید، ما شما را تشویق می‌کنیم که تحقیقات خود را انجام دهید، کارشناسان دیگر را جستجو کنید و با انجمن راهنماهای حریم خصوصی وارد بحث شوید. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/fa/about/privacy-policy.md b/i18n/fa/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/fa/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/fa/about/privacytools.md b/i18n/fa/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/fa/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/fa/about/services.md b/i18n/fa/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/fa/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/fa/about/statistics.md b/i18n/fa/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/fa/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/fa/advanced/communication-network-types.md b/i18n/fa/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/fa/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/fa/advanced/dns-overview.md b/i18n/fa/advanced/dns-overview.md new file mode 100644 index 00000000..95a4ee11 --- /dev/null +++ b/i18n/fa/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +[سیستم نام دامنه (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) 'دفترچه تلفن اینترنت' است. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## دی ان اس DNS چیست؟ + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/fa/advanced/payments.md b/i18n/fa/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/fa/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/fa/advanced/tor-overview.md b/i18n/fa/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/fa/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/fa/android.md b/i18n/fa/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/fa/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/fa/assets/img/account-deletion/exposed_passwords.png b/i18n/fa/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/fa/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/fa/assets/img/android/rss-apk-dark.png b/i18n/fa/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/fa/assets/img/android/rss-apk-light.png b/i18n/fa/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-apk-light.png differ diff --git a/i18n/fa/assets/img/android/rss-changes-dark.png b/i18n/fa/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/fa/assets/img/android/rss-changes-light.png b/i18n/fa/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/fa/assets/img/android/rss-changes-light.png differ diff --git a/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-encryption.svg b/i18n/fa/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg b/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/how-tor-works/tor-path.svg b/i18n/fa/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/fa/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fa/assets/img/multi-factor-authentication/fido.png b/i18n/fa/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/fa/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/fa/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/fa/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fa/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/fa/basics/account-creation.md b/i18n/fa/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/fa/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/fa/basics/account-deletion.md b/i18n/fa/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/fa/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/fa/basics/common-misconceptions.md b/i18n/fa/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/fa/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/fa/basics/common-threats.md b/i18n/fa/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/fa/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/fa/basics/email-security.md b/i18n/fa/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/fa/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/fa/basics/multi-factor-authentication.md b/i18n/fa/basics/multi-factor-authentication.md new file mode 100644 index 00000000..2f6a7b55 --- /dev/null +++ b/i18n/fa/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## توصیه‌های عمومی + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/fa/basics/passwords-overview.md b/i18n/fa/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/fa/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/fa/basics/threat-modeling.md b/i18n/fa/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/fa/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/fa/basics/vpn-overview.md b/i18n/fa/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/fa/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/fa/calendar.md b/i18n/fa/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/fa/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/fa/cloud.md b/i18n/fa/cloud.md new file mode 100644 index 00000000..645dbc8d --- /dev/null +++ b/i18n/fa/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? توصیه شده + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/fa/cryptocurrency.md b/i18n/fa/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/fa/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/fa/data-redaction.md b/i18n/fa/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/fa/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/fa/desktop-browsers.md b/i18n/fa/desktop-browsers.md new file mode 100644 index 00000000..962b5ec4 --- /dev/null +++ b/i18n/fa/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### فایرفاکس Firefox + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### افزونه‌ها + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### فایرفاکس Firefox + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### افزونه‌ها + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/fa/desktop.md b/i18n/fa/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/fa/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/fa/dns.md b/i18n/fa/dns.md new file mode 100644 index 00000000..a8cc21da --- /dev/null +++ b/i18n/fa/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/fa/email-clients.md b/i18n/fa/email-clients.md new file mode 100644 index 00000000..b9f5dd7d --- /dev/null +++ b/i18n/fa/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### فایرفاکس Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/fa/email.md b/i18n/fa/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/fa/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/fa/encryption.md b/i18n/fa/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/fa/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/fa/file-sharing.md b/i18n/fa/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/fa/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/fa/financial-services.md b/i18n/fa/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/fa/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/fa/frontends.md b/i18n/fa/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/fa/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/fa/index.md b/i18n/fa/index.md new file mode 100644 index 00000000..fdb434f7 --- /dev/null +++ b/i18n/fa/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.fa.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/fa/kb-archive.md b/i18n/fa/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/fa/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/fa/meta/brand.md b/i18n/fa/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/fa/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/fa/meta/git-recommendations.md b/i18n/fa/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/fa/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/fa/meta/uploading-images.md b/i18n/fa/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/fa/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/fa/meta/writing-style.md b/i18n/fa/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/fa/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/fa/mobile-browsers.md b/i18n/fa/mobile-browsers.md new file mode 100644 index 00000000..76bb9f46 --- /dev/null +++ b/i18n/fa/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### فایرفاکس Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### فایرفاکس Firefox + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/fa/multi-factor-authentication.md b/i18n/fa/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/fa/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/fa/news-aggregators.md b/i18n/fa/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/fa/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/fa/notebooks.md b/i18n/fa/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/fa/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/fa/os/android-overview.md b/i18n/fa/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/fa/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/fa/os/linux-overview.md b/i18n/fa/os/linux-overview.md new file mode 100644 index 00000000..638c7927 --- /dev/null +++ b/i18n/fa/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## توصیه‌های عمومی + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/fa/os/qubes-overview.md b/i18n/fa/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/fa/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/fa/passwords.md b/i18n/fa/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/fa/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/fa/productivity.md b/i18n/fa/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/fa/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/fa/real-time-communication.md b/i18n/fa/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/fa/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/fa/router.md b/i18n/fa/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/fa/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/fa/search-engines.md b/i18n/fa/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/fa/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/fa/tools.md b/i18n/fa/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/fa/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/fa/tor.md b/i18n/fa/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/fa/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/fa/video-streaming.md b/i18n/fa/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/fa/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/fa/vpn.md b/i18n/fa/vpn.md new file mode 100644 index 00000000..6bba2546 --- /dev/null +++ b/i18n/fa/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/fr/404.md b/i18n/fr/404.md new file mode 100644 index 00000000..ea9af6fb --- /dev/null +++ b/i18n/fr/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Page introuvable + +Nous n'avons pas pu trouver la page que vous recherchiez ! Peut-être recherchiez-vous l'une d'entre elles ? + +- [Introduction à la modélisation des menaces](basics/threat-modeling.md) +- [Fournisseurs DNS recommandés](dns.md) +- [Les meilleurs navigateurs web pour ordinateurs de bureau](desktop-browsers.md) +- [Les meilleurs fournisseurs de VPN](vpn.md) +- [Le forum de Privacy Guides](https://discuss.privacyguides.net) +- [Notre blog](https://blog.privacyguides.org) diff --git a/i18n/fr/CODE_OF_CONDUCT.md b/i18n/fr/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88e156d7 --- /dev/null +++ b/i18n/fr/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Code de conduite communautaire + +**Nous nous engageons** à faire de notre communauté une expérience sans harcèlement pour tous. + +**Nous nous efforçons** de créer un environnement positif, en utilisant un langage accueillant et inclusif, et en étant respectueux des points de vue des autres. + +**Nous n'autorisons pas** un comportement inapproprié ou autrement inacceptable, tel qu'un langage sexualisé, des commentaires trolls et insultants, ou toute autre promotion de l'intolérance ou du harcèlement. + +## Normes communautaires + +Ce que nous attendons des membres de nos communautés : + +1. **Ne diffusez pas de fausses informations** + + Nous créons une communauté éducative fondée sur des preuves en matière de confidentialité et de sécurité de l'information, et non un foyer pour les théories du complot. Par exemple, lorsque vous affirmez qu'un certain logiciel est malveillant ou que certaines données de télémétrie portent atteinte à la vie privée, expliquez en détail ce qui est collecté et comment. Les affirmations de cette nature doivent être étayées par des preuves techniques. + +1. **N'abusez pas de notre volonté d'aider** + + Les membres de notre communauté ne sont pas votre support technique gratuit. Nous sommes heureux de vous aider à franchir certaines étapes de votre parcours de protection de la vie privée si vous êtes prêt à faire des efforts de votre côté. Nous ne sommes pas disposés à répondre à des questions répétées à l'infini sur des problèmes informatiques génériques auxquels vous auriez pu répondre vous-même en 30 secondes de recherche sur Internet. Ne soyez pas un [vampire de l'aide](https://slash7.com/2006/12/22/vampires/). + +1. **Comportez-vous de manière positive et constructive** + + Voici quelques exemples de comportements qui contribuent à un environnement positif pour notre communauté : + + - Faire preuve d'empathie et de gentillesse envers les autres + - Être respectueux des différentes opinions, points de vue et expériences + - Donner et accepter avec grâce des retours constructifs + - Accepter la responsabilité et présenter des excuses à ceux qui ont été affectés par nos erreurs, et tirer des leçons de cette expérience + - Se concentrer sur ce qui est le mieux non seulement pour nous en tant qu'individus, mais aussi pour l'ensemble de la communauté + +### Comportement inacceptable + +Les comportements suivants sont considérés comme du harcèlement et sont inacceptables au sein de notre communauté : + +- L'utilisation d'un langage ou d'images à caractère sexuel, ainsi que des attentions ou des avances sexuelles de quelque nature que ce soit +- Le "trolling", les commentaires insultants ou désobligeants et les attaques personnelles ou d’ordre politique +- Le harcèlement en public ou en privé +- Publier des informations privées d'autrui, telles qu'une adresse physique ou électronique, sans leur permission explicite +- Toute autre conduite qui pourrait raisonnablement être considérée comme inappropriée dans un cadre professionnel + +## Périmètre d’application + +Notre code de conduite s'applique dans tous les espaces du projet, ainsi que lorsqu'une personne représente le projet Privacy Guides dans d'autres communautés. + +Nous sommes responsables de la clarification des normes de notre communauté, et nous avons le droit de supprimer ou de modifier les commentaires de ceux qui participent à notre communauté, si nécessaire et à notre discrétion. + +### Contact + +Si vous observez un problème sur une plateforme comme Matrix ou Reddit, veuillez contacter nos modérateurs sur cette plateforme en chat, via DM, ou par le biais de tout système désigné "Modmail". + +Si vous avez un problème ailleurs, ou un problème que nos modérateurs de la communauté ne sont pas en mesure de résoudre, adressez-vous à `jonah@privacyguides.org` et/ou `dngray@privacyguides.org`. + +Tous les dirigeants de la communauté sont tenus de respecter la vie privée et la sécurité du rapporteur de l'incident. diff --git a/i18n/fr/about/criteria.md b/i18n/fr/about/criteria.md new file mode 100644 index 00000000..847148ed --- /dev/null +++ b/i18n/fr/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Critères généraux +--- + +!!! example "Travail inachevé" + + La page suivante est inachevée et ne reflète pas l'ensemble des critères de nos recommandations à l'heure actuelle. Discussion antérieure sur ce sujet : [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Vous trouverez ci-dessous certains éléments qui doivent s'appliquer à toutes les soumissions à Privacy Guides. Chaque catégorie aura des exigences supplémentaires pour être incluse. + +## Divulgation financière + +Nous ne gagnons pas d'argent en recommandant certains produits, nous n'utilisons pas de liens affiliés et nous n'accordons pas de considération particulière aux donateurs du projet. + +## Directives générales + +Nous appliquons ces priorités lorsque nous envisageons de nouvelles recommandations : + +- **Sécurisé** : les outils doivent respecter les bonnes pratiques en matière de sécurité, le cas échéant. +- **Disponibilité des sources** : les projets à source ouverte sont généralement préférés aux solutions propriétaires équivalentes. +- **Multiplateforme** : nous préférons généralement que les recommandations soient multiplateformes, afin d'éviter d'être coincé chez un fournisseur. +- **Développement actif** : les outils que nous recommandons doivent être activement maintenus. Les projets non maintenus seront, dans la plupart des cas, supprimés. +- **Facilité d'utilisation** : les outils doivent être accessibles à la plupart des utilisateurs d'ordinateurs, sans qu'un bagage trop technique soit nécessaire. +- **Documenté** : ses outils doivent disposer d'une documentation claire et complète pour leur utilisation. + +## Soumissions par les développeurs + +Nous avons ces exigences à l'égard des développeurs qui souhaitent soumettre leur projet ou logiciel pour examen. + +- Vous devez indiquer votre affiliation, c'est-à-dire votre position au sein du projet soumis. + +- Vous devez avoir un livre blanc sur la sécurité s'il s'agit d'un projet qui implique la manipulation d'informations sensibles comme une messagerie, un gestionnaire de mots de passe, un stockage cloud chiffré, etc. + - Statut d'audit par une tierce partie. Nous voulons savoir si vous en avez un, ou si vous en prévoyez un. Si possible, veuillez mentionner qui mènera l'audit. + +- Vous devez expliquer ce que le projet apporte en matière de respect de la vie privée. + - Cela résout-il un nouveau problème ? + - Pourquoi devrait-on l'utiliser plutôt que d'autres solutions ? + +- Vous devez indiquer quel est le modèle de menace exact avec votre projet. + - Il doit être clair pour les utilisateurs potentiels ce que le projet peut fournir et ce qu'il ne peut pas fournir. diff --git a/i18n/fr/about/donate.md b/i18n/fr/about/donate.md new file mode 100644 index 00000000..8717528b --- /dev/null +++ b/i18n/fr/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Nous soutenir +--- + + +De nombreuses [personnes](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ainsi qu'un [travail](https://github.com/privacyguides/privacyguides.org/pulse/monthly) conséquent sont nécessaires afin de maintenir Privacy Guides à jour et de transmettre nos connaissances concernant la vie privée et la surveillance de masse. Si vous aimez ce que nous faisons, envisagez de vous impliquer en [éditant le site](https://github.com/privacyguides/privacyguides.org) ou en [contribuant aux traductions](https://crowdin.com/project/privacyguides). + +Si vous souhaitez nous soutenir financièrement, la méthode la plus simple est de contribuer via le site web Open Collective, qui est géré par notre hébergeur fiscal. Open Collective accepte les paiements par carte de crédit/débit, PayPal et virements bancaires. + +[Faire un don sur OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Les dons qui nous sont faits via Open Collective sont généralement déductibles des impôts aux États-Unis, car notre hôte fiscal (la Fondation Open Collective) est une organisation enregistrée 501(c)3. Vous recevrez un reçu de la Fondation Open Collective après avoir fait votre don. Privacy Guides ne fournit pas de conseils financiers, et vous devez contacter votre conseiller fiscal pour savoir si cela s'applique à vous. + +Vous pouvez également nous soutenir via les sponsors GitHub. + +[Soutenez-nous sur GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Donateurs + +Un grand merci à tous ceux qui soutiennent notre mission ! :heart: + +*Remarque : Cette section charge un widget directement depuis Open Collective. Cette section ne reflète pas les dons effectués en dehors de l'Open Collective, et nous n'avons aucun contrôle sur l'ordre des donateurs présentés dans cette section.* + + + +## A Quoi Servent Vos Dons ? + +Privacy Guides est une **organisation à but non lucratif** . Nous utilisons les dons à des fins diverses, notamment : + +**Noms de Domaine** +: + +Nous avons quelques noms de domaine comme `privacyguides.org` qui nous coûtent environ 10 $ par an pour maintenir leur enregistrement. + +**Hébergement Web** +: + +Plusieurs centaines de gigaoctets de trafic sont générés sur ce site chaque mois. Nous faisons appel à différents fournisseurs de services pour gérer ce trafic. + +**Services En Ligne** +: + +Nous hébergeons [des services internet](https://privacyguides.net) pour tester et présenter différents produits qui respectent votre vie privée, que nous apprécions et que nous [recommandons](../tools.md). Certains sont mis à la disposition du public pour l'usage de notre communauté (SearXNG, Tor, etc.), et d'autres sont fournis aux membres de notre équipe (courriel, etc.). + +**Achats de Produits** +: + +Nous achetons occasionnellement des produits et des services dans le but de tester nos [outils recommandés](../tools.md). + +Nous travaillons toujours avec notre hôte fiscal (la Fondation Open Collective) pour recevoir des dons en crypto-monnaies. Pour l'instant, la comptabilité est irréalisable pour de nombreuses petites transactions, mais cela devrait changer à l'avenir. En attendant, si vous souhaitez faire un don important en crypto-monnaies (> 100 $), veuillez contacter [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/fr/about/index.md b/i18n/fr/about/index.md new file mode 100644 index 00000000..6ecfeb81 --- /dev/null +++ b/i18n/fr/about/index.md @@ -0,0 +1,102 @@ +--- +title: "À propos de Privacy Guides" +description: Privacy Guides est un site web à vocation sociale qui fournit des informations pour protéger la sécurité de vos données et votre vie privée. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Logo de Privacy Guides](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** est un site web à vocation sociale qui fournit [des informations](/kb) pour protéger la sécurité de vos données et votre vie privée. Notre mission est d'informer le public sur la valeur de la vie privée numérique et sur les initiatives gouvernementales mondiales visant à surveiller votre activité en ligne. Nous sommes un collectif à but non lucratif entièrement géré par des [membres bénévoles de l'équipe](https://discuss.privacyguides.net/g/team) et des contributeurs. Notre site est exempt de publicité et n'est affilié à aucun des fournisseurs cités. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title="Page d'accueil" } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Code source" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribuer } + +> Pour trouver des applications [alternatives axées sur la protection de la vie privée], consultez des sites tels que Good Reports et **Privacy Guides**, qui répertorient les applications axées sur la protection de la vie privée dans diverses catégories, notamment les fournisseurs de courrier électronique (généralement payants) qui ne sont pas gérés par les grands géants du web. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) [Traduit de l'anglais] + +> Si vous êtes à la recherche d'un nouveau VPN, vous pouvez consulter le code de réduction d'à peu près tous les podcasts. Si vous cherchez un **bon** VPN, vous avez besoin d'une aide professionnelle. Il en va de même pour les clients de messagerie, les navigateurs, les systèmes d'exploitation et les gestionnaires de mots de passe. Comment savoir laquelle de ces options est la meilleure, la plus respectueuse de la vie privée ? Pour cela, il existe **Privacy Guides**, une plateforme sur laquelle un certain nombre de bénévoles recherchent jour après jour les meilleurs outils respectueux de la vie privée à utiliser sur internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Traduit du néerlandais] + +Également présenté sur : [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), et [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## Histoire + +Privacy Guides a été lancé en septembre 2021 dans le prolongement du projet éducatif open-source "PrivacyTools", aujourd'hui [disparu](privacytools.md). Nous avons reconnu l’importance de recommandations indépendantes, axées sur des critères, et de connaissances générales dans l’environnement de la protection de la vie privée. C'est pourquoi nous avions besoin de préserver le travail qui avait été créé par tant de contributeurs depuis 2015, et être sûr que ces informations aient une place stable sur le web indéfiniment. + +En 2022, nous avons achevé la transition de l'environnement de site web principal de Jekyll à MkDocs, en utilisant le logiciel de documentation `mkdocs-material`. Ce changement a rendu les contributions open source à notre site considérablement plus facile pour les personnes extérieures, parce qu'au lieu d'avoir besoin de connaître une syntaxe complexe pour écrire des messages efficacement, contribuer est maintenant aussi simple que d'écrire un document Markdown standard. + +Nous avons également lancé notre nouveau forum de discussion sur [discuss.privacyguides.net](https://discuss.privacyguides.net/) comme plateforme communautaire pour partager des idées et poser des questions sur notre mission. Cela complète notre communauté existante sur Matrix et remplace notre précédente plate-forme de Discussions GitHub, réduisant ainsi notre dépendance aux plateformes de discussion propriétaires. + +Jusqu'à présent en 2023, nous avons lancé des traductions internationales de notre site en [français](/fr/), [hébreu](/he/), et [néerlandais](/nl/), et d'autres langues sont à venir, rendu possible par notre excellente équipe de traduction sur [Crowdin](https://crowdin.com/project/privacyguides). Nous avons l'intention de poursuivre notre mission de sensibilisation et d'éducation, et trouver des moyens de mieux mettre en évidence les dangers d'un manque de sensibilisation à la protection de la vie privée à l'ère numérique moderne, et la prévalence et les conséquences des failles de sécurité dans l'industrie de la technologie. + +## Notre équipe + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Page d'accueil](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Page d'accueil](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Page d'accueil](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +De plus, [de nombreuses personnes](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ont apporté des contributions au projet. Vous pouvez aussi, nous sommes open source sur GitHub, et acceptons les suggestions de traduction sur [Crowdin](https://crowdin.com/project/privacyguides). + +Les membres de notre équipe examinent toutes les modifications apportées au site et s'occupent des tâches administratives telles que l'hébergement et les finances, mais ils ne profitent pas personnellement des contributions apportées à ce site. Nos finances sont hébergées de manière transparente par la Fondation Open Collective 501(c)(3) sur [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Les dons à Privacy Guides sont généralement déductibles des impôts aux États-Unis. + +## Licence de site + +!!! danger "" + + Ce qui suit est un résumé lisible par l'homme de la [licence](/license) (et ne se substitue pas à celle-ci). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Sauf indication contraire, le contenu original de ce site web est mis à disposition sous la [licence publique internationale Creative Commons Attribution-NoDerivatives 4.0](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). Cela signifie que vous êtes libre de copier et de redistribuer le matériel sur n'importe quel support ou dans n'importe quel format, à n'importe quelle fin, même commerciale, pour autant que vous accordiez le crédit approprié à `Privacy Guides (www.privacyguides.org)` et que vous fournissiez un lien vers la licence. Vous pouvez le faire de toute manière raisonnable, mais pas d'une manière qui suggère que Privacy Guides vous approuve ou approuve votre utilisation. Si vous remixez, transformez ou construisez sur le contenu de ce site web, vous n'êtes pas autorisé à distribuer le matériel modifié. + +Cette licence a été mise en place pour empêcher les gens de partager notre travail sans en donner le crédit approprié, et pour empêcher les gens de modifier notre travail d'une manière qui pourrait être utilisée pour induire les gens en erreur. Si vous trouvez les termes de cette licence trop restrictifs pour le projet sur lequel vous travaillez, veuillez nous contacter à l'adresse `jonah@privacyguides.org`. Nous serons heureux de fournir des options de licence alternatives pour les projets bien intentionnés dans le domaine de la vie privée ! diff --git a/i18n/fr/about/notices.md b/i18n/fr/about/notices.md new file mode 100644 index 00000000..94412d24 --- /dev/null +++ b/i18n/fr/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Avis de non-responsabilité" +--- + +## Avertissement légal + +Privacy Guides n'est pas un cabinet d'avocats. À ce titre, le site web Privacy Guides et les contributeurs ne fournissent pas de conseils juridiques. Le contenu et les recommandations de notre site web et de nos guides ne constituent pas des conseils juridiques. Et le fait de contribuer au site web ou de communiquer avec Privacy Guides ou d'autres contributeurs au sujet de notre site web ne crée pas une relation avocat-client. + +La gestion de ce site web, comme toute entreprise humaine, comporte des incertitudes et des compromis. Nous espérons que ce site web vous aidera, mais il peut comporter des erreurs et ne peut pas répondre à toutes les situations. Si vous avez des questions sur votre situation, nous vous encourageons à faire vos propres recherches, à consulter d'autres experts et à participer à des discussions avec la communauté Privacy Guides. Si vous avez des questions d'ordre juridique, vous devez consulter votre propre conseiller juridique avant de poursuivre. + +Privacy Guides est un projet open-source dont la contribution est soumise à des licences comprenant des conditions qui, pour la protection du site web et de ses contributeurs, précisent que le projet et le site Privacy Guides sont proposés "en l'état", sans garantie, et déclinent toute responsabilité pour les dommages résultant de l'utilisation du site web ou des recommandations qu'il contient. Privacy Guides ne garantit en aucun cas et ne fait aucune déclaration concernant l'exactitude, les résultats probables ou la fiabilité de l'utilisation des éléments sur le site web ou autrement liés sur le site web ou sur tout autre site tiers lié à ce site. + +En outre, Privacy Guides ne garantit pas que ce site web sera constamment disponible, ou disponible tout court. + +## Aperçu des licences + +!!! danger "" + + Ce qui suit est un résumé lisible par l'homme de la [licence](/license) (et ne se substitue pas à celle-ci). + +Sauf indication contraire, l'ensemble du **contenu** de ce site web est mis à disposition selon les termes de la [license publique Creative Commons Attribution - Pas de Modification 4.0 International](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). Le **code source** sous-jacent utilisé pour générer ce site web et afficher son contenu est publié sous la [licence MIT](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Cela n'inclut pas le code tiers intégré dans ce dépôt, ou le code pour lequel une licence de remplacement est indiquée. Les exemples suivants sont notables, mais cette liste n'est pas exhaustive : + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) est sous licence [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* La police d'en-tête [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) est placée sous la licence [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* La police [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) utilisée pour la plupart des textes sur le site est sous licence selon les termes détaillés [ici](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* La police [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) utilisée pour le texte monospace sur le site est sous licence [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Cela signifie que vous pouvez utiliser le contenu lisible par l'homme de ce dépôt pour votre propre projet, conformément aux conditions décrites dans le texte de la license publique Creative Commons Attribution - Pas de Modification 4.0 International. Vous pouvez le faire de toute manière raisonnable, mais pas d'une manière qui suggère que Privacy Guides vous approuve ou approuve votre utilisation. Vous **ne pouvez pas** utiliser la marque Privacy Guides dans votre propre projet sans l'approbation expresse de ce projet. Les marques déposées de Privacy Guides comprennent l'appellation "Privacy Guides" ainsi que le logo de bouclier. + +Nous estimons que les logos et autres images des `actifs` obtenus auprès de fournisseurs tiers sont soit du domaine public, soit **d'un usage raisonnable**. En résumé, la [doctrine d'usage raisonnable](https://fr.wikipedia.org/wiki/Fair_use) permet l'utilisation d'images protégées par le droit d'auteur afin d'identifier le sujet à des fins de commentaire public. Toutefois, ces logos et autres images peuvent encore être soumis aux lois sur les marques commerciales dans une ou plusieurs juridictions. Avant d'utiliser ce contenu, veuillez vous assurer qu'il est utilisé pour identifier l'entité ou l'organisation propriétaire de la marque et que vous avez le droit de l'utiliser en vertu des lois applicables dans les circonstances de votre utilisation prévue. *Lorsque vous copiez le contenu de ce site web, vous êtes seul responsable de vous assurer que vous ne violez pas la marque ou le droit d'auteur de quelqu'un d'autre.* + +Lorsque vous contribuez à notre site web, vous le faites dans le cadre des licences susmentionnées et vous accordez à Privacy Guides une licence perpétuelle, mondiale, non exclusive, transférable, libre de redevances et irrévocable, avec le droit d'accorder une sous-licence à plusieurs niveaux de sous-licenciés, pour reproduire, modifier, afficher, exécuter et distribuer votre contribution dans le cadre de notre projet. + +## Utilisation acceptable + +Il est interdit d'utiliser ce site web d'une manière qui cause ou pourrait causer des dommages au site web ou compromettre la disponibilité ou l'accessibilité de Privacy Guides, ou d'une manière qui serait illégale, frauduleuse ou nuisible, ou en relation avec un objectif ou une activité illégale, frauduleuse ou nuisible. + +Vous ne devez pas mener d'activités de collecte de données systématiques ou automatisées sur ce site web ou en relation avec celui-ci sans autorisation écrite expresse, y compris : + +* Analyses automatisées excessives +* Attaques par déni de service +* Scraping +* Extraction de données +* 'Framing' (IFrames) + +--- + +*Certaines parties de cet avis ont été reprises du projet [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) sur GitHub. Cette ressource et cette page elle-même sont publiées sous [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/fr/about/privacy-policy.md b/i18n/fr/about/privacy-policy.md new file mode 100644 index 00000000..5a4eb667 --- /dev/null +++ b/i18n/fr/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Politique de confidentialité" +--- + +Privacy Guides est un projet communautaire géré par un certain nombre de bénévoles actifs. La liste actuelle des membres de notre équipe se trouve [ici sur GitHub](https://github.com/orgs/privacyguides/people). + +## Collecte et utilisation des données + +Le respect de la vie privée étant importante pour nous, nous ne traquons pas les personnes individuellement. En tant que visisteur sur notre site web : + +- Aucune information personnelle n'est collectée +- Aucune information telle que les cookies n'est stockée dans le navigateur +- Aucune information n'est partagée, envoyée ou vendue à des tiers +- Aucune information n'est partagée avec des sociétés de publicité +- Aucune information n'est exploitée et récoltée pour établir des tendances personnelles et comportementales +- Aucune information n'est monétisée + +Vous pouvez consulter les données que nous collectons sur notre page [statistiques](statistics.md). + +Nous avons mis en place une installation auto-hébergée de [Plausible Analytics](https://plausible.io) pour collecter certaines données d'utilisation anonymes à des fins statistiques. L'objectif est de suivre les tendances générales du trafic de notre site web, et non de suivre les visiteurs individuellement. Toutes les données sont regroupées uniquement. Aucune information personnelle n'est collectée. + +Les données collectées comprennent les sources de référence, les pages les plus consultées, la durée de la visite, les informations sur les appareils (type d'appareil, système d'exploitation, pays et navigateur) utilisés pendant la visite, etc. Vous pouvez en savoir plus sur la manière dont Plausible fonctionne et collecte les informations dans le respect de la vie privée [ici](https://plausible.io/data-policy). + +## Données que nous recueillons auprès des détenteurs d'un compte + +Sur certains sites web et services que nous fournissons, de nombreuses fonctionnalités peuvent nécessiter un compte. Par exemple, un compte peut être nécessaire pour publier et répondre à des sujets sur une plateforme de forum. + +Pour s'inscrire à la plupart des comptes, nous recueillons un nom, un nom d'utilisateur, une adresse électronique et un mot de passe. Si un site web requiert plus d'informations que ces seules données, cela sera clairement indiqué et noté dans une politique de confidentialité distincte pour chaque site. + +Nous utilisons les données de votre compte pour vous identifier sur le site web et pour créer des pages qui vous sont spécifiques, telles que votre page de profil. Nous utiliserons également les données de votre compte pour publier un profil public vous concernant sur nos services. + +Nous utilisons votre e-mail pour : + +- Vous informer de la publication de messages et d'autres activités sur les sites web ou les services. +- Réinitialisez votre mot de passe et contribuez à la sécurité de votre compte. +- Vous contacter dans des circonstances particulières liées à votre compte. +- Vous contacter au sujet de demandes légales, telles que les demandes de retrait DMCA. + +Sur certains sites web et services, vous pouvez fournir des informations supplémentaires pour votre compte, telles qu'une courte biographie, un avatar, votre localisation ou votre date d'anniversaire. Nous mettons ces informations à la disposition de tous ceux qui peuvent accéder au site web ou au service en question. Ces informations ne sont pas nécessaires pour utiliser l'un de nos services et peuvent être effacées à tout moment. + +Nous conserverons les données de votre compte tant que celui-ci restera ouvert. Après la fermeture d'un compte, nous pouvons conserver une partie ou la totalité des données de votre compte sous forme de sauvegardes ou d'archives pendant 90 jours au maximum. + +## Nous contacter + +L'équipe de Privacy Guides n'a généralement pas accès aux données personnelles en dehors d'un accès limité accordé via certains panneaux de modération. Pour toute question concernant vos données personnelles, vous pouvez nous contacter à cette adresse : + +```text +Jonah Aragon +Administrateur de services +jonah@privacyguides.org +``` + +Pour toute autre demande, vous pouvez contacter n'importe quel autre membre de notre équipe. + +De manière plus générale, pour les plaintes en vertu du RGPD. Vous pouvez les déposer auprès de vos autorités locales de surveillance de la protection des données. En France, c'est la Commission Nationale de l'Informatique et des Libertés qui s'occupent notamment de gérer ces plaintes. Ils fournissent un [modèle de lettre de plainte](https://www.cnil.fr/en/plaintes) à utiliser. + +## À propos de cette politique de confidentialité + +Nous publierons toute nouvelle version de cette déclaration [ici](privacy-policy.md). Il se peut que nous modifiions la manière dont nous annonçons les changements dans les futures versions de ce document. Nous pouvons également mettre à jour nos coordonnées à tout moment sans annoncer de changement. Veuillez vous référer à la [politique de confidentialité](privacy-policy.md) pour obtenir les dernières informations de contact à tout moment. + +Un [historique](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) de révision complet de cette page peut être trouvé sur GitHub. diff --git a/i18n/fr/about/privacytools.md b/i18n/fr/about/privacytools.md new file mode 100644 index 00000000..3475ffd6 --- /dev/null +++ b/i18n/fr/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "FAQ PrivacyTools" +--- + +# Pourquoi nous avons abandonné PrivacyTools + +En septembre 2021, tous les contributeurs actifs ont accepté à l'unanimité de quitter PrivacyTools pour travailler sur ce site : Privacy Guides. Cette décision a été prise parce que le fondateur et contrôleur du nom de domaine de PrivacyTools avait disparu pendant une longue période et n'a pas pu être contacté. + +Ayant construit un site et un ensemble de services réputés sur PrivacyTools.io, cela a suscité de graves inquiétudes pour l'avenir de PrivacyTools, car toute perturbation future pourrait anéantir l'ensemble de l'organisation sans méthode de récupération. Cette transition a été communiquée à la communauté PrivacyTools de nombreux mois à l'avance par le biais de divers canaux, notamment son blog, Twitter, Reddit et Mastodon, afin de garantir que l'ensemble du processus se déroule aussi bien que possible. Nous avons fait cela pour nous assurer que personne n'était tenu dans l'ignorance, ce qui a été notre modus operandi depuis la création de notre équipe, et pour nous assurer que Privacy Guides était reconnu comme la même organisation fiable que PrivacyTools était avant la transition. + +Une fois le déménagement terminé, le fondateur de PrivacyTools est revenu et a commencé à diffuser des informations erronées sur le projet Privacy Guides. Ils continuent à diffuser des informations erronées en plus d'exploiter un parc de liens payants sur le domaine PrivacyTools. Nous avons créé cette page pour dissiper tout malentendu. + +## Qu'est-ce que PrivacyTools ? + +PrivacyTools a été créé en 2015 par "BurungHantu", qui voulait faire une ressource d'information sur la vie privée - des outils utiles suite aux révélations de Snowden. Le site est devenu un projet open-source florissant avec [de nombreux contributeurs](https://github.com/privacytools/privacytools.io/graphs/contributors), dont certains se sont vus confier diverses responsabilités organisationnelles, telles que l'exploitation de services en ligne comme Matrix et Mastodon, la gestion et l'examen des modifications apportées au site sur GitHub, la recherche de sponsors pour le projet, la rédaction d'articles de blog et l'exploitation de plateformes de sensibilisation aux médias sociaux comme Twitter, etc. + +À partir de 2019, BurungHantu s'est éloigné de plus en plus du développement actif du site web et des communautés, et a commencé à retarder les paiements dont il était responsable liés aux serveurs que nous exploitions. Pour éviter que notre administrateur système ne paie les coûts du serveur de sa propre poche, nous avons changé les méthodes de don indiquées sur le site, passant des comptes PayPal et crypto personnels de BurungHantu à une nouvelle page OpenCollective sur [31 octobre 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Cela avait pour avantage de rendre nos finances totalement transparentes, une valeur à laquelle nous croyons fermement, et déductibles des impôts aux États-Unis, car elles étaient détenues par l'Open Collective Foundation 501(c)3. Ce changement a été accepté à l'unanimité par l'équipe et n'a pas été contesté. + +## Pourquoi nous sommes passés à autre chose + +En 2020, l'absence de BurungHantu s'est considérablement accentuée. À un moment, nous avons demandé que les serveurs de noms du domaine soient remplacés par des serveurs de noms contrôlés par notre administrateur système afin d'éviter toute perturbation future, et ce changement n'a été effectué que plus d'un mois après la demande initiale. Il disparaissait du chat public et des salles de chat privées de l'équipe sur Matrix pendant des mois, faisant occasionnellement une apparition pour donner un petit feedback ou promettre d'être plus actif avant de disparaître à nouveau. + +En octobre 2020, l'administrateur système de PrivacyTools (Jonah) [a quitté](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) le projet en raison de ces difficultés, cédant le contrôle à un autre contributeur de longue date. Jonah a opéré presque tous les services de PrivacyTools et a agi comme le chef de projet *de facto* pour le développement du site web en l'absence de BurungHantu, donc son départ a été un changement significatif pour l'organisation. À l'époque, en raison de ces changements organisationnels importants, BurungHantu a promis à l'équipe restante qu'il reviendrait prendre le contrôle du projet à l'avenir. ==L'équipe PrivacyTools l'a contacté via plusieurs méthodes de communication au cours des mois suivants, mais n'a reçu aucune réponse.== + +## Dépendance des noms de domaine + +Au début de l'année 2021, l'équipe de PrivacyTools s'est inquiétée de l'avenir du projet, car le nom de domaine devait expirer le 1er mars 2021. Le domaine a finalement été renouvelé par BurungHantu sans commentaire. + +Les préoccupations de l'équipe n'ont pas été prises en compte, et nous avons réalisé que ce problème se poserait chaque année : si le domaine avait expiré, il aurait pu être volé par des squatteurs ou des spammeurs, ce qui aurait ruiné la réputation de l'organisation. Nous aurions également eu du mal à joindre la communauté pour l'informer de ce qui s'est passé. + +Sans contact avec BurungHantu, nous avons décidé que le meilleur plan d'action serait de passer à un nouveau nom de domaine pendant que nous avions encore le contrôle garanti de l'ancien nom de domaine, quelque temps avant mars 2022. De cette façon, nous serions en mesure de rediriger proprement toutes les ressources PrivacyTools vers le nouveau site sans interruption de service. Cette décision a été prise plusieurs mois à l'avance et communiquée à l'ensemble de l'équipe dans l'espoir que BurungHantu prenne contact et assure son soutien continu au projet, car avec un nom de marque reconnaissable et de grandes communautés en ligne, s'éloigner de "PrivacyTools" était le résultat le moins souhaitable possible. + +À la mi-2021, l'équipe de PrivacyTools a contacté Jonah, qui a accepté de rejoindre l'équipe pour aider à la transition. + +## Appel à l'action de la communauté + +Fin juillet 2021, nous avons informé [ la communauté](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) PrivacyTools de notre intention de choisir un nouveau nom et de poursuivre le projet sur un nouveau domaine, qui sera [choisi](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) le 2 août 2022. En fin de compte, "Privacy Guides" a été choisi, avec le domaine `privacyguides.org` déjà détenu par Jonah pour un projet secondaire de 2020 qui n'a pas été développé. + +## Contrôle de r/privacytoolsIO + +En même temps que les problèmes du site privacytools.io, l'équipe de modération de r/privacytoolsIO était confrontée à des difficultés pour gérer le subreddit. Le subreddit a toujours été géré de manière indépendante du développement du site Web, mais BurungHantu en était également le principal modérateur, et il était le seul modérateur à bénéficier des privilèges de "contrôle total". u/trai_dep était le seul modérateur actif à l'époque, et [a posté](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) une demande aux administrateurs de Reddit le 28 juin 2021, demandant qu'on lui accorde le poste de modérateur principal et tous les privilèges de contrôle, afin d'apporter les changements nécessaires au Subreddit. + +Reddit exige que les subreddits aient des modérateurs actifs. Si le modérateur principal est inactif pendant une longue période (par exemple un an), le poste de modérateur principal peut être réattribué au modérateur suivant. Pour que cette demande ait été accordée, BurungHantu devait avoir été complètement absent de toute activité Reddit pendant une longue période, ce qui était cohérent avec ses comportements sur d'autres plateformes. + +> Si vous avez été retiré en tant que modérateur d'un sous-rédit via la demande Reddit, c'est parce que votre manque de réponse et votre manque d'activité ont qualifié le sous-rédit pour un transfert de r/redditrequest. +> +> r/redditrequest est le moyen utilisé par Reddit pour s'assurer que les communautés ont des modérateurs actifs et fait partie du [code de conduite des modérateurs](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Début de la transition + +Le 14 septembre 2021, nous [avons annoncé](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) le début de notre migration vers ce nouveau domaine : + +> [...] nous avons jugé nécessaire d'effectuer ce changement plus tôt que prévu afin que les gens soient informés de cette transition le plus tôt possible. Cela nous laisse suffisamment de temps pour effectuer la transition du nom de domaine, qui est actuellement redirigé vers www.privacyguides.org, et nous espérons que tout le monde aura le temps de remarquer le changement, de mettre à jour les signets et les sites web, etc. + +Ce changement [a entraîné :](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirection de www.privacytools.io vers [www.privacyguides.org](https://www.privacyguides.org). +- Archiver le code source sur GitHub pour préserver notre travail passé et le suivi de tickets, que nous avons continué à utiliser pendant des mois de développement futur de ce site. +- Publier des annonces dans notre sous-reddit et dans diverses autres communautés pour informer les gens du changement officiel. +- Fermer formellement les services privacytools.io, comme Matrix et Mastodon, et encourager les utilisateurs existants à migrer dès que possible. + +Les choses semblaient se dérouler sans problème, et la plupart de notre communauté active a fait le passage à notre nouveau projet exactement comme nous l'espérions. + +## Événements suivants + +Environ une semaine après la transition, BurungHantu est revenu en ligne pour la première fois depuis près d'un an, mais personne dans notre équipe n'était prêt à revenir à PrivacyTools en raison de son manque de fiabilité historique. Au lieu de s'excuser de son absence prolongée, il est immédiatement passé à l'offensive et a présenté le passage à Privacy Guides comme une attaque contre lui et son projet. Il a ensuite [supprimé](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) nombre de ces messages lorsque la communauté lui a fait remarquer qu'il avait été absent et avait abandonné le projet. + +À ce stade, BurungHantu a déclaré qu'il voulait continuer à travailler sur privacytools.io par lui-même et a demandé que nous supprimions la redirection de www.privacytools.io vers [www.privacyguides.org](https://www.privacyguides.org). Nous avons accepté et lui avons demandé de garder les sous-domaines de Matrix, Mastodon et PeerTube actifs pour que nous les gérions comme un service public pour notre communauté pendant au moins quelques mois, afin de permettre aux utilisateurs de ces plateformes de migrer facilement vers d'autres comptes. En raison de la nature fédérée des services que nous fournissions, ils étaient liés à des noms de domaine spécifiques, ce qui rendait la migration très difficile (et dans certains cas impossible). + +Malheureusement, parce que le contrôle du sous-breddit r/privacytoolsIO n'a pas été retourné à BurungHantu à sa demande (plus d'informations ci-dessous), ces sous-domaines ont été [coupés](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) au début d'octobre, mettant fin à toute possibilité de migration vers les utilisateurs utilisant toujours ces services. + +Suite à cela, BurungHantu a lancé de fausses accusations selon lesquelles Jonah aurait volé les dons du projet. BurungHantu avait plus d'un an depuis l'incident présumé pour informer la communauté, et pourtant, il n'en a informé personne avant la migration vers Privacy Guides. L'équipe [et la communauté](https://twitter.com/TommyTran732/status/1526153536962281474)ont demandé à plusieurs reprises à BurungHantu de fournir des preuves et de s'expliquer sur la raison de son silence, mais il ne l'a pas fait. + +BurungHantu a également publié [un message sur Twitter](https://twitter.com/privacytoolsIO/status/1510560676967710728) prétendant qu'un "avocat" l'avait contacté sur Twitter et lui donnait des conseils, dans une autre tentative de nous intimider pour que nous lui donnions le contrôle de notre subreddit, et dans le cadre de sa campagne de diffamation visant à brouiller les pistes concernant le lancement de Privacy Guides tout en prétendant être une victime. + +## PrivacyTools.io maintenant + +Depuis le 25 septembre 2022, nous voyons les plans de BurungHantu se dessiner sur privacytools.io, et c'est la raison pour laquelle nous avons décidé de créer cette page explicative aujourd'hui. Le site qu'il exploite semble être une version fortement optimisée pour le référencement du site qui recommande des outils en échange d'une compensation financière. Très récemment, IVPN et Mullvad, deux fournisseurs de VPN presque universellement [recommandés](../vpn.md) par la communauté de la protection de la vie privée et remarquables pour leur position contre les programmes d'affiliation ont été retirés de PrivacyTools. A leur place ? NordVPN, Surfshark, ExpressVPN, et hide.me; Des géantes sociétés de VPN avec des plateformes et des pratiques commerciales peu fiables, connues pour leur marketing agressif et leurs programmes d'affiliation. + +==**PrivacyTools est devenu exactement le type de site contre lequel nous [avons mis en garde](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) sur le blog PrivacyTools en 2019.**== Nous avons essayé de garder notre distance avec PrivacyTools depuis la transition, mais leur harcèlement continu à l'égard de notre projet et maintenant leur abus absurde de la crédibilité que leur marque a gagné depuis plus de 6 ans de contributions open source est extrêmement troublant à nos yeux. Ceux d'entre nous qui luttent vraiment pour la protection de la vie privée ne se battent pas les uns contre les autres et ne reçoivent pas leurs conseils des plus offrant. + +## r/privacytoolsIO maintenant + +Après le lancement de [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), il n'était pas pratique pour u/trai_dep de continuer à modérer les deux subreddits, et avec l'adhésion de la communauté à la transition, r/privacytoolsIO a été [transformé en](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) en un subreddit restreint dans un post du 1er novembre 2021 : + +> [...] La croissance de ce sous-reddit a été le résultat de grands efforts, sur plusieurs années, par l'équipe PrivacyGuides.org. Et par chacun d'entre vous. +> +> Un sous-reddit représente beaucoup de travail à administrer et à modérer. Comme un jardin, il nécessite un entretien patient et des soins quotidiens. Ce n'est pas une tâche pour les dilettantes ou les personnes qui ont du mal à s'engager. Il ne peut pas prospérer sous la houlette d'un jardinier qui l'abandonne pendant plusieurs années, puis se présente en exigeant la récolte de cette année en guise de tribut. C'est injuste pour l'équipe formée il y a des années. C'est injuste pour vous. [...] + +Les sous-reddits n'appartiennent à personne, et ils n'appartiennent surtout pas aux détenteurs de marques. Ils appartiennent à leurs communautés, et la communauté et ses modérateurs ont pris la décision de soutenir le déplacement vers r/PrivacyGuides. + +Dans les mois qui ont suivi, BurungHantu a menacé et supplié de rendre le contrôle du subreddit à son compte, en violation des [règles](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) de Reddit : + +> Les représailles d'un modérateur à l'égard des demandes de suppression sont interdites. + +Pour une communauté qui compte encore plusieurs milliers d'abonnés, nous estimons qu'il serait incroyablement irrespectueux de rendre le contrôle de cette énorme plateforme à la personne qui l'a abandonnée pendant plus d'un an et qui gère désormais un site web qui, selon nous, fournit des informations de très mauvaise qualité. Préserver les années de discussions passées dans cette communauté est plus important pour nous, et donc u/trai_dep et le reste de l'équipe de modération du subreddit a pris la décision de garder r/privacytoolsIO tel quel. + +## OpenCollective maintenant + +Notre plateforme de collecte de fonds, OpenCollective, est une autre source de discorde. Notre position est qu'OpenCollective a été mis en place par notre équipe et géré par notre équipe pour financer les services que nous exploitons actuellement et que PrivacyTools ne fait plus. Nous avons [contacté](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) tous nos donateurs au sujet de notre passage à Privacy Guides, et nous avons reçu le soutien unanime de nos sponsors et de notre communauté. + +Ainsi, les fonds dans OpenCollective appartiennent à Privacy Guides, ils ont été donnés à notre projet, et non au propriétaire d'un nom de domaine bien connu. Dans l'annonce faite aux donateurs le 17 septembre 2021, nous avons proposé un remboursement à tout donateur qui ne serait pas d'accord avec la position que nous avons adoptée, mais personne n'a accepté cette offre : + +> Si des sponsors ou des bailleurs de fonds sont en désaccord ou se sentent induits en erreur par ces événements récents et souhaitent demander un remboursement compte tenu de ces circonstances très inhabituelles, veuillez contacter notre administrateur de projet en envoyant un e-mail à jonah@triplebit.net. + +## Pour en savoir plus + +Ce sujet a fait l'objet de nombreuses discussions au sein de nos communautés à divers endroits, et il est probable que la plupart des personnes qui lisent cette page connaissent déjà les événements qui ont conduit au passage aux guides de confidentialité. Certains de nos précédents billets sur le sujet peuvent contenir des détails supplémentaires que nous avons omis ici par souci de brièveté. Ils ont été mis en lien ci-dessous dans un souci d'exhaustivité. + +- [28 juin 2021 demande de contrôle de r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 juillet 2021 : annonce de nos intentions de déménager sur le blog PrivacyTools, écrite par l'équipe](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 septembre 2021 : annonce du début de notre transition vers Privacy Guides sur r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Annonce du 17 septembre 2021 sur OpenCollective par Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 septembre 2021 Fil Twitter détaillant la plupart des événements décrits sur cette page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1er octobre 2021, publication de u/dng99 constatant un échec du sous-domaine](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 avr 2022 réponse de u/dng99 à l'article de blog accusatoire de PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 mai 2022 réponse de @TommyTran732 sur Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post sur le forum de Techlore par @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/fr/about/services.md b/i18n/fr/about/services.md new file mode 100644 index 00000000..4fdbe8cc --- /dev/null +++ b/i18n/fr/about/services.md @@ -0,0 +1,38 @@ +# Services de Privacy Guides + +Nous utilisons un certain nombre de services web pour tester des fonctionnalités et promouvoir des projets décentralisés, fédérés et/ou open-source. Bon nombre de ces services sont accessibles au public et sont détaillés ci-dessous. + +[:material-comment-alert: Signaler un problème](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domaine : [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Disponibilité : public +- Source : [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domaine : [code.privacyguides.dev](https://code.privacyguides.dev) +- Disponibilité : sur invitation seulement + L'accès peut être accordé sur demande à toute équipe travaillant sur un développement ou du contenu lié à *Privacy Guides*. +- Source : [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domaine : [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Disponibilité : sur invitation uniquement + L'accès peut être accordé sur demande aux membres de l'équipe de Privacy Guides, aux modérateurs de Matrix, aux administrateurs tiers de la communauté Matrix, aux opérateurs de robots Matrix et à d'autres personnes ayant besoin d'une présence fiable dans Matrix. +- Source : [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domaine : [search.privacyguides.net](https://search.privacyguides.net) +- Disponibilité : public +- Source : [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domaine : [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Disponibilité : semi-public + Nous hébergeons Invidious principalement pour servir les vidéos YouTube intégrées à notre site web. Cette instance n'est pas destinée à un usage général et peut être limitée à tout moment. +- Source : [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/fr/about/statistics.md b/i18n/fr/about/statistics.md new file mode 100644 index 00000000..381af078 --- /dev/null +++ b/i18n/fr/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Statistiques de trafic +--- + +## Statistiques du site web + + +
Statistiques alimentées par Plausible Analytics
+ + + + +## Statistiques du blog + + +
Statistiques alimentées par Plausible Analytics
+ + + diff --git a/i18n/fr/advanced/communication-network-types.md b/i18n/fr/advanced/communication-network-types.md new file mode 100644 index 00000000..7f890710 --- /dev/null +++ b/i18n/fr/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types de réseaux de communication" +icon: 'material/transit-connection-variant' +description: Une présentation de plusieurs architectures réseau couramment utilisées par les applications de messagerie instantanée. +--- + +Il existe plusieurs architectures réseau couramment utilisées pour relayer des messages entre des personnes. Ces réseaux peuvent offrir des garanties différentes en matière de protection de la vie privée. C'est pourquoi il est utile de tenir compte de votre [modèle de menace](../basics/threat-modeling.md) lorsque vous décidez quelle application à utiliser. + +[Messageries instantanées recommandées](../real-time-communication.md ""){.md-button} + +## Réseaux Centralisés + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Les messageries centralisées sont celles où tous les participants se trouvent sur le même serveur ou réseau de serveurs, contrôlés par la même organisation. + +Certaines messageries auto-hébergées vous permettent de configurer votre propre serveur. L'auto-hébergement peut offrir des garanties de confidentialité supplémentaires, tel que l'absence de journaux d'utilisation ou un accès limité aux métadonnées (les données sur qui parle à qui). Les messageries centralisées auto-hébergées sont isolées et tout le monde doit être sur le même serveur pour communiquer. + +**Avantages :** + +- Les nouvelles fonctionnalités et les changements peuvent être mis en place plus rapidement. +- Il est plus facile de démarrer et de trouver des contacts. +- L'écosystème de fonctionnalités est plus mature et plus stable, car plus facile à programmer dans un logiciel centralisé. +- Les problèmes de confidentialité peuvent être réduits lorsque vous faites confiance à un serveur que vous hébergez vous-même. + +**Inconvénients :** + +- Peut inclure des [restrictions de contrôle ou d'accès](https://drewdevault.com/2018/08/08/Signal.html). Cela peut inclure des choses telles que : +- Être [interdit de connecter des clients tiers](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) au réseau centralisé, ce qui pourrait permettre une plus grande personnalisation ou une meilleure expérience. Ces modalités sont souvent définies dans les conditions d'utilisation. +- Documentation insuffisante ou inexistante pour les développeurs tiers. +- La [propriété](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), la politique de confidentialité et les opérations du service peuvent changer facilement lorsqu'une seule entité le contrôle, ce qui peut compromettre le service par la suite. +- L'auto-hébergement demande des efforts et des connaissances sur la manière de mettre en place un service. + +## Réseaux Fédérés + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Les messageries fédérées utilisent plusieurs serveurs indépendants et décentralisés capables de communiquer entre eux (le courrier électronique est un exemple de service fédéré). La fédération permet aux administrateurs système de contrôler leur propre serveur tout en faisant partie d'un réseau de communication plus vaste. + +Lorsqu'ils sont auto-hébergés, les membres d'un serveur fédéré peuvent découvrir et communiquer avec les membres d'autres serveurs, bien que certains serveurs puissent choisir de rester privés en étant non fédérés (par exemple, un serveur d'équipe de travail). + +**Avantages :** + +- Permet un meilleur contrôle de vos propres données lorsque vous utilisez votre propre serveur. +- Vous permet de choisir à qui confier vos données en choisissant entre plusieurs serveurs "publics". +- Permet souvent l'utilisation de clients tiers qui peuvent fournir une expérience plus naturelle, personnalisée ou accessible. +- Il est possible de vérifier que le logiciel du serveur correspond au code source public, en supposant que vous avez accès au serveur ou que vous faites confiance à la personne qui y a accès (par exemple, un membre de la famille). + +**Inconvénients :** + +- L'ajout de nouvelles fonctionnalités est plus complexe, car ces dernières doivent être normalisées et testées pour s'assurer qu'elles fonctionnent avec tous les serveurs du réseau. +- En raison du point précédent, les fonctionnalités peuvent manquer, être incomplètes ou fonctionner de manière inattendue par rapport aux plateformes centralisées, comme le relais des messages hors ligne ou la suppression des messages. +- Certaines métadonnées peuvent être disponibles (par exemple, des informations comme "qui parle à qui", mais pas le contenu réel du message si le chiffrement de bout en bout est utilisé). +- Les serveurs fédérés nécessitent généralement de faire confiance à l'administrateur de votre serveur. Il peut s'agir d'un amateur ou d'une personne qui n'est pas un "professionnel de la sécurité", et il se peut qu'il ne fournisse pas de documents aux normes comme une politique de confidentialité ou des conditions de service détaillant l'utilisation de vos données. +- Les administrateurs de serveurs choisissent parfois de bloquer d'autres serveurs, qui sont une source d'abus non modérés ou qui enfreignent les règles générales de comportement accepté. Cela entravera votre capacité à communiquer avec les membres de ces serveurs. + +## Réseaux Pair-à-Pair + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +Les messageries P2P se connectent à un [réseau distribué](https://fr.wikipedia.org/wiki/Réseau_distribué) de nœuds pour relayer un message au destinataire sans serveur tiers. + +Les clients (les pairs) se trouvent généralement les uns les autres grâce à l'utilisation d'un réseau de [calcul distribué](https://fr.wikipedia.org/wiki/Calcul_distribué). Citons par exemple les [Tables de Hachages Distribuées](https://fr.wikipedia.org/wiki/Table_de_hachage_distribuée) (THD), utilisées par les [Torrents](https://fr.wikipedia.org/wiki/BitTorrent) et [l'IPFS](https://fr.wikipedia.org/wiki/InterPlanetary_File_System). Une autre approche est celle des réseaux basés sur la proximité, où une connexion est établie par Wi-Fi ou Bluetooth (par exemple Briar ou le protocole de réseau social [Scuttlebutt](https://www.scuttlebutt.nz)). + +Lorsqu'un pair a trouvé une route vers son contact par l'une de ces méthodes, une connexion directe est établie entre eux. Bien que les messages soient généralement chiffrés, un observateur peut toujours déduire l'emplacement et l'identité de l'expéditeur et du destinataire. + +Les réseaux P2P n'utilisent pas de serveurs, car les pairs communiquent directement entre eux, et ne peuvent donc pas être auto-hébergés. Cependant, certains services supplémentaires peuvent dépendre de serveurs centralisés, comme la découverte d'autres utilisateurs ou le relais des messages hors ligne, qui peuvent bénéficier de l'auto-hébergement. + +**Avantages :** + +- Minimum d'informations exposées à des tiers. +- Les plateformes P2P modernes implémentent l'E2EE par défaut. Il n'y a pas de serveurs qui pourraient potentiellement intercepter et déchiffrer vos transmissions, contrairement aux modèles centralisés et fédérés. + +**Inconvénients :** + +- Ensemble de fonctionnalités réduit : +- Les messages ne peuvent être envoyés que lorsque les deux pairs sont en ligne. Toutefois, votre client peut stocker les messages localement pour attendre le retour en ligne du contact. +- Augmente généralement l'utilisation de la batterie sur les appareils mobiles, car le client doit rester connecté au réseau distribué pour savoir qui est en ligne. +- Certaines fonctionnalités courantes de messageries peuvent ne pas être mises en œuvre ou de manière incomplète, comme la suppression des messages. +- Votre adresse IP et celle des contacts avec lesquels vous communiquez peuvent être exposées si vous n'utilisez pas le logiciel avec un VPN [](../vpn.md) ou [Tor](../tor.md). De nombreux pays disposent d'une forme de surveillance de masse et/ou de conservation des métadonnées. + +## Routage Anonyme + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +Une messagerie utilisant le [routage anonyme](https://doi.org/10.1007/978-1-4419-5906-5_628) cache soit l'identité de l'expéditeur, celle du destinataire, ou la preuve qu'ils aient communiqué. Idéalement, une messagerie devrait cacher les trois. + +Il existe de [nombreuses](https://doi.org/10.1145/3182658) façons différentes de mettre en œuvre le routage anonyme. L'une des plus célèbres est le [routage en oignon](https://en.wikipedia.org/wiki/Onion_routing) comme [Tor](https://fr.wikipedia.org/wiki/Tor_(réseau)), qui communique des messages chiffrés par le biais d'un [réseau superposé](https://fr.wikipedia.org/wiki/Réseau_superposé) qui masque l'emplacement de chaque nœud ainsi que le destinataire et l'expéditeur de chaque message. L'expéditeur et le destinataire n'interagissent jamais directement et ne se rencontrent que par l'intermédiaire d'un nœud de rendez-vous secret, de sorte qu'il n'y ait aucune fuite d'adresses IP ni de localisation physique. Les nœuds ne peuvent pas déchiffrer les messages ni la destination finale, seul le destinataire le peut. Chaque nœud intermédiaire ne peut déchiffrer qu'une partie qui indique où envoyer ensuite le message encore chiffré, jusqu'à ce qu'il arrive au destinataire qui peut le déchiffrer entièrement, d'où les "couches d'oignon." + +L'auto-hébergement d'un nœud dans un réseau de routage anonyme ne procure pas à l'hébergeur des avantages supplémentaires en matière de confidentialité, mais contribue plutôt à la résilience de l'ensemble du réseau contre les attaques d'identification pour le bénéfice de tous. + +**Avantages :** + +- Minimum d'informations exposées à des tiers. +- Les messages peuvent être relayés de manière décentralisée même si l'une des parties est hors ligne. + +**Inconvénients :** + +- Propagation des messages lente. +- Souvent limité à un nombre restreint de types de médias, principalement du texte, car le réseau est lent. +- Moins fiable si les nœuds sont sélectionnés par un routage aléatoire, certains nœuds peuvent être très éloignés de l'expéditeur et du récepteur, ce qui ajoute une latence ou même l'impossibilité de transmettre les messages si l'un des nœuds se déconnecte. +- Plus complexe à mettre en œuvre car la création et la sauvegarde sécurisée d'une clé cryptographique privé sont nécessaires. +- Comme pour les autres plateformes décentralisées, l'ajout de fonctionnalités est plus complexe pour les développeurs que sur une plateforme centralisée. Par conséquent, des fonctionnalités peuvent manquer ou être incomplètement mises en œuvre, comme le relais des messages hors ligne ou la suppression des messages. diff --git a/i18n/fr/advanced/dns-overview.md b/i18n/fr/advanced/dns-overview.md new file mode 100644 index 00000000..2e4a9144 --- /dev/null +++ b/i18n/fr/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Introduction aux DNS" +icon: material/dns +description: Le Système de Nom de Domaine est le "répertoire téléphonique de l'internet", qui aide votre navigateur à trouver le site web qu'il recherche. +--- + +Le [système de nom de domaine](https://fr.wikipedia.org/wiki/Domain_Name_System) est "l'annuaire de l'internet". Le DNS traduit les noms de domaine en adresses IP afin que les navigateurs et autres services puissent charger les ressources de l'internet, grâce à un réseau décentralisé de serveurs. + +## Qu'est-ce que le DNS ? + +Lorsque vous visitez un site web, une adresse numérique est renvoyée. Par exemple, lorsque vous visitez `privacyguides.org`, l'adresse `192.98.54.105` est renvoyée. + +Le DNS existe depuis [les premiers jours](https://fr.wikipedia.org/wiki/Domain_Name_System#Histoire) de l'Internet. Les demandes DNS faites à destination et en provenance des serveurs DNS sont généralement **non** chiffrées. Dans un environnement résidentiel, un client se voit attribuer des serveurs par le FAI via [DHCP](https://fr.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Les demandes DNS non chiffrées peuvent être facilement **surveillées** et **modifiées** en transit. Dans certaines régions du monde, les fournisseurs d'accès à Internet reçoivent l'ordre de procéder à un [ filtrage DNS primitif](https://en.wikipedia.org/wiki/DNS_blocking). Lorsque vous demandez l'adresse IP d'un domaine bloqué, le serveur peut ne pas répondre ou répondre avec une adresse IP différente. Le protocole DNS n'étant pas chiffré, le FAI (ou tout opérateur de réseau) peut utiliser [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) pour surveiller les demandes. Les FAI peuvent également bloquer des requêtes sur la base de caractéristiques communes, quel que soit le serveur DNS utilisé. Un DNS non chiffré utilise toujours le [port](https://fr.wikipedia.org/wiki/Port_(logiciel)) 53 et utilise toujours UDP. + +Ci-dessous, nous discutons et fournissons un tutoriel pour prouver ce qu'un observateur extérieur peut voir en utilisant un DNS normal non chiffré et un [DNS chiffré](#what-is-encrypted-dns). + +### DNS non chiffré + +1. En utilisant [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (qui fait partie du projet [Wireshark](https://fr. wikipedia. org/wiki/Wireshark)), nous pouvons surveiller et enregistrer le flux de paquets Internet. Cette commande enregistre les paquets qui répondent aux règles spécifiées : + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Nous pouvons ensuite utiliser [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) ou [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) pour envoyer la recherche DNS aux deux serveurs. Les logiciels tels que les navigateurs web effectuent ces recherches automatiquement, à moins qu'ils ne soient configurés pour utiliser un DNS chiffré. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Ensuite, nous voulons [ analyser](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) les résultats : + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Si vous exécutez la commande Wireshark ci-dessus, le volet supérieur affiche les "[trames](https://en.wikipedia.org/wiki/Ethernet_frame)", et le volet inférieur affiche toutes les données relatives à la trame sélectionnée. Les solutions de filtrage et de surveillance d'entreprise (telles que celles achetées par les gouvernements) peuvent effectuer ce processus automatiquement, sans interaction humaine, et peuvent agréger ces trames pour produire des données statistiques utiles à l'observateur du réseau. + +| No. | Heure | Source | Destination | Protocole | Longueur | Info | +| --- | -------- | --------- | ----------- | --------- | -------- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un observateur pourrait modifier n'importe lequel de ces paquets. + +## Qu'est-ce qu'un "DNS chiffré" ? + +Un DNS chiffré peut faire référence à un certain nombre de protocoles, les plus courants étant : + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) était l'une des premières méthodes de chiffrement des requêtes DNS. DNSCrypt opère sur le port 443 et fonctionne avec les protocoles de transport TCP ou UDP. DNSCrypt n'a jamais été soumis à l'IETF (Internet Engineering Task Force) [](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) et n'est pas passé par le processus de demande de commentaires (RFC) [](https://en.wikipedia.org/wiki/Request_for_Comments) . Il n'a donc pas été largement utilisé en dehors de quelques implémentations [](https://dnscrypt.info/implementations). En conséquence, il a été largement remplacé par le plus populaire [DNS sur HTTPS](#dns-over-https-doh). + +### DNS sur TLS (DoT) + +[**DNS sur TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) est une autre méthode de chiffrement des communications DNS qui est définie dans [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). La prise en charge a été implémentée pour la première fois dans Android 9, iOS 14, et sur Linux dans [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) dans la version 237. Ces dernières années, la préférence du secteur s'est déplacée de DoT vers DoH, car DoT est un protocole complexe [](https://dnscrypt.info/faq/) et sa conformité au RFC varie selon les implémentations existantes. Le DoT fonctionne également sur un port dédié 853 qui peut être facilement bloqué par des pare-feu restrictifs. + +### DNS sur HTTPS (DoH) + +[**DNS sur HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) tel que défini dans [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) regroupe les requêtes dans le protocole [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) et assure la sécurité avec HTTPS. La prise en charge a d'abord été ajoutée dans les navigateurs web tels que Firefox 60 et Chrome 83. + +L'implémentation native de DoH est apparue dans iOS 14, macOS 11, Microsoft Windows et Android 13 (cependant, elle ne sera pas activée [par défaut](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Sous Linux la prise en charge sera assurée par [l'implémentation](https://github.com/systemd/systemd/issues/8639) dans systemd donc [l'installation de logiciels tiers est encore nécessaire](../dns.md#encrypted-dns-proxies). + +## Que peut voir un tiers ? + +Dans cet exemple, nous allons enregistrer ce qui se passe lorsque nous faisons une requête DoH : + +1. Tout d'abord, lancez `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1 + ``` + +2. Deuxièmement, faites une requête avec `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Après avoir fait la demande, nous pouvons arrêter la capture de paquets avec CTRL + C. + +4. Analysez les résultats dans Wireshark : + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Nous pouvons voir [l'établissement de la connexion](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) et [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) qui se produit avec toute connexion chiffrée. Lorsque l'on regarde les paquets de "données d'application" qui suivent, aucun d'entre eux ne contient le domaine que nous avons demandé ou l'adresse IP renvoyée. + +## Pourquoi **ne devrais-je pas** utiliser un DNS chiffré ? + +Dans les endroits où il existe un filtrage (ou une censure) de l'Internet, la visite de ressources interdites peut avoir ses propres conséquences que vous devez prendre en compte dans votre [modèle de menace](../basics/threat-modeling.md). Nous ne suggérons **pas** l'utilisation de DNS chiffrés à cette fin. Utilisez plutôt [Tor](https://torproject.org) ou un [VPN](../vpn.md). Si vous utilisez un VPN, vous devez utiliser les serveurs DNS de votre VPN. En utilisant un VPN, vous lui confiez déjà toute votre activité réseau. + +Lorsque nous effectuons une recherche DNS, c'est généralement parce que nous voulons accéder à une ressource. Nous examinerons ci-dessous certaines des méthodes susceptibles de divulguer vos activités de navigation, même lorsque vous utilisez un DNS chiffré : + +### Adresse IP + +Le moyen le plus simple de déterminer l'activité de navigation est de regarder les adresses IP auxquelles vos appareils accèdent. Par exemple, si l'observateur sait que `privacyguides.org` est à `198.98.54.105`, et que votre appareil demande des données à `198.98.54.105`, il y a de fortes chances que vous visitiez Privacy Guides. + +Cette méthode n'est utile que lorsque l'adresse IP appartient à un serveur qui n'héberge que quelques sites web. Elle n'est pas non plus très utile si le site est hébergé sur une plateforme partagée (par exemple, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). Il n'est pas non plus très utile si le serveur est hébergé derrière un [proxy inverse](https://fr.wikipedia.org/wiki/Proxy_inverse), ce qui est très courant actuellement sur Internet. + +### Server Name Indication (SNI) + +La Server Name Indication (indication du nom du serveur) est généralement utilisée lorsqu'une adresse IP héberge de nombreux sites web. Il peut s'agir d'un service comme Cloudflare, ou d'une autre protection contre les [attaques par déni de service](https://fr.wikipedia.org/wiki/Attaque_par_déni_de_service). + +1. Recommencez à capturer avec `tshark`. Nous avons ajouté un filtre avec notre adresse IP pour que vous ne capturiez pas beaucoup de paquets : + + ```bash + tshark -w /tmp/pg.pcap port 443 et hôte 198.98.54.105 + ``` + +2. Ensuite, nous visitons [https://privacyguides.org](https://privacyguides.org). + +3. Après avoir visité le site web, nous voulons arrêter la capture de paquets avec CTRL + C. + +4. Ensuite, nous voulons analyser les résultats : + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Nous verrons l'établissement de la connexion, suivi du TLS handshake pour le site web Privacy Guides. Au niveau de l'image 5, vous verrez un "Client Hello". + +5. Développez le triangle ▸ à côté de chaque champ : + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer : Handshake Protocol : Client Hello + ▸ Handshake Protocol : Client Hello + ▸ Extension : server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Nous pouvons voir la valeur SNI qui révèle le site web que nous visitons. La commande `tshark` peut vous donner directement la valeur pour tous les paquets contenant une valeur SNI : + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Cela signifie que même si nous utilisons des serveurs "DNS chiffrés", le domaine sera probablement divulgué par le SNI. Le protocole [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) apporte avec lui [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), qui empêche ce type de fuite. + +Des gouvernements, en particulier [la Chine](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) et [la Russie](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ont déjà commencé à [bloquer](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) le protocole ou ont exprimé le souhait de le faire. Récemment, la Russie [a commencé à bloquer les sites web étrangers](https://github.com/net4people/bbs/issues/108) qui utilisent le standard [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3). En effet, le protocole [QUIC](https://fr.wikipedia.org/wiki/QUIC) qui fait partie de HTTP/3 exige que `ClientHello` soit également chiffré. + +### Online Certificate Status Protocol (OCSP) + +Une autre façon dont votre navigateur peut divulguer vos activités de navigation est avec [l'Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) (protocole de vérification de certificat en ligne). Lors de la visite d'un site Web HTTPS, le navigateur peut vérifier si le [certificat](https://fr.wikipedia.org/wiki/Certificat_%C3%A9lectronique) du site Web a été révoqué. Cela se fait généralement via le protocole HTTP, ce qui signifie qu'il **n'est pas** chiffré. + +La requête OCSP contient le certificat "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", qui est unique. Il est envoyé au "OCSP responder" afin de vérifier son statut. + +Nous pouvons simuler ce que ferait un navigateur en utilisant la commande [`openssl`](https://fr.wikipedia.org/wiki/OpenSSL). + +1. Obtenez le certificat du serveur et utilisez [`sed`](https://fr.wikipedia.org/wiki/Stream_Editor) pour ne garder que la partie importante et l'écrire dans un fichier : + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Obtenez le certificat intermédiaire. Les [Autorités de certification](https://fr.wikipedia.org/wiki/Autorité_de_certification) (CA) ne signent normalement pas directement un certificat ; elles utilisent ce que l'on appelle un certificat "intermédiaire". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. Le premier certificat dans `pg_and_intermediate.cert` est en fait le certificat du serveur de l'étape 1. Nous pouvons utiliser à nouveau `sed` pour tout supprimer jusqu'à la première instance de END : + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Obtenir le répondeur OCSP pour le certificat du serveur : + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Notre certificat montre le répondeur du certificat Lets Encrypt. Si nous voulons voir tous les détails du certificat, nous pouvons utiliser : + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Démarrer la capture de paquets : + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Faites la demande OCSP : + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Ouvrez la capture : + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Il y aura deux paquets avec le protocole "OCSP" : un "Demande" et un "Réponse". Pour la "Demande", nous pouvons voir le "numéro de série" en développant le triangle ▸ à côté de chaque champ : + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + Pour la "Réponse", nous pouvons également voir le "numéro de série" : + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Ou utilisez `tshark` pour filtrer les paquets du numéro de série : + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Si l'observateur du réseau dispose du certificat public, qui est accessible au public, il peut faire correspondre le numéro de série à ce certificat et donc déterminer le site que vous visitez à partir de celui-ci. Le processus peut être automatisé et permet d'associer des adresses IP à des numéros de série. Il est également possible de vérifier les journaux de [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) (en anlais) pour le numéro de série. + +## Devrais-je utiliser un DNS chiffré ? + +Nous avons créé cet organigramme pour décrire quand vous *devriez* utiliser des DNS chiffrés: + +``` mermaid +graph TB + Start[Démarrage] --> anonymous{Essayez-vous
d'être
anonyme ?} + anonymous--> | Oui | tor(Utilisez Tor) + anonymous --> | Non | censorship{Essayez-vous
d'eviter la
censure ?} + censorship --> | Oui | vpnOrTor(Utilisez un
VPN ou Tor) + censorship --> | Non | privacy{Essayez-vous de
protéger votre vie
privée du FAI ?} + privacy --> | Oui | vpnOrTor + privacy --> | Non | obnoxious{Votre
FAI fait des
redirections
nuisibles ?} + obnoxious --> | Oui | encryptedDNS(Utilisez un
DNS chiffré
tiers) + obnoxious --> | Non | ispDNS{Votre
FAI supporte
les DNS
chiffrés ?} + ispDNS --> | Oui | useISP(Utilisez le
DNS chiffré
de votre FAI) + ispDNS --> | Non | nothing(Ne faites rien) +``` + +Le DNS chiffré avec des serveurs tiers ne doit être utilisé que pour contourner le [blocage DNS](https://en.wikipedia.org/wiki/DNS_blocking) de base lorsque vous êtes certain qu'il n'y aura pas de conséquences ou que vous êtes intéressés par un fournisseur qui effectue un filtrage rudimentaire. + +[Liste des serveurs DNS recommandés](../dns.md ""){.md-button} + +## Qu'est-ce que le DNSSEC ? + +[Domain Name System Security Extensions](https://fr.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (extension de SECurité du Système de Nom de Domaine) est une fonctionnalité du DNS qui authentifie les réponses aux recherches de noms de domaine. Il ne fournit pas de protection de la vie privée pour ces recherches, mais empêche les attaquants de manipuler ou d'empoisonner les réponses aux requêtes DNS. + +En d'autres termes, le DNSSEC signe numériquement les données afin de garantir leur validité. Afin de garantir une recherche sécurisée, la signature a lieu à chaque niveau du processus de consultation du DNS. Par conséquent, toutes les réponses du DNS sont fiables. + +Le processus de signature DNSSEC est similaire à celui d'une personne qui signe un document juridique avec un stylo ; cette personne signe avec une signature unique que personne d'autre ne peut créer, et un expert judiciaire peut examiner cette signature et vérifier que le document a été signé par cette personne. Ces signatures numériques garantissent que les données n'ont pas été altérées. + +DNSSEC met en œuvre une politique de signature numérique hiérarchique à travers toutes les couches du DNS. Par exemple, dans le cas d'une consultation de `privacyguides.org`, un serveur DNS racine signe une clé pour le serveur de noms `.org`, et le serveur de noms `.org` signe ensuite une clé pour le serveur de noms faisant autorité `privacyguides.org`. + +Adapté de [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) par Google et [DNSSEC : An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) par Cloudflare, tous deux sous licence [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## Qu'est-ce que la minimization QNAME ? + +Un QNAME est un "nom qualifié", par exemple `privacyguides.org`. La QNAME minimization réduit la quantité d'informations envoyées par le serveur DNS au [serveur de noms](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server) faisant autorité. + +Au lieu d'envoyer le domaine entier `privacyguides.org`, la QNAME minimization signifie que le serveur DNS demandera tous les enregistrements qui se terminent par `.org`. Une description technique plus détaillée est définie dans [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## Qu'est-ce que le sous-réseau client EDNS (ECS) ? + +Le [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) est une méthode permettant à un résolveur DNS récursif de spécifier un [sous-réseau](https://fr.wikipedia.org/wiki/Sous-réseau) pour l'hôte ou le [client](https://fr.wikipedia.org/wiki/Client_(informatique)) qui effectue la requête DNS. + +Il est destiné à "accélérer" la transmission des données en donnant au client une réponse qui appartient à un serveur proche de lui, comme un [réseau de diffusion de contenu](https://fr.wikipedia.org/wiki/Réseau_de_diffusion_de_contenu), souvent utilisé pour la diffusion de vidéos en continu et pour servir des applications Web JavaScript. + +Cette fonction a un coût en termes de confidentialité, car elle fournit au serveur DNS des informations sur la localisation du client. diff --git a/i18n/fr/advanced/payments.md b/i18n/fr/advanced/payments.md new file mode 100644 index 00000000..c3fe69c7 --- /dev/null +++ b/i18n/fr/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Paiements privés +icon: material/hand-coin +--- + +Ce n'est pas pour rien que les données relatives à vos habitudes d'achat sont considérées comme le Saint-Graal du ciblage publicitaire : vos achats peuvent constituer un véritable trésor de données vous concernant. Malheureusement, le système financier actuel est, de par sa conception, hostile à la protection de la vie privée, car il permet aux banques, aux autres entreprises et aux gouvernements de retracer facilement les transactions. Néanmoins, vous disposez de nombreuses options pour effectuer des paiements de façon privée. + +## Argent liquide + +Pendant des siècles, **l'argent liquide** a été la principale forme de paiement privé. Dans la plupart des cas, l'argent liquide présente d'excellentes caractéristiques de confidentialité, est largement accepté dans la plupart des pays et est **fongible**, ce qui signifie qu'il n'est pas unique et qu'il est totalement interchangeable. + +Les lois sur les paiements en espèces varient d'un pays à l'autre. Aux États-Unis, les paiements en espèces supérieurs à 10 000 $ doivent faire l'objet d'une déclaration spéciale à l'IRS sur le [formulaire 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). L'entreprise destinataire est tenue de vérifier l'identité du bénéficiaire (nom, adresse, profession, date de naissance et numéro de sécurité sociale ou autre numéro fiscal), à quelques exceptions près. Des limites inférieures sans pièce d'identité, telles que 3 000 $ ou moins, existent pour les échanges et les transferts de fonds. Les espèces contiennent également des numéros de série. Ces données ne sont presque jamais tracées par les commerçants, mais elles peuvent être utilisées par les services répressifs dans le cadre d'enquêtes ciblées. + +Malgré cela, c'est généralement la meilleure option. + +## Cartes prépayées & cartes-cadeaux + +Il est relativement simple d'acheter des cartes-cadeaux et des cartes prépayées dans la plupart des magasins d'alimentation et des commerces de proximité avec de l'argent liquide. Les cartes-cadeaux ne sont généralement pas payantes, mais les cartes prépayées le sont souvent. Il convient donc d'être attentif à ces frais et aux dates d'expiration. Certains magasins peuvent demander à voir votre pièce d'identité à la caisse afin de réduire les fraudes. + +Les cartes-cadeaux sont généralement assorties d'une limite de 200 $ par carte, mais certaines offrent des limites allant jusqu'à 2 000 $ par carte. Les cartes prépayées (Visa ou Mastercard, par exemple) sont généralement assorties d'une limite de 1 000 $ par carte. + +Les cartes-cadeaux ont l'inconvénient d'être soumises aux politiques des commerçants, qui peuvent avoir des conditions et des restrictions terribles. Par exemple, certains commerçants n'acceptent pas exclusivement les paiements par carte-cadeau ou peuvent annuler la valeur de la carte s'ils considèrent que vous êtes un utilisateur à haut risque. Une fois que vous disposez d'un crédit commercial, le commerçant exerce un contrôle important sur ce crédit. + +Les cartes prépayées ne permettent pas de retirer de l'argent dans les DABs ni d'effectuer des paiements "pair à pair" avec Venmo et d'autres applications similaires. + +Pour la plupart des gens, l'argent liquide reste la meilleure option pour les achats en personne. Les cartes-cadeaux peuvent être utiles pour les économies qu'elles permettent de réaliser. Les cartes prépayées peuvent être utiles dans les endroits qui n'acceptent pas d'argent liquide. Les cartes-cadeaux et les cartes prépayées sont plus faciles à utiliser en ligne que l'argent liquide, et elles sont plus faciles à acquérir avec des crypto-monnaies qu'avec de l'argent liquide. + +### Marchés en ligne + +Si vous avez des [crypto-monnaies](../cryptocurrency.md), vous pouvez acheter des cartes-cadeaux sur une place de marché de cartes-cadeaux en ligne. Certains de ces services proposent des options de vérification d'identité pour des limites plus élevées, mais ils permettent également d'ouvrir des comptes avec une simple adresse email. Les limites de base commencent à 5 000 - 10 000 $ par jour pour les comptes de base, et des limites nettement plus élevées sont prévues pour les comptes dont l'identité a été vérifiée (le cas échéant). + +Lorsque vous achetez des cartes-cadeaux en ligne, vous bénéficiez généralement d'une légère réduction. Les cartes prépayées sont généralement vendues en ligne à leur valeur nominale ou moyennant des frais. Si vous achetez des cartes prépayées et des cartes-cadeaux avec des crypto-monnaies, vous devriez fortement préférer payer avec du Monero qui offre une grande confidentialité, plus d'informations à ce sujet ci-dessous. Payer une carte-cadeau avec une méthode de paiement traçable annule les avantages qu'une carte-cadeau peut offrir lorsqu'elle est achetée en espèces ou en Monero. + +- [Places de marché de cartes-cadeaux en ligne :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Cartes virtuelles + +Un autre moyen de protéger vos informations auprès des commerçants en ligne est d'utiliser des cartes virtuelles à usage unique qui masquent vos informations bancaires ou de facturation. Cette fonction est principalement utile pour vous protéger contre les fuites de données des commerçants, le suivi peu sophistiqué ou la corrélation des achats par les agences de marketing, et le vol de données en ligne. Elles ne vous aident **pas** à effectuer un achat de manière totalement anonyme et ne cachent aucune information à l'institution bancaire elle-même. Les institutions financières habituelles qui proposent des cartes virtuelles sont soumises aux lois sur la connaissance du client (KYC), ce qui signifie qu'elles peuvent exiger une pièce d'identité ou d'autres informations d'identification. + +- [Services de masquage des paiements recommandés :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +Ce sont généralement de bonnes options pour les paiements récurrents/abonnements en ligne, tandis que les cartes-cadeaux prépayées sont préférables pour les transactions ponctuelles. + +## Crypto-monnaie + +Les crypto-monnaies sont une forme numérique de monnaie conçue pour fonctionner sans autorités centrales telles qu'un gouvernement ou une banque. Bien que *certains* projets de crypto-monnaie vous permettent d'effectuer des transactions privées en ligne, beaucoup d'entre eux utilisent une chaîne de blocs publique qui ne garantit pas la confidentialité des transactions. Les crypto-monnaies ont également tendance à être des actifs très volatils, ce qui signifie que leur valeur peut changer rapidement et de manière significative à tout moment. C'est pourquoi nous ne recommandons généralement pas d'utiliser les crypto-monnaies comme réserve de valeur à long terme. Si vous décidez d'utiliser des crypto-monnaies en ligne, assurez-vous au préalable de bien comprendre les aspects liés à la protection de la vie privée et n'investissez que des montants qu'il ne serait pas désastreux de perdre. + +!!! danger "Danger" + + La grande majorité des crypto-monnaies fonctionnent sur une chaîne de blocs **publique**, ce qui signifie que chaque transaction est connue de tous. Cela inclut même les crypto-monnaies les plus connues comme le Bitcoin et l'Ethereum. Les transactions avec ces crypto-monnaies ne doivent pas être considérées comme privées et ne protégeront pas votre anonymat. + + En outre, de nombreuses crypto-monnaies, si ce n'est la plupart, sont des escroqueries. Effectuez des transactions avec prudence, uniquement avec des projets auxquels vous faites confiance. + +### Crypto-monnaies privées + +Il existe un certain nombre de projets de crypto-monnaies qui prétendent assurer la protection de la vie privée en rendant les transactions anonymes. Nous recommandons d'en utiliser un qui assure l'anonymat des transactions **par défaut** afin d'éviter des erreurs opérationnelles. + +- [Crypto-monnaies recommandées :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Les crypto-monnaies privées font l'objet d'un examen de plus en plus minutieux de la part des agences gouvernementales. En 2020, [l'IRS a publié une prime de 625 000 $](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) pour des outils qui peuvent briser la confidentialité des transactions du réseau Lightning Bitcoin et/ou de Monero. En fin de compte, ils [ont versé à deux sociétés](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis et Integra Fec) un montant combiné de 1,25 million $ pour des outils qui prétendent le faire (on ne sait pas quel réseau de crypto-monnaies ces outils ciblent). En raison du secret qui entoure ce type d'outils, ==aucune de ces méthodes de traçage des crypto-monnaies n'a été confirmée de manière indépendante.== Cependant, il est tout à fait probable que des outils qui aident les enquêtes ciblées sur les transactions de crypto-monnaies privées existent, et que les crypto-monnaies privées ne parviennent qu'à contrecarrer la surveillance de masse. + +### Autres crypto-monnaies (Bitcoin, Ethereum, etc.) + +La grande majorité des projets de crypto-monnaies utilisent une chaîne de blocs publique, ce qui signifie que toutes les transactions sont à la fois facilement traçables et permanentes. C'est pourquoi nous décourageons fortement l'utilisation de la plupart des crypto-monnaies pour une utilisation liées à la protection de la vie privée. + +Les transactions anonymes sur une chaîne de blocs publique sont *théoriquement* possibles, et le wiki Bitcoin [donne un exemple de transaction "complètement anonyme"](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). Toutefois, cela nécessite une configuration compliquée impliquant Tor et le "minage en solo" d'un bloc pour générer une crypto-monnaie complètement indépendante, une pratique qui n'a pas été pratique pour presque tous les enthousiastes depuis de nombreuses années. + +==Votre meilleure option est d'éviter complètement ces crypto-monnaies et de vous en tenir à une qui assure la confidentialité par défaut.== Tenter d'utiliser d'autres crypto-monnaies sort du cadre de ce site et est fortement déconseillé. + +### Garde du portefeuille + +Il existe deux types de portefeuilles pour les crypto-monnaies : les portefeuilles de garde et les portefeuilles non gardiens. Les portefeuilles de garde sont gérés par des sociétés centralisées ou des centres d'échange, qui détiennent la clé privée de votre portefeuille, et vous pouvez y accéder n'importe où, en général avec un nom d'utilisateur et un mot de passe ordinaires. Les portefeuilles non gardiens sont des portefeuilles dont vous contrôlez et gérez les clés privées permettant d'y accéder. Si vous conservez les clés privées de votre portefeuille en toute sécurité et que vous les sauvegardez, les portefeuilles non gardiens offrent une plus grande sécurité et une meilleure résistance à la censure que les portefeuilles dépositaires, car vos crypto-monnaies ne peuvent pas être volées ou gelées par une entreprise qui a la garde de vos clés privées. La garde des clés est particulièrement importante lorsqu'il s'agit de crypto-monnaies privées : les portefeuilles de garde permettent à la société d'exploitation de consulter vos transactions, ce qui annule les avantages de ces crypto-monnaies sur la protection de la vie privée. + +### Acquisition + +Il peut être difficile d'acquérir des [crypto-monnaies](../cryptocurrency.md) comme Monero de façon privée. Les places de marché P2P telles que [LocalMonero](https://localmonero.co/), une plateforme qui facilite les échanges entre les personnes, sont une option qui peut être utilisée. Si l'utilisation d'un centre d'échange exigeant la connaissance du client (KYC) est un risque acceptable pour vous tant que les transactions ultérieures ne peuvent pas être tracées, une option beaucoup plus facile est d'acheter des Monero sur un centre d'échange comme [Kraken](https://kraken.com/), ou d'acheter des Bitcoin/Litecoin sur un centre d'échange KYC qui peuvent ensuite être échangés contre des Monero. Ensuite, vous pouvez retirer les Monero achetés vers votre propre portefeuille non gardien pour les utiliser de façon privée à partir de ce moment-là. + +Si vous optez pour cette solution, veillez à acheter des Monero à des moments et dans des quantités différents de ceux où vous les dépenserez. Si vous achetez 5 000 $ de Monero sur un centre d'échange et que vous effectuez un achat de 5 000 $ avec du Monero une heure plus tard, ces actions pourraient potentiellement être corrélées par un observateur extérieur, quel que soit le chemin emprunté par le Monero. L'échelonnement des achats et l'achat de grandes quantités de Monero à l'avance pour les dépenser plus tard dans de multiples transactions plus petites peuvent permettre d'éviter ce piège. + +## Autres considérations + +Lorsque vous effectuez un paiement en personne avec de l'argent liquide, n'oubliez pas de penser à votre vie privée physique. Les caméras de sécurité sont omniprésentes. Envisagez de porter des vêtements non distincts et un masque facial (tel qu'un masque chirurgical ou N95). Ne vous inscrivez pas à des programmes de récompense et ne fournissez pas d'autres informations vous concernant. + +Lorsque vous achetez en ligne, l'idéal est de le faire sur [Tor](tor-overview.md). Cependant, de nombreux commerçants n'autorisent pas les achats avec Tor. Vous pouvez envisager d'utiliser un [VPN recommandé](../vpn.md) (payé en espèces, par carte-cadeau ou par Monero), ou d'effectuer l'achat dans un café ou une bibliothèque disposant d'une connexion Wi-Fi gratuite. Si vous commandez un article physique qui doit être livré, vous devrez fournir une adresse de livraison. Vous devriez envisager d'utiliser une boîte postale, une boîte aux lettres privée ou une adresse professionnelle. diff --git a/i18n/fr/advanced/tor-overview.md b/i18n/fr/advanced/tor-overview.md new file mode 100644 index 00000000..14e2e345 --- /dev/null +++ b/i18n/fr/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Introduction à Tor" +icon: 'simple/torproject' +description: Tor est un réseau décentralisé, gratuit, conçu pour utiliser Internet avec le plus de confidentialité possible. +--- + +Tor est un réseau décentralisé, gratuit, conçu pour utiliser Internet avec le plus de confidentialité possible. S'il est utilisé correctement, le réseau permet une navigation et des communications privées et anonymes. + +## Création de chemins vers les services de surface + +Les "services de surface" sont des sites web auxquels vous pouvez accéder avec n'importe quel navigateur, comme [privacyguides.org](https://www.privacyguides.org). Tor vous permet de vous connecter à ces sites web de manière anonyme en acheminant votre trafic via un réseau composé de milliers de serveurs gérés par des bénévoles et appelés nœuds (ou relais). + +Chaque fois que vous [vous connectez à Tor](../tor.md), il choisit trois nœuds pour construire un chemin vers Internet - ce chemin est appelé "circuit" + +
+ ![Chemin Tor montrant votre appareil se connectant à un noeud d'entrée, un noeud central et un noeud de sortie avant d'atteindre le site web de destination](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Chemin Tor montrant votre appareil se connectant à un noeud d'entrée, un noeud central et un noeud de sortie avant d'atteindre le site web de destination](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Chemin du circuit Tor
+
+ +Chacun de ces nœuds a sa propre fonction: + +### Le nœud d'entrée + +Le noeud d'entrée, souvent appelé le noeud de garde, est le premier noeud auquel votre client Tor se connecte. Le nœud d'entrée est capable de voir votre adresse IP, mais il est incapable de voir à quoi vous vous connectez. + +Contrairement aux autres nœuds, le client Tor choisira aléatoirement un nœud d'entrée et restera avec lui pendant deux à trois mois pour vous protéger de certaines attaques.[^1] + +### Le nœud central + +Le noeud central est le second noeud auquel votre client Tor se connecte. Il peut voir de quel nœud provient le trafic - le nœud d'entrée - et vers quel nœud il se dirige ensuite. Le nœud central ne peut pas voir votre adresse IP ou le domaine auquel vous vous connectez. + +Pour chaque nouveau circuit, le nœud central est choisi au hasard parmi tous les nœuds Tor disponibles. + +### Le nœud de sortie + +Le nœud de sortie est le point où votre trafic web quitte le réseau Tor et est transféré vers la destination souhaitée. Le nœud de sortie ne peut pas voir votre adresse IP, mais il sait à quel site il se connecte. + +Le noeud de sortie sera choisi au hasard parmi tous les noeuds Tor disponibles et exécutés avec une balise "relais de sortie".[^2] + +## Création de chemins vers les services onion + +Les "services onion" (également communément appelés "services cachés") sont des sites web auxquels on ne peut accéder qu'au moyen du navigateur Tor. Ces sites web ont un long nom de domaine généré de manière aléatoire et se terminant par `.onion`. + +La connexion à un service onion dans Tor fonctionne de manière très similaire à la connexion à un service de surface, mais votre trafic est acheminé à travers un total de **six nœuds** avant d'atteindre le serveur de destination. Cependant, comme auparavant, seuls trois de ces nœuds contribuent à *votre* anonymat, les trois autres nœuds protègent *l'anonymat du service onion*, en cachant la véritable IP et la localisation du site web de la même manière que le navigateur Tor cache les vôtres. + +
+ ![Chemin Tor montrant votre trafic acheminé à travers vos trois noeuds Tor plus trois noeuds Tor supplémentaires qui cachent l'identité du site web](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Chemin Tor montrant votre trafic acheminé à travers vos trois noeuds Tor plus trois noeuds Tor supplémentaires qui cachent l'identité du site web](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Chemin du circuit Tor avec des services onion. Les nœuds de la zone bleue appartiennent à votre navigateur, tandis que les nœuds de la zone rouge appartiennent au serveur, de sorte que leur identité vous est cachée.
+
+ +## Chiffrement + +Tor chiffre chaque paquet (un bloc de données transmises) trois fois avec les clés du nœud de sortie, du nœud central, et du nœud d'entrée, dans cet ordre. + +Une fois que Tor a construit un circuit, la transmission des données se fait comme suit: + +1. Premièrement: lorsque le paquet arrive au nœud d'entrée, la première couche de chiffrement est supprimée. Dans ce paquet chiffré, le nœud d'entrée trouvera un autre paquet chiffré avec l'adresse du nœud central. Le nœud d'entrée transmet ensuite le paquet au nœud central. + +2. Deuxièmement : lorsque le nœud central reçoit le paquet du nœud d'entrée, il supprime lui aussi une couche de chiffrement avec sa clé, et trouve cette fois un paquet chiffré avec l'adresse du nœud de sortie. Le nœud central transmet ensuite le paquet au nœud de sortie. + +3. Enfin, lorsque le nœud de sortie reçoit son paquet, il supprime la dernière couche de chiffrement avec sa clé. Le nœud de sortie verra l'adresse de destination et transmettra le paquet à cette adresse. + +Vous trouverez ci-dessous un autre schéma illustrant le processus. Chaque nœud supprime sa propre couche de chiffrement, et lorsque le serveur de destination renvoie les données, le même processus se déroule entièrement en sens inverse. Par exemple, le nœud de sortie ne sait pas qui vous êtes, mais il sait de quel nœud il provient. Il ajoute donc sa propre couche de chiffrement et renvoie le message. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Envoyer et recevoir des données à travers le réseau Tor
+
+ +Tor nous permet de nous connecter à un serveur sans que personne ne connaisse le chemin entier. Le nœud d'entrée sait qui vous êtes, mais pas où vous allez; le nœud central ne sait pas qui vous êtes ni où vous allez; et le nœud de sortie sait où vous allez, mais pas qui vous êtes. Comme le nœud de sortie est celui qui établit la connexion finale, le serveur de destination ne connaîtra jamais votre adresse IP. + +## Mises en garde  + +Bien que Tor offre de solides garanties de confidentialité, il faut être conscient que Tor n'est pas parfait: + +- Des adversaires bien financés ayant la capacité d'observer passivement la plupart du trafic réseau mondial ont une chance de désanonymiser les utilisateurs de Tor au moyen d'une analyse avancée du trafic. Tor ne vous protège pas non plus contre le risque de vous exposer par erreur, par exemple si vous partagez trop d'informations sur votre véritable identité. +- Les nœuds de sortie de Tor peuvent également surveiller le trafic qui passe par eux. Cela signifie que le trafic qui n'est pas chiffré, comme le trafic HTTP ordinaire, peut être enregistré et surveillé. Si ce trafic contient des informations permettant de vous identifier, il peut vous désanonymiser aux yeux de ce nœud de sortie. Par conséquent, nous recommandons d'utiliser HTTPS via Tor dans la mesure du possible. + +Si vous souhaitez utiliser Tor pour naviguer sur le web, nous ne recommandons que le navigateur Tor **officiel** - il est conçu pour empêcher la prise d'empreintes numériques. + +- [Navigateur Tor :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Ressources supplémentaires + +- [Manuel d'utilisation du navigateur Tor](https://tb-manual.torproject.org) +- [Comment Tor fonctionne - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Services onion Tor - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: Le premier relais de votre circuit est appelé "garde d'entrée" ou "garde". Il s'agit d'un relais rapide et stable qui reste le premier de votre circuit pendant 2 à 3 mois afin de vous protéger contre une attaque connue de rupture d'anonymat. Le reste de votre circuit change avec chaque nouveau site web que vous visitez, et tous ensemble ces relais fournissent les protections complètes de Tor en matière de vie privée. Pour en savoir plus sur le fonctionnement des relais de garde, consultez cet [article de blog](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) et ce [document](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) sur les gardes d'entrée. ([https://support.torproject.org/fr/tbb/tbb-2/](https://support.torproject.org/fr/tbb/tbb-2/)) + +[^2]: Balise de relai: une (dis-)qualification spéciale des relais pour les positions de circuit (par exemple, "Guard", "Exit", "BadExit"), les propriétés de circuit (par exemple, "Fast", "Stable") ou les rôles (par exemple, "Authority", "HSDir"), tels qu'attribués par les autorités de l'annuaire et définis plus précisément dans la spécification du protocole de l'annuaire. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/fr/android.md b/i18n/fr/android.md new file mode 100644 index 00000000..23df9ef5 --- /dev/null +++ b/i18n/fr/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: Vous pouvez remplacer le système d'exploitation de votre téléphone Android par ces alternatives sécurisées et respectueuses de la vie privée. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Systèmes d'exploitation Android privés + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Logo d'Android](assets/img/android/android.svg){ align=right } + +**Android Open Source Project** est un système d'exploitation mobile open source dirigé par Google qui équipe la majorité des appareils mobiles dans le monde. La plupart des téléphones vendus avec Android sont modifiés pour inclure des intégrations et des applications invasives telles que Google Play Services. Vous pouvez donc améliorer considérablement votre vie privée sur votre appareil mobile en remplaçant l'installation par défaut de votre téléphone par une version d'Android dépourvue de ces fonctionnalités invasives. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Page d'accueil } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Code source" } + +Voici les systèmes d'exploitation, les appareils et les applications Android que nous recommandons pour optimiser la sécurité et la confidentialité de votre appareil mobile. Pour en savoir plus sur Android : + +[Présentation générale d'Android :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Pourquoi nous recommandons GrapheneOS plutôt que CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Dérivés de AOSP + +Nous vous recommandons d'installer l'un de ces systèmes d'exploitation Android personnalisés sur votre appareil, classés par ordre de préférence, en fonction de la compatibilité de votre appareil avec ces systèmes d'exploitation. + +!!! note "À noter" + + Les appareils en fin de vie (tels que les appareils à "support étendu" de GrapheneOS ou de CalyxOS) ne disposent pas de correctifs de sécurité complets (mises à jour de micrologiciel) en raison de l'arrêt du support par le constructeur. Ces appareils ne peuvent pas être considérés comme totalement sûrs, quel que soit le logiciel installé. + +### GrapheneOS + +!!! recommendation + + ![Logo GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![Logo GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** est le meilleur choix en matière de confidentialité et de sécurité. + + GrapheneOS apporte des améliorations supplémentaires en matière de [renforcement de la sécurité](https://fr.wikipedia.org/wiki/Durcissement_%28informatique%29) et de confidentialité. Il dispose d'un [allocateur de mémoire renforcé](https://github.com/GrapheneOS/hardened_malloc), d'autorisations pour le réseau et les capteurs, et de diverses autres [fonctions de sécurité](https://grapheneos.org/features). GrapheneOS est également livré avec des mises à jour complètes du micrologiciel et des versions signées, de sorte que le démarrage vérifié est entièrement pris en charge. + + [:octicons-home-16: Page d'accueil ](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Code source" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer } + +GrapheneOS prend en charge [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), qui exécute les [Services Google Play](https://fr.wikipedia.org/wiki/Services_Google_Play) entièrement sandboxed comme toute autre application normale. Cela signifie que vous pouvez profiter de la plupart des services Google Play, tels que [les notifications push](https://firebase.google.com/docs/cloud-messaging/), tout en vous donnant un contrôle total sur leurs autorisations et leur accès, et tout en les contenant à un [profil de travail](os/android-overview.md#work-profile) ou un [profil d'utilisateur](os/android-overview.md#user-profiles) spécifique de votre choix. + +Les téléphones Google Pixel sont les seuls appareils qui répondent actuellement aux [exigences de sécurité matérielle](https://grapheneos.org/faq#device-support) de GrapheneOS. + +### DivestOS + +!!! recommendation + + ![Logo DivestOS](assets/img/android/divestos.svg){ align=right } + + **DivestOS** est un léger dérivé de [LineageOS](https://lineageos.org/). + DivestOS hérite de nombreux [appareils pris en charge](https://divestos.org/index.php?page=devices&base=LineageOS) de LineageOS. Il a des versions signées, ce qui permet d'avoir un [démarrage vérifié](https://source.android.com/security/verifiedboot) sur certains appareils autres que des Pixel. + + [:octicons-home-16: Page d'accueil](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Service oignon" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Code source" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribuer } + +DivestOS a une [correction](https://gitlab.com/divested-mobile/cve_checker) automatique des vulnérabilités de noyau ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), moins de blobs propriétaires, et un fichier [hosts](https://divested.dev/index.php?page=dnsbl) personnalisé. Sa WebView renforcée, [Mulch](https://gitlab.com/divested-mobile/mulch), permet [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) pour toutes les architectures et [un partitionnement de l'état du réseau](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), et reçoit des mises à jour hors bande. DivestOS inclut également les correctifs de noyau de GrapheneOS et active toutes les fonctions de sécurité de noyau disponibles via le [renforcement defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Tous les noyaux plus récents que la version 3.4 incluent une [désinfection](https://lwn.net/Articles/334747/) complète de la page et tous les ~22 noyaux compilés par Clang ont [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) activé. + +DivestOS met en œuvre certains correctifs de renforcement du système développés à l'origine pour GrapheneOS. DivestOS 16.0 et plus implémente les autorisations [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) et SENSORS de GrapheneOS, l'[allocateur de mémoire renforcé](https://github.com/GrapheneOS/hardened_malloc), l'[exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), la [constification](https://en.wikipedia.org/wiki/Java_Native_Interface) [JNI](https://en.wikipedia.org/wiki/Const_(computer_programming)), et des patchs de renforcement [bioniques](https://en.wikipedia.org/wiki/Bionic_(software)) partiels. Les versions 17.1 et supérieures offrent l'option de GrapheneOS pour [randomiser les adresses MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) entre réseaux, le contrôle [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) et les options de redémarrage/coupure Wi-Fi/coupure Bluetooth automatique [sur délai](https://grapheneos.org/features). + +DivestOS utilise F-Droid comme magasin d'applications par défaut. Normalement, nous recommanderions d'éviter F-Droid en raison de ses nombreux [problèmes de sécurité](#f-droid). Cependant, l'éviter sur DivestOS n'est pas viable ; les développeurs mettent à jour leurs applications via leurs propres dépôts F-Droid ([Official DivestOS](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) et [WebView DivestOS](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Nous recommandons de désactiver l'application officielle F-Droid et d'utiliser le [Neo Store](https://github.com/NeoApplications/Neo-Store/) avec les dépôts DivestOS activés pour maintenir ces composants à jour. Pour les autres applications, nos méthodes recommandées pour les obtenir restent applicables. + +!!! warning "Avertissement" + + L'[état](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) des mises à jour du micrologiciel DivestOS et le contrôle de la qualité varient selon les appareils qu'il prend en charge. Nous recommandons toujours GrapheneOS en fonction de la compatibilité de votre appareil. Pour les autres appareils, DivestOS est une bonne alternative. + + Tous les appareils pris en charge ne disposent pas d'un démarrage vérifié, et certains le font mieux que d'autres. + +## Appareils Android + +Lorsque vous achetez un appareil, nous vous recommandons d'en prendre un aussi neuf que possible. Les logiciels et les micrologiciels des appareils mobiles ne sont pris en charge que pour une durée limitée. L'achat de nouveaux appareils permet donc de prolonger cette durée de vie autant que possible. + +Évitez d'acheter des téléphones auprès des opérateurs de réseaux mobiles. Ces derniers ont souvent un **chargeur d'amorçage verrouillé** et ne supportent pas le [déverrouillage constructeur](https://source.android.com/devices/bootloader/locking_unlocking). Ces variantes de téléphone vous empêcheront d'installer tout type de distribution Android alternative. + +Soyez très **prudent** lorsque vous achetez des téléphones d'occasion sur des marchés en ligne. Vérifiez toujours la réputation du vendeur. Si l'appareil est volé, il est possible que l'[IMEI soit mis sur liste noire](https://www.gsma.com/security/resources/imei-blacklisting/). Il y a également un risque d'être associé à l'activité de l'ancien propriétaire. + +Quelques conseils supplémentaires concernant les appareils Android et la compatibilité des systèmes d'exploitation : + +- N'achetez pas d'appareils qui ont atteint ou sont sur le point d'atteindre leur fin de vie, des mises à jour supplémentaires du micrologiciel doivent être fournies par le fabricant. +- N'achetez pas de téléphones LineageOS ou /e/ OS préchargés ou tout autre téléphone Android sans prise en charge adéquate du [Démarrage Vérifié](https://source.android.com/security/verifiedboot) et sans mises à jour du micrologiciel. En outre, ces appareils ne vous permettent pas de vérifier s'ils ont été manipulés. +- En bref, si un appareil ou une distribution Android ne figure pas dans cette liste, il y a probablement une bonne raison. Consultez notre [forum](https://discuss.privacyguides.net/) pour en savoir plus ! + +### Google Pixel + +Les téléphones Google Pixel sont les **seuls** appareils dont nous recommandons l'achat. Les téléphones Pixel ont une sécurité matérielle plus forte que tous les autres appareils Android actuellement sur le marché, grâce à une prise en charge AVB adéquate pour les systèmes d'exploitation tiers et aux puces de sécurité personnalisées [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) de Google faisant office d'Elément Sécurisé. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + Les appareils **Google Pixel** sont connus pour avoir une bonne sécurité et prendre correctement en charge le [Démarrage Vérifié](https://source.android.com/security/verifiedboot), même lors de l'installation de systèmes d'exploitation personnalisés. + + À partir des **Pixel 6** et **6 Pro**, les appareils Pixel bénéficient d'un minimum de 5 ans de mises à jour de sécurité garanties, ce qui leur assure une durée de vie bien plus longue que les 2 à 4 ans généralement proposés par les constructeurs concurrents. + + [:material-shopping: Boutique](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Les Eléments Sécurisés comme le Titan M2 sont plus limités que le Trusted Execution Environment du processeur utilisé par la plupart des autres téléphones, car ils ne sont utilisés que pour le stockage des secrets, l'attestation matérielle et la limitation du débit, et non pour exécuter des programmes "de confiance". Les téléphones dépourvus d'un Elément Sécurisé doivent utiliser le TEE pour *toutes* ces fonctions, ce qui élargit la surface d'attaque. + +Les téléphones Google Pixel utilisent un OS TEE appelé Trusty qui est [open source](https://source.android.com/security/trusty#whyTrusty), contrairement à de nombreux autres téléphones. + +L'installation de GrapheneOS sur un téléphone Pixel est facile avec leur [installateur web](https://grapheneos.org/install/web). Si vous ne vous sentez pas à l'aise pour le faire vous-même et que vous êtes prêt à dépenser un peu plus d'argent, consultez le site [NitroPhone](https://shop.nitrokey.com/shop) car ils sont préchargés avec GrapheneOS et viennent de la société réputée [Nitrokey](https://www.nitrokey.com/about). + +Quelques conseils supplémentaires pour l'achat d'un Google Pixel : + +- Si vous cherchez une bonne affaire pour un appareil Pixel, nous vous suggérons d'acheter un modèle "**a**", juste après la sortie du prochain produit phare de la marque. Des remises sont généralement disponibles parce que Google essaie d'écouler son stock. +- Tenez compte des offres spéciales et réductions proposées par les magasins en dur. +- Consultez les sites communautaires de bonnes affaires en ligne dans votre pays. Ils peuvent vous alerter lors de bonnes ventes. +- Google fournit une liste indiquant le [cycle de support](https://support.google.com/nexus/answer/4457705) pour chacun de ses appareils. Le prix par jour d'un appareil peut être calculé comme suit : $\text{Coût} \over \text {Date fin de vie}-\text{Date du jour}$, ce qui signifie que plus l'utilisation de l'appareil est longue, plus le coût par jour est faible. + +## Applications générales + +Nous recommandons une grande variété d'applications Android sur ce site. Les applications répertoriées ici sont exclusives à Android et améliorent ou remplacent les principales fonctionnalités du système. + +### Shelter + +!!! recommendation + + ![Logo Shelter](assets/img/android/shelter.svg){ align=right } + + **Shelter** est une application qui vous aide à tirer parti de la fonctionnalité Profil de Travail d'Android pour isoler ou dupliquer des applications sur votre appareil. + + Shelter prend en charge le blocage de la recherche de contacts entre profils et le partage de fichiers entre profils via le gestionnaire de fichiers par défaut ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Dépôt](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning "Avertissement" + + Shelter est recommandé par rapport à [Insular](https://secure-system.gitlab.io/Insular/) et [Island](https://github.com/oasisfeng/island) car il prend en charge le [blocage de la recherche de contact](https://secure-system.gitlab.io/Insular/faq.html). + + En utilisant Shelter, vous accordez une confiance totale à son développeur, car Shelter agit en tant qu'[administrateur de l'appareil](https://developer.android.com/guide/topics/admin/device-admin) pour créer le Profil de Travail, et il a un accès étendu aux données stockées dans ce dernier. + +### Auditor + +!!! recommendation + + ![Logo d'Auditor](assets/img/android/auditor.svg#only-light){ align=right } + ![Logo d'Auditor](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** est une application qui exploite les fonctions de sécurité matérielle pour assurer le contrôle de l'intégrité des [appareils pris en charge](https://attestation.app/about#device-support). Pour le moment elle ne fonctionne qu'avec GrapheneOS et le système d'exploitation d'origine de l'appareil. + + [:octicons-home-16: Page d'accueil](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Code source" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases) + +Auditor effectue l'attestation et la détection d'intrusion : + +- A l'aide d'un modèle de [Confiance lors de la première utilisation (TOFU - Trust On First Use)](https://en.wikipedia.org/wiki/Trust_on_first_use) entre un *auditeur* et un *audité*, la paire établit une clé privée dans le trousseau [matériel](https://source.android.com/security/keystore/) d'*Auditor*. +- L'*auditeur* peut être une autre instance de l'application Auditor ou le [Service d'Attestation à Distance](https://attestation.app). +- L'*auditeur* enregistre l'état et la configuration actuels de l'*audité*. +- En cas d'altération du système d'exploitation de l'*audité* après l'appairage, l'auditeur sera informé de la modification de l'état et des configurations de l'appareil. +- Vous serez alerté de ce changement. + +Aucune donnée à charactère personnel n'est soumise au service d'attestation. Nous vous recommandons de vous inscrire avec un compte anonyme et d'activer l'attestation à distance pour un contrôle continu. + +Si votre [modèle de menace](basics/threat-modeling.md) nécessite une certaine confidentialité, vous pouvez envisager d'utiliser [Orbot](tor.md#orbot) ou un VPN pour cacher votre adresse IP au service d'attestation. Pour s'assurer de l'authenticité de votre matériel et de votre système d'exploitation, [effectuez une attestation locale](https://grapheneos.org/install/web#verifying-installation) immédiatement après l'installation de l'appareil et avant toute connexion à internet. + +### Secure Camera + +!!! recommendation + + ![Logo de Secure Camera](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Logo de Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** est une application de caméra axée sur la confidentialité et la sécurité qui peut capturer des images, des vidéos et des QR codes. Les extensions du vendeur CameraX (Portrait, HDR, Night Sight, Face Retouch et Auto) sont également prises en charge sur les appareils disponibles. + + [:octicons-repo-16: Dépôt](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Code source" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases) + +Les principales caractéristiques de confidentialité comprennent : + +- Suppression automatique des métadonnées [Exif](https://en.wikipedia.org/wiki/Exif) (activée par défaut) +- Utilisation de la nouvelle API [Media](https://developer.android.com/training/data-storage/shared/media), donc les [autorisations de stockage](https://developer.android.com/training/data-storage) ne sont pas nécessaires +- L'autorisation microphone n'est pas nécessaire, sauf si vous souhaitez enregistrer des sons + +!!! note "À noter" + + Les métadonnées ne sont pour le moment pas supprimées des fichiers vidéo, mais cela est prévu. + + Les métadonnées d'orientation de l'image ne sont pas supprimées. Si vous activez la fonction de localisation (dans Secure Camera), elle ne **sera pas** non plus supprimée. Si vous voulez la supprimer ultérieurement, vous devrez utiliser une application externe telle que [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Logo de Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Logo de Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** est un visualiseur de PDF basé sur [pdf.js](https://en.wikipedia.org/wiki/PDF.js) qui ne nécessite aucune autorisation. Le PDF est introduit dans une [webview](https://developer.android.com/guide/webapps/webview) [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)). Cela signifie qu'il n'a pas besoin d'autorisation directe pour accéder au contenu ou aux fichiers. + + [Content-Security-Policy](https://fr.wikipedia.org/wiki/Content_Security_Policy) est utilisé pour faire en sorte que les propriétés JavaScript et de style dans la WebView soient entièrement statiques. + + [:octicons-repo-16: Dépôt](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Code source" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: Magasin d'application de GrapheneOS](https://github.com/GrapheneOS/Apps/releases) + +## Obtenir des applications + +### Magasin d'applications de GrapheneOS + +Le magasin d'applications de GrapheneOS est disponible sur [GitHub](https://github.com/GrapheneOS/Apps/releases). Il prend en charge Android 12 et plus et est capable de se mettre à jour. Le magasin d'applications contient des applications indépendantes construites par le projet GrapheneOS, telles que [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), et [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). Si vous recherchez ces applications, nous vous recommandons vivement de les obtenir à partir du magasin d'applications de GrapheneOS plutôt que du Play Store, car les applications de leur magasin sont signées par la signature du projet GrapheneOS à laquelle Google n'a pas accès. + +### Aurora Store + +Le Google Play Store nécessite un compte Google pour se connecter, ce qui n'est pas idéal pour la confidentialité. Vous pouvez contourner ce problème en utilisant un client alternatif, tel que Aurora Store. + +!!! recommendation + + ![Logo Aurora Store](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** est un client Google Play Store qui ne nécessite pas de compte Google, de services Google Play ou microG pour télécharger des applications. + + [:octicons-home-16: Page d'accueil](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store ne vous permet pas de télécharger des applications payantes grâce à sa fonction de compte anonyme. Vous pouvez éventuellement vous connecter avec votre compte Google sur Aurora Store pour télécharger les applications que vous avez achetées, ce qui donne accès à la liste des applications que vous avez installées à Google, mais vous bénéficiez toujours de l'avantage de ne pas avoir besoin du client Google Play complet et des services Google Play ou microG sur votre appareil. + +### Manuellement avec les notifications RSS + +Pour les applications publiées sur des plateformes telles que GitHub et GitLab, vous pouvez ajouter un flux RSS à votre [agrégateur d'actualités](/news-aggregators) qui vous aidera à suivre les nouvelles versions. + +![APK RSS](./assets/img/android/rss-apk-light.png#only-light) ![APK RSS](./assets/img/android/rss-apk-dark.png#only-dark) ![Notes de version APK](./assets/img/android/rss-changes-light.png#only-light) ![Notes de version APK](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +Sur GitHub, en prenant l'exemple de [Secure Camera](#secure-camera), vous naviguez vers sa [page de publications](https://github.com/GrapheneOS/Camera/releases) et ajoutez `.atom` à l'URL : + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +Sur GitLab, en prenant l'exemple de [Aurora Store](#aurora-store), vous naviguez vers son [dépôt de projet](https://gitlab.com/AuroraOSS/AuroraStore) et ajoutez `/-/tags?format=atom` à l'URL : + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Vérifier les empreintes numériques des APK + +Si vous téléchargez des fichiers APK à installer manuellement, vous pouvez vérifier leur signature à l'aide de l'outil [`apksigner`](https://developer.android.com/studio/command-line/apksigner), qui fait partie des [build-tools](https://developer.android.com/studio/releases/build-tools) d'Android. + +1. Installez [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Téléchargez les [outils de ligne de commande d'Android Studio](https://developer.android.com/studio#command-tools). + +3. Extrayez l'archive téléchargée : + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Exécutez la commande de vérification de la signature : + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. Les hachés obtenus peuvent ensuite être comparés avec une autre source. Certains développeurs, comme Signal, [fournissent les empreintes numériques](https://signal.org/android/apk/) sur leur site web. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![Logo F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +==Nous ne recommandons **pas** actuellement F-Droid comme moyen d'obtenir des applications.== F-Droid est souvent recommandé comme une alternative à Google Play, en particulier dans la communauté de la vie privée. La possibilité d'ajouter des dépôts tiers et de ne pas être confiné au jardin clos de Google a conduit à sa popularité. F-Droid dispose en outre de [versions reproductibles](https://f-droid.org/en/docs/Reproducible_Builds/) pour certaines applications et est dédié aux logiciels libres et open source. Cependant, il y a des [problèmes notables](https://privsec.dev/posts/android/f-droid-security-issues/) avec le client officiel F-Droid, leur contrôle de qualité, et la façon dont ils construisent, signent, et livrent les paquets. + +En raison de leur processus de construction d'applications, les applications du dépôt officiel de F-Droid sont souvent en retard sur les mises à jour. Les mainteneurs de F-Droid réutilisent également les identifiants des paquets tout en signant les applications avec leurs propres clés, ce qui n'est pas idéal car cela donne à l'équipe F-Droid une confiance ultime. + +D'autres dépôts tiers populaires tels que [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) atténuent certains de ces problèmes. Le dépôt IzzyOnDroid récupère les versions directement depuis GitHub et constitue la meilleure alternative aux dépôts des développeurs. Cependant, ce n'est pas quelque chose que nous pouvons recommander, car les applications sont généralement [retirées](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) de ce dépôt lorsqu'elles arrivent dans le dépôt principal de F-Droid. Bien que cela soit logique (puisque le but de ce dépôt particulier est d'héberger des applications avant qu'elles ne soient acceptées dans le dépôt principal de F-Droid), cela peut vous laisser avec des applications installées qui ne reçoivent plus de mises à jour. + +Cela dit, les dépôts [F-Droid](https://f-droid.org/en/packages/) et [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) abritent d'innombrables applications. Ils peuvent donc être un outil utile pour rechercher et découvrir des applications open-source que vous pouvez ensuite télécharger via le Play Store, Aurora Store ou en obtenant l'APK directement auprès du développeur. Il est important de garder à l'esprit que certaines applications de ces dépôts n'ont pas été mises à jour depuis des années et peuvent s'appuyer sur des bibliothèques non maintenues, entre autres, ce qui constitue un risque potentiel pour la sécurité. Vous devez faire preuve de discernement lorsque vous recherchez de nouvelles applications par cette méthode. + +!!! note "À noter" + + Dans certains cas rares, le développeur d'une application ne la distribue que par le biais de F-Droid ([Gadgetbridge](https://gadgetbridge.org/) en est un exemple). Si vous avez vraiment besoin d'une telle application, nous vous recommandons d'utiliser le [Neo Store](https://github.com/NeoApplications/Neo-Store/) au lieu de l'application officielle F-Droid pour l'obtenir. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Systèmes d'exploitation + +- Doit être un logiciel open source. +- Doit prendre en charge le verrouillage du chargeur d'amorçage avec prise en charge d'une clé AVB personnalisée. +- Doit recevoir les mises à jour majeures d'Android dans le mois suivant leur publication. +- Doit recevoir les mises à jour des fonctionnalités d'Android (version mineure) dans les 14 jours suivant leur publication. +- Doit recevoir les correctifs de sécurité réguliers dans les 5 jours suivant leur publication. +- Ne doit **pas** être fourni "rooté". +- Ne doit **pas** activer les services Google Play par défaut. +- Ne doit **pas** nécessiter une modification du système pour prendre en charge les services Google Play. + +### Appareils + +- Doit prendre en charge au moins l'un des systèmes d'exploitation personnalisés que nous recommandons. +- Doit être actuellement vendu neuf en magasin. +- Doit recevoir un minimum de 5 ans de mises à jour de sécurité. +- Doit disposer d'un matériel dédié aux éléments sécurisés. + +### Applications + +- Les applications de cette page ne doivent pas être applicables à une autre catégorie de logiciels sur le site. +- Les applications générales doivent étendre ou remplacer les fonctionnalités de base du système. +- Les applications doivent être régulièrement mises à jour et maintenues. diff --git a/i18n/fr/assets/img/account-deletion/exposed_passwords.png b/i18n/fr/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/fr/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/fr/assets/img/android/rss-apk-dark.png b/i18n/fr/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/fr/assets/img/android/rss-apk-light.png b/i18n/fr/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-apk-light.png differ diff --git a/i18n/fr/assets/img/android/rss-changes-dark.png b/i18n/fr/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/fr/assets/img/android/rss-changes-light.png b/i18n/fr/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/fr/assets/img/android/rss-changes-light.png differ diff --git a/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..dfc36b34 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + Appareil + + + + Envoi de données à un site Web + + + + + Réception de données d'un site Web + + + + + Votre + + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-encryption.svg b/i18n/fr/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..ab96c4bb --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + Appareil + + + + Envoi de données à un site Web + + + + + Réception de données d'un site Web + + + + + Votre + + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg b/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..858b0b36 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..3d55104f --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + + appareil + + + + + + Garde + + + Relai + + + Relai + + + + + caché...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendez-vous + + + Relai + + + + + Entrée + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..5062bea6 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + + + appareil + + + + + + Garde + + + Relai + + + Relai + + + + + caché...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendez-vous + + + Relai + + + + + Entrée + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/how-tor-works/tor-path.svg b/i18n/fr/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..56128803 --- /dev/null +++ b/i18n/fr/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Votre + Appareil + + + + Entrée + + + + + Milieu + + + + + Sortie + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/fr/assets/img/multi-factor-authentication/fido.png b/i18n/fr/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..3b4057bc Binary files /dev/null and b/i18n/fr/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..37487048 Binary files /dev/null and b/i18n/fr/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fr/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/fr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/fr/basics/account-creation.md b/i18n/fr/basics/account-creation.md new file mode 100644 index 00000000..02c356d0 --- /dev/null +++ b/i18n/fr/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Création de compte" +icon: 'material/account-plus' +description: La création de comptes en ligne est pratiquement une nécessité sur internet, prenez ces mesures pour vous assurer de rester privé. +--- + +Souvent, les gens s'inscrivent à des services sans réfléchir. Il s'agit peut-être d'un service de streaming qui vous permet de regarder la nouvelle émission dont tout le monde parle, ou d'un compte qui vous permet de bénéficier d'une réduction dans votre fast-food préféré. Quoi qu'il en soit, vous devez tenir compte des implications pour vos données, maintenant et plus tard. + +Chaque nouveau service que vous utilisez comporte des risques. Les fuites de données, la divulgation d'informations sur les clients à des tiers, l'accès à des données par des employés véreux sont autant de possibilités qui doivent être envisagées avant de founir vos informations. Vous devez être sûr que vous pouvez faire confiance au service, c'est pourquoi nous ne recommandons pas de stocker des données précieuses sur autre chose que les produits les plus matures et les plus éprouvés. Il s'agit généralement de services qui fournissent E2EE et qui ont fait l'objet d'un audit cryptographique. Un audit renforce l'assurance que le produit a été conçu sans problèmes de sécurité flagrants causés par un développeur inexpérimenté. + +Il peut également être difficile de supprimer les comptes sur certains services. Il est parfois possible [d'écraser les données](account-deletion.md#overwriting-account-information) associées à un compte, mais dans d'autres cas, le service conservera un historique complet des modifications apportées au compte. + +## Conditions Générales d'Utilisation & Politique de Confidentialité + +Les CGU sont les règles que vous acceptez de suivre lorsque vous utilisez le service. Dans les grands services, ces règles sont souvent appliquées par des systèmes automatisés. Parfois, ces systèmes automatisés peuvent faire des erreurs. Par exemple, vous pouvez être banni ou bloqué de votre compte sur certains services pour avoir utilisé un VPN ou numéro VOIP. Il est souvent difficile de faire appel de ces interdictions, et cela implique également une procédure automatisée, qui n'aboutit pas toujours. C'est l'une des raisons pour lesquelles nous ne suggérons pas d'utiliser Gmail pour la messagerie électronique, par exemple. L'e-mail est essentiel pour accéder à d'autres services auxquels vous avez peut-être souscrit. + +La Politique de Confidentialité est la manière dont le service indique qu'il utilisera vos données. Elle mérite d'être lue pour que vous compreniez comment vos données seront utilisées. Une entreprise ou une organisation peut ne pas être légalement obligée de suivre tout ce qui est contenu dans la politique (cela dépend de la juridiction). Nous vous recommandons d'avoir une idée de la législation locale et de ce qu'elle autorise un prestataire à collecter. + +Nous vous recommandons de rechercher des termes particuliers tels que "collecte de données", "analyse de données", "cookies", "annonces", "publicité" ou services "tiers". Parfois, vous aurez la possibilité de refuser la collecte ou le partage de vos données, mais il est préférable de choisir un service qui respecte votre vie privée dès le départ. + +Vous faites également confiance à l'entreprise ou à l'organisation pour se conformer à sa propre politique de confidentialité. + +## Méthodes d'authentification + +Il existe généralement plusieurs façons de créer un compte, chacune ayant ses propres avantages et inconvénients. + +### E-mail et mot de passe + +Le moyen le plus courant de créer un nouveau compte est d'utiliser une adresse e-mail et un mot de passe. Lorsque vous utilisez cette méthode, vous devriez utiliser un gestionnaire de mots de passe et suivre les [bonnes pratiques](passwords-overview.md) concernant les mots de passe. + +!!! tip "Conseil" + + Vous pouvez également utiliser votre gestionnaire de mots de passe pour gérer d'autres méthodes d'authentification ! Il suffit d'ajouter la nouvelle entrée et de remplir les champs appropriés. Vous pouvez ajouter des notes pour des choses comme des questions de sécurité ou une clé de secours. + +Vous serez responsable de la gestion de vos identifiants de connexion. Pour plus de sécurité, vous pouvez configurer [MFA](multi-factor-authentication.md) sur vos comptes. + +[Gestionnaires de mots de passe recommandés](../passwords.md ""){.md-button} + +#### Alias d'e-mail + +Si vous ne voulez pas donner votre véritable adresse e-mail à un service, vous avez la possibilité d'utiliser un alias. Nous les avons décrits plus en détail sur notre page de recommandation des services d'e-mail. Essentiellement, les services d'alias vous permettent de créer de nouvelles adresses e-mail qui transmettent tous les courriers à votre adresse principale. Cela peut permettre d'éviter le pistage entre les services et vous aider à gérer les e-mail de marketing qui accompagnent parfois le processus d'inscription. Ceux-ci peuvent être filtrés automatiquement en fonction de l'alias auquel ils sont envoyés. + +Si un service est piraté, vous pouvez commencer à recevoir des e-mails d'hameçonnage ou de spam à l'adresse que vous avez utilisée pour vous inscrire. L'utilisation d'alias uniques pour chaque service peut aider à identifier exactement quel service a été piraté. + +[Services d'alias d'e-mail recommandés](../email.md#email-aliasing-services ""){.md-button} + +### Authentification unique + +!!! note "À noter" + + Nous parlons de l'authentification unique pour l'usage personnel, pas pour les entreprises. + +L'authentification unique (SSO) est une méthode d'authentification qui vous permet de vous inscrire à un service sans partager beaucoup d'informations, voire aucune. Chaque fois que vous voyez quelque chose du type "Continuer avec *nom du fournisseur*" sur un formulaire d'inscription, il s'agit de SSO. + +Lorsque vous choisissez l'authentification unique sur un site web, la page de connexion de votre fournisseur d'authentification unique s'affiche et votre compte est ensuite connecté. Votre mot de passe ne sera pas communiqué, mais certaines informations de base le seront (vous pouvez les consulter lors de la demande de connexion). Ce processus est nécessaire chaque fois que vous voulez vous connecter au même compte. + +Les principaux avantages sont les suivants : + +- **Sécurité**: aucun risque d'être impliqué dans une [fuite de données](https://fr.wikipedia.org/wiki/Violation_de_donn%C3%A9es) car le site ne stocke pas vos informations d'identification. +- **Facilité d'utilisation**: plusieurs comptes sont gérés par un seul login. + +Mais il y a des inconvénients : + +- **Vie privée**: un fournisseur de SSO connaîtra les services que vous utilisez. +- **Centralisation**: si votre compte SSO est compromis ou si vous n'êtes pas en mesure de vous y connecter, tous les autres comptes qui y sont connectés sont affectés. + +Le SSO peut être particulièrement utile dans les situations où vous pouvez bénéficier d'une intégration plus poussée entre les services. Par exemple, l'un de ces services peut offrir le SSO pour les autres. Notre recommandation est de limiter le SSO aux seuls endroits où vous en avez besoin et de protéger le compte principal avec [MFA](multi-factor-authentication.md). + +Tous les services qui utilisent le SSO seront aussi sécurisé que votre compte SSO. Par exemple, si vous souhaitez sécuriser un compte à l'aide d'une clé matérielle mais que ce service ne prend pas en charge les clés matérielles, vous pouvez sécuriser votre compte SSO à l'aide d'une clé matérielle et disposer ainsi d'un MFA matériel sur tous vos comptes. Il convient toutefois de noter qu'une authentification faible sur votre compte SSO signifie que tout compte lié à cette connexion sera également faiblement sécurisé. + +### Numéro de téléphone + +Nous vous recommandons d'éviter les services qui exigent un numéro de téléphone pour l'inscription. Un numéro de téléphone peut vous identifier auprès de plusieurs services et, en fonction des accords de partage des données, cela rendra votre navigation plus facile à suivre, en particulier si l'un de ces services a une fuite, car le numéro de téléphone est souvent **non** chiffré. + +Vous devriez éviter de donner votre vrai numéro de téléphone si vous le pouvez. Certains services autorisent l'utilisation de numéros VOIP, mais ceux-ci déclenchent souvent des systèmes de détection des fraudes, entraînant le blocage du compte, ce que nous ne recommandons pas pour les comptes importants. + +Dans de nombreux cas, vous devrez fournir un numéro à partir duquel vous pourrez recevoir des SMS ou des appels, en particulier lorsque vous effectuez des achats à l'étranger, au cas où votre commande rencontrerait un problème lors du contrôle aux frontières. Il est courant que les services utilisent votre numéro comme méthode de vérification ; ne vous faites pas bloquer un compte important parce que vous avez voulu être malin et donner un faux numéro ! + +### Nom d'utilisateur et mot de passe + +Certains services vous permettent de vous inscrire sans utiliser d'adresse électronique et vous demandent seulement de définir un nom d'utilisateur et un mot de passe. Ces services peuvent offrir un anonymat accru lorsqu'ils sont associés à un VPN ou à Tor. Gardez à l'esprit que pour ces comptes, il n'y aura très probablement **aucun moyen de récupérer votre compte** au cas où vous oublieriez votre nom d'utilisateur ou votre mot de passe. diff --git a/i18n/fr/basics/account-deletion.md b/i18n/fr/basics/account-deletion.md new file mode 100644 index 00000000..f775ecee --- /dev/null +++ b/i18n/fr/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Suppression de compte" +icon: 'material/account-remove' +description: Il est facile d'accumuler un grand nombre de comptes internet. Voici quelques conseils pour élaguer votre collection. +--- + +Au fil du temps, il est facile d'accumuler un certain nombre de comptes en ligne, dont beaucoup ne sont peut-être plus utilisés. La suppression de ces comptes inutilisés est une étape importante dans la récupération de votre vie privée, car les comptes inactifs sont vulnérables aux fuites de données. Il y a une fuite des données lorsque la sécurité d'un service est compromise et que des informations protégées sont consultées, transmises ou volées par des acteurs non autorisés. Les fuites de données sont malheureusement [très fréquentes](https://haveibeenpwned.com/PwnedWebsites) de nos jours, et donc le meilleur moyen de minimiser l'impact qu'elles ont sur votre vie et de pratiquer une bonne hygiène numérique. L'objectif de ce guide est donc de vous aider à traverser le processus fastidieux de la suppression d'un compte, souvent rendu difficile à cause du [dark pattern](https://www.deceptive.design/), une pratique que certains services utilisent afin que vous abandonniez l'idée de supprimer votre compte. + +## Recherche d'anciens comptes + +### Gestionnaire de mots de passe + +Si vous disposez d'un gestionnaire de mots de passe que vous avez utilisé pendant toute votre vie numérique, cette partie sera très facile. Souvent, ils incluent une fonctionnalité intégrée pour détecter si vos informations d'identification ont été exposées dans une fuite de données - comme le [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) de Bitwarden. + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Même si vous n'avez pas explicitement utilisé un gestionnaire de mots de passe auparavant, il y a de fortes chances que vous ayez utilisé celui de votre navigateur ou de votre téléphone sans même vous en rendre compte. Par exemple : [Firefox Password Manager](https://support.mozilla.org/fr/kb/gestionnaire-mots-passe), [Google Password Manager](https://passwords.google.com/intro) et [Edge Password Manager](https://support.microsoft.com/fr-fr/microsoft-edge/enregistrer-ou-oublier-des-mots-de-passe-dans-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Les systèmes d'exploitation aussi, disposent souvent d'un gestionnaire de mots de passe qui peut vous aider à récupérer les mots de passe que vous avez oubliés : + +- Windows [Credential Manager](https://support.microsoft.com/fr-fr/windows/acc%C3%A8s-au-gestionnaire-d-informations-d-identification-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/fr-fr/HT211145) +- iOS [Passwords](https://support.apple.com/fr-fr/HT211146) +- Linux, Gnome Keyring, accessible par [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.fr) ou [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager). + +### Email + +Si vous n'avez pas utilisé de gestionnaire de mots de passe dans le passé ou si vous pensez avoir des comptes qui n'ont jamais été ajoutés à votre gestionnaire de mots de passe, une autre option consiste à rechercher le ou les comptes de messagerie sur lesquels vous pensez vous être inscrit. Sur votre client de messagerie, recherchez des mots-clés tels que "vérifier" ou "bienvenue". Presque à chaque fois que vous créez un compte en ligne, le service envoie un lien de vérification ou un message d'introduction à votre adresse électronique. Cela peut être un bon moyen de retrouver d'anciens comptes oubliés. + +## Suppression des anciens comptes + +### Se connecter + +Pour supprimer vos anciens comptes, vous devez d'abord vous assurer que vous pouvez vous y connecter. Une fois encore, si le compte est enregistré dans votre gestionnaire de mots de passe, cette étape est facile. Si ce n'est pas le cas, vous pouvez essayer de deviner votre mot de passe. Dans le cas contraire, il existe généralement des options permettant de récupérer l'accès à votre compte, souvent disponibles par le biais d'un lien "mot de passe oublié" sur la page de connexion. Il est également possible que les comptes que vous avez abandonnés aient déjà été supprimés - il arrive que certains services suppriment tous les anciens comptes. + +Lorsque vous tentez de vous reconnecter, si le site renvoie un message d'erreur indiquant que cette adresse électronique n'est pas associée à un compte, ou si vous ne recevez pas de lien de réinitialisation après plusieurs tentatives, c'est que vous n'avez probablement pas de compte sous cette adresse électronique et devez en essayer une autre. Si vous n'arrivez pas à trouver l'adresse électronique que vous avez utilisée ou si vous n'avez plus accès à cette adresse, vous pouvez essayer de contacter l'assistance clientèle du service. Malheureusement, il n'y a aucune garantie que vous puissiez récupérer l'accès à votre compte. + +### RGPD (résidents de l'Espace Économique Européen uniquement) + +Les résidents de l'EEE disposent de droits supplémentaires concernant l'effacement des données spécifiés dans l'article [Article 17](https://www.gdpr.org/regulation/article-17.html) du RGPD. Si vous êtes concerné, lisez la politique de confidentialité de chaque service pour trouver des informations sur la manière d'exercer votre droit à l'effacement. La lecture de la politique de confidentialité peut s'avérer importante, car certains services proposent une option "Supprimer le compte" qui ne fait que le désactiver, vous devez dans ce cas prendre des mesures supplémentaires pour réellement supprimer votre compte. Parfois, la suppression effective peut impliquer de remplir des questionnaires, d'envoyer un courriel au responsable de la protection des données du service ou même de prouver que vous résidez dans l'EEE. Si vous envisagez de procéder de cette manière, n'écrasez **pas** les informations du compte - votre identité en tant que résident de l'EEE peut être requise. Notez que l'emplacement du service n'a pas d'importance ; le RGPD s'applique à toute personne desservant des utilisateurs européens. Si le service ne respecte pas votre droit à l'effacement, vous pouvez contacter votre [autorité nationale de protection des données](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) et vous pouvez avoir droit à une compensation monétaire. L'autorité nationale de protection des données en France est la [Commission Nationale de l'Informatique et des Libertés (CNIL)](https://www.cnil.fr/). Des modèles de courrier pour des clôtures de compte ou de suppression de données sont accessibles sur leur [site](https://www.cnil.fr/fr/modeles/courrier). Pour en savoir plus sur votre droit à l'effacement, voici un [article](https://www.cnil.fr/fr/le-droit-leffacement-supprimer-vos-donnees-en-ligne) de la CNIL. + +### Remplacer les informations de compte + +Dans certaines situations où vous prévoyez d'abandonner un compte, il peut être judicieux de modifier les informations du compte avec de fausses données. Une fois que vous vous êtes assuré que vous pouvez vous connecter, remplacez toutes les informations de votre compte par des informations falsifiées. La raison en est que de nombreux sites conservent les informations que vous aviez auparavant, même après la suppression du compte. L'idée est qu'ils écrasent les informations précédentes avec les données les plus récentes que vous avez saisies. Cependant, il n'y a aucune garantie qu'il n'y aura pas de sauvegardes avec les informations précédentes. + +Pour l'email du compte, créez un nouveau compte email alternatif via le fournisseur de votre choix ou créez un alias en utilisant un [service d'alias d'emails](/email/#email-aliasing-services). Vous pouvez ensuite supprimer cette adresse électronique une fois que vous avez terminé. Nous vous déconseillons d'utiliser des fournisseurs d'emails temporaires, car il est souvent possible de réactiver des emails temporaires. + +### Suppression + +Vous pouvez consulter [JustDeleteMe](https://justdeleteme.xyz/fr) pour obtenir des instructions sur la suppression du compte d'un service en particulier. Certains sites proposent gracieusement une option "Supprimer le compte", tandis que d'autres vont jusqu'à vous obliger à parler au service assistant. Le processus de suppression peut varier d'un site à l'autre, la suppression du compte peut être impossible sur certains. + +Pour les services qui ne permettent pas la suppression du compte, la meilleure chose à faire est de falsifier toutes vos informations comme indiqué précédemment et de renforcer la sécurité du compte. Pour ce faire, activez le [MFA](multi-factor-authentication.md) et toutes les fonctions de sécurité supplémentaires proposées par le site web. De même, changez le mot de passe avec un mot de passe généré de manière aléatoire qui correspond à la taille maximale autorisée par le site web (un [gestionnaire de mots de passe](/passwords/#local-password-managers) peut être utile pour cela). + +Si vous êtes convaincu que toutes les informations auxquelles vous tenez ont été supprimées, vous pouvez oublier ce compte en toute sécurité. Si ce n'est pas le cas, il peut être judicieux de conserver les informations d'identification avec vos autres mots de passe et de vous reconnecter occasionnellement pour réinitialiser le mot de passe. + +Même lorsque vous êtes en mesure de supprimer un compte, il n'y a aucune garantie que toutes vos informations seront supprimées. Certaines entreprises sont tenues par la loi de conserver certaines informations, notamment lorsqu'elles sont liées à des transactions financières. Vous n'avez pratiquement aucun contrôle sur ce qui arrive à vos données lorsqu'il s'agit des sites web et des services cloud. + +## Éviter la création de nouveaux comptes + +Comme le dit le vieil adage, "Mieux vaut prévenir que guérir". Chaque fois que vous êtes tenté de vous inscrire à un nouveau service ou site web, demandez-vous : "En ai-je vraiment besoin ? Puis-je accomplir ce dont j'ai besoin sans compte ?" Il est souvent beaucoup plus difficile de supprimer un compte que d'en créer un. Et même après avoir supprimé ou modifié les informations sur votre compte, il se peut qu'il existe une version en cache provenant d'un tiers, comme [Internet Archive](https://archive.org/). Évitez la tentation quand vous le pouvez - votre futur vous en remerciera ! diff --git a/i18n/fr/basics/common-misconceptions.md b/i18n/fr/basics/common-misconceptions.md new file mode 100644 index 00000000..c67adb86 --- /dev/null +++ b/i18n/fr/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Idées reçues" +icon: 'material/robot-confused' +description: La protection de la vie privée n'est pas un sujet simple, et il est facile de se laisser piéger par les affirmations marketing et autres désinformations. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Les logiciels libres sont-ils intrinsèquement sûrs ? + acceptedAnswer: + "@type": Answer + text: | + Le fait que le code source soit disponible et la manière dont le logiciel est concédé sous licence n'ont pas d'incidence intrinsèque sur sa sécurité. Les logiciels libres ont le potentiel d'être plus sûrs que les logiciels propriétaires, mais il n'y a aucune garantie que ce soit le cas. Lorsque vous évaluez un logiciel, vous devez examiner la réputation et la sécurité de chaque outil au cas par cas. + - + "@type": Question + name: Déplacer la confiance vers un autre fournisseur peut-il améliorer la vie privée ? + acceptedAnswer: + "@type": Answer + text: | + Nous parlons souvent de "déplacement de confiance" lorsque nous abordons des solutions telles que les VPN (qui déplacent la confiance que vous accordez à votre Fournisseur d'Accès Internet vers le fournisseur de VPN). Bien que cela protège vos données de navigation de votre FAI spécifiquement, le fournisseur de VPN que vous choisissez a toujours accès à vos données de navigation : vos données ne sont pas complètement protégées de toutes les parties. + - + "@type": Question + name: Les solutions axées sur la protection de la vie privée sont-elles intrinsèquement dignes de confiance ? + acceptedAnswer: + "@type": Answer + text: | + Se concentrer uniquement sur les politiques de confidentialité et le marketing d'un outil ou d'un fournisseur peut vous aveugler face à ses faiblesses. Lorsque vous recherchez une solution plus privée, vous devez déterminer quel est le problème sous-jacent et trouver des solutions techniques à ce problème. Par exemple, vous voudrez peut-être éviter Google Drive, qui donne à Google l'accès à toutes vos données. Le problème sous-jacent dans ce cas est l'absence d'E2EE, vous devez donc vous assurer que le fournisseur vers lequel vous allez met effectivement en œuvre E2EE, ou utiliser un outil (comme Cryptomator) qui fournit l'E2EE sur n'importe quel fournisseur de cloud. Le passage à un fournisseur "soucieux de la protection de la vie privée" (qui ne met pas en œuvre E2EE) ne résout pas votre problème : il ne fait que déplacer la confiance de Google vers ce fournisseur. + - + "@type": Question + name: Quelle doit être la complexité de mon modèle de menace ? + acceptedAnswer: + "@type": Answer + text: | + Nous voyons souvent des personnes décrire des modèles de menace pour protéger leurs vies privées qui sont trop complexes. Souvent, ces solutions incluent des problèmes tels que de nombreux comptes email différents ou des configurations compliquées avec de nombreuses pièces mouvantes et conditions. Les réponses sont généralement des réponses à la question "Quelle est la meilleure façon de faire X ?". + Trouver la "meilleure" solution pour soi ne signifie pas nécessairement que l'on recherche une solution infaillible avec des dizaines de conditions - ces solutions sont souvent difficiles à utiliser de manière réaliste. Comme nous l'avons vu précédemment, la sécurité se fait souvent au détriment de la commodité. +--- + +## "Les logiciels libres et open-source sont toujours sécurisés" ou "Les logiciels propriétaires sont plus sécurisé" + +Ces mythes découlent d'un certain nombre de préjugés, mais le fait que le code source soit disponible ou non et la manière dont les logiciels sont concédés sous licence n'affectent en rien leur sécurité. ==Les logiciels open-source ont le *potentiel* d'être plus sécurisé que les logiciels propriétaires, mais il n'y a absolument aucune garantie que ce soit le cas.== Lorsque vous évaluez un logiciel, vous devez examiner la réputation et la sécurité de chaque outil individuellement. + +Les logiciels libres *peuvent* être audités par des tiers et sont souvent plus transparents sur les vulnérabilités potentielles que leurs homologues propriétaires. Ils vous permettent également d'examiner le code et de désactiver vous-même toute fonctionnalité suspecte. Cependant, *à moins que vous ne le fassiez*, il n'y a aucune garantie que le code ait jamais été évalué, en particulier pour les petits projets. Le processus de développement ouvert a aussi parfois été exploité pour introduire de nouvelles vulnérabilités même dans des projets importants.[^1] + +Par ailleurs, les logiciels propriétaires sont moins transparents, mais cela ne signifie pas qu'ils ne sont pas sécurisés. Des projets logiciels propriétaires majeurs peuvent être audités en interne et par des agences tierces, et des chercheurs indépendants en sécurité peuvent toujours trouver des vulnérabilités avec des techniques telles que la rétro-ingénierie. + +Pour éviter les décisions biaisées, il est *essentiel* que vous évaluiez les normes de confidentialité et de sécurité des logiciels que vous utilisez. + +## "Déplacer la confiance peut améliorer la vie privée" + +Nous parlons souvent de "déplacement de confiance" lorsque nous abordons des solutions telles que les VPN (qui déplacent la confiance que vous accordez à votre Fournisseur d'Accès Internet vers le fournisseur de VPN). Bien que cela protège vos données de navigation de votre FAI *spécifiquement*, le fournisseur de VPN que vous choisissez a toujours accès à vos données de navigation : Vos données ne sont pas complètement protégées de toutes les parties. Cela signifie que : + +1. Vous devez faire preuve de prudence lorsque vous choisissez un fournisseur auquel accorder votre confiance. +2. Vous devez toujours utiliser d'autres techniques, comme E2EE, pour protéger complètement vos données. Le simple fait de se méfier d'un fournisseur pour faire confiance à un autre ne sécurise pas vos données. + +## "Les solutions axées sur la protection de la vie privée sont intrinsèquement dignes de confiance" + +Se concentrer uniquement sur les politiques de confidentialité et le marketing d'un outil ou d'un fournisseur peut vous aveugler face à ses faiblesses. Lorsque vous recherchez une solution plus privée, vous devez déterminer quel est le problème sous-jacent et trouver des solutions techniques à ce problème. Par exemple, vous voudrez peut-être éviter Google Drive, qui donne à Google l'accès à toutes vos données. Le problème sous-jacent dans ce cas est l'absence d'E2EE, vous devez donc vous assurer que le fournisseur vers lequel vous passez met effectivement en œuvre E2EE, ou utiliser un outil (comme [Cryptomator](../encryption.md#cryptomator-cloud)) qui fournit E2EE sur n'importe quel fournisseur de cloud. Le passage à un fournisseur "soucieux de la protection de la vie privée" (qui ne met pas en œuvre E2EE) ne résout pas votre problème : il ne fait que déplacer la confiance de Google vers ce fournisseur. + +Les politiques de confidentialité et les pratiques commerciales des fournisseurs que vous choisissez sont très importantes, mais doivent être considérées comme secondaires par rapport aux garanties techniques de votre vie privée : Vous ne devriez pas faire confiance à un autre fournisseur lorsque la confiance en un fournisseur n'est pas du tout requise. + +## "Plus c'est complexe mieux c'est" + +Nous voyons souvent des personnes décrire des modèles de menace pour protéger leurs vies privées qui sont trop complexes. Souvent, ces solutions incluent des problèmes tels que de nombreux comptes email différents ou des configurations compliquées avec de nombreuses pièces mouvantes et conditions. Les réponses sont généralement des réponses à la question "Quelle est la meilleure façon de faire *X*?" + +Trouver la "meilleure" solution pour soi ne signifie pas nécessairement que l'on recherche une solution infaillible avec des dizaines de conditions - ces solutions sont souvent difficiles à utiliser de manière réaliste. Comme nous l'avons vu précédemment, la sécurité se fait souvent au détriment de la commodité. Nous vous donnons ci-dessous quelques conseils : + +1. ==Les actions doivent servir un objectif particulier:== réfléchissez à la manière de faire ce que vous voulez avec le moins d'actions possible. +2. ==Supprimer les points d'échec humains:== nous échouons, nous nous fatiguons et nous oublions des choses. Pour maintenir la sécurité, évitez de vous appuyer sur des conditions et des processus manuels dont vous devez vous souvenir. +3. ==Utilisez le bon niveau de protection pour ce que vous voulez faire.== Nous voyons souvent des recommandations de solutions soi-disant à l'épreuve des forces de l'ordre et des assignations/mandats. Celles-ci nécessitent souvent des connaissances spécialisées et ne sont généralement pas ce que les gens recherchent. Il ne sert à rien de construire un modèle de menace complexe pour l'anonymat si vous pouvez être facilement désanonymisé par un simple oubli. + +Alors, à quoi ça pourrait ressembler ? + +Les modèles de menace les plus clairs sont ceux où les gens *savent qui vous êtes* et ceux où ils ne le savent pas. Il y aura toujours des situations où vous devrez déclarer votre nom légal et d'autres où vous n'aurez pas à le faire. + +1. **Identité connue** - Une identité connue est utilisée pour les endroits où vous devez déclarer votre nom. Il existe de nombreux documents juridiques et contrats de ce type pour lesquels une identité légale est requise. Il peut s'agir de l'ouverture d'un compte bancaire, de la signature d'un bail immobilier, de l'obtention d'un passeport, de déclarations douanières lors de l'importation d'articles ou de toute autre démarche auprès de votre gouvernement. Ces éléments conduisent généralement à des informations d'identification telles que des cartes de crédit, des vérifications de la solvabilité, des numéros de compte et éventuellement des adresses physiques. + + Nous ne suggérons pas l'utilisation d'un VPN ou de Tor pour toutes ces choses, car votre identité est déjà connue par d'autres moyens. + + !!! tip "Conseil" + + Lorsque vous effectuez des achats en ligne, l'utilisation d'une [consigne à colis](https://en.wikipedia.org/wiki/Parcel_locker) peut contribuer à préserver la confidentialité de votre adresse physique. + +2. **Identité inconnue** - Une identité inconnue pourrait être un pseudonyme stable que vous utilisez régulièrement. Il n'est pas anonyme car il ne change pas. Si vous faites partie d'une communauté en ligne, vous souhaiterez peut-être conserver un personnage que les autres connaissent. Ce pseudonyme n'est pas anonyme car, s'il est surveillé suffisamment longtemps, les détails concernant le propriétaire peuvent révéler d'autres informations, telles que sa façon d'écrire, ses connaissances générales sur des sujets d'intérêt, etc. + + Vous pouvez utiliser un VPN pour masquer votre adresse IP. Les transactions financières sont plus difficiles à masquer : Vous pouvez envisager d'utiliser des crypto-monnaies anonymes, comme [Monero](https://www.getmonero.org/). L'utilisation de monnaies alternatives peut également contribuer à masquer l'origine de votre monnaie. En règle générale, les centres d'échange exigent que le processus [KYC](https://fr.wikipedia.org/wiki/Know_your_customer) (connaissance du client) soit complété avant de vous autoriser à échanger de la monnaie fiduciaire contre tout type de cryptomonnaie. Les options de rencontres locales peuvent également être une solution, mais elles sont souvent plus coûteuses et nécessitent parfois un processus KYC. + +3. **Identité anonyme** - Même avec de l'expérience, les identités anonymes sont difficiles à maintenir sur de longues périodes. Il doit s'agir d'identités à court terme et de courte durée qui font l'objet d'une rotation régulière. + + L'utilisation de Tor peut y contribuer. Il convient également de noter qu'un plus grand anonymat est possible grâce à la communication asynchrone : La communication en temps réel est vulnérable à l'analyse des habitudes de frappe (c'est-à-dire plus d'un paragraphe de texte, diffusé sur un forum, par e-mail, etc.) + +[^1]: Un exemple notable est l'[incident de 2021 dans lequel des chercheurs de l'Université du Minnesota ont introduit trois vulnérabilités dans le projet de développement du noyau Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/fr/basics/common-threats.md b/i18n/fr/basics/common-threats.md new file mode 100644 index 00000000..e27488c0 --- /dev/null +++ b/i18n/fr/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Menaces courantes" +icon: 'material/eye-outline' +description: Votre modèle de menace vous est personnel, mais ce sont là quelques-unes des questions qui préoccupent de nombreux visiteurs de ce site. +--- + +Pour faire simple, nous classons nos recommandations dans ces catégories générales de [menaces](threat-modeling.md) ou d'objectifs qui s'appliquent à la plupart des gens. ==Vous pouvez vous sentir concerné par une, plusieurs, toutes, ou bien aucune de ces possibilités==. Les outils et les services que vous utilisez dépendent également de vos objectifs. Il est possible que vous ayez des menaces spécifiques ne rentrant dans aucune de ces catégories, ce qui est tout à fait normal ! L'important est de bien comprendre les avantages et les inconvénients des outils que vous choisissez d'utiliser, car pratiquement aucun d'entre eux ne vous protégera contre toutes les menaces possibles. + +- :material-incognito: Anonymat - Séparer votre activité en ligne de votre identité réelle, vous vous protégez des personnes qui tentent de découvrir explicitement *votre* identité +- :material-target-account: Attaques Ciblées - Se protéger contre les pirates informatiques dévoués ou d'autres agents malintentionnés essayant d'accéder spécifiquement à *vos* données ou appareils +- :material-bug-outline: Attaques Passives - Se protéger des logiciels malveillants, des fuites de données, et autres attaques qui sont faites contre des groupes de personnes +- :material-server-network: Fournisseurs de Services - Protéger vos données des fournisseurs de services, en utilisant par exemple un chiffrement de bout en bout rendant vos données illisibles par le serveur +- :material-eye-outline: Surveillance de Masse - Protection contre les agences gouvernementales, organisations, sites web et services qui collaborent pour suivre vos activités en ligne +- :material-account-cash: Capitalisme de Surveillance - Se protéger des grands réseaux publicitaires comme Google et Facebook, ainsi que d'une myriade d'autres collecteurs de données tiers +- :material-account-search: Exposition Publique - Limiter les informations en ligne vous concernant, accessibles par les moteurs de recherche ou par le grand public +- :material-close-outline: Censure - Éviter les accès censurés à l'information et d'être soi-même censuré lorsqu'on discute en ligne + +Certaines de ces menaces peuvent peser plus que d'autres en fonction de vos préoccupations. Par exemple, un développeur de logiciels ayant accès à des données précieuses ou critiques peut être principalement concerné par les :material-target-account: Attaques Ciblées. Mais de plus, il veut probablement empêcher ses données personnelles d'être récupérées par des programmes de :material-eye-outline: Surveillance de Masse. De même, une « personne lambda » peut être principalement concernée par l':material-account-search: Exposition Publique de ses données personnelles, mais devrait tout de même se méfier des problèmes de sécurité tels que les :material-bug-outline: Attaques Passives comme les logiciels malveillants affectant ses appareils. + +## Anonymat et vie privée + +:material-incognito: Anonymat + +L'anonymat et le concept de vie privée sont deux concepts radicalement différents. Avoir une vie privée en ligne est un ensemble de choix que vous faites sur la façon dont vos données sont utilisées et partagées, alors que l'anonymat est la dissociation complète de vos activités en ligne de votre identité réelle. + +Les lanceurs d'alerte et les journalistes, par exemple, peuvent avoir un modèle de menace beaucoup plus extrême nécessitant un anonymat total. Il ne s'agit pas seulement de cacher ce qu'ils font, les données dont ils disposent ou de ne pas se faire pirater par des hackers ou des gouvernements, mais aussi de cacher entièrement qui ils sont. Ils sont prêts à sacrifier tout type de commodité s'il s'agit de protéger leur anonymat, leur vie privée ou leur sécurité, car leur vie pourrait en dépendre. La plupart des gens n'ont pas besoin d'aller si loin. + +## Sécurité et vie privée + +:material-bug-outline: Attaques passives + +La sécurité et la vie privée sont souvent confondues, car vous avez besoin de sécurité pour obtenir tout semblant de vie privée. Utiliser des outils qui semblent respecter votre vie privée est futile s'ils peuvent facilement être exploités par des attaquants pour publier vos données plus tard. Cependant, l'inverse n'est pas nécessairement vrai ; le service le plus sécurisé au monde *ne respecte pas nécessairement* votre vie privée. Le meilleur exemple est de confier des données à Google qui, compte tenu de leur envergure, ont connu un minimum d'incidents de sécurité grâce à l'emploi d'experts en sécurité de premier plan pour sécuriser leur infrastructure. Même si Google fournit un service très sécurisé, rares sont ceux qui considèrent que leurs données restent privées en utilisant leurs outils gratuits (Gmail, YouTube, etc). + +En matière de sécurité des applications, nous ne savons généralement pas (et parfois ne pouvons pas) savoir si le logiciel que nous utilisons est malveillant, ou pourrait un jour le devenir. Même avec les développeurs les plus dignes de confiance, il n'y a généralement aucune garantie que leur logiciel ne présente pas une vulnérabilité grave qui pourrait être exploitée ultérieurement. + +Pour minimiser les dommages potentiels qu'un logiciel malveillant peut causer, vous devez employer la sécurité par compartimentation. Il peut s'agir d'utiliser des ordinateurs différents pour des tâches différentes, d'utiliser des machines virtuelles pour séparer différents groupes d'applications connexes ou d'utiliser un système d'exploitation sécurisé mettant l'accent sur le principe de [sandboxing](https://fr.wikipedia.org/wiki/Sandbox_(s%C3%A9curit%C3%A9_informatique)) (ou « bac à sable » en français) des applications et du [mandatory access control](https://fr.wikipedia.org/wiki/Contr%C3%B4le_d'acc%C3%A8s_obligatoire) (ou « Contrôle d'accès obligatoire » en français). + +!!! tip "Conseil" + + Les systèmes d'exploitation mobiles sont généralement plus sûrs que les systèmes d'exploitation de bureau en ce qui concerne le sandboxing des applications. + + Les systèmes d'exploitation de bureau sont généralement à la traîne en ce qui concerne le sandboxing. ChromeOS possède des capacités de sandboxing similaires à celles d'Android, et macOS dispose d'un contrôle complet des autorisations système (et les développeurs peuvent opter pour le sandboxing pour les applications). Cependant, ces systèmes d'exploitation transmettent des informations d'identification à leurs constructeurs respectifs. Linux a tendance à ne pas soumettre d'informations aux fournisseurs de systèmes, mais il a une mauvaise protection contre les exploits et les applications malveillantes. Ce problème peut être quelque peu atténué avec des distributions spécialisées qui font un usage intensif des machines virtuelles ou des conteneurs, comme Qubes OS. + +:material-target-account: Attaques ciblées + +Les attaques ciblées contre une personne spécifique sont plus difficiles à gérer. Les voies d'attaque les plus courantes sont l'envoi de documents malveillants par courrier électronique, l'exploitation de vulnérabilités dans le navigateur et les systèmes d'exploitation, et les attaques physiques. Si cela vous préoccupe, il vous sera nécessaire de recourir à des stratégies plus avancées d'atténuation des menaces. + +!!! tip "Conseil" + + **Les navigateurs web**, **les clients de messagerie électronique** et **les applications de bureautique** exécutent généralement volontairement, et par conception, du code non fiable qui vous est envoyé par des tiers. L'exécution de plusieurs machines virtuelles pour séparer les applications de ce type de votre système hôte ainsi que les unes des autres est une technique que vous pouvez utiliser pour éviter qu'un code d'exploitation dans ces applications ne compromette le reste de votre système. Les technologies comme Qubes OS ou Microsoft Defender Application Guard sur Windows fournissent des méthodes pratiques pour le faire de manière transparente, par exemple. + +Si vous êtes préoccupé par les **attaques physiques** vous devriez utiliser un système d'exploitation avec une implémentation de démarrage vérifié sécurisé, à la manière d'Android, d'iOS, de macOS ou de [Windows (avec TPM)](https://docs.microsoft.com/fr-fr/windows/security/information-protection/secure-the-windows-10-boot-process). Vous devriez également vous assurer que votre disque est chiffré et que le système d'exploitation utilise un TPM, une [Enclave sécurisée](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) ou un [Element sécurisé](https://developers.google.com/android/security/android-ready-se) pour limiter le taux de tentatives de saisie de la phrase de passe. Vous devriez éviter de partager votre ordinateur avec des personnes en qui vous n'avez pas confiance, car la plupart des systèmes d'exploitation de bureau ne chiffrent pas les données séparément par utilisateur. + +## Protection de ses données des fournisseurs de services + +:material-server-network: Fournisseurs de service + +Nous vivons dans un monde où presque tout est connecté à Internet. Nos messages « privés », e-mails et nos interactions sociales sont généralement stockés sur un serveur quelque part. Généralement, lorsque vous envoyez un message à quelqu'un, ce message est alors stocké en clair sur un serveur, et lorsque votre ami souhaite lire le message, le serveur le lui montre. + +Le problème évident avec cela est que le fournisseur de services (ou un pirate informatique qui a compromis le serveur) peut consulter vos conversations "privées" quand et comme il le souhaite, sans jamais que vous ne le sachiez. Cela s'applique à de nombreux services courants tels que la messagerie SMS, Telegram, Discord, etc. + +Heureusement, le chiffrement de bout en bout peut atténuer ce problème en rendant illisibles les communications entre vous et vos destinataires avant même qu'elles ne soient envoyées au serveur. La confidentialité de vos messages est garantie, tant que le prestataire de services n'a pas accès aux clés privées d'une des deux personnes. + +!!! note "Note sur le chiffrement basé sur le web" + + Dans la pratique, l'efficacité des différentes mises en œuvre du chiffrement de bout en bout varie. Des applications telles que [Signal](../real-time-communication.md#signal) s'exécutent nativement sur votre appareil, et chaque copie de l'application est la même sur différentes installations. Si le fournisseur de services venait à ouvrir une porte dérobée dans son application pour tenter de voler vos clés privées, cela pourrait être détecté ultérieurement par rétro-ingénierie. + + D'autre part, les implémentations de chiffrement de bout en bout basées sur le web, telles que l'application web de Proton Mail ou le coffre-fort web de Bitwarden, reposent sur le serveur qui sert dynamiquement du code JavaScript au navigateur pour gérer les opérations cryptographiques. Un serveur malveillant pourrait cibler une personne spécifique et lui envoyer un code JavaScript malveillant pour voler sa clé de chiffrement, et il serait extrêmement difficile pour l'utilisateur de s'en rendre compte. Même si cette personne s'aperçoit de la tentative de vol de sa clé, il serait incroyablement difficile de prouver que c'est le fournisseur qui tente de le faire, car le serveur peut choisir de servir différents clients web à différentes personnes. + + Par conséquent, lorsque vous comptez sur le chiffrement de bout en bout, vous devriez choisir d'utiliser des applications natives plutôt que des clients web, dans la mesure du possible. + +Même avec le chiffrement de bout en bout, les fournisseurs de services peuvent toujours vous profiler sur la base des **métadonnées**, qui ne sont généralement pas protégées. Si le fournisseur de services ne peut pas lire vos messages pour savoir ce que vous dites, il peut néanmoins observer des choses comme les personnes avec lesquelles vous parlez, la fréquence de vos messages et les heures où vous êtes généralement actif. La protection des métadonnées est assez rare, et vous devriez prêter une attention particulière à la documentation technique du logiciel que vous utilisez pour voir s'il y a une minimisation ou une protection des métadonnées, si cela vous préoccupe. + +## Programmes de surveillance de masse + +:material-eye-outline: Surveillance de masse + +La surveillance de masse est un effort visant à surveiller le "comportement, de nombreuses activités ou les informations" d'une population entière (ou d'une fraction substantielle d'une population).[^1] Elle fait souvent référence à des programmes gouvernementaux, tels que ceux [divulgués par Edward Snowden en 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). Cependant, elle peut également être réalisée par des entreprises, soit pour le compte d'agences gouvernementales, soit de leur propre initiative. + +!!! abstract "Atlas de la surveillance" + + Si vous souhaitez en savoir plus sur les méthodes de surveillance et la manière dont elles sont mises en œuvre dans les villes aux États-Unis, vous pouvez également consulter l'[Atlas de la Surveillance](https://atlasofsurveillance.org/) de l'[Electronic Frontier Foundation](https://www.eff.org/). + + En France, vous pouvez consulter le site [Technolopolice](https://technopolice.fr/villes/) géré par l'association à but non lucratif La Quadrature du Net. + +Les gouvernements justifient souvent les programmes de surveillance de masse comme des moyens nécessaires pour combattre le terrorisme et prévenir la criminalité. Cependant, en violation des droits de l'homme, ces programmes de surveillance sont, entre autres, le plus souvent utilisés pour cibler de manière disproportionnée les minorités et les dissidents politiques. + +!!! quote "ACLU : [*La leçon du 11 septembre en matière de vie privée : La surveillance de masse n'est pas la voie à suivre*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Face aux [révélations d'Edward Snowden sur des programmes gouvernementaux tels que [PRISM](https://fr.wikipedia.org/wiki/PRISM_%28programme_de_surveillance%29) et [Upstream](https://fr.wikipedia.org/wiki/Upstream_collection)], les responsables des services de renseignement ont également admis que la NSA collectait secrètement depuis des années des enregistrements sur pratiquement tous les appels téléphoniques des Américains - qui appelle qui, quand ces appels sont passés et la durée de ces appels. Ce type d'informations, lorsqu'il est amassé par la NSA quotidiennement, peut révéler des détails terriblement sensibles sur la vie des gens en associant ces données : s'ils ont appelé un pasteur, une clinique d'avortement, un centre d'addiction ou une ligne d'assistance contre le suicide par exemple. + +Malgré la surveillance de masse croissante aux États-Unis, le gouvernement a constaté que les programmes de surveillance de masse comme la section 215 ont eu "peu de valeur unique" en ce qui concerne l'arrêt de crimes réels ou de complots terroristes, les efforts faisant largement double emploi avec les programmes de surveillance ciblée du FBI.[^2] + +Vous pouvez être pisté de plusieurs manières en ligne : + +- Votre adresse IP +- Les cookies de votre navigateur +- Les données que vous soumettez aux sites web +- L'empreinte numérique de votre navigateur ou de votre appareil +- La corrélation des modes de paiement + +\[Cette liste n'est pas exhaustive]. + +Si vous êtes préoccupé par les programmes de surveillance de masse, vous pouvez utiliser des stratégies comme cloisonner vos identités virtuelles, vous fondre dans la masse des utilisateurs, ou, dans la mesure du possible, simplement éviter de renseigner des informations qui pourraient permettre de vous identifier. + +:material-account-cash: Capitalisme de surveillance + +> Le capitalisme de surveillance est un système économique centré sur la collecte et la marchandisation des données personnelles dont le principal but est de faire du profit.[^3] + +Pour de nombreuses personnes, le pistage et la surveillance par des sociétés privées constituent une préoccupation croissante. Les réseaux publicitaires omniprésents, tels que ceux exploités par Google et Facebook, s'étendent sur internet bien au-delà des sites qu'ils contrôlent et suivent vos actions tout le long de votre navigation. L'utilisation d'outils tels que des bloqueurs de contenu pour limiter les requêtes du réseau vers leurs serveurs, et la lecture des politiques de confidentialité des services que vous utilisez peuvent vous aider à éviter de nombreux adversaires de base (bien que cela ne puisse pas empêcher complètement le pistage).[^4] + +En outre, même les entreprises n'appartenant pas au secteur de l'*Industrie Publicitaire (AdTech)* ou du pistage peuvent partager vos informations avec des [data brokers](https://en.wikipedia.org/wiki/Information_broker) (ou « courtiers en données » en français) (tels que Cambridge Analytica, Experian ou Datalogix) ou d'autres parties. Vous ne pouvez pas automatiquement supposer que vos données sont en sécurité simplement parce que le service que vous utilisez n'a pas un modèle économique typique de l'AdTech ou du pistage. La meilleure protection contre la collecte de données par les entreprises est de chiffrer ou d'obscurcir vos données dans la mesure du possible, afin qu'il soit plus difficile pour les différents fournisseurs de corréler les données entre elles et d'établir un profil sur vous. + +## Limiter l'information publique + +:material-account-search: Exposition publique + +La meilleure façon de préserver la confidentialité de vos données est tout simplement de ne pas les mettre en ligne. La suppression des informations indésirables que vous trouvez sur vous en ligne est l'une des meilleures premières mesures que vous pouvez prendre pour retrouver votre vie privée. + +- [Consultez notre guide sur la suppression de compte :material-arrow-right-drop-circle:](account-deletion.md) + +Il est très important de vérifier les paramètres de confidentialité de votre compte pour limiter la diffusion de ces données sur les sites dans lesquels vous partagez des informations. Par exemple, activez le "mode privé" sur vos comptes si vous en avez la possibilité : cela garantit que votre compte n'est pas indexé par les moteurs de recherche et qu'il ne peut pas être consulté sans votre permission. + +Si vous avez déjà soumis vos véritables informations à des sites qui ne devraient pas les avoir, envisagez d'utiliser des tactiques de désinformation, comme la soumission d'informations fictives liées à cette identité en ligne. Vos vraies informations seront alors indiscernables des fausses informations. + +## Éviter la censure + +:material-close-outline: Censure + +La censure en ligne peut être exercée (à des degrés divers) par des acteurs tels que des gouvernements totalitaires, des administrateurs de réseaux et des fournisseurs de services. Ces efforts pour contrôler la communication et restreindre l'accès à l'information seront toujours incompatibles avec le droit humain à la liberté d'expression.[^5] + +La censure sur les plateformes privées est de plus en plus courante, car des plateformes comme Twitter et Facebook cèdent à la demande du public, aux pressions du marché et à celles des agences gouvernementales. Les pressions gouvernementales peuvent prendre la forme de demandes secrètes adressées aux entreprises, comme la Maison Blanche [demandant le retrait](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) d'une vidéo provocante sur YouTube, ou de demandes manifestes, comme le gouvernement chinois exigeant des entreprises qu'elles adhèrent à un régime de censure strict. + +Les personnes concernées par la menace de la censure peuvent utiliser des technologies comme [Tor](../advanced/tor-overview.md) pour la contourner, et soutenir des plateformes de communication résistantes à la censure comme [Matrix](../real-time-communication.md#element), qui ne dispose pas d'une autorité centralisée pouvant fermer des comptes de manière arbitraire. + +!!! tip "Conseil" + + S'il peut être facile d'échapper à la censure en soi, cacher le fait que vous le faites peut être très problématique. + + Vous devez prendre en compte quels aspects du réseau votre adversaire peut observer, et si vous avez une possibilité de déni plausible pour vos actions. Par exemple, l'utilisation de [DNS chiffrés](../advanced/dns-overview.md#what-is-encrypted-dns) peut vous aider à contourner les systèmes de censure rudimentaires basés sur les DNS, mais elle ne peut pas vraiment cacher ce que vous visitez à votre FAI. Un VPN ou Tor peut aider à cacher ce que vous visitez aux administrateurs du réseaux, mais ne peut pas cacher que vous utilisez ces réseaux. Les transports enfichables (tels que Obfs4proxy, Meek ou Shadowsocks) peuvent vous aider à contourner les pare-feu qui bloquent les protocoles VPN courants ou Tor, mais vos tentatives de contournement peuvent toujours être détectées par des méthodes telles que le sondage ou [l'inspection approfondie des paquets](https://fr.wikipedia.org/wiki/Deep_packet_inspection). + +Vous devez toujours tenir compte des risques encourus en essayant de contourner la censure, des conséquences potentielles et du degré de sophistication de votre adversaire. Soyez très prudent dans le choix de vos logiciels et prévoyez un plan de secours au cas où vous seriez pris. + +[^1]: Commission de surveillance de la vie privée et des libertés civiles des États-Unis : [Rapport sur le programme d'enregistrements téléphoniques mené en vertu de la section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^2]: Conseil de surveillance de la vie privée et des libertés civiles des États-Unis : [*Rapport sur le programme d'enregistrements téléphoniques mené en vertu de la section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipédia : [*Capitalisme de surveillance*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Énumérer la méchanceté](https://www.ranum.com/security/computer_security/editorials/dumb/)" (ou "énumérer toutes les mauvaises choses que nous connaissons") comme le font de nombreux bloqueurs de publicités et programmes antivirus, ne permet pas de vous protéger correctement contre les menaces nouvelles et inconnues, car elles n'ont pas encore été ajoutées à la liste des filtres. Vous devriez également utiliser d'autres techniques d'atténuation. +[^5]: Nations Unies : [*Déclaration universelle des droits de l'homme*](https://www.un.org/fr/about-us/universal-declaration-of-human-rights). diff --git a/i18n/fr/basics/email-security.md b/i18n/fr/basics/email-security.md new file mode 100644 index 00000000..bb5394e7 --- /dev/null +++ b/i18n/fr/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Sécurité des emails +icon: material/email +description: L'email est intrinsèquement peu sûr à bien des égards, et voici quelques-unes des raisons pour lesquelles il n'est pas notre premier choix en matière de communications sécurisées. +--- + +Le courrier électronique est une forme de communication non sécurisée par défaut. Vous pouvez améliorer la sécurité de votre courrier électronique avec des outils tels que OpenPGP, qui ajoute un chiffrement de bout en bout à vos messages, mais OpenPGP présente toujours un certain nombre d'inconvénients par rapport au chiffrement dans d'autres applications de messagerie, et certaines données de courrier électronique ne peuvent jamais être chiffrées de manière inhérente en raison de la manière dont le courrier électronique est conçu. + +Par conséquent, il est préférable d'utiliser le courrier électronique pour recevoir des courriels transactionnels (notifications, courriels de vérification, réinitialisation de mot de passe, etc.) provenant des services auxquels vous vous inscrivez en ligne, et non pour communiquer avec d'autres personnes. + +## Aperçu du chiffrement des e-mails + +La méthode standard pour ajouter du E2EE aux emails entre différents fournisseurs mails est d'utiliser OpenPGP. Il existe différentes implémentations de la norme OpenPGP, les plus courantes étant [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) et [OpenPGP.js](https://openpgpjs.org). + +Il existe une autre norme populaire auprès des entreprises, appelée [S/MIME](https://en.wikipedia.org/wiki/S/MIME), mais elle nécessite un certificat émis par une [Autorité de Certification](https://en.wikipedia.org/wiki/Certificate_authority) (toutes ne délivrent pas de certificats S/MIME). Elle est prise en charge par [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) et [Outlook sur le Web ou Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Même si vous utilisez OpenPGP, il ne prend pas en charge la [confidentialité persistante](https://en.wikipedia.org/wiki/Forward_secrecy), ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec cette clé seront exposés. C'est pourquoi nous recommandons, dans la mesure du possible, les [messageries instantanées](../real-time-communication.md) qui mettent en œuvre la confidentialité persistante par rapport aux emails pour les communications de personne à personne. + +### Quels clients mails supportent le E2EE ? + +Les fournisseurs d'emails qui vous permettent d'utiliser les protocoles d'accès standard comme IMAP et SMTP peuvent être utilisés avec n'importe lequel des [clients mail que nous recommandons](../email-clients.md). En fonction de la méthode d'authentification, cela peut entraîner une diminution de la sécurité si le fournisseur ou le client mail ne prend pas en charge OATH ou une application passerelle, car [l'authentification multi-facteurs](/basics/multi-factor-authentication/) n'est pas possible avec l'authentification par mot de passe simple. + +### Comment Puis-Je Protéger Mes Clés Privées? + +Une carte à puce (telle qu'une [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) ou [Nitrokey](https://www.nitrokey.com)) fonctionne en recevant un email chiffré d'un appareil (téléphone, tablette, ordinateur, etc.) exécutant un client mail/webmail. Le message est ensuite déchiffré par la carte à puce et le contenu déchiffré est renvoyé à l'appareil. + +Il est avantageux que le déchiffrement se fasse sur la carte à puce afin d'éviter d'exposer votre clé privée à un dispositif compromis. + +## Aperçu des Métadonnées des Emails + +Les métadonnées des emails sont stockées dans [l'en-tête de message](https://en.wikipedia.org/wiki/Email#Message_header) de l'email et comprennent certains en-têtes visibles que vous avez peut-être vus, tels que : `À`, `De`, `Cc`, `Date`, `Sujet`. Il existe également un certain nombre d'en-têtes cachés inclus par de nombreux clients et fournisseurs de messagerie qui peuvent révéler des informations sur votre compte. + +Le logiciel client peut utiliser les métadonnées de l'email pour montrer de qui provient un message et à quelle heure il a été reçu. Les serveurs peuvent l'utiliser pour déterminer où un email doit être envoyé, parmi [d'autres objectifs](https://en.wikipedia.org/wiki/Email#Message_header) qui ne sont pas toujours transparents. + +### Qui Peut Voir Les Métadonnées Des Emails? + +Les métadonnées des emails sont protégées des observateurs extérieurs par le protocole [TLS Opportuniste](https://en.wikipedia.org/wiki/Opportunistic_TLS). Elles peuvent néanmoins être vues par votre logiciel client mail (ou webmail) et par tout serveur relayant le message de votre part à ses destinataires, y compris votre fournisseur mails. Parfois, les serveurs mails font également appel à des services tiers pour se protéger des spams, qui ont généralement aussi accès à vos messages. + +### Pourquoi les métadonnées ne peuvent-elles pas être E2EE? + +Les métadonnées des emails sont essentielles à la fonctionnalité la plus élémentaire d'un email (d'où il vient et où il doit aller). À l'origine, l'E2EE n'était pas intégré dans les protocoles d'emails, mais nécessitait un logiciel complémentaire comme OpenPGP. Comme les messages OpenPGP doivent toujours fonctionner avec les fournisseurs d'emails traditionnels, il ne peut pas chiffrer les métadonnées du mail, mais seulement le corps du message lui-même. Cela signifie que, même en utilisant OpenPGP, des observateurs extérieurs peuvent voir de nombreuses informations sur vos messages, comme l'identité de l'expéditeur, l'objet du message, le moment de l'envoi, etc. diff --git a/i18n/fr/basics/multi-factor-authentication.md b/i18n/fr/basics/multi-factor-authentication.md new file mode 100644 index 00000000..0fdd50b4 --- /dev/null +++ b/i18n/fr/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Authentification multi-facteurs" +icon: 'material/two-factor-authentication' +description: MFA est un mécanisme de sécurité essentiel pour sécuriser vos comptes en ligne, mais certaines méthodes sont plus efficaces que d'autres. +--- + +L'**Authentification Multi-Facteurs** (**MFA**) est un mécanisme de sécurité qui exige des étapes supplémentaires au-delà de la saisie du nom d'utilisateur (ou de l'email) et du mot de passe. La méthode la plus courante est celle des codes à durée limitée que vous pouvez recevoir par SMS ou par une application. + +Normalement, si un pirate informatique (ou un adversaire) est capable de trouver votre mot de passe, il aura alors accès au compte auquel ce mot de passe appartient. Un compte avec MFA oblige le pirate informatique à avoir à la fois le mot de passe (quelque chose que vous *connaissez*) et un appareil que vous possédez (quelque chose que vous *avez*), comme votre téléphone. + +Les méthodes MFA varient en termes de sécurité, mais elles reposent sur le principe suivant : plus il est difficile pour un hacker d'accéder à votre méthode MFA, mieux c'est. Parmi les méthodes MFA (de la plus faible à la plus forte), citons les SMS, les codes par e-mail, les notifications push des applications, TOTP, Yubico OTP et FIDO. + +## Comparaison des méthodes de MFA + +### MFA SMS ou Email + +La réception de codes OTP par SMS ou e-mail est l'un des moyens les plus faibles pour sécuriser vos comptes avec MFA. L'obtention d'un code par e-mail ou SMS retire de l'idée "quelque chose que vous *avez*", parce qu'il existe une variété de façons dont un pirate informatique pourrait [prendre le contrôle de votre numéro de téléphone](https://en.wikipedia.org/wiki/SIM_swap_scam) ou accéder à votre e-mail sans avoir physiquement accès à aucun de vos appareils. Si une personne non autorisée a accès à votre e-mail, ils seraient en mesure d'utiliser cet accès à la fois pour réinitialiser votre mot de passe et pour recevoir le code d'authentification, en leur donnant un accès complet à votre compte. + +### Notifications push + +La MFA par notification push prend la forme d'un message envoyé à une application sur votre téléphone vous demandant de confirmer les nouvelles connexions de compte. Cette méthode est bien meilleure que le SMS ou l'e-mail, car un attaquant ne pourrait généralement pas obtenir ces notifications push sans avoir un appareil déjà connecté, ce qui signifie qu'il devrait d'abord compromettre l'un de vos autres appareils. + +Nous faisons tous des erreurs, et il y a le risque que vous acceptiez la tentative de connexion par accident. Les autorisations de connexion par notification push sont généralement envoyées à *tous* vos appareils en même temps, ce qui élargit la disponibilité du code MFA si vous avez de nombreux appareils. + +La sécurité de la MFA par notification push dépend à la fois de la qualité de l'application, du composant serveur et de la confiance du développeur qui la produit. L'installation d'une application peut également vous obliger à accepter des privilèges envahissants qui donnent accès à d'autres données sur votre appareil. Une application individuelle nécessite également que vous ayez une application spécifique pour chaque service qui peut ne pas nécessiter l'ouverture d'un mot de passe. contrairement à une bonne application de générateur TOTP. + +### Mot de passe unique basé sur le temps (TOTP) + +TOTP est l'une des formes les plus courantes de MFA. Lorsque vous configurez un TOTP, vous devez généralement scanner un code QR [](https://fr.wikipedia.org/wiki/Code_QR) qui établit un "[secret partagé](https://fr.wikipedia.org/wiki/Secret_partag%C3%A9)" avec le service que vous avez l'intention d'utiliser. Le secret partagé est sécurisé à l'intérieur des données de l'application d'authentification, et est parfois protégé par un mot de passe. + +Le code limité dans le temps est alors dérivé du secret partagé et de l'heure courante. Comme le code n'est valable que pour une courte période, sans accès au secret partagé, un adversaire ne peut pas générer de nouveaux codes. + +Si vous disposez d'une clé de sécurité matérielle avec support TOTP (comme une YubiKey avec [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), nous vous recommandons de stocker vos "secrets partagés" sur le matériel. Un matériel tel que la YubiKey a été développé dans l'intention de rendre le "secret partagé" difficile à extraire et à copier. Une clé YubiKey n'est pas non plus connectée à Internet, contrairement à un téléphone équipé d'une application TOTP. + +Contrairement à [WebAuthn](#fido-fast-identity-online), TOTP n'offre aucune protection contre les attaques d'[hammeçonnage](https://en.wikipedia.org/wiki/Phishing) ou de réutilisation. Si un adversaire obtient de vous un code valide, il peut l'utiliser autant de fois qu'il le souhaite jusqu'à son expiration (généralement 60 secondes). + +Un adversaire pourrait créer un site web imitant un service officiel afin de vous inciter à donner votre nom d'utilisateur, votre mot de passe et votre code TOTP actuel. Si l'adversaire utilise ensuite ces informations d'identification enregistrées, il peut être en mesure de se connecter au service réel et de détourner le compte. + +Bien qu'imparfait, TOTP est suffisamment sûr pour la plupart des gens, et lorsque [les clés de sécurité matérielles](../multi-factor-authentication.md#hardware-security-keys) ne sont pas prises en charge [les applications d'authentification](../multi-factor-authentication.md#authenticator-apps) restent une bonne option. + +### Clés de Sécurité Matérielles + +La clé YubiKey stocke les données sur une puce à semi-conducteurs inviolable à laquelle il est [impossible d'accéder](https://security.stackexchange.com/a/245772) de manière non destructive sans un processus coûteux et un laboratoire d'expertise. + +Ces clés sont généralement multifonctionnelles et fournissent un certain nombre de méthodes d'authentification. Vous trouverez ci-dessous les plus courantes. + +#### Yubico OTP + +Le protocole OTP de Yubico est un protocole d'authentification généralement mis en œuvre dans les clés de sécurité matérielles. Lorsque vous décidez d'utiliser l'OTP de Yubico, la clé génère un identifiant public, un identifiant privé et une clé secrète qui sont ensuite téléchargés sur le serveur OTP de Yubico. + +Lorsque vous vous connectez à un site web, il vous suffit de toucher physiquement la clé de sécurité. La clé de sécurité émule un clavier et imprime un mot de passe unique dans le champ mot de passe. + +Le service transmettra ensuite le mot de passe unique au serveur Yubico OTP pour validation. Un compteur est incrémenté à la fois sur la clé et sur le serveur de validation de Yubico. L'OTP ne peut être utilisé qu'une seule fois, et lorsqu'une authentification réussie se produit, le compteur est augmenté, ce qui empêche la réutilisation de l'OTP. Yubico fournit un [document détaillé](https://developers.yubico.com/OTP/OTPs_Explained.html) sur le processus. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +L'utilisation de l'OTP de Yubico présente certains avantages et inconvénients par rapport à TOTP. + +Le serveur de validation Yubico est un service basé sur le cloud, et vous placez la confiance dans Yubico pour stocker les données en toute sécurité et ne pas vous profiler. L'identifiant public associé à l'OTP de Yubico est réutilisé sur tous les sites web et pourrait constituer un autre moyen pour des tiers de vous profiler. Comme TOTP, Yubico OTP ne fournit pas de résistance au phishing. + +Si votre modèle de menace exige que vous ayez des identités différentes sur différents sites Web, **ne pas** utiliser Yubico OTP avec la même clé de sécurité matérielle entre ces sites Web car l'identifiant public est unique à chaque clé de sécurité. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) comprend un certain nombre de normes, d'abord l'U2F puis, plus tard, la [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) qui comprend la norme Web [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F et FIDO2 font référence au [Protocole client à authentificateur](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), qui est le protocole entre la clé de sécurité et l'ordinateur, comme un ordinateur portable ou un téléphone. Il complète WebAuthn qui est le composant utilisé pour s'authentifier avec le site Web (la « partie utilisatrice ») sur lequel vous essayez de vous connecter. + +WebAuthn est la forme la plus sûre et la plus privée d'authentification par second facteur. Bien que l'expérience d'authentification soit similaire à celle de Yubico OTP, la clé n'imprime pas un mot de passe à usage unique et ne le valide pas auprès d'un serveur tiers. Il utilise plutôt la [cryptographie asymétrique](https://en.wikipedia.org/wiki/Public-key_cryptography) pour l'authentification. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Lorsque vous créez un compte, la clé publique est envoyée au service, puis lorsque vous vous connectez, le service vous demande de "signer" certaines données avec votre clé privée. L'avantage de cette méthode est qu'aucune donnée de mot de passe n'est jamais stockée par le service, et qu'il n'y a donc rien qu'un adversaire puisse voler. + +Cette présentation aborde l'histoire de l'authentification par mot de passe, les pièges (tels que la réutilisation du mot de passe), et discute des normes FIDO2 et [WebAuthn](https://webauthn.guide) . + +
+ +
+ +FIDO2 et WebAuthn présentent des propriétés de sécurité et de confidentialité supérieures à celles de toute autre méthode MFA. + +Généralement pour les services web, il est utilisé avec WebAuthn qui fait partie des [recommandations W3C](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Il utilise l'authentification asymétrique et est plus sécurisé que les secrets partagés utilisés dans les méthodes OTP de Yubico et TOTP, car il inclut le nom d'origine (habituellement le nom de domaine) lors de l'authentification. L'attestation est fournie pour vous protéger des attaques de phishing, car elle vous aide à déterminer que vous utilisez le service authentique et non une fausse copie. + +Contrairement à Yubico OTP, WebAuthn n'utilise pas d'identifiant public, de sorte que la clé est **non** identifiable sur différents sites web. Il n'utilise pas non plus de serveur cloud tiers pour l'authentification. Toute la communication se fait entre la clé et le site web auquel vous vous connectez. FIDO utilise également un compteur qui est incrémenté lors de l'utilisation afin d'empêcher la réutilisation de session et les clés clonées. + +Si un site Web ou un service prend en charge WebAuthn pour l'authentification, il est fortement recommandé de l'utiliser plutôt que toute autre forme de MFA. + +## Recommandations générales + +Nous avons les recommandations générales suivantes : + +### Quelle méthode choisir ? + +Lors de la configuration de votre méthode MFA, gardez à l'esprit qu'elle est aussi sécurisée que votre méthode d'authentification la plus faible que vous utilisez. Cela signifie qu'il est important que vous n'utilisiez que la meilleure méthode d'MFA disponible. Par exemple, si vous utilisez déjà TOTP, vous devez désactiver les MFA par e-mail et les SMS. Si vous utilisez déjà FIDO2/WebAuthn, vous ne devez pas utiliser Yubico OTP ou TOTP sur votre compte. + +### Sauvegardes + +Vous devriez toujours avoir des sauvegardes pour votre méthode MFA. Les clés de sécurité matérielle peuvent être perdues, volées ou simplement cesser de fonctionner au fil du temps. Il est recommandé d'avoir une paire de clés de sécurité matérielle avec le même accès à vos comptes au lieu d'une seule. + +Lorsque vous utilisez TOTP avec une application d'authentification, assurez-vous de sauvegarder vos clés de récupération ou l'application elle-même, ou copiez les « secrets partagés » vers une autre instance de l'application sur un autre téléphone ou vers un conteneur chiffré (par exemple [VeraCrypt](../encryption.md#veracrypt)). + +### Configuration Initiale + +Lors de l'achat d'une clé de sécurité, il est important de modifier les informations d'identification par défaut, de configurer la protection par mot de passe de la clé et d'activer la confirmation tactile si votre clé la prend en charge. Les produits tels que la clé YubiKey ont plusieurs interfaces avec des informations d'identification distinctes pour chacune d'entre elles, vous devez donc passer en revue chaque interface et mettre en place une protection. + +### E-mail et SMS + +Si vous devez utiliser le courrier électronique pour MFA, assurez-vous que le compte de courrier électronique est lui-même sécurisé avec une méthode MFA appropriée. + +Si vous utilisez la MFA par SMS, utilisez un opérateur qui ne changera pas votre numéro de téléphone pour une nouvelle carte SIM sans accès au compte, ou utilisez un numéro VoIP dédié d'un fournisseur offrant une sécurité similaire pour éviter une attaque par [échange de carte SIM](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[Outils de MFA que nous recommandons](../multi-factor-authentication.md ""){.md-button} + +## Plus d'endroits pour configurer MFA + +Au-delà de la simple sécurisation des connexions à votre site web, l'authentification multifactorielle peut être utilisée pour sécuriser vos connexions locales, vos clés SSH ou même vos bases de données de mots de passe. + +### Windows + +Yubico dispose d'un [fournisseur d'identifiants](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) dédié qui ajoute l'authentification à épreuve-réponse pour le flux de connexion nom d'utilisateur + mot de passe pour les comptes Windows locaux. Si vous avez une YubiKey avec le support d'authentification de Challenge-Response, jetez un œil au [Guide de configuration de Yubico pour Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), qui vous permettra de configurer la MFA sur votre ordinateur Windows. + +### macOS + +macOS dispose d'un [support natif](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) pour l'authentification par carte à puce (PIV). Si vous avez une carte à puce ou une clé de sécurité matérielle qui prend en charge l'interface PIV telle que la YubiKey, nous vous recommandons de suivre la documentation de votre fournisseur de sécurité de carte à puce/matérielle et de configurer l'authentification à second facteur pour votre ordinateur macOS. + +Yubico a un guide [Utiliser votre YubiKey comme une Smart Card dans macOS](https://support.yubico.com/hc/en-us/articles/360016649059) qui peut vous aider à configurer votre YubiKey sur macOS. + +Une fois votre carte à puce/clé de sécurité configurée, nous vous recommandons d'exécuter cette commande dans le terminal : + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +Cette commande empêchera un adversaire de contourner le MFA au démarrage de l'ordinateur. + +### Linux + +!!! warning "Avertissement" + + Si le nom d'hôte de votre système change (par exemple à cause du DHCP), vous ne pourrez pas vous connecter. Il est essentiel que vous configuriez un nom d'hôte approprié pour votre ordinateur avant de suivre ce guide. + +Le module `pam_u2f` sous Linux peut fournir une authentification à deux facteurs pour se connecter sur la plupart des distributions Linux populaires. Si vous avez une clé de sécurité matérielle qui prend en charge U2F, vous pouvez configurer l'authentification MFA pour votre connexion. Yubico a un guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) qui devrait fonctionner sur n'importe quelle distribution. Les commandes du gestionnaire de paquets - telles que `apt-get`- et les noms de paquets peuvent toutefois différer. Ce guide ne s'applique **pas** à Qubes OS. + +### Qubes OS + +Qubes OS prend en charge l'authentification Challenge-Response avec YubiKeys. Si vous avez une YubiKey avec un support d'authentification Challenge-Response, jetez un coup d'oeil à la documentation de Qubes OS [YubiKey](https://www.qubes-os.org/doc/yubikey/) si vous voulez configurer la MFA sur Qubes OS. + +### SSH + +#### Clés de sécurité matérielles + +La MFA par SSH peut être configuré en utilisant plusieurs méthodes d'authentification différentes qui sont populaires avec les clés de sécurité matérielle. Nous vous recommandons de consulter la [documentation](https://developers.yubico.com/SSH/) de Yubico sur la manière de la configurer. + +#### Mot de passe unique basé sur le temps (TOTP) + +La MFA par SSH peut également être configurée en utilisant TOTP. DigitalOcean fourni un tutoriel [Comment configurer l'authentification multifacteurs pour SSH sur Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La plupart des éléments devraient être les mêmes quelle que soit la distribution, mais les commandes du gestionnaire de paquets - telles que `apt-get`- et les noms des paquets peuvent différer. + +### KeePass (et KeePassXC) + +Les bases de données KeePass et KeePassXC peuvent être sécurisées en utilisant Challenge-Response ou HOTP comme second facteur d'authentification. Yubico a fourni un tutoriel pour KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) et il y en a également un autre sur le site [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) . diff --git a/i18n/fr/basics/passwords-overview.md b/i18n/fr/basics/passwords-overview.md new file mode 100644 index 00000000..b076fddb --- /dev/null +++ b/i18n/fr/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction aux mots de passe" +icon: 'material/form-textbox-password' +description: Voici quelques conseils et astuces pour créer des mots de passe plus forts et sécuriser vos comptes. +--- + +Les mots de passe sont un élément essentiel de notre vie numérique quotidienne. Nous les utilisons pour protéger nos comptes, nos appareils et nos secrets. Bien qu'ils soient souvent la seule chose qui nous sépare d'un adversaire qui en veut à nos informations privées, ils ne font pas l'objet d'une réflexion approfondie, ce qui conduit souvent les gens à utiliser des mots de passe faciles à deviner ou à forcer. + +## Bonnes pratiques + +### Utiliser des mots de passe uniques pour chaque service + +Imaginez ceci : vous vous inscrivez à un compte avec le même e-mail et le même mot de passe sur plusieurs services en ligne. Si l'un de ces fournisseurs de services est malveillant ou si son service subit une fuite de données qui expose votre mot de passe dans un format non chiffré, il suffit à un acteur malveillant d'essayer cette combinaison d'e-mail et de mot de passe sur plusieurs services populaires jusqu'à ce qu'il obtienne un résultat. La force de ce mot de passe n'a pas d'importance, car ils l'ont déjà. + +C'est ce qu'on appelle le [bourrage d'identifiants](https://en.wikipedia.org/wiki/Credential_stuffing), et c'est l'une des façons les plus courantes dont vos comptes peuvent être compromis par des cybercriminels. Pour éviter cela, assurez-vous de ne jamais réutiliser vos mots de passe. + +### Utilisez des mots de passe générés de manière aléatoire + +==Vous ne devez **jamais** compter sur vous-même pour trouver un bon mot de passe.== Nous vous recommandons d'utiliser [des mots de passe générés de manière aléatoire](#passwords) ou [des phrases secrètes de type "diceware"](#diceware-passphrases) avec une entropie suffisante pour protéger vos comptes et vos appareils. + +Tous nos [gestionnaires de mots de passe recommandés](../passwords.md) comprennent un générateur de mots de passe intégré que vous pouvez utiliser. + +### Rotation des mots de passe + +Vous devez éviter de changer trop souvent les mots de passe que vous devez retenir (comme le mot de passe principal de votre gestionnaire de mots de passe), sauf si vous avez des raisons de penser qu'ils ont été compromis, car le fait de les changer trop souvent vous expose au risque de les oublier. + +En ce qui concerne les mots de passe que vous n'avez pas à retenir (comme les mots de passe stockés dans votre gestionnaire de mots de passe), si votre [modèle de menace](threat-modeling.md) le demande, nous vous recommandons de passer en revue les comptes importants (en particulier les comptes qui n'utilisent pas l'authentification multi-facteurs) et de changer leur mot de passe tous les deux mois, au cas où ils auraient été compromis dans le cadre d'une fuite de données qui n'a pas encore été rendue publique. La plupart des gestionnaires de mots de passe vous permettent de fixer une date d'expiration pour votre mot de passe afin d'en faciliter la gestion. + +!!! tip "Vérifier les fuites de données" + + Si votre gestionnaire de mots de passe vous permet de vérifier les mots de passe compromis, assurez-vous de le faire et changez rapidement tout mot de passe qui pourrait avoir été exposé dans une fuite de données. Vous pouvez également suivre le flux [Dernières Brèches de Have I Been Pwned](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) à l'aide d'un [agrégateur d'actualités](../news-aggregators.md). + +## Créer des mots de passe forts + +### Mots de passe + +De nombreux services imposent certains critères en ce qui concerne les mots de passe, notamment une longueur minimale ou maximale, ainsi que les caractères spéciaux qui peuvent être utilisés le cas échéant. Vous devez utiliser le générateur de mots de passe intégré à votre gestionnaire de mots de passe pour créer des mots de passe aussi longs et complexes que le service le permet en incluant des lettres majuscules et minuscules, des chiffres et des caractères spéciaux. + +Si vous avez besoin d'un mot de passe que vous pouvez mémoriser, nous vous recommandons la [phrase secrète diceware](#diceware-passphrases). + +### Phrases secrètes Diceware + +Diceware est une méthode permettant de créer des phrases secrètes faciles à retenir, mais difficiles à deviner. + +Les phrases secrètes Diceware sont une excellente option lorsque vous devez mémoriser ou saisir manuellement vos informations d'identification, par exemple pour le mot de passe principal de votre gestionnaire de mots de passe ou le mot de passe de chiffrement de votre appareil. + +Un exemple de phrase secrète diceware est `viewable fastness reluctant squishy seventeen shown pencil`. + +Pour générer une phrase secrète diceware à l'aide de vrais dés, suivez ces étapes : + +!!! note "À noter" + + Ces instructions supposent que vous utilisez la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) pour générer la phrase secrète, ce qui nécessite cinq lancers de dés par mot. D'autres listes de mots peuvent nécessiter plus ou moins de lancers par mot, et peuvent nécessiter un nombre différent de mots pour obtenir la même entropie. + +1. Lancez cinq fois un dé à six faces, en notant le nombre après chaque lancer. + +2. Par exemple, disons que vous avez obtenu `2-5-2-6-6`. Cherchez dans la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) le mot qui correspond à `25266`. + +3. Vous trouverez le mot `encrypt`. Notez ce mot. + +4. Répétez ce processus jusqu'à ce que votre phrase secrète comporte autant de mots que nécessaire, que vous devez séparer par un espace. + +!!! warning "Avertissement" + + Vous ne devez **pas** relancer les mots jusqu'à ce que vous obteniez une combinaison de mots qui vous plaît. Le processus doit être complètement aléatoire. + +Si vous n'avez pas accès à de vrais dés ou si vous préférez ne pas en utiliser, vous pouvez utiliser le générateur de mots de passe intégré à votre gestionnaire de mots de passe, car la plupart d'entre eux ont la possibilité de générer des phrases secrètes diceware en plus des mots de passe ordinaires. + +Nous vous recommandons d'utiliser la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) pour générer vos phrases secrètes diceware, car elle offre exactement la même sécurité que la liste originale, tout en contenant des mots plus faciles à mémoriser. Il existe également [d'autres listes de mots dans différentes langues](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), si vous ne souhaitez pas que votre phrase secrète soit en anglais. + +??? note "Explication de l'entropie et de la force des phrases secrètes diceware" + + Pour démontrer la force des phrases secrètes diceware, nous utiliserons la phrase secrète de sept mots mentionnée plus haut (`viewable fastness reluctant squishy seventeen shown pencil`) et la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) comme exemple. + + L'une des mesures permettant de déterminer la force d'une phrase secrète est son degré d'entropie. L'entropie par mot dans une phrase secrète est calculée comme suit : $\text{log}_2(\text{WordsInList})$ et l'entropie globale de la phrase secrète est calculée comme suit : $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Par conséquent, chaque mot de la liste susmentionnée génère ~12,9 bits d'entropie ($\text{log}_2(7776)$), et une phrase secrète de sept mots dérivée de cette liste a ~90,47 bits d'entropie ($\text{log}_2(7776^7)$). + + La [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contient 7776 mots uniques. Pour calculer le nombre de phrases secrètes possibles, il suffit de faire $\text{WordsInList}^\text{WordsInPhrase}$, ou dans notre cas, $7776^7$. + + Mettons tout cela en perspective : Une phrase secrète de sept mots utilisant la [grande liste de mots de l'EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) est l'une des ~1 719 070 799 748 422 500 000 000 000 phrases secrètes possibles. + + En moyenne, il faut essayer 50 % de toutes les combinaisons possibles pour deviner votre phrase. En gardant cela à l'esprit, même si votre adversaire est capable de faire ~1 000 000 000 000 de suppositions par seconde, il lui faudrait toujours ~27 255 689 ans pour deviner votre phrase secrète. C'est le cas même si les choses suivantes sont vraies : + + - Votre adversaire sait que vous avez utilisé la méthode du diceware. + - Votre adversaire connaît la liste de mots spécifique que vous avez utilisée. + - Votre adversaire sait combien de mots contient votre phrase secrète. + +Pour résumer, les phrases secrètes diceware sont votre meilleure option lorsque vous avez besoin d'une phrase à la fois facile à retenir *et* exceptionnellement forte. + +## Stockage des mots de passe + +### Gestionnaires de mots de passe + +La meilleure façon de stocker vos mots de passe est d'utiliser un gestionnaire de mots de passe. Ils vous permettent de stocker vos mots de passe dans un fichier ou dans le cloud et de les protéger avec un seul mot de passe principal. Ainsi, vous n'aurez à retenir qu'un seul mot de passe fort, qui vous permettra d'accéder aux autres. + +Il existe de nombreuses options intéressantes, qu'elles soient basées sur le cloud ou locales. Choisissez l'un de nos gestionnaires de mots de passe recommandés et utilisez-le pour établir des mots de passe forts pour tous vos comptes. Nous vous recommandons de sécuriser votre gestionnaire de mots de passe avec une [phrase secrète diceware](#diceware-passphrases) composée d'au moins sept mots. + +[Liste des gestionnaires de mots de passe recommandés](../passwords.md ""){.md-button} + +!!! warning "Ne placez pas vos mots de passe et vos codes TOTP dans le même gestionnaire de mots de passe" + + Lorsque vous utilisez des codes TOTP comme [authentification à multi-facteurs](../multi-factor-authentication.md), la meilleure pratique de sécurité consiste à conserver vos codes TOTP dans une [application séparée](../multi-factor-authentication.md#authenticator-apps). + + Le stockage de vos codes TOTP au même endroit que vos mots de passe, bien que pratique, réduit les comptes à un seul facteur dans le cas où un adversaire aurait accès à votre gestionnaire de mots de passe. + + En outre, nous ne recommandons pas de stocker des codes de récupération à usage unique dans votre gestionnaire de mots de passe. Ils doivent être stockés séparément, par exemple dans un conteneur chiffré sur un dispositif de stockage hors ligne. + +### Sauvegardes + +Vous devriez conserver une sauvegarde [chiffrée](../encryption.md) de vos mots de passe sur plusieurs dispositifs de stockage ou sur un fournisseur de stockage cloud. Cela peut vous aider à accéder à vos mots de passe si quelque chose arrive à votre appareil principal ou au service que vous utilisez. diff --git a/i18n/fr/basics/threat-modeling.md b/i18n/fr/basics/threat-modeling.md new file mode 100644 index 00000000..5c0e64d5 --- /dev/null +++ b/i18n/fr/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Modélisation des menaces" +icon: 'material/target-account' +description: Trouver le bon équilibre entre la sécurité, la confidentialité et la commodité est l'une des premières et plus difficiles tâches que vous aurez à accomplir dans votre parcours pour regagner votre vie privée en ligne. +--- + +Trouver le bon équilibre entre la sécurité, la confidentialité et la commodité est l'une des premières et plus difficiles tâches que vous aurez à accomplir dans votre parcours pour regagner votre vie privée en ligne. Tout est une histoire de compromis : plus quelque chose est sécurisé, plus il est limité ou peu pratique, etc. Souvent, les gens trouvent que le problème avec les outils qui leurs sont recommandés est qu'ils sont trop difficiles à utiliser ! + +Si vous vouliez utiliser les outils les **plus** sécurisés actuellement disponibles, vous devriez sacrifier *beaucoup* de commodité. Et même dans ce cas, ==rien n'est jamais totalement sécurisé.== On parle de sécurité **élevée**, mais jamais de sécurité **totale**. C'est pourquoi les modèles de menace sont importants. + +**Alors, quels sont ces modèles de menace ?** + +==Un modèle de menace est une liste des menaces les plus probables pour votre sécurité/vie privée.== Puisqu'il est impossible de se protéger contre **toutes** les attaques(ants), vous devriez vous concentrer sur les menaces **les plus probables**. En matière de sécurité informatique, une menace est un événement potentiel qui pourrait saper vos efforts pour protéger votre vie privée et votre sécurité. + +En vous concentrant sur les menaces qui comptent pour vous, vous affinez votre réflexion sur la protection dont vous avez besoin, ce qui vous permet de choisir les outils qui conviennent le mieux. + +## Création de votre modèle de menace + +Pour identifier ce qui pourrait arriver aux choses auxquelles vous tenez et déterminer de qui vous devez les protéger, vous devez répondre à ces cinq questions : + +1. Qu'est-ce que je veux protéger ? +2. De qui je veux le protéger ? +3. Quelle est la probabilité que je doive le protéger ? +4. Quelles sont les conséquences si j'échoue ? +5. Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir les conséquences potentielles ? + +### Qu'est-ce que je veux protéger ? + +Un "actif" est quelque chose que vous valorisez et que vous voulez protéger. Dans le contexte de la sécurité numérique, ==un actif est généralement un type d'information.== Par exemple, vos e-mails, vos listes de contacts, vos messages instantanés, votre emplacement et vos fichiers sont tous des actifs possibles. Vos appareils eux-mêmes peuvent également constituer des actifs. + +*Dressez la liste de vos actifs : les données que vous conservez, où elles sont conservées, qui y a accès et ce qui empêche les autres d'y accéder.* + +### De qui je veux le protéger ? + +Pour répondre à cette question, il est important d'identifier qui pourrait vouloir vous cibler, vous ou vos informations. ==Une personne ou une entité qui représente une menace pour vos actifs est un “adversaire.”== Des exemples d'adversaires potentiels sont votre patron, votre ancien partenaire, une entreprise concurrentielle, votre gouvernement ou un pirate informatique sur un réseau public. + +*Dressez une liste de vos adversaires, ou de ceux qui pourraient vouloir s'emparer de vos actifs. Votre liste peut comprendre des particuliers, une agence gouvernementale ou des sociétés.* + +Selon l'identité de vos adversaires, dans certaines circonstances, cette liste peut être quelque chose que vous souhaitez détruire après avoir terminé ce plan de sécurité. + +### Quelle est la probabilité que je doive le protéger ? + +==Le risque est la probabilité qu'une menace particulière contre un actif particulier se produise réellement. Il va de pair avec la capacité. Si votre opérateur de téléphonie mobile a la capacité d'accéder à toutes vos données, le risque qu'il publie vos données privées en ligne pour nuire à votre réputation est faible. + +Il est important de faire la distinction entre ce qui pourrait se produire et la probabilité que cela se produise. Par exemple, votre bâtiment risque de s'effondrer, mais le risque que cela se produise est bien plus grand à San Francisco (où les tremblements de terre sont fréquents) qu'à Stockholm (où ils ne le sont pas). + +L'évaluation des risques est un processus à la fois personnel et subjectif. De nombreuses personnes jugent certaines menaces inacceptables, quelle que soit la probabilité qu'elles se produisent, car la simple présence de la menace, quelle que soit la probabilité, n'en vaut pas la peine. Dans d'autres cas, les gens ignorent les risques élevés parce qu'ils ne considèrent pas la menace comme un problème. + +*Notez les menaces que vous allez prendre au sérieux et celles qui sont peut-être trop rares ou trop inoffensives (ou trop difficiles à combattre) pour que vous vous en préoccupiez.* + +### Quelles sont les conséquences si j'échoue ? + +Il existe de nombreuses façons pour un adversaire d'accéder à vos données. Par exemple, un adversaire peut lire vos communications privées lorsqu'elles passent par le réseau, ou il peut supprimer ou corrompre vos données. + +==Les motifs des adversaires diffèrent considérablement, tout comme leurs tactiques.== Un gouvernement qui tente d'empêcher la diffusion d'une vidéo montrant des violences policières peut se contenter de supprimer ou de réduire la disponibilité de cette vidéo. En revanche, un adversaire politique pourrait vouloir accéder à un contenu secret et le publier à votre insu. + +Préparer un plan de sécurité implique de comprendre à quelle point les conséquences pourraient être mauvaises si un adversaire réussissait à accéder à l'un de vos actifs. Pour le déterminer, vous devez tenir compte du potentiel de votre adversaire. Par exemple, votre opérateur de téléphonie mobile a accès à tous vos relevés téléphoniques. Un pirate sur un réseau Wi-Fi ouvert peut accéder à vos communications non chiffrées. Votre gouvernement a peut-être des capacités plus importantes. + +*Écrivez ce que votre adversaire pourrait vouloir faire avec vos données privées.* + +### Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir les conséquences potentielles ? + +==Il n'y a pas d'option parfaite pour la sécurité.== Tout le monde n'a pas les mêmes priorités, préoccupations, ou accès aux ressources. Votre évaluation des risques vous permettra de planifier la stratégie qui vous convient le mieux, en conciliant commodité, coût et respect de la vie privée. + +Par exemple, un avocat représentant un client dans une affaire de sécurité nationale peut être prêt à faire plus d'efforts pour protéger les communications relatives à cette affaire, par exemple en utilisant un e-mail chiffré, qu'une mère qui envoie régulièrement à sa fille des vidéos de chats amusants. + +*Notez les options dont vous disposez pour atténuer les menaces qui vous sont propres. Notez si vous avez des contraintes financières, techniques ou sociales.* + +### Essayez vous-même : protéger vos biens + +Ces questions peuvent s'appliquer à une grande variété de situations, en ligne et hors ligne. Pour illustrer de manière générique le fonctionnement de ces questions, établissons un plan pour assurer la sécurité de votre maison et de vos biens. + +**Que voulez-vous protéger ? (ou, *que possédez-vous qui mérite d'être protégé ?*)** +: + +Vos actifs peuvent comprendre des bijoux, des appareils électroniques, des documents importants ou des photos. + +**De qui voulez-vous les protéger ?** +: + +Vos adversaires peuvent être des cambrioleurs, des colocataires ou des invités. + +**Quelle est la probabilité que je doive les protéger ?** +: + +Votre quartier a-t-il des antécédents de cambriolages ? Vos colocataires/invités sont-ils dignes de confiance ? Quelles sont les capacités de vos adversaires ? Quels sont les risques à prendre en compte ? + +**Quelles sont les conséquences si j'échoue ?** +: + +Avez-vous quelque chose dans votre maison que vous ne pouvez pas remplacer ? Avez-vous le temps ou l'argent pour remplacer ces choses ? Avez-vous une assurance qui couvre les biens volés à votre domicile ? + +**Jusqu'à quel point suis-je prêt à me donner du mal pour essayer de prévenir ces conséquences ?** +: + +Êtes-vous prêt à acheter un coffre-fort pour les documents sensibles ? Pouvez-vous vous permettre d'acheter une serrure de haute qualité ? Avez-vous le temps d'ouvrir un coffre-fort à votre banque locale et d'y conserver vos objets de valeur ? + +Ce n'est qu'après vous être posé ces questions que vous serez en mesure d'évaluer les mesures à prendre. Si vos biens ont de la valeur, mais que la probabilité d'une effraction est faible, alors vous ne voudrez peut-être pas investir trop d'argent dans un verrou. Mais si la probabilité d'une effraction est élevée, vous voudrez vous procurer la meilleure serrure du marché et envisager d'ajouter un système de sécurité. + +L'élaboration d'un plan de sécurité vous aidera à comprendre les menaces qui vous sont propres et à évaluer vos actifs, vos adversaires et les capacités de ces derniers, ainsi que la probabilité des risques auxquels vous êtes confrontés. + +## Pour en savoir plus + +Pour les personnes qui cherchent à améliorer leur vie privée et leur sécurité en ligne, nous avons dressé une liste des menaces courantes auxquelles nos visiteurs sont confrontés ou des objectifs qu'ils poursuivent, afin de vous donner de l'inspiration et de démontrer la base de nos recommandations. + +- [Objectifs et menaces courants :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: votre plan de sécurité](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/fr/basics/vpn-overview.md b/i18n/fr/basics/vpn-overview.md new file mode 100644 index 00000000..f3e1bdcf --- /dev/null +++ b/i18n/fr/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: Introduction aux VPNs +icon: material/vpn +description: Les réseaux privés virtuels déplacent le risque de votre FAI à un tiers en qui vous avez confiance. Vous devriez garder ces éléments à l'esprit. +--- + +Les Réseaux Privés Virtuels sont un moyen d'étendre l'extrémité de votre réseau à une sortie située ailleurs dans le monde. Un Fournisseur d'Accès Internet (FAI) peut voir le flux du trafic internet qui entre et sort de votre dispositif de terminaison de réseau (c'est-à-dire la box/modem). + +Les protocoles de chiffrement tels que HTTPS sont couramment utilisés sur internet, ils peuvent donc ne pas être en mesure de voir exactement ce que vous publiez ou lisez, mais ils peuvent avoir une idée [des domaines que vous visitez](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Un VPN peut vous aider car il peut déplacer la confiance offerte à votre FAI vers un serveur situé ailleurs dans le monde. Par conséquent, le FAI ne voit que le fait que vous êtes connecté à un VPN et rien sur l'activité que vous lui transmettez. + +## Devrais-je utiliser un VPN ? + +**Oui**, sauf si vous utilisez déjà Tor. Un VPN fait deux choses: déplacer les risques de votre Fournisseur d'Accès à Internet vers lui-même et cacher votre adresse IP d'un service tiers. + +Les VPN ne peuvent pas chiffrer les données en dehors de la connexion entre votre appareil et le serveur VPN. Les fournisseurs de VPN peuvent voir et modifier votre trafic de la même manière que votre FAI pourrait le faire. Et il n'existe aucun moyen de vérifier de quelque manière que ce soit la politique de "non journalisation" d'un fournisseur de VPN. + +Cependant, ils cachent votre IP réelle d'un service tiers, à condition qu'il n'y ait pas de fuites d'IP. Ils vous aident à vous fondre dans la masse et à atténuer le suivi par IP. + +## Quand ne devrais-je pas utiliser un VPN ? + +L'utilisation d'un VPN dans les cas où vous utilisez votre [identité connue](common-threats.md#common-misconceptions) ne sera probablement pas utile. + +Cela peut déclencher des systèmes de détection de spam et de fraude, par exemple si vous vous connectez au site web de votre banque. + +## Qu'en est-il du chiffrement ? + +Le chiffrement offert par les fournisseurs VPN se situe entre vos appareils et leurs serveurs. Il garantit que ce lien spécifique est sécurisé. Il s'agit d'une avancée par rapport à l'utilisation de proxys non chiffrés où un adversaire sur le réseau peut intercepter les communications entre vos appareils et lesdits proxys et les modifier. Cependant, le chiffrement entre vos applications ou navigateurs et les fournisseurs de services n'est pas géré par ce chiffrement. + +Pour que ce que vous faites sur les sites web que vous visitez reste privé et sécurisé, vous devez utiliser le protocole HTTPS. Cela protégera vos mots de passe, jetons de session et requêtes du fournisseur VPN. Envisagez d'activer "HTTPS partout" dans votre navigateur pour atténuer les attaques de rétrogradation comme [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Devrais-je utiliser un DNS chiffré avec un VPN ? + +À moins que votre fournisseur VPN n'héberge les serveurs DNS chiffrés, **non**. L'utilisation de DOH/DOT (ou de toute autre forme de DNS chiffré) avec des serveurs tiers ne fera qu'ajouter des entités supplémentaires auxquelles il faudra faire confiance, et ne fait **absolument rien** pour améliorer votre confidentialité/sécurité. Votre fournisseur de VPN peut toujours voir quels sites web vous visitez en se basant sur les adresses IP et d'autres méthodes. Au lieu de faire uniquement confiance à votre fournisseur de VPN, vous faites maintenant confiance à la fois au fournisseur de VPN et au fournisseur de DNS. + +Une raison courante de recommander le DNS chiffré est qu'il permet de lutter contre l'usurpation DNS. Cependant, votre navigateur devrait déjà vérifier la présence de [certificats TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) avec **HTTPS** et vous en avertir. Si vous n'utilisez pas **HTTPS**, alors un adversaire peut toujours modifier n'importe quoi d'autre que vos requêtes DNS et le résultat final sera peu différent. + +Inutile de dire que **vous ne devriez pas utiliser de DNS chiffré avec Tor**. Toutes vos requêtes DNS seraient ainsi dirigées vers un seul circuit, ce qui permettrait au fournisseur de DNS chiffré de vous désanonymiser. + +## Devrais-je utiliser Tor *et* un VPN? + +En utilisant un VPN avec Tor, vous créez essentiellement un nœud d'entrée permanent, souvent avec une trace financière attachée. Cela ne vous apporte aucun avantages supplémentaires, tout en augmentant considérablement la surface d'attaque de votre connexion. Si vous souhaitez cacher votre utilisation de Tor à votre FAI ou à votre gouvernement, Tor a une solution intégrée pour cela : les passerelles Tor. [En savoir plus sur les passerelles Tor et pourquoi l'utilisation d'un VPN n'est pas nécessaire](../advanced/tor-overview.md). + +## Et si j'ai besoin d'anonymat ? + +Les VPNs ne peuvent pas fournir d'anonymat. Votre fournisseur de VPN verra toujours votre adresse IP réelle, et dispose souvent d'une trace financière qui peut être liée directement à vous. Vous ne pouvez pas compter sur des politiques de "non journalisation" pour protéger vos données. Utilisez plutôt [Tor](https://www.torproject.org/fr/). + +## Qu'en est-il des fournisseurs de VPN qui proposent des nœuds Tor ? + +N'utilisez pas cette fonctionnalité. L'intérêt d'utiliser Tor est que vous ne faites pas confiance à votre fournisseur de VPN. Actuellement Tor ne supporte que le protocole [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (utilisé dans [WebRTC](https://en.wikipedia.org/wiki/WebRTC) pour le partage de la voix et de la vidéo, le nouveau protocole [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), etc...), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) et les autres paquets seront abandonnés. Pour compenser cela, les fournisseurs de VPN acheminent généralement tous les paquets non TCP par leur serveur VPN (votre premier saut). C'est le cas de [Proton VPN](https://protonvpn.com/support/tor-vpn/). De plus, lorsque vous utilisez cette configuration Tor par VPN, vous n'avez pas le contrôle sur d'autres fonctionnalités importantes de Tor telles que [Adresse de Destination Isolée](https://www.whonix.org/wiki/Stream_Isolation) (utilisation d'un circuit Tor différent pour chaque domaine que vous visitez). + +Cette fonctionnalité doit être considérée comme un moyen pratique d'accéder au réseau Tor, et non comme un moyen de rester anonyme. Pour un véritable anonymat, utilisez le navigateur Tor, TorSocks, ou une passerelle Tor. + +## Quand les VPNs sont-ils utiles ? + +Un VPN peut toujours vous être utile dans divers scénarios, tels que : + +1. Cacher votre trafic de **seulement** votre Fournisseur d'Accès Internet. +1. Cacher vos téléchargements (tels que les torrents) à votre FAI et aux organisations anti-piratage. +1. Cacher votre adresse IP des sites web et services tiers, empêchant le suivi basé sur l'adresse IP. + +Pour des situations comme celles-ci, ou si vous avez une autre raison impérieuse, les fournisseurs de VPN que nous avons listés ci-dessus sont ceux que nous pensons être les plus dignes de confiance. Cependant, l'utilisation d'un fournisseur de VPN signifie toujours que vous *faites confiance* à ce fournisseur. Dans presque tous les autres cas, vous devriez utiliser un outil sécurisé **par conception** tel que Tor. + +## Sources et Lectures Complémentaires + +1. [VPN - un Récit Très Précaire](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) par Dennis Schubert +1. [Présentation du Réseau Tor](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Ai-je besoin d'un VPN ?"](https://www.doineedavpn.com), un outil développé par IVPN pour défier le marketing agressif des autres VPNs en aidant les individus à décider si un VPN leur convient. + +## Informations VPN Liées + +- [Le Problème avec les sites d'évaluation des VPNs et de la Vie Privée](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Enquête sur les Applications VPN Gratuites](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Les propriétaires inconnus des VPNs dévoilés : 101 produits VPN gérés par seulement 23 sociétés](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [Cette société chinoise est secrètement à l'origine de 24 applications populaires qui cherchent à obtenir des autorisations dangereuses](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/fr/calendar.md b/i18n/fr/calendar.md new file mode 100644 index 00000000..1a90a26a --- /dev/null +++ b/i18n/fr/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Synchronisation de calendrier" +icon: material/calendar +description: Les calendriers contiennent certaines de vos données les plus sensibles ; utilisez des produits qui implémentent le chiffrement au repos. +--- + +Les calendriers contiennent certaines de vos données les plus sensibles ; utilisez des produits qui mettent en œuvre l'E2EE au repos pour empêcher un fournisseur de les lire. + +## Tutanota + +!!! recommendation + + ![Logo Tutanota](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Logo Tutanota](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** propose un calendrier gratuit et chiffré sur l'ensemble de ses plateformes prises en charge. Les fonctionnalités incluent: E2EE automatique de toutes les données, fonctionnalités de partage, fonctionnalité d'import/export, authentification multifacteur, et [plus](https://tutanota.com/calendar-app-comparison/). + + Les calendriers multiples et la fonctionnalité de partage étendue sont réservés aux abonnés payants. + + [:octicons-home-16: Page d'accueil](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Code source" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuer } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** est un service de calendrier chiffré disponible pour les membres de Proton via des clients web ou mobiles. Les fonctionnalités incluent: E2EE automatique de toutes les données, des fonctions de partage, la fonctionnalité d'import/export, et [plus](https://proton.me/fr/support/proton-calendar-guide). Les abonnés au service gratuit n'ont accès qu'à un seul calendrier, tandis que les abonnés payants peuvent créer jusqu'à 20 calendriers. Les fonctionnalités de partage avancées sont également limitées aux abonnés payants. + + [:octicons-home-16: Page d'accueil](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Qualifications minimales + +- Doit synchroniser et stocker les informations avec E2EE pour s'assurer que les données ne sont pas visibles par le fournisseur de services. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Doit s'intégrer aux applications natives de gestion des contacts et de calendrier du système d'exploitation, le cas échéant. diff --git a/i18n/fr/cloud.md b/i18n/fr/cloud.md new file mode 100644 index 00000000..0c14f3f1 --- /dev/null +++ b/i18n/fr/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Stockage cloud" +icon: material/file-cloud +description: De nombreux fournisseurs de stockage cloud nécessitent que vous leur fassiez confiance pour ne pas consulter vos fichiers. Voici des alternatives privées ! +--- + +De nombreux fournisseurs de stockage cloud nécessitent que vous leur fassiez entièrement confiance pour ne pas consulter vos fichiers. Les alternatives énumérées ci-dessous éliminent le besoin de confiance en mettant en œuvre un E2EE sécurisé. + +Si ces alternatives ne répondent pas à vos besoins, nous vous suggérons d'utiliser un logiciel de chiffrement tel que [Cryptomator](encryption.md#cryptomator-cloud) avec un autre fournisseur de cloud. L'utilisation de Cryptomator en conjonction avec **tout** fournisseur de cloud (y compris ceux-ci) peut être une bonne idée pour réduire le risque de failles de chiffrement dans les clients natifs d'un fournisseur. + +??? question "Vous cherchez Nextcloud ?" + + Nextcloud est [toujours un outil recommandé](productivity.md) pour l'auto-hébergement d'une suite de gestion de fichiers, mais nous ne recommandons pas de fournisseurs de stockage Nextcloud tiers pour le moment, car nous [ne recommandons pas](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) la fonctionnalité E2EE intégrée de Nextcloud pour les utilisateurs moyens. + +## Proton Drive + +!!! recommendation + + ![Logo Proton Drive](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** est un fournisseur suisse de stockage cloud chiffré issu du populaire fournisseur d'email chiffré [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Page d'accueil](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +L'application web Proton Drive a fait l'objet d'un audit indépendant par Securitum en [2021](https://proton.me/blog/security-audit-all-proton-apps), tous les détails n'ont pas été communiqués, mais la lettre d'attestation de Securitum indique ce qui suit : + +> Les auditeurs ont relevé deux faiblesses de faible gravité. En outre, cinq recommandations générales ont été formulées. En même temps, nous confirmons qu'aucun problème de sécurité important n'a été identifié pendant le test d'intrusion. + +Les nouveaux clients mobiles de Proton Drive n'ont pas encore fait l'objet d'un audit public par un tiers. + +## Tresorit + +!!! recommendation + + ![Logo Tresorit](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** est un fournisseur hongrois de stockage cloud chiffré fondé en 2011. Tresorit appartient à la Poste suisse, le service postal national de la Suisse. + + [:octicons-home-16: Page d'accueil](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit a fait l'objet d'un certain nombre d'audits de sécurité indépendants : + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/) : ISO/IEC 27001:2013[^1] [Certification](https://www.certipedia.com/quality_marks/9108644476) de conformité par TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/) : Test de pénétration par Computest + - Cet examen a permis d'évaluer la sécurité du client web de Tresorit, de l'application Android, de l'application Windows et de l'infrastructure associée. + - Computest a découvert deux vulnérabilités qui ont été résolues. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/) : Test de pénétration par Ernst & Young. + - Cette étude a analysé le code source complet de Tresorit et validé que la mise en œuvre correspond aux concepts décrits dans le [livre blanc](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf) de Tresorit. + - Ernst & Young a également testé les clients web, mobiles et de bureau : "Les résultats des tests n'ont révélé aucun écart par rapport aux affirmations de Tresorit en matière de confidentialité des données". + +Ils ont également reçu le Digital Trust Label, une certification de la [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) qui exige la réussite de [35 critères](https://digitaltrust-label.swiss/criteria/) liés à la sécurité, à la confidentialité et à la fiabilité. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Exigences minimales + +- Doit imposer le chiffrement de bout en bout. +- Doit avoir une offre gratuite ou une période d'essai pour les tests. +- Doit prendre en charge l'authentification multifactorielle TOTP ou FIDO2, ou les connexions Passkey. +- Doit offrir une interface web prennant en charge les fonctionnalités de base de gestion des fichiers. +- Doit permettre d'exporter facilement tous les fichiers/documents. +- Doit utiliser un chiffrement standard et audité. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Les clients doivent être open-source. +- Les clients doivent être audités dans leur intégralité par un tiers indépendant. +- Doit offrir des clients natifs pour Linux, Android, Windows, macOS et iOS. + - Ces clients doivent s'intégrer aux outils natifs du système d'exploitation pour les fournisseurs de stockage cloud, comme l'intégration de l'application Fichiers sur iOS, ou la fonctionnalité DocumentsProvider sur Android. +- Doit permettre de partager facilement des fichiers avec d'autres utilisateurs. +- Doit offrir au moins une fonctionnalité de base d'aperçu et d'édition de fichiers sur l'interface web. + +[^1]: La conformité à la norme [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 concerne le [système de gestion de la sécurité de l'information](https://en.wikipedia.org/wiki/Information_security_management) de l'entreprise et couvre la vente, le développement, la maintenance et le soutien de ses services cloud. diff --git a/i18n/fr/cryptocurrency.md b/i18n/fr/cryptocurrency.md new file mode 100644 index 00000000..d8922b54 --- /dev/null +++ b/i18n/fr/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Crypto-monnaie +icon: material/bank-circle +--- + +Effectuer des paiements en ligne est l'un des plus grands défis en matière de protection de la vie privée. Ces crypto-monnaies garantissent par défaut la confidentialité des transactions (ce qui n'est **pas** garanti par la majorité des crypto-monnaies), à condition que vous ayez une bonne compréhension de la façon d'effectuer des paiements privés de manière efficace. Nous vous encourageons vivement à lire notre article sur les paiements avant d'effectuer tout achat : + +[Effectuer des paiements privés :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger "Danger" + + De nombreux projets de crypto-monnaies, voire la plupart, sont des escroqueries. Effectuez des transactions avec prudence, uniquement avec des projets auxquels vous faites confiance. + +## Monero + +!!! recommendation + + ![Logo Monero](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** utilise une chaîne de blocs avec des technologies de protection de la vie privée qui obscurcissent les transactions afin d'obtenir un anonymat. Chaque transaction Monero cache le montant de la transaction, les adresses d'envoi et de réception, ainsi que la source des fonds, sans aucune difficulté, ce qui en fait un choix idéal pour les novices en matière de crypto-monnaies. + + [:octicons-home-16: Page d'accueil](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribuer } + +Avec Monero, les observateurs extérieurs ne peuvent pas déchiffrer les adresses qui échangent des Monero, les montants des transactions, les soldes des adresses ou l'historique des transactions. + +Pour une confidentialité optimale, assurez-vous d'utiliser un portefeuille sans garde, où la clé de visualisation reste sur l'appareil. Cela signifie que vous êtes le seul à pouvoir dépenser vos fonds et à voir les transactions entrantes et sortantes. Si vous utilisez un portefeuille de garde, le fournisseur peut voir **tout** ce que vous faites ; si vous utilisez un portefeuille "léger" dans lequel le fournisseur conserve votre clé privée, il peut voir presque tout ce que vous faites. Parmi les portefeuilles non gardiens, on peut citer : + +- [le client Monero officiel](https://getmonero.org/downloads) (bureau) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet prend en charge plusieurs crypto-monnaies. Une version de Cake Wallet réservée aux utilisateurs de Monero est disponible sur [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (bureau) +- [Monerujo](https://www.monerujo.io/) (Android) + +Pour une confidentialité maximale (même avec un portefeuille sans garde), vous devriez utiliser votre propre nœud Monero. L'utilisation du nœud d'une autre personne expose certaines informations, telles que l'adresse IP à partir de laquelle vous vous connectez, les heures auxquelles vous synchronisez votre portefeuille et les transactions que vous envoyez à partir de votre portefeuille (mais pas d'autres détails sur ces transactions). Vous pouvez également vous connecter au nœud Monero de quelqu'un d'autre via Tor ou i2p. + +En août 2021, CipherTrace [a annoncé](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) des capacités de traçage de Monero améliorées pour les agences gouvernementales. Des publications publiques montrent que le Financial Crimes Enforcement Network du département du Trésor américain [a accordé une licence à](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace pour son "module Monero" à la fin de l'année 2022. + +La confidentialité du graphe des transactions Monero est limitée par son cercle de signatures relativement petit, en particulier contre les attaques ciblées. Les caractéristiques de confidentialité de Monero ont également été [remises en question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) par certains chercheurs en sécurité, et un certain nombre de vulnérabilités graves ont été trouvées et corrigées dans le passé, de sorte que les affirmations faites par des organisations comme CipherTrace ne sont pas hors de question. S'il est peu probable qu'il existe des outils de surveillance de masse de Monero comme il en existe pour le Bitcoin et d'autres, il est certain que les outils de traçage facilitent les enquêtes ciblées. + +En fin de compte, Monero est la crypto-monnaie la plus respectueuse de la vie privée, mais ses revendications en matière de confidentialité **n'ont pas** été prouvées de manière définitive. Plus de temps et de recherche sont nécessaires pour évaluer si le Monero est suffisamment résistant aux attaques pour toujours offrir une protection adéquate de la vie privée. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- La crypto-monnaie doit offrir des transactions privées/intraçables par défaut. diff --git a/i18n/fr/data-redaction.md b/i18n/fr/data-redaction.md new file mode 100644 index 00000000..75365924 --- /dev/null +++ b/i18n/fr/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Rédaction de données et de métadonnées" +icon: material/tag-remove +description: Utilisez ces outils pour supprimer les métadonnées telles que la position GPS et d'autres informations d'identification des photos et des fichiers que vous partagez. +--- + +Lorsque vous partagez des fichiers, veillez à supprimer les métadonnées associées. Les fichiers d'image comprennent généralement des données [Exif](https://en.wikipedia.org/wiki/Exif) . Les photos comportent parfois même des coordonnées GPS dans les métadonnées du fichier. + +## Bureau + +### MAT2 + +!!! recommendation + + ![Logo MAT2](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** est un logiciel gratuit, qui permet de supprimer les métadonnées des types de fichiers image, audio, torrent et document. Il fournit à la fois un outil en ligne de commande et une interface utilisateur graphique via une [extension pour Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), le gestionnaire de fichiers par défaut de [GNOME](https://www.gnome.org), et [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), le gestionnaire de fichiers par défaut de [KDE](https://kde.org). + + Sous Linux, un outil graphique tiers [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) fonctionnant avec MAT2 existe et est [disponible sur Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Dépôt](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** est une application moderne d'effacement des métadonnées d'image sans autorisation pour Android. + + Il prend actuellement en charge les fichiers JPEG, PNG et WebP. + + [:octicons-repo-16: Dépôt](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +Les métadonnées qui sont effacées dépendent du type de fichier de l'image : + +* **JPEG**: Les métadonnées ICC Profile, Exif, Photoshop Image Resources et XMP/ExtendedXMP seront effacées si elles existent. +* **PNG**: Les métadonnées ICC Profile, Exif et XMP seront effacées si elles existent. +* **WebP**: les métadonnées ICC Profile, Exif et XMP seront effacées si elles existent. + +Après avoir traité les images, ExifEraser vous fournit un rapport complet sur ce qui a été exactement supprimé de chaque image. + +L'application offre plusieurs façons d'effacer les métadonnées des images. À savoir : + +* Vous pouvez partager une image depuis une autre application avec ExifEraser. +* Par l'intermédiaire de l'application elle-même, vous pouvez sélectionner une seule image, plusieurs images à la fois, ou même un répertoire entier. +* Elle comporte une option "Appareil photo", qui utilise l'application appareil photo de votre système d'exploitation pour prendre une photo, puis en supprime les métadonnées. +* Elle vous permet de faire glisser des photos d'une autre application dans ExifEraser lorsque les deux sont ouvertes en mode écran partagé. +* Enfin, elle vous permet de coller une image à partir de votre presse-papiers. + +### Metapho (iOS) + +!!! recommendation + + ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ align=right } + + Metapho est une visionneuse simple et propre pour les métadonnées des photos telles que la date, le nom du fichier, la taille, le modèle d'appareil photo, la vitesse d'obturation et le lieu. + + [:octicons-home-16: Page d'accueil](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Politique de confidentialité" } + + ??? downloads "Téléchagements" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![Logo PrivacyBlur](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** est une application gratuite qui permet de brouiller les parties sensibles des photos avant de les partager en ligne. + + [:octicons-home-16: Page d'accueil](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Code source" } + + ??? downloads "Téléchagements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning "Avertissement" + + Vous ne devez **jamais** utiliser le flou pour expurger [du texte dans les images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). Si vous voulez expurger du texte dans une image, dessinez une case sur le texte. Pour cela, nous vous suggérons [Pocket Paint](https://github.com/Catrobat/Paintroid) ou [Imagepipe](https://codeberg.org/Starfish/Imagepipe). + +## Ligne de commande + +### ExifTool + +!!! recommendation + + ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** est la bibliothèque perl originale et l'application en ligne de commande pour lire, écrire et modifier les méta-informations (Exif, IPTC, XMP, etc.) dans une grande variété de formats de fichiers (JPEG, TIFF, PNG, PDF, RAW, etc.). + + Elle est souvent un composant d'autres applications de suppression d'Exif et se trouve dans les dépôts de la plupart des distributions Linux. + + [:octicons-home-16: Page d'accueil](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Code source" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribuer } + + ??? downloads "Téléchagements" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Suppression des données d'un répertoire de fichiers" + + ```bash + exiftool -all= *.extension_de_fichier + ``` + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Les applications développées pour les systèmes d'exploitation open source doivent être open source. +- Les applications doivent être gratuites et ne doivent pas comporter de publicités ou d'autres limitations. diff --git a/i18n/fr/desktop-browsers.md b/i18n/fr/desktop-browsers.md new file mode 100644 index 00000000..bceeb0cf --- /dev/null +++ b/i18n/fr/desktop-browsers.md @@ -0,0 +1,361 @@ +--- +title: "Navigateurs de bureau" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Recommandations de navigateurs de bureau privés + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Ce sont les navigateurs web de bureau et les configurations que nous recommandons actuellement pour une navigation classique/non anonyme. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +Si vous avez besoin de naviguer anonymement sur Internet, vous devriez plutôt utiliser [Tor](tor.md). We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Logo Firefox](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** offre de solides paramètres de confidentialité, tels que la [protection renforcée contre le suivi](https://support.mozilla.org/fr/kb/protection-renforcee-contre-pistage-firefox-ordinateur), qui peut contribuer à bloquer divers [types de suivi](https://support.mozilla.org/fr/kb/protection-renforcee-contre-pistage-firefox-ordinateur#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Accueil](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/fr/privacy/firefox/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title="Documentation"} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Code source"} + [:octicons-heart-16:](https://donate.mozilla.org/fr/){ .card-link title=Contribuer} + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning "Avertissement" + Firefox inclut un [jeton de téléchargement](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) unique dans les téléchargements effectués à partir du site Web de Mozilla et utilise la télémétrie dans Firefox pour envoyer le jeton. Le jeton **n'est pas** inclus dans les versions de [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Configuration recommandée + +Ces options se trouvent dans :material-menu: → **Paramètres** → **Confidentialité & Sécurité**. + +##### Protection renforcée contre le pistage + +- [x] Sélectionnez **Stricte** Protection renforcée contre le pistage + +Cela vous protège en bloquant les traceurs de réseaux sociaux, les scripts de prise d'empreinte (notez que cela ne vous protège pas de *toutes* les prises d'empreinte), les cryptomineurs, les cookies de suivi intersites et certains autres contenus de suivi. La PRT protège de nombreuses menaces courantes, mais ne bloque pas tous les moyens de suivi, car il est conçu pour avoir un impact minimal, voire nul, sur l'utilisation du site. + +##### Supprimer à la fermeture + +Si vous voulez rester connecté à des sites en particulier, vous pouvez autoriser des exceptions dans **Cookies et données de site** → **Gérer les exceptions....** + +- [x] Cochez **Supprimer les cookies et les données du site lorsque Firefox est fermé** + +Cela vous protège contre les cookies persistants, mais ne vous protège pas contre les cookies acquis au cours d'une même session de navigation. Lorsque cette option est activée, il devient possible de nettoyer facilement les cookies de votre navigateur en redémarrant simplement Firefox. Vous pouvez définir des exceptions par site, si vous souhaitez rester connecté à un site précis que vous visitez souvent. + +##### Suggestions de recherche + +- [ ] Décochez **Fournir des suggestions de recherche** + +Les fonctionnalités de suggestion de recherche peuvent ne pas être disponibles dans votre région. + +Les suggestions de recherche envoient tout ce que vous tapez dans la barre d'adresse au moteur de recherche par défaut, que vous effectuiez ou non une recherche effective. La désactivation des suggestions de recherche vous permet de contrôler plus précisément les données que vous envoyez à votre fournisseur de moteur de recherche. + +##### Télémétrie + +- [ ] Décochez **Autoriser Firefox à envoyer des données techniques et d'interaction à Mozilla** +- [ ] Décochez **Autoriser Firefox à installer et à exécuter des études** +- [ ] Décochez **Permettre à Firefox d'envoyer en votre nom les rapports de plantage** + +> Firefox nous envoie des données sur la version et la langue de votre Firefox ; le système d'exploitation de l'appareil et la configuration matérielle ; la mémoire, les informations de base sur les plantages et les erreurs; les résultats de processus automatisés tels que les mises à jour, la navigation sécurisée et l'activation de notre système. Lorsque Firefox nous envoie des données, votre adresse IP est temporairement collectée dans les journaux de notre serveur. + +En outre, le service Firefox Accounts collecte [certaines données techniques](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Si vous utilisez un compte Firefox, vous pouvez la refuser : + +1. Ouvrez les [paramètres de votre profil sur accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Décochez **Collecte et utilisation de données** > **Aidez à améliorer les comptes Firefox** + +##### Mode HTTPS uniquement + +- [x] Sélectionnez **Activer le mode HTTPS uniquement dans toutes les fenêtres** + +Cela vous empêche de vous connecter involontairement à un site Web en "clair" HTTP. Les sites sans HTTPS sont rares de nos jours. Cela ne devrait donc avoir que peu ou pas d'impact sur votre navigation quotidienne. + +### Synchronisation Firefox + +La [Synchronisation Firefox](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) permet à vos données de navigation (historique, favoris, etc.) d'être accessibles sur tous vos appareils et les protège avec le chiffrement de bout en bout (E2EE). + +### Arkenfox (avancé) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +Le projet [Arkenfox](https://github.com/arkenfox/user.js) fournit un ensemble d'options soigneusement étudiées pour Firefox. Si vous [décidez](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) d'utiliser Arkenfox, quelques [options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) sont subjectivement strictes et/ou peuvent empêcher certains sites Web de fonctionner correctement. [Vous pouvez facilement modifier ces options](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) pour répondre à vos besoins. Nous **recommandons vivement** de lire l'intégralité de leur [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox permet également la prise en charge des [conteneurs](https://support.mozilla.org/fr/kb/conteneurs#w_for-advanced-users). + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Logo Brave](assets/img/browsers/brave.svg){ align=right } + + **Le navigateur Brave** comprend un bloqueur de contenu intégré et des [fonctions de confidentialité](https://brave.com/privacy-features/), dont la plupart sont activées par défaut. + + Brave est basé sur le projet de navigateur Web Chromium. Il devrait donc vous être familier et présenter un minimum de problèmes de compatibilité avec les sites Web. + + [:octicons-home-16: Page d'accueil](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Code source" } + + ??? downloads annotate "Téléchargements" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. Nous vous déconseillons d'utiliser la version Flatpak de Brave, car elle remplace la sandbox de Chromium par celle de Flatpak, qui est moins efficace. De plus, le paquet n'est pas maintenu par Brave Software, Inc. + +### Configuration recommandée + +Ces options se trouvent dans :material-menu: → **Paramètres**. + +##### Shields + +Brave inclut certaines mesures contre la prise d'empreinte numérique dans sa fonction [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Nous vous suggérons de configurer ces options [de manière globale](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) sur toutes les pages que vous visitez. + +Les options Shields peuvent être réduites par site selon les besoins, mais par défaut, nous recommandons de définir les paramètres suivants: + +
+ +- [x] Sélectionnez **Empêchez les sites de prendre mon empreinte numérique en fonction de mes préférences linguistiques** +- [x] Sélectionnez **Agressif** dans la rubrique Blocage des pisteurs et annonces + + ??? warning "Utiliser les listes de filtres par défaut" + Brave vous permet de sélectionner des filtres de contenu supplémentaires dans la page interne `brave://adblock`. Nous vous déconseillons d'utiliser cette fonctionnalité ; conservez plutôt les listes de filtres par défaut. L'utilisation de listes supplémentaires vous distinguera des autres utilisateurs de Brave et peut également augmenter la surface d'attaque s'il y a une faille dans Brave et qu'une règle malveillante est ajoutée à l'une des listes que vous utilisez. + +- [x] (Facultatif) Sélectionnez **Bloquer les scripts** (1) +- [x] Sélectionnez **Strict, peut casser les sites** sous Bloquer la capture d'empreinte numérique + +
+ +1. Cette option fournit une fonctionnalité similaire aux [modes de blocage](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avancés de uBlock Origin ou l'extension [NoScript](https://noscript.net/). + +##### Blocage des médias sociaux + +- [ ] Décochez toutes les fonctionnalités de médias sociaux + +##### Confidentialité et sécurité + +
+ +- [x] Sélectionnez **Désactiver l'UDP pas en proxy** sous [Politique de gestion des adresses IP WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Décochez **Utiliser les services Google pour la messagerie push** +- [ ] Décochez **Autoriser l'analyse de produits respectueuse de la vie privée (P3A)** +- [ ] Décochez **Envoyer automatiquement un signal d'utilisation quotidienne à Brave** +- [x] Sélectionnez **Toujours utiliser une connexion sécurisée** dans le menu **Sécurité** +- [ ] Décochez **Fenêtre privée avec Tor** (1) + + !!! tip "Nettoyer à la Fermeture" + - [x] Sélectionnez **Effacer les cookies et les données du site lorsque vous fermez toutes les fenêtres** dans le menu *Cookies et autres données du site* + + Si vous souhaitez rester connecté à un site particulier que vous visitez souvent, vous pouvez définir des exceptions par site dans la section *Comportements personnalisés*. + +
+ +1. Brave **n'est pas** aussi résistant à la prise d'empreinte numérique que le navigateur Tor et beaucoup moins de personnes utilisent Brave avec Tor, vous sortirez donc du lot. Lorsqu'[un fort anonymat est nécessaire](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) utilisez le [Navigateur Tor ](tor.md#tor-browser). + +##### Extensions + +Désactivez les extensions intégrées que vous n'utilisez pas dans **Extensions** + +- [ ] Décochez **Hangouts** +- [ ] Décochez **WebTorrent** + +##### Web3 + +
+ +- [x] Sélectionnez **Désactivé** dans Méthode de résolution des ressources IPFS (1) + +
+ +1. InterPlanetary File System (IPFS) est un réseau décentralisé, de pair à pair, permettant de stocker et de partager des données dans un système de fichiers distribué. À moins que vous n'utilisiez cette fonctionnalité, désactivez-la. + +##### Paramètres additionnels + +Dans le menu *Système* + +
+ +- [ ] Décochez **Continuer l'exécution des applications lorsque Brave est fermé** pour désactiver les applications en arrière-plan (1) + +
+ +1. Cette option n'est pas présente sur toutes les plateformes. + +### Synchronisation Brave + +La [Synchronisation Brave](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permet à vos données de navigation (historique, signets, etc.) d'être accessibles sur tous vos appareils sans nécessiter de compte et les protège avec E2EE. + +## Ressources supplémentaires + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. Cependant, uBlock Origin peut s'avérer utile si vous appréciez la fonctionnalité de blocage de contenu. + +### uBlock Origin + +!!! recommendation + + ![Logo uBlock Origin](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** est un bloqueur de contenu populaire qui peut vous aider à bloquer les publicités, les traqueurs et les scripts d'empreintes numériques. + + [:octicons-repo-16: Dépôt](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +Nous vous suggérons de suivre la [documentation du développeur](https://github.com/gorhill/uBlock/wiki/Blocking-mode) et de choisir l'un des "modes". Des listes de filtres supplémentaires peuvent avoir un impact sur les performances et [peuvent augmenter la surface d'attaque](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Autres listes + +Voici d'autres [listes de filtres](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) que vous pourriez envisager d'ajouter : + +- [x] Cochez **Confidentialité** > **AdGuard URL Tracking Protection** +- Ajoutez [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Exigences minimales + +- Doit être un logiciel open source. +- Prend en charge les mises à jour automatiques. +- Reçoit les mises à jour du moteur dans un délai de 1 jour à partir de la publication en amont. +- Disponible sur Linux, macOS et Windows. +- Les modifications nécessaires pour rendre le navigateur plus respectueux de la vie privée ne devraient pas avoir d'impact négatif sur l'expérience des utilisateurs. +- Bloque les cookies tiers par défaut. +- Prend en charge le [cloisonnement des états](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) pour atténuer le suivi intersite.[^1] + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Comprend une fonctionnalité intégrée de blocage du contenu. +- Supporte la compartimentation des cookies (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Prend en charge les Progressive Web Apps. + Les PWAs vous permettent d'installer certains sites web comme s'il s'agissait d'applications natives sur votre ordinateur. Cela peut présenter des avantages par rapport à l'installation d'applications basées sur Electron, car vous bénéficiez des mises à jour de sécurité régulières de votre navigateur. +- Ne comprend pas de fonctionnalités supplémentaires (bloatware) qui n'ont pas d'incidence sur la vie privée des utilisateurs. +- Ne collecte pas de télémétrie par défaut. +- Fournit une implémentation de serveur de synchronisation open-source. +- Le moteur de recherche par défaut est un [moteur de recherche privé](search-engines.md). + +### Critères d'extension + +- Ne doit pas dupliquer une fonctionnalité intégrée dans le navigateur ou dans le système d'exploitation. +- Doit avoir un impact direct sur la vie privée des utilisateurs, c'est-à-dire qu'il ne doit pas simplement fournir des informations. + +[^1]: L'implémentation de Brave est détaillée dans [Mises à jour de la confidentialité de Brave : Partitionnement de l'état du réseau pour la confidentialité](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/fr/desktop.md b/i18n/fr/desktop.md new file mode 100644 index 00000000..69a17a78 --- /dev/null +++ b/i18n/fr/desktop.md @@ -0,0 +1,182 @@ +--- +title: "Bureau/PC" +icon: simple/linux +description: Les distributions Linux sont généralement recommandées pour la protection de la vie privée et la liberté logicielle. +--- + +Les distributions Linux sont généralement recommandées pour la protection de la vie privée et la liberté logicielle. Si vous n'utilisez pas encore Linux, vous trouverez ci-dessous quelques distributions que nous vous suggérons d'essayer, ainsi que des conseils généraux d'amélioration de la sécurité et de la confidentialité qui s'appliquent à de nombreuses distributions Linux. + +- [Vue d'ensemble de Linux :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Distributions Traditionnelles + +### Station de Travail Fedora + +!!! recommendation + + ![Logo Fedora](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** est notre distribution recommandée pour les personnes débutant sous Linux. Fedora adopte généralement les nouvelles technologies avant les autres distributions, par exemple, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), et bientôt. Ces nouvelles technologies s'accompagnent souvent d'améliorations générales en matière de sécurité, de vie privée et d'ergonomie. + + [:octicons-home-16: Page d'accueil](https://getfedora.org/fr/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/fr/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuer } + +Fedora a un cycle de publication semi-continu. Si certains paquets comme [GNOME](https://www.gnome.org) sont gelés jusqu'à la prochaine version de Fedora, la plupart des paquets (y compris le noyau) sont mis à jour fréquemment tout au long de la durée de vie de la version. Chaque version de Fedora est supportée pendant un an, avec une nouvelle version publiée tous les 6 mois. + +### openSUSE Tumbleweed + +!!! recommendation + + ![logo openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** est une distribution stable à publication continue. + + openSUSE Tumbleweed dispose d'un système de [mise à jour transactionnelle](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) qui utilise [Btrfs](https://en.wikipedia.org/wiki/Btrfs) et [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) pour s'assurer que les livraisons peuvent être annulées en cas de problème. + + [:octicons-home-16: Page d'accueil](https://get.opensuse.org/fr/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/fr/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribuer } + +Tumbleweed suit un modèle de publication continu où chaque mise à jour est publiée comme un instantané de la distribution. Lorsque vous mettez votre système à niveau, un nouvel instantané est téléchargé. Chaque livraison est soumise à une série de tests automatisés par [openQA](https://openqa.opensuse.org) afin de garantir sa qualité. + +### Arch Linux + +!!! recommendation + + ![Logo Arch](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** est une distribution légère, de type do-it-yourself (DIY), ce qui signifie que vous n'obtenez que ce que vous installez. Pour plus d'informations, voir leur [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions_(Fran%C3%A7ais)). + + [:octicons-home-16: Page d'accueil](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/title/Main_page_(Fran%C3%A7ais)){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribuer } + +Arch Linux a un cycle de publication continue. Il n'y a pas de calendrier de publication fixe et les paquets sont mis à jour très fréquemment. + +S'agissant d'une distribution DIY, vous êtes [censé mettre en place et maintenir](os/linux-overview.md#arch-based-distributions) votre système par vous-même. Arch a un [installateur officiel](https://wiki.archlinux.org/title/Archinstall_(Fran%C3%A7ais)) pour rendre le processus d'installation un peu plus facile. + +Une grande partie des [paquets d'Arch Linux](https://reproducible.archlinux.org) sont [reproductibles](https://reproducible-builds.org). + +## Distributions Immuables + +### Fedora Silverblue + +!!! recommendation + + ![Logo Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** et **Fedora Kinoite** sont des variantes immuables de Fedora qui mettent l'accent sur les flux de travail en conteneur. Silverblue est livré avec l'environnement de bureau [GNOME](https://www.gnome.org/) tandis que Kinoite est livré avec [KDE](https://kde.org/fr/). Silverblue et Kinoite suivent le même calendrier de publication que Fedora Workstation, bénéficiant des mêmes mises à jour rapides et restant très proches de l'original. + + [:octicons-home-16: Page d'accueil](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/fr/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuer } + +Silverblue (et Kinoite) diffèrent de Fedora Workstation car ils remplacent le gestionnaire de paquets [DNF](https://docs.fedoraproject.org/fr/quick-docs/dnf/) par une alternative beaucoup plus avancée appelée [`rpm-ostree`](https://docs.fedoraproject.org/fr/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). Le gestionnaire de paquets `rpm-ostree` fonctionne en téléchargeant une image de base pour le système, puis en superposant des paquets par-dessus dans un arbre de commit semblable à [git](https://fr.wikipedia.org/wiki/Git). Lorsque le système est mis à jour, une nouvelle image de base est téléchargée et les surcouches seront appliquées à cette nouvelle image. + +Une fois la mise à jour terminée, vous redémarrez le système dans le nouveau déploiement. `rpm-ostree` conserve deux déploiements du système afin que vous puissiez facilement revenir en arrière si quelque chose se casse dans le nouveau déploiement. Il est également possible d'épingler plus de déploiements selon les besoins. + +[Flatpak](https://www.flatpak.org) est la méthode principale d'installation des paquets sur ces distributions, car `rpm-ostree` n'est destiné qu'à superposer les paquets qui ne peuvent pas rester à l'intérieur d'un conteneur sur l'image de base. + +Comme alternative aux Flatpaks, il y a l'option de [Toolbox](https://docs.fedoraproject.org/fr/fedora-silverblue/toolbox/) pour créer des conteneurs [Podman](https://podman.io) avec un répertoire de base partagé avec le système d'exploitation hôte et imiter un environnement Fedora traditionnel, ce qui est une [fonctionnalité utile](https://containertoolbx.org) pour le développeur averti. + +### NixOS + +!!! recommendation + + ![Logo NixOS](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS est une distribution indépendante basée sur le gestionnaire de paquets Nix avec un accent sur la reproductibilité et la fiabilité. + + [:octicons-home-16: Page d'accueil](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribuer } + +Le gestionnaire de paquets de NixOS conserve chaque version de chaque paquet dans un dossier différent dans le **magasin Nix**. De ce fait, vous pouvez avoir différentes versions d'un même paquet installé sur votre système. Une fois que le contenu du paquet a été écrit dans le dossier, ce dernier est mis en lecture seule. + +NixOS fournit également des mises à jour atomiques ; il télécharge d'abord (ou construit) les paquets et les fichiers pour la nouvelle génération de système et ensuite y bascule. Il y a différentes façons de passer à une nouvelle génération ; vous pouvez dire à NixOS de l'activer après le redémarrage ou vous pouvez basculer sur celle-ci pendant l'exécution. Vous pouvez également *tester* la nouvelle génération en basculant sur celle-ci pendant l'exécution, mais sans la définir comme la génération actuelle du système. Si quelque chose se casse pendant le processus de mise à jour, vous pouvez simplement redémarrer et revenir automatiquement à une version fonctionnelle de votre système. + +Nix, le gestionnaire de paquets, utilise un langage purement fonctionnel - qui s'appelle aussi Nix - pour définir les paquets. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (la source principale des paquets) sont contenus dans un seul dépôt GitHub. Vous pouvez également définir vos propres paquets dans le même langage, puis les inclure facilement dans votre configuration. + +Nix est un gestionnaire de paquets basé sur les sources ; s'il n'y a pas de paquet pré-construit disponible dans le cache binaire, Nix construira simplement le paquet à partir des sources en utilisant sa définition. Il construit chaque paquet dans un environnement *pur* en bac à sable, qui est aussi indépendant que possible du système hôte, ce qui rend les binaires reproductibles. + +## Distributions Axées sur l'Anonymat + +### Whonix + +!!! recommendation + + ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** est basé sur [Kicksecure](https://www.whonix.org/wiki/Kicksecure), un fork de Debian axé sur la sécurité. Il vise à assurer la vie privée, la sécurité et l'anonymat sur Internet. Whonix est utilisé de préférence en conjonction avec [Qubes OS](#qubes-os). + + [:octicons-home-16: Page d'accueil](https://www.whonix.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribuer } + +Whonix est conçu pour fonctionner sous la forme de deux machines virtuelles : une "Station de Travail" et une "Passerelle" Tor. Toutes les communications de la station de travail doivent passer par la passerelle Tor, et seront acheminées par le réseau Tor. Cela signifie que même si la "Station de Travail" est compromise par un logiciel malveillant quelconque, la véritable adresse IP reste cachée. + +Parmi ses fonctionnalités, citons l'isolation des Flux Tor, [l'anonymisation des frappes de clavier](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [un swap chiffré](https://github.com/Whonix/swap-file-creator), et un allocateur de mémoire renforcé. + +Les futures versions de Whonix incluront probablement [des politiques AppArmor système complètes](https://github.com/Whonix/apparmor-profile-everything) et [un lanceur d'apps bac à sable](https://www.whonix.org/wiki/Sandbox-app-launcher) pour confiner complètement tous les processus sur le système. + +Il est préférable d'utiliser Whonix [en conjonction avec Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). + +### Tails + +!!! recommendation + + ![Logo de Tails](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** est un système d'exploitation autonome basé sur Debian qui fait passer toutes les communications par Tor, et qui peut démarrer sur presque n'importe quel ordinateur à partir d'un DVD, d'une clé USB ou d'une installation sur carte SD. Il utilise [Tor](tor.md) pour préserver la vie privée et l'anonymat tout en contournant la censure, et il ne laisse aucune trace de son passage sur l'ordinateur sur lequel il est utilisé après avoir été éteint. + + [:octicons-home-16: Page d'accueil](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribuer } + +Tails est excellent pour contrer l'analyse scientifique en raison de son amnésie (ce qui signifie que rien n'est écrit sur le disque) ; cependant, ce n'est pas une distribution renforcée comme Whonix. Il ne dispose pas de nombreuses fonctions d'anonymat et de sécurité comme Whonix et est mis à jour beaucoup moins souvent (seulement une fois toutes les six semaines). Un système Tails compromis par un logiciel malveillant peut potentiellement contourner le proxy transparent et permettre à l'utilisateur d'être désanonymisé. + +Tails inclut [uBlock Origin](desktop-browsers.md#ublock-origin) dans le Navigateur Tor par défaut, ce qui peut potentiellement faciliter la tâche des adversaires pour identifier l'empreinte numérique des utilisateurs de Tails. Les machines virtuelles [Whonix](desktop.md#whonix) sont peut-être plus étanches, mais elles ne sont pas amnésiques, ce qui signifie que les données peuvent être récupérées sur votre périphérique de stockage. + +Par conception, Tails est censé se réinitialiser complètement après chaque redémarrage. Le [stockage persistant](https://tails.boum.org/doc/first_steps/persistence/index.fr.html) chiffré peut être configuré pour stocker certaines données entre les redémarrages. + +## Distributions axées sur la sécurité + +### Qubes OS + +!!! recommendation + + ![Logo Qubes OS](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes** est un système d'exploitation open-source conçu pour fournir une sécurité forte pour l'informatique de bureau. Qubes est basé sur Xen, le système X Window et Linux, et peut exécuter la plupart des applications Linux et utiliser la plupart des pilotes Linux. + + [:octicons-home-16: Page d'accueil](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Aperçu](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribuer } + +Qubes OS est un système d'exploitation basé sur Xen destiné à fournir une sécurité forte pour l'informatique de bureau par le biais de machines virtuelles (VMs) sécurisées, également connues sous le nom de *Qubes*. + +Le système d'exploitation Qubes OS sécurise l'ordinateur en isolant les sous-systèmes (par exemple, réseau, USB, etc.) et les applications dans des VMs distinctes. Si une partie du système est compromise, l'isolation supplémentaire est susceptible de protéger le reste du système. Pour plus de détails, voir la FAQ de Qubes [](https://www.qubes-os.org/faq/). + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +Nos systèmes d'exploitation recommandés : + +- Doivent être open-source. +- Doivent recevoir régulièrement des mises à jour des logiciels et du noyau Linux. +- Les distributions Linux doivent prendre en charge [Wayland](os/linux-overview.md#Wayland). +- Doitvent prendre en charge le chiffrement complet du disque pendant l'installation. +- Ne doivent pas geler les mises à jour régulières pendant plus d'un an. Nous [ne recommandons pas](os/linux-overview.md#release-cycle) "Long Term Support" ou les versions "stables" de distro pour une utilisation domestique. +- Doivent prendre en charge une grande variété de matériel. diff --git a/i18n/fr/dns.md b/i18n/fr/dns.md new file mode 100644 index 00000000..3e729928 --- /dev/null +++ b/i18n/fr/dns.md @@ -0,0 +1,139 @@ +--- +title: "Résolveurs DNS" +icon: material/dns +description: Voici quelques fournisseurs de DNS chiffrés que nous vous recommandons d'utiliser pour remplacer la configuration par défaut de votre FAI. +--- + +Les DNS chiffrés avec des serveurs tiers ne doivent être utilisés que pour contourner le [blocage DNS](https://en.wikipedia.org/wiki/DNS_blocking) de base lorsque vous pouvez être sûr qu'il n'y aura pas de conséquences. Le DNS chiffré ne vous aidera pas à dissimuler vos activités de navigation. + +[En savoir plus sur les DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Fournisseurs recommandés + +| Fournisseur DNS | Politique de confidentialité | Protocoles | Journalisation | ECS | Filtrage | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | --------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH
DoT
DNSCrypt | Un peu[^1] | Non | En fonction du choix fait côté serveur. La liste des filtres utilisés peut être consultée ici. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | Un peu[^2] | Non | En fonction du choix fait côté serveur. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH
DoT
DNSCrypt
DoQ
DoH3 | Optionnelle[^3] | Non | En fonction du choix fait côté serveur. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Aucune[^4] | Non | En fonction du choix fait côté serveur. La liste des filtres utilisés peut être consultée ici. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | Optionnelle[^5] | Optionnel | En fonction du choix fait côté serveur. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Un peu[^6] | Optionnel | En fonction du choix fait côté serveur, Blocage des logiciels malveillants par défaut. | + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit supporter [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [Minimisation QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Permettre la désactivation de [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) +- Doit préférer la prise en charge [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) ou geo-steering. + +## Prise en charge native des systèmes d'exploitation + +### Android + +Android 9 et supérieur prennent en charge DNS via TLS. Les paramètres peuvent être trouvés dans : **Paramètres** → **Réseau & Internet** → **DNS Privé**. + +### Appareils Apple + +Les dernières versions d'iOS, iPadOS, tvOS et macOS prennent en charge à la fois DoT et DoH. Les deux protocoles sont pris en charge nativement par l'intermédiaire des [profils de configuration](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ou par l'intermédiaire de [l'API de Paramètres DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +Après l'installation d'un profil de configuration ou d'une application qui utilise l'API des Paramètres DNS, la configuration DNS peut être sélectionnée. Si un VPN est actif, la résolution au sein du tunnel VPN utilisera les paramètres DNS du VPN et non les paramètres de votre système. + +#### Profils signés + +Apple ne fournit pas d'interface native pour la création de profils DNS chiffrés. Le [créateur de profil DNS Sécurisé](https://dns.notjakob.com/tool.html) est un outil non officiel permettant de créer vos propres profils DNS chiffrés, mais ils ne seront pas signés. Les profils signés sont préférables ; la signature valide l'origine d'un profil et contribue à garantir l'intégrité des profils. Un label vert "Vérifié" est attribué aux profils de configuration signés. Pour plus d'informations sur la signature de code, voir [A propos de la signature de code](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Les profils signés** sont fournis par [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), et [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info "Information" + + `systemd-resolved`, que de nombreuses distributions Linux utilisent pour effectuer leurs recherches DNS, ne [supporte pas encore DoH](https://github.com/systemd/systemd/issues/8639). Si vous voulez utiliser DoH, vous devez installer un proxy comme [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) et [le configurer](https://wiki.archlinux.org/title/Dnscrypt-proxy) pour prendre toutes les requêtes DNS du résolveur de votre système et les transmettre via HTTPS. + +## Proxys DNS chiffrés + +Un logiciel de proxy DNS chiffré fourni un proxy local vers lequel le résolveur [DNS non chiffré](advanced/dns-overview.md#unencrypted-dns) doit rediriger. Il est généralement utilisé sur les plates-formes qui ne supportent pas nativement les [DNS chiffrés](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![Logo RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** est un client Android open-source prenant en charge [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) et DNS Proxy, ainsi que la mise en cache des réponses DNS, l'enregistrement local des requêtes DNS et peut également être utilisé comme pare-feu. + + [:octicons-home-16: Page d'accueil](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** est un proxy DNS qui prend en charge [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) et [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "La fonction DNS anonyme n'anonymise [**pas**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) le reste du trafic réseau." + + [:octicons-repo-16: Dépôt](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Code source" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Solutions auto-hébergées + +Une solution DNS auto-hébergée est utile pour assurer le filtrage sur les plateformes contrôlées, telles que les téléviseurs intelligents et autres appareils IoT, car aucun logiciel côté client n'est nécessaire. + +### AdGuard Home + +!!! recommendation + + ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** est un logiciel libre [gouffre DNS](https://wikipedia.org/wiki/DNS_sinkhole) qui utilise le [filtrage DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) pour bloquer les contenus web indésirables, tels que les publicités. + + AdGuard Home est doté d'une interface web conviviale qui permet de visualiser et de gérer le contenu bloqué. + + [:octicons-home-16: Page d'accueil](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Code source" } + +### Pi-hole + +!!! recommendation + + ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** est un [gouffre DNS](https://wikipedia.org/wiki/DNS_sinkhole) open-source qui utilise le [filtrage DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) pour bloquer les contenus web indésirables, tels que les publicités. + + Pi-hole est conçu pour être hébergé sur un Raspberry Pi, mais il n'est pas limité à ce type de matériel. Le logiciel est doté d'une interface web conviviale permettant de visualiser et de gérer les contenus bloqués. + + [:octicons-home-16: Page d'accueil](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Code source" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribuer } + +[^1]: AdGuard stocke des mesures de performance agrégées de ses serveurs DNS, à savoir le nombre de demandes complètes adressées à un serveur particulier, le nombre de demandes bloquées et la vitesse de traitement des demandes. Ils conservent et stockent également la base de données des domaines demandés dans les dernières 24 heures. "Nous avons besoin de ces informations pour identifier et bloquer les nouveaux traqueurs et menaces." "Nous enregistrons également le nombre de fois où tel ou tel traqueur a été bloqué. Nous avons besoin de ces informations pour supprimer les règles obsolètes de nos filtres." [https://adguard.com/fr/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare ne collecte et ne stocke que les données limitées des requêtes DNS qui sont envoyées au résolveur 1.1.1.1. Le service de résolution 1.1.1.1 n'enregistre pas de données personnelles, et la majeure partie des données de requête limitées et non personnellement identifiables n'est stockée que pendant 25 heures. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D n'enregistre que les résolveurs Premium avec des profils DNS personnalisés. Les résolveurs libres n'enregistrent pas de données. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Le service DNS de Mullvad est disponible à la fois pour les abonnés et les non-abonnés de Mullvad VPN. Leur politique de confidentialité affirme explicitement qu'ils n'enregistrent pas les requêtes DNS de quelque manière que ce soit. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS peut fournir des informations et des fonctions de journalisation sur la base d'un accord préalable. Vous pouvez choisir les durées de conservation et les emplacements de stockage des journaux pour tous les journaux que vous choisissez de conserver. Si ce n'est pas spécifiquement demandé, aucune donnée n'est enregistrée. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 recueille certaines données à des fins de surveillance et de réponse aux menaces. Ces données peuvent ensuite être remélangées et partagées, par exemple à des fins de recherche sur la sécurité. Quad9 ne collecte ni n'enregistre les adresses IP ou d'autres données qu'elle juge personnellement identifiables. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/fr/email-clients.md b/i18n/fr/email-clients.md new file mode 100644 index 00000000..8ce29576 --- /dev/null +++ b/i18n/fr/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Logiciels de messagerie électronique" +icon: material/email-open +description: Ces clients d'email respectent la vie privée et prennent en charge le chiffrement OpenPGP. +--- + +Notre liste de recommandations contient des clients de messagerie qui prennent en charge à la fois [OpenPGP](encryption.md#openpgp) et l'authentification forte telle que [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth vous permet d'utiliser l'[Authentification à Multi-Facteurs](multi-factor-authentication) et d'empêcher le vol de compte. + +??? warning "L'email ne fournit pas de secret de transmission" + + Lors de l'utilisation d'une technologie de chiffrement de bout en bout (E2EE) comme OpenPGP, le courrier électronique contiendra toujours [certaines métadonnées](email.md#email-metadata-overview) qui ne sont pas chiffrées dans l'en-tête du courrier électronique. + + OpenPGP ne prend pas non plus en charge la [confidentialité persistante](https://fr.wikipedia.org/wiki/Confidentialit%C3%A9_persistante), ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec cette clé seront exposés: [Comment protéger mes clés privées ?](basics/email-security.md) Envisagez l'utilisation d'un support qui assure la confidentialité persistante: + + [Communication en temps réel](real-time-communication.md){ .md-button } + +## Multi-plateformes + +### Thunderbird + +!!! recommendation + + ![Logo Thunderbird](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** est un client de messagerie, de groupes de discussion, de flux d'informations et de chat (XMPP, IRC, Twitter) gratuit, open-source et multiplateforme, développé par la communauté Thunderbird, et précédemment par la Fondation Mozilla. + + [:octicons-home-16: Page d'accueil](https://www.thunderbird.net/fr/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.mozilla.org/fr/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.thunderbird.net/fr/) + - [:simple-apple: macOS](https://www.thunderbird.net/fr/) + - [:simple-linux: Linux](https://www.thunderbird.net/fr/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Configuration recommandée + +Nous vous recommandons de modifier certains de ces paramètres pour rendre Thunderbird un peu plus privé. + +Ces options se trouvent dans :material-menu: → **Paramètres** → **Confidentialité & Sécurité**. + +##### Contenu Web + +- [ ] Décochez **Se souvenir des sites web et des liens que j'ai visités** +- [ ] Décochez **Accepter les cookies des sites** + +##### Télémétrie + +- [ ] Décochez **Autoriser Thunderbird à envoyer des données techniques et d'interaction à Mozilla** + +#### Thunderbird-user.js (avancé) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), est un ensemble d'options de configuration qui vise à désactiver le plus grand nombre possible de fonctions de navigation web dans Thunderbird afin de réduire la surface d'attaque et de préserver la confidentialité. Certains changements sont rétroportés depuis le [projet Arkenfox](https://github.com/arkenfox/user.js). + +## Spécifique à une plateforme + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** est inclus dans macOS et peut être étendu pour prendre en charge OpenPGP avec [GPG Suite](/encryption/# gpg-suite), ce qui ajoute la possibilité d'envoyer des e-mails chiffrés. + + [:octicons-home-16: Page d'accueil](https://support.apple.com/fr-fr/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/fr/legal/privacy/fr-ww/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.apple.com/fr-fr/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Logo de Canary Mail](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** est un client de messagerie payant conçu pour rendre le chiffrement de bout en bout transparent grâce à des fonctions de sécurité telles que le verrouillage biométrique des applications. + + [:octicons-home-16: Page d'accueil](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning "Avertissement" + + Canary Mail n'a publié que récemment un client Windows et Android, mais nous ne pensons pas qu'ils soient aussi stables que leurs homologues iOS et Mac. + +Canary Mail est à source fermée. Nous le recommandons en raison du peu de choix disponibles pour les clients de messagerie sur iOS prenant en charge PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![Logo FairEmail](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** est une application de messagerie électronique minimale et open-source, utilisant des standards ouverts (IMAP, SMTP, OpenPGP) avec une faible consommation de données et de batterie. + + [:octicons-home-16: Page d'accueil](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Code source" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribuer} + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Logo Evolution](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** est une application de gestion des informations personnelles qui fournit des fonctionnalités intégrées de courrier, de calendrier et de carnet d'adresses. Evolution dispose d'une vaste [documentation](https://help.gnome.org/users/evolution/stable/) pour vous aider à démarrer. + + [:octicons-home-16: Page d'accueil](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribuer} + + ??? downloads "Téléchargements" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![Logo de K-9 Mail](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** est une application de messagerie indépendante qui prend en charge les boîtes aux lettres POP3 et IMAP, mais ne prend en charge le push mail que pour IMAP. + + À l'avenir, K-9 Mail sera le client Thunderbird [officiel](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) pour Android . + + [:octicons-home-16: Page d'accueil](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Code source" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning "Avertissement" + + Lorsque vous répondez à un membre d'une liste de diffusion, l'option "répondre" peut également inclure la liste de diffusion. Pour plus d'informations, voir [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Logo Kontact](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** est une application de gestion des informations personnelles (PIM) issue du projet [KDE](https://kde.org). Il offre un client de messagerie, un carnet d'adresses, un organiseur et un client RSS. + + [:octicons-home-16: Page d'accueil](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Code source" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Navigateur) + +!!! recommendation + + ![Logo Mailvelope](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** est une extension de navigateur qui permet l'échange de courriers électroniques chiffrés selon la norme de chiffrement OpenPGP. + + [:octicons-home-16: Page d'accueil](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![Logo NeoMutt](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** est un lecteur de courrier en ligne de commande (ou MUA) open-source pour Linux et BSD. C'est un fork de [Mutt](https://fr.wikipedia.org/wiki/Mutt) avec des fonctionnalités supplémentaires. + + NeoMutt est un client textuel qui a une courbe d'apprentissage abrupte. Il est cependant très personnalisable. + + [:octicons-home-16: Page d'accueil](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Qualifications minimales + +- Les applications développées pour les systèmes d'exploitation open source doivent être open source. +- Ne doit pas collecter de télémétrie, ou disposer d'un moyen facile de désactiver toute télémétrie. +- Doit prendre en charge le chiffrement des messages OpenPGP. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Doit être open-source. +- Doit être multiplateforme. +- Ne doit pas collecter de télémétrie par défaut. +- Doit prendre en charge OpenPGP nativement, c'est-à-dire sans extensions. +- Doit prendre en charge le stockage local de courriels chiffrés par OpenPGP. diff --git a/i18n/fr/email.md b/i18n/fr/email.md new file mode 100644 index 00000000..8e54e798 --- /dev/null +++ b/i18n/fr/email.md @@ -0,0 +1,503 @@ +--- +title: "Services d'email" +icon: material/email +description: Ces fournisseurs d'email constituent un excellent moyen de stocker vos emails en toute sécurité, et nombre d'entre eux proposent un système de chiffrement OpenPGP interopérable avec d'autres fournisseurs. +--- + +L'email est pratiquement une nécessité pour utiliser n'importe quel service en ligne, mais nous ne le recommandons pas pour les conversations de particulier à particulier. Plutôt que d'utiliser l'email pour contacter d'autres personnes, envisagez d'utiliser un support de messagerie instantanée qui prend en charge la confidentialité persistante. + +[Messageries instantanées recommandées](real-time-communication.md ""){.md-button} + +Pour tout le reste, nous recommandons une variété de fournisseurs d'email en fonction de la viabilité de leur modèle économique et de leurs fonctions intégrées de sécurité et de confidentialité. + +- [Fournisseurs d'emails compatibles avec OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Autres fournisseurs chiffrés :material-arrow-right-drop-circle:](#more-providers) +- [Services d'alias d'email :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Options d'auto-hébergement :material-arrow-right-drop-circle:](#self-hosting-email) + +## Services compatibles avec OpenPGP + +Ces fournisseurs prennent en charge de manière native le chiffrement/déchiffrement par OpenPGP et la norme WKD (Web Key Directory), ce qui permet d'obtenir des emails E2EE indépendamment du fournisseur. Par exemple, un utilisateur de Proton Mail peut envoyer un message E2EE à un utilisateur de Mailbox.org, ou vous pouvez recevoir des notifications chiffrées par OpenPGP de la part de services internet qui le supportent. + +
+ +- ![Logo Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning "Avertissement" + + Lors de l'utilisation d'une technologie E2EE telle que OpenPGP, l'email contiendra toujours certaines métadonnées non chiffrées dans l'en-tête. En savoir plus sur les [métadonnées des emails](basics/email-security.md#email-metadata-overview). + + OpenPGP ne prend pas non plus en charge la confidentialité persistante, ce qui signifie que si votre clé privée ou celle du destinataire est volée, tous les messages précédents chiffrés avec elle seront exposés. [Comment protéger mes clés privées ?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Logo Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** est un service d'email qui met l'accent sur la confidentialité, le chiffrement, la sécurité et la facilité d'utilisation. Il est en activité depuis **2013**. Proton AG a son siège à Genève, en Suisse. Les comptes commencent avec 500 Mo de stockage avec leur offre gratuite. + + [:octicons-home-16: Page d'accueil](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Les comptes gratuits présentent certaines limitations, comme le fait de ne pas pouvoir effectuer de recherche dans le corps du texte et de ne pas avoir accès à [Proton Mail Bridge](https://proton.me/mail/bridge), qui est nécessaire pour utiliser un [client d'email de bureau recommandé](email-clients.md) (par exemple Thunderbird). Les comptes payants comprennent des fonctionnalités telles que Proton Mail Bridge, un espace de stockage supplémentaire et la prise en charge de domaines personnalisés. Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton Mail le 9 novembre 2021 par [Securitum](https://research.securitum.com). + +Si vous avez l'offre Proton Illimité, Entreprise ou Visionnaire, vous obtenez également [SimpleLogin](#simplelogin) Premium gratuitement. + +Proton Mail dispose de rapports de plantages internes qu'il **ne partage pas** avec des tiers. Ils peuvent être désactivés dans : **Paramètres** > **Aller à Paramètres** > **Compte** > **Sécurité et confidentialité** > **Envoyer des rapports de crash**. + +#### :material-check:{ .pg-green } Domaines personnalisés et alias + +Les abonnés payants à Proton Mail peuvent utiliser leur propre domaine avec le service ou une adresse [fourre-tout](https://proton.me/support/catch-all). Proton Mail prend également en charge le [sous-adressage](https://proton.me/support/creating-aliases), ce qui est utile pour les personnes qui ne souhaitent pas acheter un domaine. + +#### :material-check:{ .pg-green } Modes de paiement privés + +Proton Mail [accepte](https://proton.me/support/payment-options) les paiements en espèces par courrier, ainsi que les paiements par carte de crédit/débit, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)et PayPal. + +#### :material-check:{ .pg-green } Sécurité du compte + +Proton Mail prend en charge [l'authentification à deux facteurs](https://proton.me/support/two-factor-authentication-2fa) TOTP et les [clés de sécurité matérielles](https://proton.me/support/2fa-security-key) en utilisant les normes FIDO2 ou U2F. L'utilisation d'une clé de sécurité matérielle nécessite la mise en place préalable d'une authentification à deux facteurs TOTP. + +#### :material-check:{ .pg-green } Sécurité des données + +Proton Mail dispose d'un [chiffrement à accès zéro](https://proton.me/blog/zero-access-encryption) au repos pour vos emails et [calendriers](https://proton.me/news/protoncalendar-security-model). Les données sécurisées par un chiffrement à accès zéro ne sont accessibles que par vous. + +Certaines informations stockées dans [Proton Contacts](https://proton.me/support/proton-contacts), telles que les noms et les adresses email, ne sont pas sécurisées par un chiffrement à accès zéro. Les champs de contact qui prennent en charge le chiffrement à accès zéro, comme les numéros de téléphone, sont indiqués par une icône de cadenas. + +#### :material-check:{ .pg-green } Chiffrement des emails + +Proton Mail a [du chiffrement OpenPGP intégré](https://proton.me/support/how-to-use-pgp) dans son webmail. Les emails destinés à d'autres comptes Proton Mail sont chiffrés automatiquement, et le chiffrement vers des adresses autres que Proton Mail avec une clé OpenPGP peut être activé facilement dans les paramètres de votre compte. Ils vous permettent également d'[envoyer des messages chiffrés à des adresses non Proton Mail](https://proton.me/support/password-protected-emails) sans qu'ils aient besoin de s'inscrire à un compte Proton Mail ou d'utiliser un logiciel comme OpenPGP. + +Proton Mail prend également en charge la découverte de clés publiques via HTTP à partir de leur [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Cela permet aux personnes qui n'utilisent pas Proton Mail de trouver facilement les clés OpenPGP des comptes Proton Mail, pour un E2EE inter-fournisseurs. + + +#### :material-information-outline:{ .pg-blue } Résiliation du compte + +Si vous avez un compte payant et que votre [facture est impayée](https://proton.me/support/delinquency) après 14 jours, vous ne pourrez pas accéder à vos données. Après 30 jours, votre compte sera en impayé et ne recevra plus d'email entrant. Vous continuerez à être facturé pendant cette période. + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Proton Mail propose un compte "Illimité" pour 9,99 €/mois, qui permet également d'accéder à Proton VPN en plus de fournir plusieurs comptes, domaines, alias et 500 Go de stockage. + +Proton Mail ne propose pas de fonction d'héritage numérique. + +### Mailbox.org + +!!! recommendation + + ![Logo de Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** est un service d'email qui se veut sécurisé, sans publicité et alimenté par une énergie 100% écologique. Il est en activité depuis 2014. Mailbox.org est basé à Berlin, en Allemagne. Les comptes commencent avec 2 Go de stockage, qui peuvent être mis à niveau si nécessaire. + + [:octicons-home-16: Page d'accueil](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Domaines personnalisés et alias + +Mailbox.org vous permet d'utiliser votre propre domaine et prend en charge les adresses [fourre-tout](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org prend également en charge le [sous-adressage](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), ce qui est utile pour les personnes qui ne souhaitent pas acheter un domaine. + +#### :material-check:{ .pg-green } Modes de paiement privés + +Mailbox.org n'accepte aucune crypto-monnaie en raison de la suspension des activités de son processeur de paiement BitPay en Allemagne. Cependant, ils acceptent les paiements en espèces par courrier, les paiements en espèces sur compte bancaire, les virements bancaires, les cartes de crédit, PayPal et quelques processeurs spécifiques à l'Allemagne : paydirekt et Sofortüberweisung. + +#### :material-check:{ .pg-green } Sécurité du compte + +Mailbox.org prend en charge l'[authentification à deux facteurs](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) pour son webmail uniquement. Vous pouvez utiliser soit TOTP, soit une [Yubikey](https://fr.wikipedia.org/wiki/YubiKey) via le [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Les normes web telles que [WebAuthn](https://fr.wikipedia.org/wiki/WebAuthn) ne sont pas encore prises en charge. + +#### :material-information-outline:{ .pg-blue } Sécurité des données + +Mailbox.org permet le chiffrement des emails entrant à l'aide de sa [boîte mails chiffrée](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Les nouveaux messages que vous recevrez seront alors immédiatement chiffrés avec votre clé publique. + +Cependant, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la plateforme logicielle utilisée par Mailbox.org, [ne prend pas en charge](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) le chiffrement de votre carnet d'adresses et de votre calendrier. Une [option tierce](calendar.md) pourrait être plus appropriée pour ces informations. + +#### :material-check:{ .pg-green } Chiffrement des emails + +Mailbox.org a [du chiffrement intégré](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) dans son webmail, ce qui simplifie l'envoi de messages à des personnes possédant des clés OpenPGP publiques. Ils permettent également aux [destinataires distants de déchiffrer un email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) sur les serveurs de Mailbox.org. Cette fonction est utile lorsque le destinataire distant ne dispose pas d'OpenPGP et ne peut pas déchiffrer une copie de l'email dans sa propre boîte mail. + +Mailbox.org prend également en charge la découverte de clés publiques via HTTP à partir de leur [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Cela permet aux personnes extérieures à Mailbox.org de trouver facilement les clés OpenPGP des comptes Mailbox.org, pour un E2EE inter-fournisseurs. + +#### :material-information-outline:{ .pg-blue } Résiliation du compte + +Votre compte sera défini comme un compte d'utilisateur restreint à la fin de votre contrat, après [30 jours, il sera irrévocablement supprimé](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Vous pouvez accéder à votre compte Mailbox.org via IMAP/SMTP en utilisant leur [service .onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Cependant, leur interface webmail n'est pas accessible via leur service .onion et vous pouvez rencontrer des erreurs de certificat TLS. + +Tous les comptes sont assortis d'un espace de stockage cloud limité qui [peut être chiffré](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org propose également l'alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), qui applique le chiffrement TLS à la connexion entre les serveurs mail, faute de quoi le message ne sera pas envoyé. Mailbox.org prend également en charge [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) en plus des protocoles d'accès standard comme IMAP et POP3. + +Mailbox.org dispose d'une fonction d'héritage numérique pour toutes les offres. Vous pouvez choisir de transmettre certaines de vos données à vos héritiers, à condition d'en faire la demande et de fournir votre testament. Vous pouvez également désigner une personne par son nom et son adresse. + +## D'autres fournisseurs + +Ces fournisseurs stockent vos emails avec un chiffrement à connaissance zéro, ce qui en fait d'excellentes options pour assurer la sécurité de vos emails stockés. Cependant, ils ne prennent pas en charge les normes de chiffrement interopérables pour des communications E2EE entre fournisseurs. + +
+ +- ![Logo StartMail](assets/img/email/startmail.svg#only-light){ .twemoji }![Logo StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Logo Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![Logo de StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Logo de StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** est un service d'email qui met l'accent sur la sécurité et la confidentialité grâce à l'utilisation du standard de chiffrement OpenPGP. StartMail est en activité depuis 2014 et est basé à Boulevard 11, Zeist Pays-Bas. Les comptes commencent avec 10 Go. Ils offrent un essai de 30 jours. + + [:octicons-home-16: Page d'accueil](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Domaines personnalisés et alias + +Les comptes personnels peuvent utiliser des alias [Personnalisés ou Rapides](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) . Des [domaines personnalisés](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) sont également disponibles. + +#### :material-alert-outline:{ .pg-orange } Modes de paiement privés + +StartMail accepte Visa, MasterCard, American Express et Paypal. StartMail a aussi d'autres [options de paiement](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) comme [le Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (actuellement seulement pour les comptes personnels) et le prélèvement direct SEPA pour les comptes de plus d'un an. + +#### :material-check:{ .pg-green } Sécurité du compte + +StartMail prend en charge l'authentification à deux facteurs TOTP [pour le webmail seulement](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Ils ne permettent pas l'authentification par clé de sécurité U2F. + +#### :material-information-outline:{ .pg-blue } Sécurité des données + +StartMail a du [chiffrement à accès zéro au repos](https://www.startmail.com/en/whitepaper/#_Toc458527835), en utilisant leur système "coffre-fort utilisateur". Lorsque vous vous connectez, le coffre-fort est ouvert, et l'email est alors déplacé dans le coffre-fort hors de la file d'attente où il est déchiffré par la clé privée correspondante. + +StartMail permet d'importer des [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) mais ceux-ci ne sont accessibles que dans le webmail et non via des protocoles tels que [CalDAV](https://fr.wikipedia.org/wiki/CalDAV). Les contacts ne sont pas non plus stockés à l'aide d'un chiffrement à connaissance zéro. + +#### :material-check:{ .pg-green } Chiffrement des emails + +StartMail a [du chiffrement intégré](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) dans son webmail, ce qui simplifie l'envoi de messages chiffrés avec des clés publiques OpenPGP. Cependant, ils ne supportent pas la norme Web Key Directory, ce qui rend la découverte de la clé publique d'une boîte mail Startmail plus difficile pour d'autres fournisseurs ou clients email. + +#### :material-information-outline:{ .pg-blue } Résiliation du compte + +A l'expiration du compte, StartMail supprimera définitivement votre compte après [6 mois en 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +StartMail permet de faire passer les images des emails par leur serveur proxy. Si vous autorisez le chargement de l'image distante, l'expéditeur ne saura pas quelle est votre adresse IP. + +StartMail ne propose pas de fonction d'héritage numérique. + +### Tutanota + +!!! recommendation + + ![Logo Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** est un service d'email qui met l'accent sur la sécurité et la confidentialité grâce à l'utilisation du chiffrement. Tutanota est en activité depuis **2011** et est basée à Hanovre, en Allemagne. Les comptes commencent avec 1 Go de stockage avec leur offre gratuite. + + [:octicons-home-16: Page d'accueil](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Code source" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota ne prend pas en charge le [protocole IMAP](https://tutanota.com/faq/#imap) ni l'utilisation de [clients email](email-clients.md) tiers, et vous ne pourrez pas non plus ajouter [des comptes email externes](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) à l'application Tutanota. Ni [l'import d'emails](https://github.com/tutao/tutanota/issues/630) ni [les sous-dossiers](https://github.com/tutao/tutanota/issues/927) ne sont actuellement pris en charge, bien que cela soit [amené à changer](https://tutanota.com/blog/posts/kickoff-import). Les emails peuvent être exportés [individuellement ou par sélection groupée](https://tutanota.com/howto#generalMail) par dossier, ce qui peut s'avérer peu pratique si vous avez de nombreux dossiers. + +#### :material-check:{ .pg-green } Domaines personnalisés et alias + +Les comptes Tutanota payants peuvent utiliser jusqu'à 5 [alias](https://tutanota.com/faq#alias) et [domaines personnalisés](https://tutanota.com/faq#custom-domain). Tutanota ne permet pas le [sous-adressage (adresses plus)](https://tutanota.com/faq#plus), mais vous pouvez utiliser une adresse [fourre-tout](https://tutanota.com/howto#settings-global) avec un domaine personnalisé. + +#### :material-information-outline:{ .pg-blue } Modes de paiement privés + +Tutanota n'accepte directement que les cartes de crédit et PayPal, mais [les crypto-monnaies](cryptocurrency.md) peuvent être utilisées pour acheter des cartes-cadeaux grâce à leur [partenariat](https://tutanota.com/faq/#cryptocurrency) avec Proxystore. + +#### :material-check:{ .pg-green } Sécurité du compte + +Tutanota prend en charge l'[authentification à deux facteurs](https://tutanota.com/faq#2fa) avec TOTP ou U2F. + +#### :material-check:{ .pg-green } Sécurité des données + +Tutanota dispose d'un [chiffrement accès zéro au repos](https://tutanota.com/faq#what-encrypted) pour vos emails, vos [contacts de carnet d'addresse](https://tutanota.com/faq#encrypted-address-book), et vos [calendars](https://tutanota.com/faq#calendar). Cela signifie que les messages et autres données stockés dans votre compte ne sont lisibles que par vous. + +#### :material-information-outline:{ .pg-blue } Chiffrement des emails + +Tutanota [n'utilise pas OpenPGP](https://www.tutanota.com/faq/#pgp). Les comptes Tutanota ne peuvent recevoir des emails chiffrés provenant de comptes email non Tutanota que s'ils sont envoyés via une [boîte mail temporaire Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Résiliation du compte + +Tutanota supprimera [les comptes gratuits inactifs](https://tutanota.com/faq#inactive-accounts) après six mois. Vous pouvez réutiliser un compte gratuit désactivé si vous payez. + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Tutanota offre la version professionnelle de [Tutanota aux organisations à but non lucratif](https://tutanota.com/blog/posts/secure-email-for-non-profit) gratuitement ou avec une forte réduction. + +Tutanota dispose également d'une fonction commerciale appelée [Secure Connect](https://tutanota.com/secure-connect/). Cela garantit que le contact du client avec l'entreprise utilise E2EE. La fonctionnalité coûte 240 €/an. + +Tutanota ne propose pas de fonction d'héritage numérique. + +## Services d'alias d'emails + +Un service d'alias d'emails vous permet de générer facilement une nouvelle adresse email pour chaque site web auquel vous vous inscrivez. Les alias que vous créez sont ensuite transférés vers une adresse email de votre choix, ce qui permet de masquer à la fois votre adresse email "principale" et l'identité de votre fournisseur d'email. Un véritable alias d'email est mieux que l'adressage plus, couramment utilisé et pris en charge par de nombreux fournisseurs, qui vous permet de créer des alias tels que votrenom+[nimportequoiici]@exemple.fr, car les sites web, les annonceurs et les réseaux de pistage peuvent trivialement supprimer tout ce qui suit le signe + pour connaître votre véritable adresse email. + +
+ +- ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Logo SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +L'alias d'email peut servir de protection au cas où votre fournisseur d'email cesserait de fonctionner. Dans ce cas, vous pouvez facilement rediriger vos alias vers une nouvelle adresse email. En revanche, vous faites confiance au service d'alias pour qu'il continue de fonctionner. + +L'utilisation d'un service d'alias d'email dédié présente également un certain nombre d'avantages par rapport à un alias fourre-tout sur un domaine personnalisé : + +- Les alias peuvent être activés et désactivés individuellement lorsque vous en avez besoin, ce qui empêche les sites web de vous envoyer des emails de façon aléatoire. +- Les réponses sont envoyées à partir de l'adresse alias, qui masque votre véritable adresse email. + +Ils présentent également un certain nombre d'avantages par rapport aux services qui fournissent des "emails temporaires" : + +- Les alias sont permanents et peuvent être réactivés si vous devez recevoir quelque chose comme une réinitialisation de mot de passe. +- Les emails sont envoyés à votre boîte mail de confiance plutôt que d'être stockés par le fournisseur d'alias. +- Les services d'emails temporaires proposent généralement des boîtes mail publiques auxquelles peuvent accéder tous ceux qui connaissent l'adresse, tandis que les alias sont privés. + +Nos recommandations en matière d'alias d'email sont des fournisseurs qui vous permettent de créer des alias sur des domaines qu'ils contrôlent, ainsi que sur votre ou vos propres domaine(s) personnalisé(s), pour un coût annuel modeste. Ils peuvent également être auto-hébergés si vous souhaitez un contrôle maximal. Toutefois, l'utilisation d'un domaine personnalisé peut présenter des inconvénients en matière de confidentialité : Si vous êtes la seule personne à utiliser votre domaine personnalisé, vos actions peuvent être facilement suivies sur les sites web en regardant simplement le nom de domaine dans l'adresse email et en ignorant tout ce qui se trouve avant le signe arobase (@). + +L'utilisation d'un service d'alias nécessite de faire confiance à la fois à votre fournisseur d'email et à votre fournisseur d'alias pour vos messages non chiffrés. Certains fournisseurs atténuent légèrement ce problème grâce au chiffrement automatique PGP, qui réduit le nombre de services auxquels vous devez faire confiance de deux à un en chiffrant les emails entrants avant qu'ils ne soient remis à votre fournisseur de boîte mail final. + +### AnonAddy + +!!! recommendation + + ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ align=right } + ![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** vous permet de créer gratuitement 20 alias de domaine sur un domaine partagé, ou un nombre illimité d'alias "standard" qui sont moins anonymes. + + [:octicons-home-16: Page d'accueil](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Code source" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Le nombre d'alias partagés (qui se terminent par un domaine partagé comme @anonaddy.me) que vous pouvez créer est limité à 20 sur l'offre gratuite d'AnonAddy et à 50 sur leur offre à 12 $/an. Vous pouvez créer un nombre illimité d'alias standard (qui se terminent par un domaine tel que @[nomdutilisateur].anonaddy.com ou un domaine personnalisé sur les offres payantes), mais, comme nous l'avons déjà mentionné, cela peut nuire à la confidentialité car les gens peuvent trivialement relier vos alias standard en se basant sur le seul nom de domaine. Des alias partagés illimités sont disponibles pour 36 $/an. + +Fonctions gratuites notables : + +- [x] 20 Alias partagés +- [x] Alias standard illimités +- [ ] Pas de réponses sortantes +- [x] 2 Boîtes mail de réception +- [x] Chiffrement automatique PGP + +### SimpleLogin + +!!! recommendation + + ![Logo Simplelogin](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** est un service gratuit qui fournit des alias d'email sur une variété de noms de domaine partagés, et offre en option des fonctionnalités payantes comme des alias illimités et des domaines personnalisés. + + [:octicons-home-16: Page d'accueil](https://simplelogin.io/fr/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin a été [acquis par Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) à compter du 8 avril 2022. Si vous utilisez Proton Mail pour votre boîte mail principale, SimpleLogin est un excellent choix. Les deux produits étant désormais détenus par la même société, vous ne devez plus faire confiance qu'à une seule entité. Nous supposons également que SimpleLogin sera plus étroitement intégré aux offres de Proton à l'avenir. SimpleLogin continue de prendre en charge la redirection vers le fournisseur d'email de votre choix. Securitum [a audité](https://simplelogin.io/blog/security-audit/) SimpleLogin début 2022 et tous les problèmes [ont été résolus](https://simplelogin.io/audit2022/web.pdf). + +Vous pouvez lier votre compte SimpleLogin avec votre compte Proton dans les paramètres de SimpleLogin. Si vous avez l'offre Proton Illimité, Entreprise, ou Visionnaire, vous aurez SimpleLogin Premium gratuitement. + +Fonctions gratuites notables : + +- [x] 10 Alias partagés +- [x] Réponses illimitées +- [x] 1 Boîte mail de réception + +## Email auto-hébergé + +Les administrateurs système peuvent envisager de mettre en place leur propre serveur mail. Les serveurs mail requièrent une attention et une maintenance permanente afin de garantir la sécurité et la fiabilité de la distribution des emails. + +### Solutions logicielles combinées + +!!! recommendation + + ![Logo Mailcow](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** est un serveur mail plus avancé, parfait pour ceux qui ont un peu plus d'expérience de Linux. Il possède tout ce dont vous avez besoin dans un conteneur Docker : un serveur mail avec prise en charge de DKIM, une surveillance antivirus et spam, un webmail et ActiveSync avec SOGo, et une administration basée sur le web avec prise en charge de 2FA. + + [:octicons-home-16: Page d'accueil](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribuer } + +!!! recommendation + + ![Logo Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** est un script de configuration automatisé pour le déploiement d'un serveur mail sur Ubuntu. Son objectif est de faciliter la mise en place de son propre serveur mail. + + [:octicons-home-16: Page d'accueil](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Code source" } + +Pour une approche plus manuelle, nous avons choisi ces deux articles : + +- [Configuration d'un serveur mail avec OpenSMTPD, Dovecot et Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Comment gérer votre propre serveur mail](https://www.c0ffee.net/blog/mail-server-guide/) (août 2017) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des fournisseurs que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour tout fournisseur d'email souhaitant être recommandé, y compris la mise en place des bonnes pratiques du secteur, une technologie moderne et bien plus. Nous vous suggérons de vous familiariser avec cette liste avant de choisir un fournisseur d'email, et de mener vos propres recherches pour vous assurer que le fournisseur d'email que vous choisissez est le bon choix pour vous. + +### Technologie + +Nous considérons ces caractéristiques comme importantes afin de fournir un service sûr et optimal. Vous devez vous demander si le fournisseur possède les caractéristiques dont vous avez besoin. + +**Minimum pour se qualifier :** + +- Chiffre les données du compte email au repos avec un chiffrement à accès zéro. +- Capacité d'export en tant que [Mbox](https://en.wikipedia.org/wiki/Mbox) ou .eml individuel avec standard [RFC5322](https://datatracker.ietf.org/doc/rfc5322/). +- Permet aux utilisateurs d'utiliser leur propre [nom de domaine](https://en.wikipedia.org/wiki/Domain_name). Les noms de domaine personnalisés sont importants pour les utilisateurs car ils leur permettent de conserver leur indépendance du service, au cas où celui-ci tournerait mal ou serait racheté par une autre société qui ne donne pas priorité à la vie privée. +- Fonctionne sur sa propre infrastructure, c'est-à-dire qu'elle ne repose pas sur des fournisseurs de services d'email tiers. + +**Dans le meilleur des cas :** + +- Chiffre toutes les données du compte (contacts, calendriers, etc.) au repos avec un chiffrement à accès zéro. +- Un webmail intégré avec chiffrement E2EE/PGP est fourni à titre de commodité. +- Prise en charge de [WKD](https://wiki.gnupg.org/WKD) pour permettre une meilleure découverte des clés publiques OpenPGP via HTTP. Les utilisateurs de GnuPG peuvent obtenir une clé en tapant : `gpg --locate-key utilisateur_exemple@exemple.fr` +- Prise en charge d'une boîte mail temporaire pour les utilisateurs externes. Cette fonction est utile lorsque vous souhaitez envoyer un email chiffré, sans envoyer une copie réelle à votre destinataire. Ces emails ont généralement une durée de vie limitée et sont ensuite automatiquement supprimés. Ils n'obligent pas non plus le destinataire à configurer un système de chiffrement comme OpenPGP. +- Disponibilité des services du fournisseur d'email via un [service onion](https://en.wikipedia.org/wiki/.onion). +- Prise en charge du [sous-adressage](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Fonctionnalité fourre-tout ou alias pour ceux qui possèdent leurs propres domaines. +- Utilisation de protocoles standard d'accès au emails tels que IMAP, SMTP ou [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Les protocoles d'accès standard garantissent que les clients peuvent facilement télécharger l'ensemble de leurs emails, s'ils souhaitent changer de fournisseur. + +### Confidentialité + +Nous préférons que nos prestataires recommandés collectent le moins de données possible. + +**Minimum pour se qualifier :** + +- Protéger l'adresse IP de l'expéditeur. Filtrez-la pour qu'elle n'apparaisse pas dans le champ d'en-tête `Received`. +- Ne demandez pas de Données à Caractère Personnel (DCP) en plus d'un nom d'utilisateur et d'un mot de passe. +- Politique de confidentialité répondant aux exigences définies par le RGPD. +- Ne doit pas être hébergé aux États-Unis en raison de [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) qui doit [encore être réformé](https://epic.org/ecpa/). + +**Dans le meilleur des cas :** + +- Accepte des [options de paiement anonymes](advanced/payments.md) ([crypto-monnaie](cryptocurrency.md), argent liquide, cartes cadeaux, etc.) + +### Sécurité + +Les serveurs mail traitent un grand nombre de données très sensibles. Nous nous attendons à ce que les prestataires adoptent les meilleures pratiques du secteur afin de protéger leurs membres. + +**Minimum pour se qualifier :** + +- Protection du webmail avec 2FA, tel que TOTP. +- Le chiffrement à accès zéro, qui complète le chiffrement au repos. Le fournisseur ne dispose pas des clés de déchiffrement des données qu'il détient. Cela permet d'éviter qu'un employé malhonnête ne divulgue les données auxquelles il a accès ou qu'un adversaire distant ne divulgue les données qu'il a volées en obtenant un accès non autorisé au serveur. +- Prise en charge de [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- Aucune erreurs ou vulnérabilités TLS lors du profilage par des outils tels que [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), ou [Qualys SSL Labs](https://www.ssllabs.com/ssltest); cela inclut les erreurs liées aux certificats et les paramètres DH faibles, tels que ceux qui ont conduit à [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Une préférence, pour les serveurs (facultatif sur TLSv1.3), pour les suites de chiffrement fortes qui prennent en charge la confidentialité persistante et le chiffrement authentifié. +- Une politique valide [MTA-STS](https://tools.ietf.org/html/rfc8461) et [TLS-RPT](https://tools.ietf.org/html/rfc8460). +- Des enregistrements [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) valides. +- Des enregistrements [SPF](https://fr.wikipedia.org/wiki/Sender_Policy_Framework) et [DKIM](https://fr.wikipedia.org/wiki/DomainKeys_Identified_Mail) valides. +- Disposer d'un enregistrement et d'une politique [DMARC](https://fr.wikipedia.org/wiki/DMARC) appropriés ou utiliser [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) pour l'authentification. Si l'authentification DMARC est utilisée, la politique doit être définie comme suit : `reject` ou `quarantine`. +- Une préférence pour une suite de serveur TLS 1.2 ou plus récente et un plan pour [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- Une soumission [SMTPS](https://en.wikipedia.org/wiki/SMTPS), en supposant que le SMTP est utilisé. +- Des normes de sécurité des sites web telles que : + - [HTTP Strict Transport Security](https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - Une [Intégrité des sous-ressources](https://en.wikipedia.org/wiki/Subresource_Integrity) si des éléments sont chargés depuis des domaines externes. +- Doit prendre en charge l'affichage des [en-têtes de message](https://en.wikipedia.org/wiki/Email#Message_header), car il s'agit d'une fonction d'analyse scientifique essentielle pour déterminer si un email est une tentative de hammeçonnage. + +**Dans le meilleur des cas :** + +- Prise en charge de l'authentification matérielle, à savoir U2F et [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F et WebAuthn sont plus sûrs car ils utilisent une clé privée stockée sur un dispositif matériel côté client pour authentifier les personnes, par opposition à un secret partagé qui est stocké sur le serveur web et côté client lors de l'utilisation de TOTP. De plus, U2F et WebAuthn sont plus résistants au phishing car leur réponse d'authentification est basée sur le [nom de domaine](https://en.wikipedia.org/wiki/Domain_name) authentifié. +- Un [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) en plus de la prise en charge de DANE. +- Prise en charge de [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), utile pour les personnes qui publient sur des listes de diffusion [RFC8617](https://tools.ietf.org/html/rfc8617). +- Des programmes de primes aux bugs et/ou un processus coordonné de divulgation des vulnérabilités. +- Des normes de sécurité des sites web telles que : + - [Content Security Policy (CSP)](https://fr.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Confiance + +Vous ne confieriez pas vos finances à une personne ayant une fausse identité, alors pourquoi lui confier vos emails ? Nous exigeons de nos fournisseurs recommandés qu'ils rendent public leur propriété ou leur direction. Nous aimerions également voir des rapports de transparence fréquents, notamment en ce qui concerne la manière dont les demandes de gouvernement sont traitées. + +**Minimum pour se qualifier :** + +- Une direction ou un propriétaire public. + +**Dans le meilleur des cas :** + +- Une direction publique. +- Rapports de transparence fréquents. + +### Marketing + +Avec les fournisseurs d'email que nous recommandons, nous aimons voir un marketing responsable. + +**Minimum pour se qualifier :** + +- Doit héberger lui-même ses outils d'analyse de traffic (pas de Google Analytics, Adobe Analytics, etc.). Le site du fournisseur doit également se conformer à [DNT (Do Not Track)](https://fr.wikipedia.org/wiki/Do_Not_Track) pour ceux qui souhaitent refuser. + +Ne doit pas avoir de marketing irresponsable : + +- Prétendre à un "chiffrement incassable". Le chiffrement doit être utilisé en supposant qu'il ne soit plus secret dans le futur, lorsque la technologie existera pour le décrypter. +- Garantir la protection de l'anonymat à 100%. Lorsque quelqu'un prétend que quelque chose est à 100%, cela signifie qu'il n'y a aucune certitude d'échec. Nous savons que les gens peuvent assez facilement se désanonymiser de plusieurs façons, par exemple : + +- Réutiliser des informations personnelles (comptes de messagerie, pseudonymes uniques, etc.) auxquelles ils ont eu accès sans logiciel d'anonymat (Tor, VPN, etc.). +- [Empreinte numérique des navigateurs](https://fr.wikipedia.org/wiki/Empreinte_digitale_d%27appareil) + +**Dans le meilleur des cas :** + +- Une documentation claire et facile à lire. Notamment pour la mise en place du 2FA, des clients d'email tiers, d'OpenPGP, etc. + +### Fonctionnalités supplémentaires + +Bien qu'il ne s'agisse pas d'exigences strictes, nous avons pris en compte d'autres facteurs liés à la commodité ou à la confidentialité pour déterminer les fournisseurs à recommander. diff --git a/i18n/fr/encryption.md b/i18n/fr/encryption.md new file mode 100644 index 00000000..27913481 --- /dev/null +++ b/i18n/fr/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Logiciels de chiffrement" +icon: material/file-lock +description: Le chiffrement des données est le seul moyen de contrôler qui peut y accéder. Ces outils vous permettent de chiffrer vos emails et tout autre fichier. +--- + +Le chiffrement des données est le seul moyen de contrôler qui peut y accéder. Si vous n'utilisez pas actuellement de logiciel de chiffrement pour votre disque dur, vos e-mails ou vos fichiers, vous devriez choisir une option ici. + +## Multi-plateforme + +Les options répertoriées ici sont multiplateformes et parfaites pour créer des sauvegardes chiffrées de vos données. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** est une solution de chiffrement conçue pour enregistrer vos fichiers de manière privée vers n'importe quel fournisseur de cloud. Il vous permet de créer des coffres-forts qui sont stockés sur un disque virtuel, dont le contenu est chiffré et synchronisé avec votre fournisseur de stockage cloud. + + [:octicons-home-16: Page d'accueil](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Code Source" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator utilise le chiffrement AES-256 pour chiffrer les fichiers et les noms de fichiers. Cryptomator ne peut pas chiffrer certaines métadonnées telles que les dates et heures d'accès, de modification et de création, ni le nombre et la taille des fichiers et des dossiers. + +Certaines bibliothèques cryptographiques de Cryptomator ont été [auditées](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) par Cure53. La portée des bibliothèques auditées comprend: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) et [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). L'audit ne s'est pas étendu à [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), qui est une bibliothèque utilisée par Cryptomator pour iOS. + +La documentation de Cryptomator détaille sa [cible de sécurité](https://docs.cryptomator.org/en/latest/security/security-target/), son [architecture de sécurité](https://docs.cryptomator.org/en/latest/security/architecture/), et ses [meilleures pratiques](https://docs.cryptomator.org/en/latest/security/best-practices/) prévues pour une utilisation de manière plus détaillée. + +### Picocrypt (Fichier) + +!!! recommendation + + ![Logo de Picocrypt](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** est un outil de chiffrement léger et simple qui fournit un chiffrement moderne. Picocrypt utilise le chiffrement sécurisé XChaCha20 et la fonction de dérivation de clé Argon2id pour assurer un haut niveau de sécurité. Il utilise les modules x/crypto standards de Go pour ses fonctions de chiffrement. + + [:octicons-repo-16: Dépôt](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Code source" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disque) + +!!! recommendation + + ![logo VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![logo VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** est un utilitaire gratuit et open source pour le chiffrement de fichiers/dossiers à la volée. Il peut créer un disque virtuel chiffré dans un fichier, chiffrer une partition ou l'ensemble du périphérique de stockage avec une authentification avant le démarrage. + + [:octicons-home-16: Page d'accueil](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Code source" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt est un dérivé du projet TrueCrypt, qui a été abandonné. Selon ses développeurs, des améliorations de la sécurité ont été apportées et les problèmes soulevés par l'audit initial du code de TrueCrypt ont été résolus. + +Lors du chiffrement avec VeraCrypt, vous avez la possibilité de choisir parmi différentes [fonctions de hachage](https://fr.wikipedia.org/wiki/VeraCrypt#Syst%C3%A8me_de_chiffrement). Nous vous suggérons de **seulement** sélectionner [SHA-512](https://fr.wikipedia.org/wiki/SHA-2) et de vous en tenir au [chiffrement par blocs AES](https://fr.wikipedia.org/wiki/Advanced_Encryption_Standard). + +Truecrypt a été [audité un certain nombre de fois](https://fr.wikipedia.org/wiki/TrueCrypt#Audit_global_du_logiciel_en_2013) et VeraCrypt a également été [audité séparément](https://fr.wikipedia.org/wiki/VeraCrypt#Audit). + +## Chiffrement complet du disque du système d'exploitation + +Les systèmes d'exploitation modernes incluent le [Chiffrement de Disque](https://fr.wikipedia.org/wiki/Chiffrement_de_disque) et utiliseront un [cryptoprocesseur sécurisé](https://fr.wikipedia.org/wiki/Cryptoprocesseur_s%C3%A9curis%C3%A9). + +### BitLocker + +!!! recommendation + + ![Logo BitLocker](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** est la solution de chiffrement intégral de volume fournie avec Microsoft Windows. La principale raison pour laquelle nous le recommandons est son [utilisation du TPM](https://docs.microsoft.com/fr-fr/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), une entreprise de forensique, a écrit à ce sujet dans [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/fr-fr/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker est [uniquement pris en charge](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) sur les éditions Pro, Entreprise et Éducation de Windows. Il peut être activé sur les éditions Famille à condition qu'elles remplissent les pré-requis. + +??? example "Activer BitLocker sur Windows Famille" + + Pour activer BitLocker sur les éditions "Famille" de Windows, vous devez formater vos partitions avec une [Table de Partitionnement GUID](https://fr.wikipedia.org/wiki/GUID_Partition_Table) et disposer d'un module TPM dédié (v1.2, 2.0+). + + 1. Ouvrez une invite de commande et vérifiez le format de la table de partition de votre disque à l'aide de la commande suivante. Vous devriez voir "**GPT**" listé sous "Style de partition" : + + ``` + powershell Get-Disk + ``` + + 2. Exécutez cette commande (dans une invite de commande administrateur) pour vérifier la version de votre TPM. Vous devriez voir `2.0` ou `1.2` listé à côté de `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Accédez à [Options de démarrage avancées](https://support.microsoft.com/fr-fr/windows/options-de-d%C3%A9marrage-avanc%C3%A9es-y-compris-le-mode-sans-%C3%A9chec-b90e7808-80b5-a291-d4b8-1a1af602b617). Vous devez redémarrer en appuyant sur la touche F8 avant que Windows ne démarre et aller dans l'*invite de commande* dans **Dépannage** → **Options avancées** → **Invite de commande**. + + 4. Connectez-vous avec votre compte administrateur et tapez ceci dans l'invite de commande pour lancer le chiffrement: + + ``` + manage-bde -on c: -used + ``` + + 5. Fermez l'invite de commande et continuez le démarrage vers Windows normalement. + + 6. Ouvrez une invite de commande administrateur et exécutez les commandes suivantes: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip "Conseil" + + Sauvegardez le fichier `BitLocker-Recovery-Key.txt` de votre ordinateur de bureau sur un périphérique de stockage distinct. La perte de ce code de récupération peut entraîner la perte de données. + +### FileVault + +!!! recommendation + + ![Logo FileVault](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** est la solution de chiffrement de volume à la volée intégrée à macOS. FileVault est recommandé parce qu'il [tire profit](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) de capacités de sécurité matérielle présentes sur un SoC de silicium Apple ou une Puce de Sécurité T2. + + [:octicons-info-16:](https://support.apple.com/fr-fr/guide/mac-help/mh11785/mac){ .card-link title=Documentation} + +Nous recommandons de stocker une clé de récupération locale dans un endroit sûr plutôt que d'utiliser votre compte iCloud pour la récupération. + +### Linux Unified Key Setup + +!!! recommendation + + ![Logo LUKS](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** est la méthode de chiffrement de disque par défaut pour Linux. Elle peut être utilisée pour chiffrer des volumes complets, des partitions ou créer des conteneurs chiffrés. + + [:octicons-home-16: Page d'accueil](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Code source" } + +??? example "Créer et ouvrir des conteneurs chiffrés" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Ouvrir des conteneurs chiffrés + Nous recommandons d'ouvrir les conteneurs et les volumes avec `udisksctl` car cela utilise [Polkit](https://fr.wikipedia.org/wiki/Polkit). La plupart des gestionnaires de fichiers, tels que ceux inclus dans les environnements de bureau les plus courants, peuvent déverrouiller les fichiers chiffrés. Des outils comme [udiskie](https://github.com/coldfix/udiskie) peuvent s'exécuter dans la barre d'état système et fournir une interface utilisateur utile. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "N'oubliez pas de sauvegarder les en-têtes de volume" + + Nous vous recommandons de toujours [sauvegarder vos en-têtes LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) en cas de panne partielle du lecteur. Cela peut être fait avec : + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Basé sur le navigateur + +Le chiffrement basé sur le navigateur peut être utile lorsque vous avez besoin de chiffrer un fichier, mais que vous ne pouvez pas installer de logiciel ou d'applications sur votre appareil. + +### hat.sh + +!!! recommendation + + ![logo hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![logo hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** est une application web qui fournit un chiffrement sécurisé des fichiers dans votre navigateur. Il peut également être auto-hébergé et est utile si vous devez chiffrer un fichier mais que vous ne pouvez pas installer de logiciel sur votre appareil en raison de politiques d'entreprises. + + [:octicons-globe-16: Page d'accueil](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Les méthodes de dons se trouvent au bas du site web" } + +## Ligne de commande + +Les outils dotés d'une interface de ligne de commande sont utiles pour intégrer des [scripts shell](https://fr.wikipedia.org/wiki/Script_shell). + +### Kryptor + +!!! recommendation + + ![Logo Kryptor](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** est un outil gratuit et open source de chiffrement et de signature de fichiers qui utilise des algorithmes cryptographiques modernes et sécurisés. Il vise à être une meilleure version d'[age](https://github.com/FiloSottile/age) et [Minisign](https://jedisct1.github.io/minisign/) pour fournir une alternative simple et facile à GPG. + + [:octicons-home-16: Page d'accueil](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Logo de Tomb](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** est un outil pour LUKS en ligne de commande shell. Il prend en charge la stéganographie via des [outils tiers](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Page d'accueil](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribuer } + +## OpenPGP + +OpenPGP est parfois nécessaire pour des tâches spécifiques telles que la signature numérique et le chiffrage des e-mails. PGP possède de nombreuses fonctionnalités et est [complexe](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) car il existe depuis longtemps. Pour des tâches telles que la signature ou le chiffrement des fichiers, nous suggérons les options ci-dessus. + +Lorsque vous chiffrez avec PGP, vous avez la possibilité de configurer différentes options dans votre fichier `gpg.conf` . Nous recommandons de suivre les options standard spécifiées dans la [FAQ de l'utilisateur de GnuPG](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Utiliser future-defaults lors de la génération d'une clé" + + Lorsque vous [générez des clés](https://www.gnupg.org/gph/en/manual/c14.html), nous vous suggérons d'utiliser la commande `future-default` car elle demandera à GnuPG d'utiliser de la cryptographie moderne telle que [Curve25519](https://fr.wikipedia.org/wiki/Curve25519) et [Ed25519](https://ed25519.cr.yp.to/) : + + ```bash + gpg --quick-gen-key alice@exemple.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![Logo de GNU Privacy Guard](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** est une alternative sous licence GPL de la suite de logiciels cryptographiques PGP. GnuPG est conforme [RFC 4880](https://tools.ietf.org/html/rfc4880), qui est la spécification actuelle de l'IETF pour OpenPGP. Le projet GnuPG a travaillé sur une [nouvelle ébauche](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) dans le but de moderniser OpenPGP. GnuPG fait partie du projet logiciel GNU de la Free Software Foundation et a reçu un [financement](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) majeur du gouvernement allemand. + + [:octicons-home-16: Page d'accueil](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![Logo GPG4win](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** est un paquet pour Windows de [Intevation et g10 Code](https://gpg4win.org/impressum.html). Il comprend [divers outils](https://gpg4win.org/about.html) qui peuvent vous aider à utiliser GPG sous Microsoft Windows. Le projet a été lancé et initialement [financé par](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) l'Office Fédéral allemand pour la Sécurité de l'Information (BSI) en 2005. + + [:octicons-home-16: Page d'accueil](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Code source" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note "À noter" + + Nous suggérons [Canary Mail](email-clients.md#canary-mail) pour utiliser PGP avec les e-mails sur les appareils iOS. + +!!! recommendation + + ![Logo de GPG Suite](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** fournit un support OpenPGP pour [Courrier Apple](email-clients.md#apple-mail) et macOS. + + Nous vous recommandons de consulter leurs [Premiers pas](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) et leur [Base de connaissances](https://gpgtools.tenderapp.com/kb) pour obtenir de l'aide. + + [:octicons-home-16: Page d'accueil](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![Logo OpenKeychain](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** est une implémentation Android de GnuPG. Elle est généralement requise par les clients de messagerie comme [K-9 Mail](email-clients.md#k-9-mail) et [FairEmail](email-clients.md#fairemail) et d'autres applications Android pour fournir la prise en charge du chiffrement. Cure53 a réalisé un [audit de sécurité](https://www.openkeychain.org/openkeychain-3-6) d'OpenKeychain 3.6 en octobre 2015. Les détails techniques concernant l'audit et les solutions d'OpenKeychain peuvent être trouvés [ici](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Page d'accueil](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Qualifications minimales + +- Les applications de chiffrement multiplateforme doivent être open-source. +- Les applications de chiffrement de fichiers doivent prendre en charge le déchiffrement sur Linux, macOS et Windows. +- Les applications de chiffrement de disques externes doivent prendre en charge le déchiffrement sur Linux, macOS et Windows. +- Les applications de chiffrement de disques internes (OS) doivent être multiplateforme ou intégrées nativement au système d'exploitation. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Les applications de chiffrement du système d'exploitation (FDE) devraient utiliser une sécurité matérielle telle qu'un TPM ou Secure Enclave. +- Les applications de chiffrement de fichiers doivent bénéficier d'une prise en charge native ou tierce pour les plateformes mobiles. diff --git a/i18n/fr/file-sharing.md b/i18n/fr/file-sharing.md new file mode 100644 index 00000000..35afc507 --- /dev/null +++ b/i18n/fr/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "Partage et synchronisation de fichiers" +icon: material/share-variant +description: Découvrez comment partager vos fichiers en toute confidentialité entre vos appareils, avec vos amis et votre famille, ou de manière anonyme en ligne. +--- + +Découvrez comment partager vos fichiers en toute confidentialité entre vos appareils, avec vos amis et votre famille, ou de manière anonyme en ligne. + +## Partage de fichiers + +### Send + +!!! recommendation + + ![Logo de Send](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** est un fork du service Firefox Send de Mozilla, qui a été abandonné, et qui vous permet d'envoyer des fichiers à d'autres personnes à l'aide d'un lien. Les fichiers sont chiffrés sur votre appareil afin qu'ils ne puissent pas être lus par le serveur, et ils peuvent également être protégés par un mot de passe. Le responsable de Send héberge une [instance publique](https://send.vis.ee/). Vous pouvez utiliser d'autres instances publiques, ou vous pouvez héberger Send vous-même. + + [:octicons-home-16: Page d'accueil](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Instances publiques"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribuer } + +Send peut être utilisé via son interface web ou via le CLI [ffsend](https://github.com/timvisee/ffsend) . Si vous êtes familier avec la ligne de commande et que vous envoyez fréquemment des fichiers, nous vous recommandons d'utiliser le client CLI pour éviter le chiffrement basé sur JavaScript. Vous pouvez spécifier le flag `--host` pour utiliser un serveur spécifique : + +```bash +ffsend upload --host https://send.vis.ee/ FICHIER +``` + +### OnionShare + +!!! recommendation + + ![Logo OnionShare](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** est un outil open-source qui vous permet de partager de manière sécurisée et anonyme un fichier de n'importe quelle taille. Il fonctionne en démarrant un serveur web accessible en tant que service oignon Tor, avec une URL non devinable que vous pouvez partager avec les destinataires pour télécharger ou envoyer des fichiers. + + [:octicons-home-16: Page d'accueil](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Service onion" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Ne doit pas stocker des données déchiffrées sur un serveur distant. +- Doit être un logiciel open source. +- Doit avoir soit des clients pour Linux, macOS et Windows, soit une interface web. + +## FreedomBox + +!!! recommendation + + ![Logo FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** est un système d'exploitation conçu pour être exécuté sur un [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). L'objectif est de faciliter la mise en place d'applications serveur que vous pourriez vouloir auto-héberger. + + [:octicons-home-16: Page d'accueil](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Code source" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribuer } + +## Synchronisation de fichiers + +### Nextcloud (Client-Serveur) + +!!! recommendation + + ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** est une suite de logiciels client-serveur gratuits et open-source permettant de créer vos propres services d'hébergement de fichiers sur un serveur privé que vous contrôlez. + + [:octicons-home-16: Page d'accueil](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Code source" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Danger" + + Nous ne recommandons pas l'utilisation de [l'application E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) pour Nextcloud car elle peut entraîner une perte de données ; elle est hautement expérimentale et n'est pas de qualité de production. + +### Syncthing (P2P) + +!!! recommendation + + ![Logo de Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** est un utilitaire open-source de synchronisation continue de fichiers de pair à pair. Il est utilisé pour synchroniser des fichiers entre deux ou plusieurs appareils via le réseau local ou internet. Syncthing n'utilise pas de serveur centralisé ; il utilise le [Protocole d'Échange de Blocs](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) pour transférer les données entre appareils. Toutes les données sont chiffrées à l'aide de TLS. + + [:octicons-home-16: Page d'accueil](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Code source" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +#### Exigences minimales + +- Ne doit pas nécessiter un serveur distant/cloud tiers. +- Doit être un logiciel open source. +- Doit avoir soit des clients pour Linux, macOS et Windows, soit une interface web. + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Dispose de clients mobiles pour iOS et Android, qui permettent au moins de prévisualiser les documents. +- Prend en charge la sauvegarde des photos à partir d'iOS et d'Android et, en option, la synchronisation des fichiers/dossiers sur Android. diff --git a/i18n/fr/financial-services.md b/i18n/fr/financial-services.md new file mode 100644 index 00000000..cd0982af --- /dev/null +++ b/i18n/fr/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Services financiers +icon: material/bank +--- + +Effectuer des paiements en ligne est l'un des plus grands défis en matière de protection de la vie privée. Ces services peuvent vous aider à protéger votre vie privée contre les marchands et autres traqueurs, à condition que vous ayez une bonne compréhension de la façon d'effectuer des paiements privés de manière efficace. Nous vous encourageons vivement à lire notre article sur les paiements avant d'effectuer tout achat : + +[Effectuer des paiements privés :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Services de masquage des paiements + +Il existe un certain nombre de services qui fournissent des "cartes de débit virtuelles" que vous pouvez utiliser avec les commerçants en ligne sans révéler vos informations bancaires ou de facturation réelles dans la plupart des cas. Il est important de noter que ces services financiers ne sont **pas** anonymes et qu'ils sont soumis aux lois relatives à la connaissance du client (KYC) et peuvent nécessiter une pièce d'identité ou d'autres informations d'identification. Ces services sont principalement utiles pour vous protéger contre les fuites de données des commerçants, le pistage peu sophistiqué ou la corrélation des achats par les agences de marketing, et le vol de données en ligne ; et **non pas** pour effectuer un achat de manière totalement anonyme. + +!!! tip "Vérifiez votre banque" + + De nombreuses banques et fournisseurs de cartes de crédit proposent une fonctionnalité native de carte virtuelle. Si vous en utilisez une qui offre déjà cette option, vous devriez, dans la plupart des cas, l'utiliser plutôt que de suivre les recommandations suivantes. De cette manière, vous ne confiez pas vos informations personnelles à plusieurs personnes. + +### Privacy.com (États-Unis) + +!!! recommendation + + ![logo Privacy.com](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![logo Privacy.com](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + L'offre gratuite de **Privacy.com** vous permet de créer jusqu'à 12 cartes virtuelles par mois, de fixer des limites de dépenses pour ces cartes et de les arrêter instantanément. Son offre payante vous permet de créer jusqu'à 36 cartes par mois, d'obtenir 1 % de remise en argent sur vos achats et de masquer les informations relatives aux transactions à votre banque. + + [:octicons-home-16: Page d'accueil](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com transmet par défaut à votre banque des informations sur les commerçants auprès desquels vous effectuez des achats. La fonction payante "marchands discrets" cache les informations relatives aux marchands à votre banque, de sorte que votre banque voit seulement qu'un achat a été effectué auprès de Privacy.com, mais pas où l'argent a été dépensé, mais ce n'est pas infaillible et, bien sûr, Privacy.com a toujours connaissance des marchands auprès desquels vous dépensez de l'argent. + +### MySudo (États-Unis, payant) + +!!! recommendation + + ![logo MySudo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![logo MySudo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** fournit jusqu'à 9 cartes virtuelles en fonction de l'offre que vous prenez. Leurs offres payantes comprennent en outre des fonctionnalités qui peuvent être utiles pour effectuer des achats de façon privée, telles que des numéros de téléphone et des adresses email virtuels, bien que nous recommandions généralement d'autres [fournisseurs d'alias d'email](email.md) pour une utilisation plus poussée des alias d'email. + + [:octicons-home-16: Page d'accueil](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Permet de créer plusieurs cartes qui servent de bouclier entre le commerçant et vos finances personnelles. +- Les cartes ne doivent pas vous obliger à fournir au commerçant des informations exactes sur l'adresse de facturation. + +## Marchés de cartes-cadeaux + +Ces services vous permettent d'acheter des cartes-cadeaux pour une variété de marchands en ligne avec de la [crypto-monnaie](cryptocurrency.md). Certains de ces services proposent des options de vérification d'identité pour des limites plus élevées, mais ils permettent également d'ouvrir des comptes avec une simple adresse email. Les limites de base commencent généralement à 5 000 - 10 000 $ par jour pour les comptes de base, et des limites nettement plus élevées sont proposées pour les comptes à identité vérifiée (le cas échéant). + +### Cake Pay + +!!! recommendation + + ![Logo CakePay](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** vous permet d'acheter des cartes-cadeaux et des produits connexes avec du Monero. Les achats auprès de commerçants américains sont disponibles dans l'application mobile Cake Wallet, tandis que l'application web Cake Pay comprend une large sélection de commerçants internationaux. + + [:octicons-home-16: Page d'accueil](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![Logo CakePay](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (disponible aux États-Unis, au Canada et au Royaume-Uni) vous permet d'acheter des cartes-cadeaux auprès d'un grand nombre de commerçants. + + [:octicons-home-16: Page d'accueil](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Accepte les paiements dans [une crypto-monnaie recommandée](cryptocurrency.md). +- Pas d'obligation d'identification. diff --git a/i18n/fr/frontends.md b/i18n/fr/frontends.md new file mode 100644 index 00000000..1e24dce2 --- /dev/null +++ b/i18n/fr/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Clients applicatifs" +icon: material/flip-to-front +description: Ces clients applicatifs open source pour divers services internet vous permettent d'accéder au contenu sans JavaScript ou d'autres inconvénients. +--- + +Parfois, des services tentent de vous obliger à créer un compte en bloquant l'accès au contenu par des fenêtres pop-up gênantes. Ils peuvent également ne pas fonctionner sans JavaScript activé. Ces interfaces client peuvent vous permettre de contourner ces restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Logo Librarian](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Logo Librarian](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** est une interface client web gratuite et open source pour le réseau de partage vidéo [Odysee](https://odysee.com/) (LBRY) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Page d'accueil](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning "Avertissement" + + Par défaut Librarian n'utilise pas de proxy pour les flux vidéo. Les vidéos regardées via Librarian feront toujours l'objet de connexions directes aux serveurs d'Odysee (par exemple `odycdn.com`) ; cependant, certaines instances peuvent activer le proxy, ce qui serait détaillé dans la politique de confidentialité de l'instance. + +!!! tip "Conseil" + + Librarian est utile si vous voulez regarder du contenu LBRY sur votre mobile sans télémétrie obligatoire et si vous voulez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [le navigateur Tor](https://www.torproject.org/) au niveau de sécurité Le plus sûr. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Librarian, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Librarian, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances Librarian peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. Les instances Librarian comportent une "étiquette nutritionnelle de confidentialité" pour donner un aperçu de leur politique. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## Twitter + +### Nitter + +!!! recommendation + + ![Logo Nitter](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** est un frontal libre et open-source pour [Twitter](https://twitter.com) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Dépôt](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribuer } + +!!! tip "Conseil" + + Nitter est utile si vous souhaitez naviguer sur le contenu de Twitter sans avoir à vous connecter et si vous souhaitez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [Tor Browser](https://www.torproject.org/) au niveau de sécurité le plus sûr. Il vous permet également de [créer des flux RSS pour Twitter] (news-aggregators.md#twitter). + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Nitter, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Nitter, assurez-vous de lire la politique de confidentialité de cette instance spécifique. Les instances Nitter peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique par défaut. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![Logo ProxiTok](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** est une interface client open source du site [TikTok](https://www.tiktok.com) qui est également auto-hébergeable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-repo-16: Dépôt](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Code Source" } + +!!! tip "Conseil" + + ProxiTok est utile si vous souhaitez désactiver JavaScript dans votre navigateur, comme avec le [Navigateur Tor](https://www.torproject.org/) sur le niveau de sécurité Le plus sûr. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez ProxiTok, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de ProxiTok, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances ProxiTok peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +## YouTube + +### FreeTube + +!!! recommendation + + ![Logo FreeTube](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** est une application de bureau gratuite et open-source pour [YouTube](https://youtube.com). Lorsque vous utilisez FreeTube, votre liste d'abonnement et vos listes de lecture sont enregistrées localement sur votre appareil. + + Par défaut, FreeTube bloque toutes les publicités YouTube. En outre, FreeTube intègre en option [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments de vidéos sponsorisées. + + [:octicons-home-16: Page d'accueil](https://freetubeapp.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://docs.freetubeapp.io){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Code Source" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning "Avertissement" + + Lorsque vous utilisez FreeTube, votre adresse IP peut encore être connue de YouTube, [Invidious](https://instances.invidious.io) ou [SponsorBlock](https://sponsor.ajay.app/) selon votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +### Yattee + +!!! recommendation + + ![Logo Yattee](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** est un lecteur vidéo gratuit et open-source orienté vie privée pour iOS, tvOS et macOS pour [YouTube](https://youtube.com). Lorsque vous utilisez Yattee, votre liste d'abonnement est enregistrée localement sur votre appareil. + + Vous devrez suivre quelques [étapes supplémentaires](https://gonzoknows.com/posts/Yattee/) avant de pouvoir utiliser Yattee pour regarder YouTube, en raison des restrictions de l'App Store. + + [:octicons-home-16: Page d'accueil](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning "Avertissement" + + Lorsque vous utilisez Yattee, votre adresse IP peut encore être connue de YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) ou [SponsorBlock](https://sponsor.ajay.app/) selon votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +Par défaut, Yattee bloque toutes les publicités YouTube. En outre, Yattee s'intègre en option à [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments vidéo sponsorisés. + +### LibreTube (Android) + +!!! recommendation + + ![Logo LibreTube](assets/img/frontends/libretube.svg#only-light){ align=right } + ![Logo LibreTube](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** est une application Android gratuite et open-source pour [YouTube](https://youtube.com) qui utilise l'API [Piped](#piped). + + LibreTube vous permet de stocker votre liste d'abonnement et vos listes de lecture localement sur votre appareil Android, ou dans un compte sur l'instance Piped de votre choix, ce qui vous permet d'y accéder de manière transparente sur d'autres appareils également. + + [:octicons-home-16: Homepage ](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning "Avertissement" + + Lorsque vous utilisez LibreTube, votre adresse IP sera visible par l'instance [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) que vous avez choisie et/ou [SponsorBlock](https://sponsor.ajay.app/) en fonction de votre configuration. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +Par défaut, LibreTube bloque toutes les publicités YouTube. En outre, Libretube utilise [SponsorBlock](https://sponsor.ajay.app) pour vous aider à sauter les segments vidéo sponsorisés. Vous pouvez configurer entièrement les types de segments que SponsorBlock va ignorer, ou le désactiver complètement. Il existe également un bouton sur le lecteur vidéo lui-même pour le désactiver pour une vidéo spécifique si vous le souhaitez. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Logo Newpipe](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** est une application Android gratuite et open-source pour [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), et [PeerTube](https://joinpeertube.org/) (1). + + Votre liste d'abonnement et vos listes de lecture sont enregistrées localement sur votre appareil Android. + + [:octicons-home-16: Homepage ](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Code source" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. L'instance par défaut est [FramaTube](https://framatube.org/), mais d'autres peuvent être ajoutées via **Paramètres** → **Contenu** → **Instances PeerTube** + +!!! warning "Avertissement" + + Lorsque vous utilisez NewPipe, votre adresse IP sera visible par les fournisseurs vidéo utilisés. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** est une interface gratuite et open-source pour [YouTube](https://youtube.com) qui est également auto-hébergable. + + Il existe un certain nombre d'instances publiques, dont certaines bénéficient de la prise en charge des services oignon [Tor](https://www.torproject.org). + + [:octicons-home-16: Homepage ](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Instances publiques"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribuer } + +!!! warning "Avertissement" + + Invidious n'utilise pas de proxy pour les flux vidéo par défaut. Les vidéos regardées via Invidious seront toujours connectées directement aux serveurs de Google (par exemple, `googlevideo.com`) ; cependant, certaines instances prennent en charge la vidéo par proxy : il suffit d'activer *Proxy videos* dans les paramètres des instances ou d'ajouter `&local=true` à l'URL. + +!!! tip "Conseil" + + Invidious est utile si vous souhaitez désactiver JavaScript dans votre navigateur, comme c'est le cas avec [le navigateur Tor](https://www.torproject.org/) au niveau de sécurité le plus sûr. Il ne garantit pas la vie privée en soi, et nous ne recommandons pas de vous connecter à un compte quelconque. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Invidious, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance d'Invidious, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances involontaires peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter leur politique de confidentialité associée. Dans certains cas, les adresses Tor .onion peuvent garantir une certaine confidentialité tant que les requêtes de recherche ne contiennent pas d'informations personnelles identifiables. + +### Piped + +!!! recommendation + + ![Logo Piped](assets/img/frontends/piped.svg){ align=right } + + **Piped** est une interface gratuite et open-source pour [YouTube](https://youtube.com) qui est également auto-hébergeable. + + Piped nécessite JavaScript pour fonctionner et il existe un certain nombre d'instances publiques. + + [:octicons-repo-16: Dépôt](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Instances Publiques"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Code Source" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribuer } + +!!! tip "Conseil" + + Piped est utile si vous souhaitez utiliser [SponsorBlock](https://sponsor.ajay.app) sans installer d'extension ou pour accéder à des contenus limités en âge sans compte. Il ne garantit pas la vie privée en soi, et nous ne recommandons pas de vous connecter à un compte quelconque. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devez faire attention à l'endroit et à la manière dont vous hébergez Piped, car l'utilisation par d'autres personnes sera liée à votre hébergement. + +Lorsque vous utilisez une instance de Piped, veillez à lire la politique de confidentialité de cette instance spécifique. Les instances Piped peuvent être modifiées par leurs propriétaires et peuvent donc ne pas refléter la politique de confidentialité qui leur est associée. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +Clients recommandés... + +- Doit être un logiciel open source. +- Doit être auto-hébergeable. +- Doit fournir toutes les fonctionnalités de base du site web accessibles aux utilisateurs anonymes. + +Nous ne prenons en compte que les clients des sites web qui sont... + +- Normalement non accessible sans JavaScript. diff --git a/i18n/fr/index.md b/i18n/fr/index.md new file mode 100644 index 00000000..bbb0ab52 --- /dev/null +++ b/i18n/fr/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.fr.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## En quoi ça me concerne ? + +##### « Je n'ai rien à cacher. Pourquoi devrais-je me soucier de ma vie privée? » + +Tout comme le droit au mariage mixte, le droit de vote des femmes, la liberté d'expression et bien d'autres, notre droit à la vie privée n'a pas toujours été respecté. Dans plusieurs dictatures, ce n'est toujours pas le cas. Nombreux sont nos ancêtres qui se sont battus pour notre droit à la vie privée. ==La vie privée est un droit humain inhérent à chacun d'entre nous== auquel nous avons droit sans discrimination. + +Il ne faut pas confondre la vie privée et le secret. Même si on sait ce qui se passe dans la salle de bain, vous fermez quand même la porte. C'est parce que vous voulez une vie privée, et non pas du secret. **Tout le monde** a quelque chose à protéger. La vie privée est quelque chose qui nous rend humains. + +[:material-target-account: Menaces courantes sur internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## Que dois-je faire ? + +##### Tout d'abord, vous devez établir un plan + +Essayer de protéger toutes vos données contre tout le monde, tout le temps, est peu pratique, coûteux et épuisant. Mais ne vous en faites pas ! La sécurité est un processus et, en anticipant, vous pouvez élaborer un plan qui vous convient. La sécurité ne concerne pas seulement les outils que vous utilisez ou les logiciels que vous téléchargez. Au contraire, elle commence par une compréhension des menaces uniques auxquelles vous êtes confrontés, et comment les atténuer. + +==Ce processus d'identification des menaces et de définition des contre-mesures est appelé la **modélisation des menaces**==, et constitue la base de tout bon plan de sécurité et de vie privée. + +[:material-book-outline: En savoir plus sur la modélisation des menaces](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## On a besoin de vous ! Voici comment vous pouvez vous impliquer + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Rejoignez notre forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Suivez-nous sur Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribuez à ce site web" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Aidez à traduire ce site" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Discutez avec nous sur Matrix" } +[:material-information-outline:](about/index.md){ title="En savoir plus sur nous" } +[:material-hand-coin-outline:](about/donate.md){ title="Soutenir le projet" } + +Il est important pour un site web comme Privacy Guides de toujours rester à jour. Nous avons besoin que notre public garde un œil sur les mises à jour logicielles des applications répertoriées sur notre site et suive l'actualité récente des fournisseurs que nous recommandons. Internet évolue à une vitesse telle, qu'il est difficile de suivre le rythme, mais nous faisons de notre mieux. Si vous repérez une erreur, que vous pensez qu'un fournisseur ne devrait pas figurer dans la liste, remarquez l'absence d'un fournisseur qualifié, pensez qu'un plugin de navigateur n'est plus le meilleur choix ou si vous découvrez tout autre problème, veuillez nous en informer. diff --git a/i18n/fr/kb-archive.md b/i18n/fr/kb-archive.md new file mode 100644 index 00000000..a5e91e87 --- /dev/null +++ b/i18n/fr/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: Archives +icon: material/archive +description: Certaines pages qui se trouvaient auparavant dans notre base de connaissances peuvent désormais être consultées sur notre blog. +--- + +# Pages déplacées vers le blog + +Certaines pages qui se trouvaient auparavant dans notre base de connaissances peuvent désormais être consultées sur notre blog : + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Renforcement de la configuration de Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Renforcement du système](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Sandboxing des applications](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Effacement sécurisé des données](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Intégration de la suppression des métadonnées](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Guide de configuration iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/fr/meta/brand.md b/i18n/fr/meta/brand.md new file mode 100644 index 00000000..9b129772 --- /dev/null +++ b/i18n/fr/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Consignes relatives à la marque +--- + +Le nom du site web est **Privacy Guides** et ne devrait **pas** être changé en : + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +Le nom du subreddit est **r/PrivacyGuides** ou **the Privacy Guides Subreddit**. + +D'autres directives relatives à l'image de marque sont disponibles à l'adresse [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Marque déposée + +"Privacy Guides" et le logo du bouclier sont des marques déposées appartenant à Jonah Aragon, l'utilisation illimitée est accordée au projet Privacy Guides. + +Sans renoncer à aucun de ses droits, Privacy Guides ne conseille pas les autres sur l'étendue de ses droits de propriété intellectuelle. Privacy Guides ne permet ni ne consent à aucune utilisation de ses marques déposées d'une manière qui est susceptible de causer une confusion en impliquant une association avec ou un parrainage par Privacy Guides. Si vous avez connaissance d'une telle utilisation, veuillez contacter Jonah Aragon à l'adresse jonah@privacyguides.org. Consultez votre conseiller juridique si vous avez des questions. diff --git a/i18n/fr/meta/git-recommendations.md b/i18n/fr/meta/git-recommendations.md new file mode 100644 index 00000000..93590d9c --- /dev/null +++ b/i18n/fr/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Recommandations Git +--- + +Si vous apportez des modifications à ce site web directement sur l'éditeur web de GitHub.com, vous ne devriez pas avoir à vous en soucier. Si vous développez localement et/ou êtes un éditeur du site web à long terme (qui devrait probablement développer localement !), tenez compte de ces recommandations. + +## Activer la signature de commit par clé SSH + +Vous pouvez utiliser une clé SSH existante pour la signature, ou [en créer une nouvelle](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configurez votre client Git pour signer les commits et les tags par défaut (supprimez `--global` pour ne signer par défaut que pour ce dépôt) : + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copiez votre clé publique SSH dans votre presse-papiers, par exemple : + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Définissez votre clé SSH pour la signature dans Git avec la commande suivante, en remplaçant la dernière chaîne entre guillemets par la clé publique dans votre presse-papiers : + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Assurez-vous que vous [ajoutez votre clé SSH à votre compte GitHub](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **en tant que clé de signature** (par opposition ou en plus qu'en tant que clé d'authentification). + +## Rebase on Git pull + +Utilisez `git pull --rebase` au lieu de `git pull` pour transférer les modifications de GitHub vers votre machine locale. De cette façon, vos modifications locales seront toujours "au dessus" des dernières modifications sur GitHub, et vous évitez les commits de merge (qui sont interdits dans ce dépôt). + +Vous pouvez définir cette option comme étant le comportement par défaut : + +``` +git config --global pull.rebase true +``` + +## Rebase depuis `main` avant de soumettre une PR + +Si vous travaillez sur votre propre branche, exécutez ces commandes avant de soumettre une PR : + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/fr/meta/uploading-images.md b/i18n/fr/meta/uploading-images.md new file mode 100644 index 00000000..fa2bf899 --- /dev/null +++ b/i18n/fr/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Envoi d'images +--- + +Voici quelques règles générales pour contribuer à Privacy Guides : + +## Images + +- Nous **préférons** des images SVG, mais si celles-ci n'existent pas, nous pouvons utiliser des images PNG + +Les logos d'entreprise ont une taille canvas de : + +- 128x128px +- 384x128px + +## Optimisation + +### PNG + +Utilisez le logiciel [OptiPNG](https://sourceforge.net/projects/optipng/) pour optimiser l'image PNG : + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) toutes les images SVG. + +Dans Inkscape : + +1. Fichier Enregistrer sous.. +2. Définir le type à SVG optimisé (*.svg) + +Dans l'onglet **Options** : + +- **Nombre de chiffres significatifs pour les coordonnées** > **5** +- [x] Activez **Raccourcir les valeurs de couleur** +- [x] Activez **Convertir les attributs CSS en attributs XML** +- [x] Activez **Réduire les groupes** +- [x] Activez **Créer des groupes pour des attributs similaires** +- [ ] Désactivez **Conserver les données de l'éditeur** +- [ ] Désactivez **Conserver les définitions non référencées** +- [x] Activez **Contourner les bugs du moteur de rendu** + +Dans l'onglet **Sortie SVG** sous **Options du document** : + +- [ ] Désactivez **Supprimer la déclaration XML** +- [x] Activez **Supprimer les métadonnées** +- [x] Activez **Supprimer les commentaires** +- [x] Activez **Images matricielles incorporées** +- [x] Activez **Activer le viewboxing** + +Dans le document **Sortie SVG** sous **Pretty-printing** : + +- [ ] Désactivez **Formatage de la sortie avec sauts de ligne et indentation** +- **Caractères d'indentation** > Sélectionnez **Espace** +- **Profondeur de l'indentation** > **1** +- [ ] Désactivez **Supprimer l'attribut "xml:space" de l'élément SVG racine** + +Dans l'onglet **identifiants** : + +- [x] Activez **Supprimer les identifiants inutilisés** +- [ ] Désactivez **Raccourcir les identifiants** +- **Préfixer les identifiants raccourcis avec** > `leave blank` +- [x] Activez **Préserver les identifiants créés manuellement ne se terminant pas par des chiffres** +- **Conserver les identifiants suivants** > `leave blank` +- **Préserver les identifiants commençant par** > `leave blank` + +#### Invite de commande + +La même chose peut être réalisée avec la commande [Scour](https://github.com/scour-project/scour) : + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/fr/meta/writing-style.md b/i18n/fr/meta/writing-style.md new file mode 100644 index 00000000..949175c4 --- /dev/null +++ b/i18n/fr/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Style d'écriture +--- + +Privacy Guides est rédigé en anglais américain, et vous devez vous référer aux directives de [style APA](https://apastyle.apa.org/style-grammar-guidelines/grammar) en cas de doute. + +En général, les [directives fédérales américaines en matière de langage clair](https://www.plainlanguage.gov/guidelines/) fournissent un bon aperçu de la manière d'écrire de façon claire et concise. Nous soulignons ci-dessous quelques notes importantes de ces directives. + +## Écrire pour notre public + +Le [public](https://www.plainlanguage.gov/guidelines/audience/) visé par Privacy Guides est principalement constitué d'adultes moyens, utilisant la technologie. Ne simplifiez pas le contenu comme si vous vous adressiez à une classe d'école primaire, mais n'abusez pas d'une terminologie compliquée concernant des concepts que l'utilisateur moyen d'un ordinateur ne connaît pas. + +### N'aborder que ce que les gens veulent savoir + +Les gens n'ont pas besoin d'articles trop complexes et peu pertinents pour eux. Déterminez ce que vous voulez que les gens accomplissent en écrivant un article, et n'incluez que ces détails. + +> Expliquez à votre public pourquoi le contenu est important pour lui. Dites : "Si vous voulez une bourse de recherche, voici ce que vous devez faire." Ou, "Si vous voulez exploiter le charbon fédéral, voici ce que vous devez savoir." Ou, "Si vous prévoyez un voyage au Rwanda, lisez ça d'abord." + +### S'adresser directement aux gens + +Nous écrivons *pour* une grande variété de personnes, mais nous écrivons *à* la personne qui le lit. Utilisez le "vous" pour vous adresser directement au lecteur. + +> Plus que toute autre technique, l'utilisation du "vous" attire les utilisateurs vers l'information et la rend pertinente pour eux. +> +> Lorsque vous utilisez le "vous" pour vous adresser aux utilisateurs, ceux-ci sont plus susceptibles de comprendre quelle est leur responsabilité. + +Source : [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Évitez les "utilisateurs" + +Évitez d'appeler les gens "utilisateurs", en faveur de "personnes", ou d'une description plus spécifique du groupe de personnes pour lequel vous écrivez. + +## Organiser le contenu + +L'organisation est clé. Le contenu doit aller de l'information la plus importante à l'information la moins importante, et utiliser les en-têtes autant que nécessaire pour séparer logiquement les différentes idées. + +- Limitez le document à environ cinq ou six sections. Les documents longs devraient probablement être divisés en pages séparées. +- Marquez les idées importantes avec **du gras** ou *de l'italique*. + +Source : [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Commencez par une phrase sujet + +> Si vous indiquez à votre lecteur le sujet qu'il va lire, il est moins susceptible de devoir relire votre paragraphe. Les titres sont utiles, mais ils ne suffisent pas. Établissez un contexte pour votre public avant de lui fournir les détails. +> +> Nous écrivons souvent de la même manière que nous pensons, en mettant nos prémisses en premier et ensuite notre conclusion. C'est peut-être la façon naturelle de développer des pensées, mais nous nous retrouvons avec la phrase sujet à la fin du paragraphe. Déplacez-la au début et laissez les utilisateurs savoir où vous allez. N'obligez pas les lecteurs à retenir un grand nombre d'informations dans leur tête avant d'en venir au fait. + +Source : [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choisissez vos mots avec soin + +> Les mots sont importants. Ils constituent les éléments de base de la communication écrite et orale. Ne compliquez pas les choses en utilisant du jargon, des termes techniques ou des abréviations que les gens ne comprendront pas. + +Nous devrions essayer d'éviter les abréviations dans la mesure du possible, mais la technologie est pleine d'abréviations. En général, il faut épeler l'abréviation/acronyme la première fois qu'elle est utilisée sur une page, et l'ajouter au fichier du glossaire des abréviations lorsqu'elle est utilisée à plusieurs reprises. + +> Kathy McGinty propose des instructions ironiques pour étoffer vos phrases simples et directes : +> +> > On ne peut échapper au fait qu'il est considéré comme très important de noter qu'un certain nombre d'études disponibles applicables ont ipso facto généralement identifié le fait que des emplois nocturnes supplémentaires appropriés pourraient généralement empêcher les adolescents mineurs de circuler sur les voies publiques pendant les heures de nuit, y compris, mais sans s'y limiter, avant minuit les soirs de semaine et/ou 2 heures du matin. Les week-ends. +> +> Et l'original, en utilisant des mots plus forts et plus simples : +> +> > La multiplication des emplois de nuit éloignerait les jeunes de la rue. + +## Soyez concis + +> Les mots inutiles font perdre du temps à votre public. Une bonne écriture est comme une conversation. Omettez les informations que le public n'a pas besoin de connaître. Cela peut s'avérer difficile pour un expert en la matière. Il est donc important que quelqu'un examine les informations du point de vue du public. + +Source : [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Garder le texte conversationnel + +> Les verbes sont le carburant de l'écriture. Ils donnent à vos phrases un pouvoir et une direction. Ils animent vos écrits et les rendent plus intéressants. +> +> Les verbes indiquent à votre public ce qu'il doit faire. Ils veillent à ce que la répartition des tâches soit claire. + +### Utilisez la voix active + +> La voix active indique clairement qui est censé faire quoi. Il élimine toute ambiguïté quant aux responsabilités. Pas "Il faut le faire", mais "Vous devez le faire" + +Source : [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Utilisez "doit" pour les exigences + +> - "doit" pour une obligation +> - "ne doit pas" pour une interdiction +> - "peut" pour une action discrétionnaire +> - "devrait" pour une recommandation diff --git a/i18n/fr/mobile-browsers.md b/i18n/fr/mobile-browsers.md new file mode 100644 index 00000000..3890e77f --- /dev/null +++ b/i18n/fr/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Navigateurs mobiles" +icon: material/cellphone-information +description: Ces navigateurs sont ceux que nous recommandons actuellement pour la navigation internet standard/non anonyme sur votre téléphone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Il s'agit des navigateurs web mobiles et des configurations que nous recommandons actuellement. Si vous avez besoin de naviguer anonymement sur Internet, vous devriez plutôt utiliser [Tor](tor.md). D'une manière générale, nous vous recommandons de limiter au maximum les extensions ; elles ont un accès privilégié dans votre navigateur, vous obligent à faire confiance au développeur, peuvent vous faire sortir du lot [](https://fr.wikipedia.org/wiki/Empreinte_digitale_d%27appareil), et [affaiblissent l'isolation du site](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) . + +## Android + +Sur Android, Firefox est toujours moins sûr que les alternatives basées sur Chromium : Le moteur de Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), doit encore prendre en charge [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ou activer [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Logo Brave](assets/img/browsers/brave.svg){ align=right } + + **Le navigateur Brave** comprend un bloqueur de contenu intégré et des [fonctions de confidentialité](https://brave.com/privacy-features/), dont la plupart sont activées par défaut. + + Brave est basé sur le projet de navigateur Web Chromium. Il devrait donc vous être familier et présenter un minimum de problèmes de compatibilité avec les sites Web. + + [:octicons-home-16: Page d'accueil](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Code source" } + + ??? downloads annotate "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Configuration recommandée + +Le navigateur Tor est le seul moyen de vraiment naviguer anonymement sur Internet. Lorsque vous utilisez Brave, nous vous recommandons de modifier les paramètres suivants afin de protéger votre vie privée de certains tiers, mais tous les navigateurs autres que le [Navigateur Tor](tor.md#tor-browser) seront traçables par *quelqu'un* d'une manière ou d'une autre. + +Ces options se trouvent dans :material-menu: → **Paramètres** → **Brave Shields & confidentialité** + +##### Shields + +Brave inclut certaines mesures contre la prise d'empreinte numérique dans sa fonction [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Nous vous suggérons de configurer ces options [de manière globale](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) sur toutes les pages que vous visitez. + +##### Les valeurs par défaut de Brave Shields + +Les options Shields peuvent être réduites par site selon les besoins, mais par défaut, nous recommandons de définir les paramètres suivants: + +
+ +- [x] Sélectionnez **Agressif** sous Bloquer les balises & pubs + + ??? warning "Utiliser les listes de filtres par défaut" + Brave vous permet de sélectionner des filtres de contenu supplémentaires dans la page interne `brave://adblock`. Nous vous déconseillons d'utiliser cette fonctionnalité ; conservez plutôt les listes de filtres par défaut. L'utilisation de listes supplémentaires vous distinguera des autres utilisateurs de Brave et peut également augmenter la surface d'attaque s'il y a une faille dans Brave et qu'une règle malveillante est ajoutée à l'une des listes que vous utilisez. + +- [x] Sélectionnez **Mettre à niveau les connexions vers HTTPS** +- [x] Sélectionnez **Toujours utiliser des connexions sécurisées** +- [x] (Facultatif) Sélectionnez **Bloquer les scripts** (1) +- [x] Sélectionnez **Strict, peut casser les sites** sous **Bloquer les empreintes numériques** + +
+ +1. Cette option fournit une fonctionnalité similaire aux [modes de blocage](https://github.com/gorhill/uBlock/wiki/Blocking-mode) avancés de uBlock Origin ou l'extension [NoScript](https://noscript.net/). + +##### Effacer les données de navigation + +- [x] Sélectionner **Effacer les données en quittant** + +##### Blocage des Réseaux Sociaux + +- [ ] Décochez toutes les fonctionnalités de médias sociaux + +##### Autres paramètres de confidentialité + +
+ +- [x] Sélectionnez **Désactiver l'UDP pas en proxy** sous [Politique de gestion des adresses IP WebRTC](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Décochez **Autoriser les sites à vérifier si vous avez enregistré des modes de paiement** +- [ ] Décochez **Passerelle IPFS** (1) +- [x] Sélectionnez **Fermer les onglets à la sortie** +- [ ] Décochez **Autoriser les analyses de produits préservant la vie privée (P3A)** +- [ ] Décochez **Envoyer automatiquement des rapports de diagnostic** +- [ ] Décochez **Envoyer automatiquement un ping d'utilisation quotidienne à Brave** + +
+ +1. InterPlanetary File System (IPFS) est un réseau décentralisé, de pair à pair, permettant de stocker et de partager des données dans un système de fichiers distribué. À moins que vous n'utilisiez cette fonctionnalité, désactivez-la. + +#### Synchronisation Brave + +La [Synchronisation Brave](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permet à vos données de navigation (historique, signets, etc.) d'être accessibles sur tous vos appareils sans nécessiter de compte et les protège avec E2EE. + +## iOS + +Sur iOS, toute application capable de naviguer sur le web est [](https://developer.apple.com/app-store/review/guidelines) limitée à l'utilisation du cadre WebKit [fourni par Apple](https://developer.apple.com/documentation/webkit), de sorte qu'il y a peu de raisons d'utiliser un navigateur web tiers. + +### Safari + +!!! recommendation + + ![Logo Safari](assets/img/browsers/safari.svg){ align=right } + + **Safari** est le navigateur par défaut dans iOS. Il comprend des [fonctions de confidentialité](https://support.apple.com/fr-fr/guide/iphone/iphb01fc3c85/15.0/ios/15.0) telles que la Protection Intelligente contre le Pistage, le Rapport de Confidentialité, les Onglets de Navigation Privée isolés, le Relais Privé iCloud et les mises à niveau HTTPS automatiques. + + [:octicons-home-16: Page d'accueil](https://www.apple.com/fr/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/fr/safari/){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://support.apple.com/fr-fr/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Configuration recommandée + +Ces options se trouvent dans :gear: **Paramètres** → **Safari** → **Confidentialité et sécurité**. + +##### Prévention du Pistage Intersite + +- [x] Activer **Empêcher le Pistage Intersite** + +Cela active la [Protection Intelligente contre le Pistage](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) de WebKit. Cette fonction permet de se protéger contre les pistages non désirés en utilisant un apprentissage machine sur l'appareil pour arrêter les traqueurs. ITP protège contre de nombreuses menaces courantes, mais il ne bloque pas toutes les voies de pistage, car il est conçu pour ne pas interférer avec la convivialité des sites Web. + +##### Rapport de Confidentialité + +Le Rapport de Confidentialité donne un aperçu des traqueurs intersites qui sont actuellement bloqués sur le site Web que vous visitez et ne peuvent pas vous profiler. Il peut également afficher un rapport hebdomadaire pour montrer quels traqueurs ont été bloqués au fil du temps. + +Le Rapport de Confidentialité est accessible via le menu Paramètres de Page. + +##### Mesure Publicitaire Préservant la vie privée + +- [ ] Désactiver **Mesure Publicitaire Préservant la vie privée** + +La mesure des clics publicitaires a traditionnellement utilisé une technologie de suivi qui porte atteinte à la vie privée des utilisateurs. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) est une fonctionnalité de WebKit et une proposition de norme web visant à permettre aux annonceurs de mesurer l'efficacité des campagnes web sans compromettre la confidentialité des utilisateurs. + +Cette fonction ne pose que peu de problèmes de confidentialité en soi, et même si vous pouvez choisir de la laisser activée, nous considérons que le fait qu'elle soit automatiquement désactivée en Navigation Privée est un indicateur pour la désactiver. + +##### Navigation Privée Permanente + +Ouvrez Safari et appuyez sur le bouton Onglets, situé en bas à droite. Ensuite, développez la liste des Groupes d'Onglets. + +- [x] Sélectionner **Privé** + +Le mode de Navigation Privée de Safari offre des protections supplémentaires en matière de confidentialité. La Navigation Privée utilise une nouvelle session [éphémère](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) pour chaque onglet, ce qui signifie que les onglets sont isolés les uns des autres. La Navigation Privée présente également d'autres avantages mineurs en matière de protection de la vie privée, comme le fait de ne pas envoyer l'adresse d'une page web à Apple lors de l'utilisation de la fonction de traduction de Safari. + +Notez que la Navigation Privée n'enregistre pas les cookies et les données des sites web. Il ne sera donc pas possible de rester connecté aux sites. Cela peut être un inconvénient. + +##### Synchronisation iCloud + +La synchronisation de l'Historique de Safari, des Groupes d'Onglets, des Onglets iCloud et des mots de passe enregistrés est E2EE. Cependant, les signets ne le sont [pas](https://support.apple.com/fr-fr/HT202303). Apple peut les déchiffrer et y accéder conformément à sa [politique de confidentialité](https://www.apple.com/fr/legal/privacy/fr-ww/). + +Si vous utilisez iCloud, nous vous recommandons également de vérifier que l'emplacement de téléchargement par défaut de Safari est défini sur "localement sur votre appareil". Accédez à votre **nom d'identifiant Apple → iCloud → Protection Avancée des Données**. + +- [x] Activez **Protection Avancée des Données** + +Si vous utilisez iCloud avec la Protection Avancée des Données désactivée, nous vous recommandons également de vérifier que l'emplacement de téléchargement par défaut de Safari est défini sur localement sur votre appareil. Cette option se trouve dans :gear: **Paramètres** → **Safari** → **Général** → **Téléchargements**. + +### AdGuard + +!!! recommendation + + ![Logo AdGuard](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard pour iOS** est une extension gratuite et open-source de blocage de contenu pour Safari qui utilise nativement le [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard pour iOS dispose de quelques fonctions payantes, mais le blocage standard du contenu de Safari est gratuit. + + [:octicons-home-16: Page d'accueil](https://adguard.com/fr/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/fr/privacy/ios.html){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Code Source" } + + ??? downloads "Téléchargements" + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Les listes de filtres supplémentaires ralentissent la navigation et peuvent augmenter votre surface d'attaque. N'appliquez donc que ce dont vous avez besoin. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Exigences minimales + +- Doit prendre en charge les mises à jour automatiques. +- Doit recevoir les mises à jour du moteur dans un délai de 1 jour à partir de la publication en amont. +- Les modifications nécessaires pour rendre le navigateur plus respectueux de la vie privée ne devraient pas avoir d'impact négatif sur l'expérience des utilisateurs. +- Les navigateurs Android doivent utiliser le moteur Chromium. + - Malheureusement, Mozilla GeckoView est toujours moins sécurisé que Chromium sur Android. + - Les navigateurs iOS sont limités à WebKit. + +### Critères d'extension + +- Ne doit pas dupliquer une fonctionnalité intégrée dans le navigateur ou dans le système d'exploitation. +- Doit avoir un impact direct sur la vie privée des utilisateurs, c'est-à-dire qu'il ne doit pas simplement fournir des informations. diff --git a/i18n/fr/multi-factor-authentication.md b/i18n/fr/multi-factor-authentication.md new file mode 100644 index 00000000..6de452b8 --- /dev/null +++ b/i18n/fr/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Outils d'authentification multi-facteurs" +icon: 'material/two-factor-authentication' +description: Ces outils vous aident à sécuriser vos comptes internet grâce à l'authentification multifactorielle sans transmettre vos secrets à un tiers. +--- + +## Clés de sécurité matérielles + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + Les **YubiKeys** font partie des clés de sécurité les plus populaires. Certains modèles de YubiKey disposent d'un large éventail de fonctionnalités telles que : [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP et HOTP](https://developers.yubico.com/OATH). + + L'un des avantages de la YubiKey est qu'une seule clé peut faire presque tout (YubiKey 5) ce que vous pouvez attendre d'une clé de sécurité matérielle. Nous vous encourageons à faire le [quiz](https://www.yubico.com/quiz/) avant d'acheter afin d'être sûr de faire le bon choix. + + [:octicons-home-16: Page d'accueil](https://www.yubico.com/?lang=fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +Le [tableau de comparaison](https://www.yubico.com/store/compare/) montre les fonctionnalités de chaque YubiKeys et leurs différences. Nous vous recommandons vivement de choisir des clés de la série YubiKey 5. + +Les YubiKeys peuvent être programmées à l'aide du [Gestionnaire YubiKey](https://www.yubico.com/support/download/yubikey-manager/) ou de l'[Outil de Personnalisation YubiKey](https://www.yubico.com/support/download/yubikey-personalization-tools/). Pour gérer les codes TOTP, vous pouvez utiliser le [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). Tous les clients de Yubico sont open source. + +Pour les modèles qui supportent HOTP et TOTP, il y a 2 emplacements dans l'interface OTP qui peuvent être utilisés pour HOTP et 32 emplacements pour stocker les secrets TOTP. Ces secrets sont stockés et chiffrés sur la clé et ne sont jamais exposés aux appareils sur lesquels elle est branchée. Une fois qu'une graine (secret partagé) est donnée à l'authentificateur Yubico, celui-ci ne donnera que les codes à six chiffres, mais jamais la graine. Ce modèle de sécurité permet de limiter ce qu'un attaquant peut faire s'il compromet l'un des appareils exécutant le Yubico Authenticator et rend la YubiKey résistante à un attaquant physique. + +!!! warning "Avertissement" + Le micrologiciel des YubiKeys n'est pas open source et ne peut pas être mis à jour. Si vous souhaitez obtenir des fonctionnalités dans des versions plus récentes du firmware, ou si la version du firmware que vous utilisez présente une vulnérabilité, vous devrez acheter une nouvelle clé. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** possède une clé de sécurité qui prend en charge [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) appelée la **Nitrokey FIDO2**. Pour la prise en charge de PGP, vous devez acheter l'une de leurs autres clés comme la **Nitrokey Start**, la **Nitrokey Pro 2** ou la **Nitrokey Storage 2**. + + [:octicons-home-16: Page d'accueil](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +Le [tableau de comparaison](https://www.nitrokey.com/#comparison) montre les fonctionnalités de chaque Nitrokey et leurs différences. La **Nitrokey 3** répertoriée aura un ensemble de fonctionnalités combinées. + +Les modèles de Nitrokey peuvent être configurés à l'aide de l'[application Nitrokey](https://www.nitrokey.com/download). + +Pour les modèles qui supportent HOTP et TOTP, il y a 3 emplacements pour HOTP et 15 pour TOTP. Certaines Nitrokeys peuvent faire office de gestionnaire de mots de passe. Ils peuvent stocker 16 identifiants différents et les chiffrer en utilisant le même mot de passe que l'interface OpenPGP. + +!!! warning "Avertissement" + + Bien que les Nitrokeys ne divulguent pas les secrets HOTP/TOTP à l'appareil auquel ils sont connectés, le stockage HOTP et TOTP n'est **pas** chiffré et est vulnérable aux attaques physiques. Si vous cherchez à stocker ces secrets HOTP ou TOTP, nous vous recommandons vivement d'utiliser plutôt un Yubikey. + +!!! warning "Avertissement" + + La réinitialisation de l'interface OpenPGP sur une Nitrokey rendra également la base de données des mots de passe [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +La Nitrokey Pro 2, la Nitrokey Storage 2 et la Nitrokey 3 à venir prennent en charge la vérification de l'intégrité du système pour les ordinateurs portables dotés du micrologiciel [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) . + +Le micrologiciel de la Nitrokey est open-source, contrairement à la YubiKey. Le micrologiciel des modèles NitroKey modernes (à l'exception de la **NitroKey Pro 2**) peut être mis à jour. + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +#### Exigences minimales + +- Doit utiliser des modules de sécurité matériels de haute qualité et resistant aux attaques physiques. +- Doit prendre en charge la dernière spécification FIDO2. +- Ne doit pas permettre l'extraction de la clé privée. +- Les appareils qui coûtent plus de 35 $ doivent prendre en charge la gestion d'OpenPGP et de S/MIME. + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Devrait être disponible en format USB-C. +- Devrait être disponible avec NFC. +- Devrait prendre en charge le stockage de secrets de TOTP. +- Devrait prendre en charge les mises à jour sécurisées du micrologiciel. + +## Applications d'authentification + +Les applications d'authentification implémentent une norme de sécurité adoptée par l'Internet Engineering Task Force (IETF) appelée **Mots de Passe à Usage Unique Basé sur le Temps**, ou **Time based One Time Password (TOTP)**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs. + +Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt que des alternatives de bureau, car Android et IOS offrent une meilleure sécurité et une meilleure isolation des applications que la plupart des systèmes d'exploitation de bureau. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Logo Aegis](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** est une application gratuite, sécurisée et open source pour gérer les doubles authentifications de vos services en ligne. + + [:octicons-home-16: Page d'accueil](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Logo Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** est un client natif, léger et sécurisé pour gérer des mots de passe basés sur le temps (TOTP) & basés sur un compteur (HOTP) pour iOS. Raivo OTP offre une sauvegarde & une synchronisation iCloud optionnelle. Raivo OTP est également disponible pour macOS sous la forme d'une application de barre d'état, mais l'application Mac ne fonctionne pas indépendamment de l'application iOS. + + [:octicons-home-16: Page d'accueil](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Code source" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Le code source doit être accessible au public. +- Ne doit pas nécessiter de connexion à internet. +- Ne doit pas se synchroniser avec un service tiers de synchronisation/sauvegarde cloud. + - La prise en charge **facultative** de la synchronisation E2EE avec des outils natifs du système d'exploitation est acceptable, par exemple la synchronisation chiffrée via iCloud. diff --git a/i18n/fr/news-aggregators.md b/i18n/fr/news-aggregators.md new file mode 100644 index 00000000..ecbf72c6 --- /dev/null +++ b/i18n/fr/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "Agrégateurs d'actualités" +icon: material/rss +description: Ces clients agrégateurs d'actualités vous permettent de suivre vos blogs et sites d'information préférés en utilisant des normes internet telles que RSS. +--- + +Un [agrégateur d'actualités](https://en.wikipedia.org/wiki/News_aggregator) est un moyen de suivre vos blogs et sites d'actualités préférés. + +## Clients agrégateurs + +### Akregator + +!!! recommendation + + ![Logo Akregator](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** est un lecteur de flux d'actualités qui fait partie du projet [KDE](https://kde.org). Il est doté d'une fonction de recherche rapide, d'une fonctionnalité d'archivage avancée et d'un navigateur interne pour faciliter la lecture des actualités. + + [:octicons-home-16: Page d'accueil](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Code source" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Logo de Feeder](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** est un client RSS moderne pour Android qui possède de nombreuses [fonctionnalités](https://gitlab.com/spacecowboy/Feeder#features) et fonctionne bien avec des dossiers de flux RSS. Il prend en charge [RSS](https://fr.wikipedia.org/wiki/RSS), [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format), [RDF](https://fr.wikipedia.org/wiki/RDF/XML) et [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Dépôt](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Code source" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Logo de Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** est un agrégateur d'actualités multiplateforme sécurisé qui possède des fonctionnalités de confidentialité utiles telles que la suppression des cookies à la fermeture, des [politiques de sécurité du contenu (CSP)](ghttps://fr.wikipedia.org/wiki/Content_Security_Policy) strictes et un support proxy, ce qui signifie que vous pouvez l'utiliser en passant par[Tor](tor.md). + + [:octicons-home-16: Page d'accueil](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![Logo GNOME Feeds](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** est un lecteur d'actualités [RSS](https://fr.wikipedia.org/wiki/RSS) et [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format) pour [GNOME](https://www.gnome.org). Il possède une interface simple et est assez rapide. + + [:octicons-home-16: Page d'accueil](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Code source" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Logo Miniflux](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Logo Miniflux](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** est un agrégateur d'actualités basé sur le web que vous pouvez héberger vous-même. Il prend en charge [RSS](https://fr.wikipedia.org/wiki/RSS), [Atom](https://fr.wikipedia.org/wiki/Atom_Syndication_Format), [RDF](https://fr.wikipedia.org/wiki/RDF/XML) et [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Page d'accueil](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Code source" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribuer } + +### NetNewsWire + +!!! recommendation + + ![Logo NetNewsWire](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** est un lecteur de flux gratuit et open-source pour macOS et iOS qui met l'accent sur un design et des fonctionnalités natives. Il prend en charge les formats de flux habituels, ainsi que les flux Twitter et Reddit. + + [:octicons-home-16: Page d'accueil](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Logo Newsboat](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** est un lecteur de flux RSS/Atom pour les consoles texte. C'est un fork activement maintenu de [Newsbeuter](https://fr.wikipedia.org/wiki/Newsbeuter). Il est très léger et idéal pour une utilisation via [Secure Shell](https://fr.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Page d'accueil](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Code source" } + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit être un logiciel open source. +- Doit fonctionner localement, c'est-à-dire qu'il ne doit pas s'agir d'un service cloud. + +## Support RSS pour les médias sociaux + +Certains services de médias sociaux prennent également en charge le RSS, bien que cela ne soit pas souvent mis en avant. + +### Reddit + +Reddit prend également en charge l'abonnement via RSS. + +!!! example "Exemple" + Remplacez `nom_du_subbreddit` par le subreddit auquel vous souhaitez vous abonner. + + ```text + https://www.reddit.com/r/{{ nom_du_subbreddit }}/new/.rss + ``` + +### Twitter + +En utilisant l'une des [instances](https://github.com/zedeus/nitter/wiki/Instances) de Nitter vous pouvez facilement vous abonner en utilisant le RSS. + +!!! example "Exemple" + 1. Choisissez une instance et définissez `nitter_instance`. + 2. Remplacez `twitter_account` par le nom du compte. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Vous pouvez vous abonner aux chaînes YouTube sans vous connecter et sans associer des informations d'utilisation à votre compte Google. + +!!! example "Exemple" + + Pour s'abonner à une chaîne YouTube avec un client RSS, cherchez d'abord votre [code de chaîne](https://support.google.com/youtube/answer/6180214), remplacez `[CHANNEL ID]` ci-dessous : + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/fr/notebooks.md b/i18n/fr/notebooks.md new file mode 100644 index 00000000..a3ef7a22 --- /dev/null +++ b/i18n/fr/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Bloc-notes" +icon: material/notebook-edit-outline +description: Ces applications de prise de notes chiffrées vous permettent de garder une trace de vos notes sans les transmettre à un tiers. +--- + +Gardez une trace de vos notes et de vos journaux sans les donner à un tiers. + +Si vous utilisez actuellement une application comme Evernote, Google Keep, ou Microsoft OneNote, nous vous suggérons de choisir ici une alternative qui supporte l'E2EE. + +## Basé sur le cloud + +### Joplin + +!!! recommendation + + ![Logo Joplin](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** est une application gratuite, open-source et complète de prise de notes et de tâches à accomplir qui peut gérer un grand nombre de notes écrites en markdown organisées en carnets et en balises. Il offre E2EE et peut se synchroniser via Nextcloud, Dropbox, et plus encore. Il permet également d'importer facilement des notes d'Evernote et des notes en texte brut. + + [:octicons-home-16: Page d'accueil](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Code source" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin ne prend pas en charge la protection par mot de passe/PIN de [l'application elle-même ou des notes et cahiers individuels](https://github.com/laurent22/joplin/issues/289). Les données sont toujours chiffrées en transit et à l'emplacement de la synchronisation à l'aide de votre clé principale. Depuis janvier 2023, Joplin prend en charge le verrouillage biométrique des applications pour [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) et [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Logo de Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes est une application de notes simple et privée qui rend vos prises de notes faciles et disponibles partout où vous êtes. Il propose E2EE sur toutes les plateformes et une expérience de bureau puissante avec des thèmes et des éditeurs personnalisés. Il a également fait l'objet d'un [audit indépendant (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Page d'accueil](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Code source" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Logo Cryptee](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Logo Cryptee](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** est un éditeur de documents E2EE et une application de stockage de photos à code source ouvert, basés sur le web. Cryptee est une PWA, ce qui signifie qu'elle fonctionne de manière transparente sur tous les appareils modernes sans nécessiter d'applications natives pour chaque plate-forme respective. + + [:octicons-home-16: Page d'accueil](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offre 100 Mo de stockage gratuit, avec des options payantes si vous avez besoin de plus. L'inscription ne nécessite pas d'e-mail ou d'autres informations permettant d'identifier la personne. + +## Blocs-notes locaux + +### Org-mode + +!!! recommendation + + ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** est un [mode majeur](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) pour GNU Emacs. Org-mode permet de prendre des notes, de tenir à jour des listes TODO, de planifier des projets et de rédiger des documents à l'aide d'un système de texte brut rapide et efficace. La synchronisation est possible avec des outils de [synchronisation de fichiers](file-sharing.md#file-sync). + + [:octicons-home-16: Page d'accueil](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Code source" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribuer } + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Les clients doivent être open-source. +- Toute fonctionnalité de synchronisation cloud doit être E2EE. +- Doit permettre l'export de documents dans un format standard. + +### Dans le meilleur des cas + +- La fonctionnalité de sauvegarde/synchronisation locale doit prendre en charge le chiffrement. +- Les plateformes basées sur le cloud doivent permettre le partage de documents. diff --git a/i18n/fr/os/android-overview.md b/i18n/fr/os/android-overview.md new file mode 100644 index 00000000..39605b62 --- /dev/null +++ b/i18n/fr/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Introduction à Android +icon: simple/android +description: Android est un système d'exploitation open source doté de solides protections de sécurité, ce qui en fait notre premier choix pour les téléphones. +--- + +Android est un système d'exploitation sécurisé qui dispose d'un [sandboxing](https://source.android.com/security/app-sandbox) solide, du [Démarrage Vérifié](https://source.android.com/security/verifiedboot) (AVB), et d'un système de contrôle des [autorisations](https://developer.android.com/guide/topics/permissions/overview) robuste. + +## Choisir une distribution Android + +Lorsque vous achetez un téléphone Android, le système d'exploitation par défaut de l'appareil s'accompagne souvent d'une intégration envahissante des applications et des services qui ne font pas partie de l'[Android Open-Source Project](https://source.android.com/). C'est le cas par exemple de l'application Services Google Play, qui dispose de privilèges irrévocables pour accéder à vos fichiers, au stockage de vos contacts, aux journaux d'appels, aux SMS, à votre localisation, à votre appareil photo, à votre microphone, aux identifiants matériels, etc. Ces applications et ces services augmentent la surface d'attaque de votre appareil et sont à l'origine de divers problèmes d'invasion de la vie privée sur Android. + +Ce problème pourrait être résolu en utilisant une distribution Android qui n'est pas fournie avec une intégration de ces applications invasives. Malheureusement, de nombreuses distributions d'Android enfreignent souvent le modèle de sécurité d'Android en ne prenant pas en charge les fonctions de sécurité essentielles telles que l'AVB, le rollback protection, les mises à jour du firmware, etc. Certaines distributions fournissent également des builds [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) qui permettent le root via [ADB](https://developer.android.com/studio/command-line/adb) et nécessitent [des politiques SELinux plus permissives](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) pour prendre en compte les fonctionnalités de débogage, ce qui augmente encore plus la surface d'attaque et affaiblit grandement le modèle de sécurité. + +Idéalement, lorsque vous choisissez une distribution Android, vous devez vous assurer qu'elle respecte le modèle de sécurité Android. Au minimum, la distribution doit disposer de builds de production, d'un support pour AVB, d'une rollback protection, de mises à jour dans les meilleurs délais du firmware et du système d'exploitation, et de SELinux en [mode enforcing](https://source.android.com/security/selinux/concepts#enforcement_levels). Toutes les distributions Android que nous recommandons répondent à ces critères. + +[Nos recommandations de distributions Android :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Éviter le rootage + +[Le rootage](https://en.wikipedia.org/wiki/Rooting_(Android)) des téléphones Android peut diminuer la sécurité de manière significative car il affaiblit complétement le modèle de sécurité d'[Android](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Cela peut nuire à la protection de la vie privée en cas d'exploitation facilitée par la diminution de la sécurité. Les méthodes courantes de rootage impliquent une modification directe de la partition de démarrage, ce qui rend impossible l'exécution du Démarrage Vérifié. Les applications qui requièrent un Android rooté modifieront également la partition du système, ce qui signifie que le Démarrage Vérifié devra rester désactivé. Le fait que le root soit exposé directement dans l'interface utilisateur augmente également la [surface d'attaque](https://en.wikipedia.org/wiki/Attack_surface) de votre appareil et peut contribuer aux vulnérabilités [d'élévation de privilèges](https://en.wikipedia.org/wiki/Privilege_escalation) et aux contournements de la politique SELinux. + +Les bloqueurs de publicités, qui modifient le [fichier hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) et les pare-feu (AFWall+ ) qui requièrent un accès root de manière persistante sont dangereux et ne doivent pas être utilisés. Ils ne sont pas non plus la bonne façon de résoudre les problèmes auxquels ils sont destinés. Pour le blocage des publicités, nous suggérons plutôt des serveurs [DNS](../dns.md) chiffrés ou un [VPN](../vpn.md). RethinkDNS, TrackerControl et AdAway en mode non root occuperont l'emplacement VPN (afin de rediriger tout le trafic vers l'application), ce qui vous empêchera d'utiliser des vrais services améliorant votre vie privée tels qu'Orbot ou un vrai serveur VPN. + +AFWall+ fonctionne sur le [filtrage des paquets](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) et peut être contourné dans certaines situations. + +Nous ne pensons pas que les sacrifices de sécurité en rootant un smartphone valent les avantages discutables de ces applications en matière de vie privée. + +## Démarrage Vérifié + +Le [Démarrage Vérifié](https://source.android.com/security/verifiedboot) est un élément important du modèle de sécurité d'Android. Il fournit une protection contre les attaques de type [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), la persistance de logiciels malveillants et garantit que les mises à jour de sécurité ne peuvent pas être rétrogradées grâce au [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Les versions supérieures à Android 10 ont abandonné le chiffrement complet du disque au profit d'un chiffrement plus souple [basé sur les fichiers](https://source.android.com/security/encryption/file-based). Vos données sont chiffrées à l'aide de clés de chiffrement propres à chaque utilisateur, tandis que les fichiers du système d'exploitation ne sont pas chiffrés. + +Le Démarrage Vérifié garantit l'intégrité des fichiers du système d'exploitation, empêchant un adversaire disposant d'un accès physique d'altérer ou d'installer des logiciels malveillants sur l'appareil. Dans le cas improbable où un logiciel malveillant parviendrait à exploiter d'autres parties du système et à obtenir un accès privilégié, le Démarrage Vérifié empêchera et annulera toutes modifications apportées à la partition système lors du redémarrage de l'appareil. + +Malheureusement, les fabricants sont tenus de prendre uniquement en charge le Démarrage Vérifié que sur leurs distributions Android. Seuls quelques fabricants OEM, tels que Google, supportent l'enrolement de clés AVB personnalisées sur leurs appareils. De plus, certaines ROM dérivées d'AOSP tels que LineageOS ou /e/ OS ne prennent pas en charge le Démarrage Vérifié, même si le matériel peut le prendre en charge. Nous vous recommandons de vérifier le support de cette fonctionnalité **avant** d'acheter un nouvel appareil. Les dérivés d'AOSP qui ne prennent pas en charge le Démarrage Vérifié ne sont **pas** recommandés. + +De nombreux contructeurs ont également une implémentation défectueuse du Démarrage Vérifié dont vous devez être conscient au-delà de leur marketing. Par exemple, les Fairphone 3 et 4 ne sont pas sécurisés par défaut, car le [chargeur d'amorçage de base fait confiance à la clé de signature AVB publique](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Cela contourne le Démarrage Vérifié sur un appareil Fairphone d'origine, car le système démarrera des systèmes d'exploitation Android alternatifs tels que (comme /e/) [sans aucun avertissement](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sur l'utilisation d'un système d'exploitation personnalisé. + +## Mises à jour du micrologiciel + +Les mises à jour du micrologiciel sont essentielles au maintien de la sécurité. Sans elles, votre appareil ne peut être sécurisé. Les fabriquants ont conclu des accords de prise de en charge avec leurs partenaires pour fournir les mises à jour des composants closed-source pendant une période limitée. Celles-ci sont détaillées dans les [Bulletins de Sécurité Android](https://source.android.com/security/bulletin) mensuels. + +Comme les composants du téléphone, tels que le processeur et les technologies radio, reposent sur des composants closed-source, les mises à jour doivent être fournies par leur fabricants respectifs. Par conséquent, il est important que vous achetiez un appareil qui reçoit activement des mises à jours. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) et [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) prennent en charge leurs appareils pendant 4 ans, tandis que les produits moins chers ont souvent des cycles de mises à jour plus courts. Avec l'introduction du [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google fabrique maintenant son propre SoC et fournira un minimum de 5 ans de mises à jour. + +Les appareils qui ne sont plus pris en charge par le fabricant du SoC ne peuvent pas recevoir de mises à jour du micrologiciel de la part des fabricants ou des distributeurs. Cela signifie que les problèmes de sécurité de ces appareils ne seront pas corrigés. + +Fairphone, par exemple, commercialise ses appareils comme bénéficiant de 6 ans de mises à jour. Cependant, le SoC (Qualcomm Snapdragon 750G sur le Fairphone 4) a une date de fin de vie (EOL) beaucoup plus courte. Cela signifie que les mises à jour de sécurité du micrologiciel de Qualcomm pour le Fairphone 4 prendront fin en septembre 2023, que Fairphone continue ou non à publier des mises à jour de sécurité logicielle. + +## Versions d'Android + +Il est important de ne pas utiliser une version d'Android [en fin de vie](https://endoflife.date/android). Les nouvelles versions d'Android reçoivent non seulement des mises à jour de sécurité pour le système d'exploitation, mais aussi d'importantes mises à jour destinées à améliorer votre vie privée. Par exemple, [avant Android 10](https://developer.android.com/about/versions/10/privacy/changes), toute application disposant de l'autorisation [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) pouvait accéder aux numéros de série uniques et sensibles de votre téléphone, tels que l'[IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), le [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), et l'[IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity) de votre carte SIM, alors qu'aujourd'hui les applications soivent désormais être des des applications système pour lire ces données sensibles. Les applications système sont uniquement fournies par le fabricant ou la distribution Android. + +## Autorisations d'Android + +Les [autorisations sur Android](https://developer.android.com/guide/topics/permissions/overview) vous permettent de contrôler ce que les applications ont le droit d'accéder. Google apporte régulièrement des [améliorations](https://developer.android.com/about/versions/11/privacy/permissions) sur le système d'autorisations à chaque nouvelle version d'Android. Toutes les applications que vous installez sont strictement [isolées](https://source.android.com/security/app-sandbox), il n'est donc pas nécessaire d'installer des applications antivirus. + +Un smartphone équipé de la dernière version d'Android sera toujours plus sûr qu'un vieux smartphone équipé d'un antivirus que vous avez payé. Il est préférable de ne pas payer pour un logiciel antivirus et d'économiser pour acheter un nouveau smartphone, comme un Google Pixel. + +Android 10 : + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) vous donne plus de contrôle sur vos fichiers et peut limiter ce qui peut [accéder au stockage externe](https://developer.android.com/training/data-storage?hl=fr#permissions). Les applications peuvent avoir un répertoire spécifique dans le stockage externe ainsi que la possibilité d'y stocker des types de médias spécifiques. +- Un acès plus strict à l'emplacement du dispositif [](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) en introduisant la permission `ACCESS_BACKGROUND_LOCATION` . Cela empêche les applications d'accéder à l'emplacement lorsqu'elles fonctionnent en arrière-plan sans l'autorisation expresse de l'utilisateur. + +Android 11 : + +- [Permissions uniques](https://developer.android.com/about/versions/11/privacy/permissions#one-time) qui vous permet d'accorder une permission à une application une seule fois. +- [Réinitialisation automatique des autorisations](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), qui réinitialise [les autorisations d'exécution](https://developer.android.com/guide/topics/permissions/overview#runtime) accordées lors de l'ouverture de l'application. +- Autorisations granulaires pour accéder aux fonctions liées au numéro de téléphone [](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers). + +Android 12 : + +- Une permission d'accorder uniquement l'emplacement approximatif [](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Réinitialisation automatique des [applications en hibernation](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Audit de l'accès aux données](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) qui permet de déterminer plus facilement quelle partie d'une application effectue un type spécifique d'accès aux données. + +Android 13 : + +- Une autorisation pour [un accès wifi à proximité](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). Les adresses MAC des points d'accès WiFi à proximité étaient un moyen populaire pour les applications de suivre la localisation d'un utilisateur. +- Plus d'[autorisations granulaires pour les médias](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), ce qui signifie que vous pouvez accorder l'accès uniquement aux images, aux vidéos ou aux fichiers audio. +- L'utilisation de capteurs en arrière-plan nécessite désormais l'autorisation [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) . + +Une application peut demander une autorisation pour une fonction spécifique qu'elle possède. Par exemple, toute application permettant de scanner des codes QR nécessitera l'autorisation de l'appareil photo. Certaines applications peuvent demander plus de permissions qu'elles n'en ont besoin. + +[Exodus](https://exodus-privacy.eu.org/fr//) peut être utile pour comparer des applications ayant des objectifs similaires. Si une application nécessite de nombreuses autorisations et comporte beaucoup de publicité et d'analyses, c'est probablement un mauvais signe. **Nous vous recommandons de regarder les trackers individuels et de lire leurs descriptions plutôt que de vous contenter de compter le total** et de supposer que tous les éléments énumérés sont égaux. + +!!! warning "Avertissement" + + Si une application est principalement un service web, le suivi peut se faire du côté du serveur. [Facebook](https://reports.exodus-privacy.eu.org/fr/reports/com.facebook.katana/latest/) n'affiche "aucun traceur" mais suit certainement les intérêts et le comportement des utilisateurs sur le site. Les applications peuvent échapper à la détection en n'utilisant pas les bibliothèques de code standard produites par le secteur de la publicité, bien que cela soit peu probable. + +!!! note "À noter" + + Les applications respectueuses de la vie privée telles que [Bitwarden](https://reports.exodus-privacy.eu.org/fr/reports/com.x8bit.bitwarden/latest/) peuvent afficher certains traceurs tels que [Google Firebase Analytics] (https://reports.exodus-privacy.eu.org/fr/trackers/49/). Cette bibliothèque comprend [Firebase Cloud Messaging] (https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) qui peut fournir des [notifications push] (https://fr.wikipedia.org/wiki/Server_push) dans les applications. C'est le cas (https://fosstodon.org/@bitwarden/109636825700482007) avec Bitwarden. Cela ne signifie pas que Bitwarden utilise toutes les fonctionnalités d'analyse fournies par Google Firebase Analytics. + +## Accès aux médias + +De nombreuses applications vous permettent de "partager" un fichier avec elles pour le téléchargement de médias. Si vous voulez, par exemple, envoyer une photo sur Twitter, n'accordez pas à Twitter l'accès à vos "médias et photos", car il aura alors accès à toutes vos photos. Au lieu de cela, allez dans votre gestionnaire de fichiers (documentsUI), appuyez longuement sur l'image, puis partagez-la avec Twitter. + +## Profils Utilisateurs + +Les profils d'utilisateurs multiples se trouvent dans **Paramètres** → **Système** → **Utilisateurs multiples** et constituent le moyen le plus simple d'isoler dans Android. + +Avec les profils d'utilisateur, vous pouvez imposer des restrictions à un profil spécifique, par exemple : passer des appels, utiliser des SMS ou installer des applications sur l'appareil. Chaque profil est chiffré à l'aide de sa propre clé de chiffrement et ne peut accéder aux données d'aucun autre profil. Même le propriétaire de l'appareil ne peut pas voir les données des autres profils sans connaître leur mot de passe. Les profils d'utilisateurs multiples est une méthode d'isolement plus sécurisée. + +## Profil Professionnel + +Les [Profils Professionnels](https://support.google.com/work/android/answer/6191949?hl=fr) sont une autre façon d'isoler des applications de manière individuelles et peuvent s'avérer plus pratiques que des profils d'utilisateur séparés. + +Une application de **gestionnaire d'appareil** telle que [Shelter](#recommended-apps) est nécessaire pour créer un profil professionnel sans MDM d'entreprise, à moins que vous n'utilisiez un OS Android personnalisé qui en comprend une. + +Le profil professionnel dépend d'un gestionnaire d'appareil pour fonctionner. Les fonctionnalités telles que la *Navigation de Fichiers* et le *blocage de la recherche de contacts* ou tout autre type de fonctionnalités d'isolation doivent être implémentées par le gestionnaire. Vous devez également faire entièrement confiance à l'application de gestionnaire d'appareil, car elle a un accès total à vos données au sein du profil professionnel. + +Cette méthode est généralement moins sûre qu'un profil utilisateur secondaire, mais elle vous permet d'exécuter simultanément des applications dans les profils professionnel et personnel. + +## Arrêt d'Urgence VPN + +Android 7 et plus prennent en charge un arrêt d'urgence de VPN et il est disponible sans qu'il soit nécessaire d'installer des applications tierces. Cette fonction permet d'éviter les fuites si le VPN est déconnecté. Il se trouve dans :gear: **Paramètres** → **Réseau & internet** → **VPN** → :gear: → **Bloquer les connexions sans VPN**. + +## Boutons à Bascule Globaux + +Les appareils Android modernes disposent de boutons à bascule permettant de désactiver les services Bluetooth et de localisation. Android 12 a introduit des boutons à bascule pour l'appareil photo et le microphone. Lorsque vous n'utilisez pas ces fonctions, nous vous recommandons de les désactiver. Les applications ne peuvent pas utiliser les fonctions désactivées (même si elles ont reçu une autorisation individuelle) jusqu'à ce qu'elles soient réactivées. + +## Google + +Si vous utilisez un appareil doté des services Google, qu'il s'agisse de votre système d'exploitation d'origine ou d'un système d'exploitation qui intègre les services Google Play sandboxed en toute sécurité, comme GrapheneOS, vous pouvez apporter un certain nombre de modifications supplémentaires pour améliorer votre confidentialité. Nous recommandons toujours d'éviter complètement les services Google ou de limiter les services Google Play à un profil utilisateur/professionnel spécifique en combinant un contrôleur d'appareil comme *Shelter* avec le Sandboxed Google Play de GrapheneOS. + +### Programme de Protection Avancé + +Si vous avez un compte Google, nous vous suggérons de vous inscrire au [Programme de Protection Avancée](https://landing.google.com/advancedprotection/). Il est disponible gratuitement pour toute personne possédant au moins deux clés de sécurité physiques qui prennent en charge le protocole [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). + +Le Programme de Protection Avancée offre une surveillance accrue des menaces et permet : + +- Une authentification à deux facteurs plus stricte; par exemple, seul [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **doit** être utilisé et toute autre type de double autentification tels que [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) et [OAuth](https://en.wikipedia.org/wiki/OAuth) sont bloqués +- Seul Google et les applications tierces vérifiées peuvent accéder aux données du compte +- Une analyse des e-mails entrants sur les comptes Gmail pour détecter les tentatives de [hameçonnage](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- Une plus stricte [analyse de sécurité du navigateur](https://www.google.com/chrome/privacy/whitepaper.html#malware) avec Google Chrome +- Un processus de récupération plus strict pour les comptes ayant perdu leurs informations d'identification + + Si vous utilisez des services Google Play non sandboxés (courants sur les systèmes d'exploitation d'origine), l'Advanced Protection Program est également accompagné d'[avantages supplémentaires](https://support.google.com/accounts/answer/9764949?hl=en) tels que : + +- Ne pas autoriser l'installation d'applications en dehors du Google Play Store, en dehors de la boutique d'applications du fournisseur du système d'exploitation ou via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Analyse automatique obligatoire des appareils avec [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Avertissement des applications non vérifiées + +### Mise à jour du système avec Google Play + +Dans le passé, les mises à jour de sécurité d'Android devaient être envoyées par le fournisseur du système d'exploitation. Android est devenu plus modulaire à partir d'Android 10, et Google peut envoyer des mises à jour de sécurité pour **certains** composants du système via les services Google Play privilégiés. + +Si vous avez un appareil sous Android 10 minimum qui n'est plus supporté et que vous ne pouvez pas installer l'un des systèmes d'exploitation que nous recommandons sur votre appareil, vous feriez mieux de vous en tenir à votre installation Android d'origine (par opposition à un système d'exploitation non répertorié ici, tel que LineageOS ou /e/ OS). Cela vous permettra de recevoir **certains** correctifs de sécurité de Google, sans enfreindre le modèle de sécurité Android en utilisant par exemple un dérivé d'Android non sécurisé et augmentant votre surface d'attaque. Nous vous recommanderions néanmoins de passer à un appareil qui est toujours supporté dès que possible. + +### L'Identifiant Publicitaire + +Tous les appareils sur lesquels les Google Play Services sont installés génèrent automatiquement un [identifiant publicitaire](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) utilisé pour la publicité ciblée. Désactivez cette fonctionnalité pour limiter les données collectées à votre sujet. + +Sur les distributions Android avec [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), allez dans :gear: **Paramètres** → **Applications** → **Sandboxed Google Play** → **Paramètres Google** → **Annonces**, et sélectionnez *Supprimer l'ID publicitaire*. + +Sur les distributions Android avec des services Google Play privilégiés (comme les systèmes d'exploitation d'origines), le paramètre peut se trouver à plusieurs endroits. Vérifiez: + +- :gear: **Paramètres** → **Google** → **Annonces** +- :gear: **Paramètres** → **Confidentialité** → **Annonces** + +Vous aurez la possibilité de supprimer votre identifiant publicitaire ou de *refuser les publicités basées sur les centres d'intérêt*, cela varie selon les distributions OEM d'Android. Si l'on vous présente l'option de supprimer l'identifiant publicitaire, faites-le. Si ce n'est pas le cas, veillez à refuser la personnalisation des publicités puis à réinitialiser votre identifiant publicitaire. + +### SafetyNet et Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) et les [API Play Integrity](https://developer.android.com/google/play/integrity) sont généralement utilisés pour des [applications bancaires](https://grapheneos.org/usage#banking-apps). De nombreuses applications bancaires fonctionneront sans problème sur GrapheneOS avec les services Google Play en sandbox, mais certaines applications non financières ont leurs propres mécanismes anti-tampering rudimentaires qui peuvent échouer. GrapheneOS passe le contrôle `basicIntegrity`, mais pas le contrôle de certification `ctsProfileMatch`. Les appareils équipés d'Android 8 ou d'une version ultérieure sont dotés d'un système d'attestation matérielle qui ne peut être contourné qu'en cas de fuite de clés ou de vulnérabilité grave. + +Quant à Google Wallet, nous ne le recommandons pas en raison de sa [politique de confidentialité](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), qui stipule que vous devez manuellement refuser si vous ne voulez pas que votre note de crédit et vos informations personnelles soient partagées avec des services de marketing affilié. diff --git a/i18n/fr/os/linux-overview.md b/i18n/fr/os/linux-overview.md new file mode 100644 index 00000000..aa9fc776 --- /dev/null +++ b/i18n/fr/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Introduction à Linux +icon: simple/linux +description: Linux est un système d'exploitation de bureau alternatif open source, axé sur la protection de la vie privée, mais toutes les distributions ne sont pas créées égales. +--- + +On croit souvent que les logiciels [open source](https://en.wikipedia.org/wiki/Open-source_software) sont intrinsèquement sûrs parce que le code source est disponible. On s'attend à ce que la vérification de la communauté ait lieu régulièrement ; cependant, ce n'est pas toujours [le cas](https://seirdy.one/posts/2022/02/02/floss-security/). Cela dépend d'un certain nombre de facteurs, tels que l'activité du projet, l'expérience du développeur, le niveau de rigueur appliqué aux [revues de code](https://en.wikipedia.org/wiki/Code_review), et la fréquence de l'attention accordée à certaines parties spécifiques du [codebase](https://en.wikipedia.org/wiki/Codebase) qui peuvent rester à l'abandon pendant des années. + +À l'heure actuelle, les systèmes GNU/Linux de bureau ont certains domaines qui pourraient être améliorés par rapport à leurs homologues propriétaires, par exemple : + +- Une chaîne de démarrage vérifiée, telle que le [Démarage Sécurisé d'Apple](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (avec l'[Enclave Sécurisée](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), le [Démarrage Vérifié d'Android](https://source.android.com/security/verifiedboot), le [Démarrage vérifié de ChromeOS](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), ou le processus de démarrage de [Microsoft Windows](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) avec le [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). Ces fonctionnalités et technologies matérielles peuvent toutes contribuer à empêcher une altération persistante par des logiciels malveillants ou des [attaques de personnel de ménage malfaisant](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- Une solution de sandboxing forte, comme celle que l'on trouve dans [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), et [Android](https://source.android.com/security/app-sandbox). Les solutions de sandboxing Linux couramment utilisées, telles que [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) et [Firejail](https://firejail.wordpress.com/) , ont encore beaucoup de chemin à parcourir +- Forte [atténuation des exploits](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Malgré ces inconvénients, les distributions GNU/Linux de bureau sont excellentes si vous souhaitez : + +- Évitez la télémétrie qui accompagne souvent les systèmes d'exploitation propriétaires +- Maintenir [la liberté des logiciels](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Disposer de systèmes axés sur la protection de la vie privée tels que [Whonix](https://www.whonix.org) ou [Tails](https://tails.boum.org/) + +Notre site web utilise généralement le terme "Linux" pour décrire les distributions GNU/Linux de bureau. Les autres systèmes d'exploitation qui utilisent également le noyau Linux, tels que ChromeOS, Android et Qubes OS, ne sont pas abordés ici. + +[Nos recommandations Linux :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choisir sa distribution + +Toutes les distributions Linux ne sont pas créées égales. Bien que notre page de recommandations Linux ne soit pas censée être une source faisant autorité sur la distribution que vous devriez utiliser, il y a quelques éléments que vous devriez garder à l'esprit lors du choix de la distribution à utiliser. + +### Cycle de mises à jour + +Nous vous recommandons vivement de choisir des distributions qui restent proches des versions stables des logiciels en amont, souvent appelées distributions à publications continues. En effet, les distributions à cycle de publication gelé ne mettent souvent pas à jour les versions des paquets et prennent du retard sur les mises à jour de sécurité. + +Pour les distributions gelées telles que [Debian](https://www.debian.org/security/faq#handling), les responsables de paquets sont censés rapporter les correctifs pour corriger les vulnérabilités plutôt que de faire passer le logiciel à la "prochaine version" publiée par le développeur en amont. Certains correctifs de sécurité ne reçoivent [pas du tout](https://arxiv.org/abs/2105.14565) de [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (en particulier les logiciels moins populaires) et ne sont donc pas intégrés à la distribution avec ce modèle de correctifs. Par conséquent, les corrections de sécurité mineures sont parfois reportées à la prochaine version majeure. + +Nous ne pensons pas que retenir les paquets et appliquer des correctifs provisoires soit une bonne idée, car cela s'écarte de la manière dont le développeur aurait pu vouloir que le logiciel fonctionne. [Richard Brown](https://rootco.de/aboutme/) propose une présentation à ce sujet : + +
+ +
+ +### Mises à jour traditionnelles et atomiques + +Traditionnellement, les distributions Linux se mettent à jour en mettant séquentiellement à jour les paquets souhaités. Les mises à jour traditionnelles, telles que celles utilisées dans les distributions basées sur Fedora, Arch Linux et Debian, peuvent être moins fiables si une erreur se produit lors de la mise à jour. + +Les distributions à mises à jour atomiques appliquent les mises à jour dans leur intégralité ou pas du tout. En général, les systèmes de mise à jour transactionnelle sont également atomiques. + +Un système de mise à jour transactionnelle crée un instantané qui est réalisé avant et après l'application d'une mise à jour. Si une mise à jour échoue à un moment donné (par exemple en raison d'une panne de courant), elle peut facilement être ramenée au "dernier état correct connu." + +La méthode de mise à jour atomique est utilisée pour les distributions immuables comme Silverblue, Tumbleweed et NixOS et permet d'atteindre la fiabilité avec ce modèle. [Adam Šamalík](https://twitter.com/adsamalik) a fait une présentation sur le fonctionnement de `rpm-ostree` avec Silverblue : + +
+ +
+ +### "Distributions "axées sur la sécurité + +Il y a souvent une certaine confusion entre les distributions "axées sur la sécurité" et les distributions pour les "tests de pénétration". Une recherche rapide de "la distribution Linux la plus sûre" donne souvent des résultats comme Kali Linux, Black Arch et Parrot OS. Ces distributions sont des distributions de tests de pénétration offensifs qui regroupent des outils pour tester d'autres systèmes. Elles n'incluent pas de "sécurité supplémentaire" ni de mesures d'atténuation défensives destinées à une utilisation régulière. + +### Distributions basées sur Arch Linux + +Les distributions basées sur Arch ne sont pas recommandées pour les débutants en Linux (quelle que soit la distribution) car elles nécessitent une [maintenance régulière du système](https://wiki.archlinux.org/title/System_maintenance). Arch ne dispose pas d'un mécanisme de mise à jour de la distribution pour les choix logiciels sous-jacents. Par conséquent, vous devez rester au courant des tendances actuelles et adopter les technologies au fur et à mesure qu'elles remplacent les anciennes pratiques. + +Pour un système sécurisé, vous êtes également censé avoir une connaissance suffisante de Linux pour configurer correctement la sécurité de votre système, par exemple en adoptant un système de [contrôle d'accès obligatoire](https://en.wikipedia.org/wiki/Mandatory_access_control), en configurant des listes noires de [modules du noyau](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security), en renforçant les paramètres de démarrage, en manipulant les paramètres [sysctl](https://en.wikipedia.org/wiki/Sysctl), et en sachant de quels composants ils ont besoin, comme [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Toute personne utilisant l'[Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **doit** être à l'aise pour auditer les PKGBUILDs qu'elle installe à partir de ce service. Les paquets AUR sont des contenus produits par la communauté et ne font l'objet d'aucune vérification. Ils sont donc vulnérables aux attaques de la chaîne d'approvisionnement des logiciels, ce qui s'est d'ailleurs produit [dans le passé](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR doit toujours être utilisé avec parcimonie et il existe souvent de nombreux mauvais conseils sur diverses pages qui incitent les gens à utiliser aveuglément [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) sans avertissement suffisant. Des avertissements similaires s'appliquent à l'utilisation d'Archives de Paquets Personnels (PPA) de tiers sur les distributions basées sur Debian ou de Projets Communautaires (COPR) sur Fedora. + +Si vous avez de l'expérience avec Linux et souhaitez utiliser une distribution basée sur Arch, nous recommandons uniquement Arch Linux, et non ses dérivés. Nous déconseillons spécifiquement ces deux dérivés de Arch : + +- **Manjaro**: Cette distribution bloque les mises à jour des paquets pendant 2 semaines pour s'assurer que leurs propres changements ne cassent pas, et non pas pour s'assurer que l'amont est stable. Lorsque des paquets AUR sont utilisés, ils sont souvent construits avec les dernières [bibliothèques](https://en.wikipedia.org/wiki/Library_(computing)) des dépôts d'Arch. +- **Garuda**: Ils utilisent [Chaotic-AUR](https://aur.chaotic.cx/) qui compile automatiquement et aveuglément les paquets de l'AUR. Il n'existe aucun processus de vérification pour s'assurer que les paquets AUR ne souffrent pas d'attaques de la chaîne d'approvisionnement. + +### Kicksecure + +Bien que nous déconseillions fortement l'utilisation de distributions obsolètes comme Debian, il existe un système d'exploitation basé sur Debian qui a été renforcé pour être beaucoup plus sûr que les distributions Linux habituelles : [Kicksecure](https://www.kicksecure.com/). Kicksecure, en termes très simplifiés, est un ensemble de scripts, de configurations et de paquets qui réduisent considérablement la surface d'attaque de Debian. Il couvre par défaut un grand nombre de recommandations en matière de confidentialité et de durcissement. + +### Le noyau Linux-libre et les distributions "libres" + +Nous recommandons fortement **de ne pas** utiliser le noyau Linux-libre, car il [supprime des mesures de sécurité et d'atténuation](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) et [supprime des avertissements de noyau](https://news.ycombinator.com/item?id=29674846) concernant les microcodes vulnérables pour des raisons idéologiques. + +## Recommandations générales + +### Chiffrement de disque + +La plupart des distributions Linux ont une option dans leur installateur pour activer [LUKS](../encryption.md#linux-unified-key-setup) FDE. Si cette option n'est pas définie au moment de l'installation, vous devrez sauvegarder vos données et réinstaller, car le chiffrement est appliqué après le [partitionnement du disque](https://en.wikipedia.org/wiki/Disk_partitioning), mais avant le formatage des [systèmes de fichiers](https://en.wikipedia.org/wiki/File_system). Nous vous suggérons également d'effacer de façon sécurisée votre dispositif de stockage : + +- [Effacement sécurisé des données :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Envisagez l'utilisation de [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) ou du [swap chiffré](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) au lieu du swap non chiffré pour éviter les problèmes de sécurité potentiels avec des données sensibles poussées vers [l'espace swap](https://en.wikipedia.org/wiki/Memory_paging). Les distributions basées sur Fedora [utilisent ZRAM par défaut](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +Nous recommandons l'utilisation d'un environnement de bureau prenant en charge le protocole d'affichage [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) car il a été développé dans [un souci](https://lwn.net/Articles/589147/) de sécurité. Son prédécesseur, [X11](https://en.wikipedia.org/wiki/X_Window_System), ne prend pas en charge l'isolation de l'interface graphique, ce qui permet à toutes les fenêtres [d'enregistrer l'écran, d'enregistrer et d'injecter des entrées dans d'autres fenêtres](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), rendant toute tentative de sandboxing futile. Bien qu'il existe des options pour faire du X11 imbriqué telles que [Xpra](https://en.wikipedia.org/wiki/Xpra) ou [Xephyr](https://en.wikipedia.org/wiki/Xephyr), elles ont souvent des conséquences négatives sur les performances, ne sont pas pratiques à mettre en place et ne sont pas préférables à Wayland. + +Heureusement, des environnements courants tels que [GNOME](https://www.gnome.org), [KDE](https://kde.org), et le gestionnaire de fenêtres [Sway](https://swaywm.org) prennent en charge Wayland. Certaines distributions comme Fedora et Tumbleweed l'utilisent par défaut, et d'autres pourraient le faire à l'avenir car X11 est en [mode maintenance limitée](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Si vous utilisez l'un de ces environnements, il vous suffit de sélectionner la session "Wayland" dans le gestionnaire d'affichage du bureau ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +Nous recommandons **de ne pas** utiliser des environnements de bureau ou des gestionnaires de fenêtres qui ne prennent pas en charge Wayland, comme Cinnamon (par défaut sur Linux Mint), Pantheon (par défaut sur Elementary OS), MATE, Xfce et i3. + +### Micrologiciel propriétaire (mises à jour du microcode) + +Les distributions Linux telles que celles qui sont [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) ou DIY (Arch Linux) ne sont pas fournies avec les mises à jour propriétaires [microcode](https://en.wikipedia.org/wiki/Microcode) qui corrigent souvent des vulnérabilités. Voici quelques exemples notables de ces vulnérabilités : [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), et d'autres [vulnérabilités matérielles](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Nous **recommandons vivement** d'installer les mises à jour du microcode, car votre CPU exécute déjà le microcode propriétaire depuis l'usine. Fedora et openSUSE ont tous deux les mises à jour du microcode appliquées par défaut. + +### Mises à jour + +La plupart des distributions Linux installent automatiquement les mises à jour ou vous rappellent de le faire. Il est important de maintenir votre système d'exploitation à jour afin que votre logiciel soit corrigé lorsqu'une vulnérabilité est découverte. + +Certaines distributions (notamment celles destinées aux utilisateurs avancés) sont plus bruts et vous demandent de faire les choses vous-même (par exemple Arch ou Debian). Il faudra manuellement exécuter le "gestionnaire de paquets" (`apt`, `pacman`, `dnf`, etc.) afin de recevoir les mises à jour de sécurité importantes. + +En outre, certaines distributions ne téléchargent pas automatiquement les mises à jour du micrologiciel. Pour cela, vous devrez installer [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Ajustements de confidentialité + +### Adresse MAC aléatoire + +De nombreuses distributions Linux de bureau (Fedora, openSUSE, etc.) sont fournies avec [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), pour configurer les paramètres Ethernet et Wi-Fi. + +Il est possible de [changer aléatoirement](https://fedoramagazine.org/randomize-mac-address-nm/) l'[adresse MAC](https://en.wikipedia.org/wiki/MAC_address) en utilisant NetworkManager. Cela permet de protéger un peu plus la vie privée sur les réseaux Wi-Fi, car il est plus difficile de suivre des appareils spécifiques sur le réseau auquel vous êtes connecté. Cela ne vous rend [**pas**](https://papers.mathyvanhoef.com/wisec2016.pdf) anonyme. + +Nous recommandons de changer le paramètre et mettre **aléatoire** plutôt que **stable**, comme suggéré dans l'[article](https://fedoramagazine.org/randomize-mac-address-nm/). + +Si vous utilisez [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), vous devrez définir [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) qui activera [RFC 7844 (Profils d'anonymat pour les clients DHCP)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +Il n'y a pas beaucoup d'intérêt à rendre aléatoire l'adresse MAC pour les connexions Ethernet car un administrateur système peut vous trouver en regardant le port que vous utilisez sur le [commutateur réseau](https://en.wikipedia.org/wiki/Network_switch). Rendre aléatoire les adresses MAC Wi-Fi dépend de la prise en charge par le micrologiciel du Wi-Fi. + +### Autres identifiants + +Il existe d'autres identifiants de système auxquels vous devez faire attention. Vous devriez y réfléchir pour voir si cela s'applique à votre [modèle de menace](../basics/threat-modeling.md) : + +- **Noms d'hôte :** Le nom d'hôte de votre système est partagé avec les réseaux auxquels vous vous connectez. Vous devriez éviter d'inclure des termes d'identification comme votre nom ou votre système d'exploitation dans votre nom d'hôte, et vous en tenir plutôt à des termes génériques ou à des chaînes aléatoires. +- **Noms d'utilisateur :** De même, votre nom d'utilisateur est utilisé de diverses manières dans votre système. Envisagez d'utiliser des termes génériques comme "utilisateur" plutôt que votre nom réel. +- **Identifiant machine :**: Pendant l'installation, un identifiant machine unique est généré et stocké sur votre appareil. Envisagez de [le régler sur un identifiant générique](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### Comptage des systèmes + +Le projet Fedora [compte](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) le nombre de systèmes uniques qui accèdent à ses miroirs en utilisant une variable [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) au lieu d'un identifiant unique. Fedora fait cela pour déterminer la charge et fournir de meilleurs serveurs pour les mises à jour si nécessaire. + +Cette [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) est actuellement désactivée par défaut. Nous recommandons d'ajouter `countme=false` à `/etc/dnf/dnf.conf` juste au cas où il serait activé dans le futur. Sur les systèmes qui utilisent `rpm-ostree` tels que Silverblue, l'option countme est désactivée en masquant le compteur [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/). + +openSUSE utilise également un [identifiant unique](https://en.opensuse.org/openSUSE:Statistics) pour compter les systèmes, qui peut être désactivé en supprimant le fichier `/var/lib/zypp/AnonymousUniqueId`. diff --git a/i18n/fr/os/qubes-overview.md b/i18n/fr/os/qubes-overview.md new file mode 100644 index 00000000..e9a26073 --- /dev/null +++ b/i18n/fr/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Introduction à Qubes" +icon: simple/qubesos +description: Qubes est un système d'exploitation conçu pour isoler les applications au sein de machines virtuelles afin de renforcer la sécurité. +--- + +[**Qubes OS**](../desktop.md#qubes-os) est un système d'exploitation qui utilise l'hyperviseur [Xen](https://en.wikipedia.org/wiki/Xen) pour fournir une sécurité forte pour l'informatique de bureau par le biais de machines virtuelles isolées. Chaque VM est appelée un *Qube* et vous pouvez attribuer à chaque Qube un niveau de confiance en fonction de son objectif. Étant donné que le système d'exploitation Qubes assure la sécurité en utilisant l'isolation et en n'autorisant des actions qu'au cas par cas, il est à l'opposé de [l'énumération de méchanceté](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Comment fonctionne Qubes OS ? + +Qubes utilise la [compartimentation](https://www.qubes-os.org/intro/) pour assurer la sécurité du système. Les Qubes sont créés à partir de modèles, les valeurs par défaut étant pour Fedora, Debian et [Whonix](../desktop.md#whonix). Qubes OS vous permet également de créer des machines virtuelles à usage unique [jetable](https://www.qubes-os.org/doc/how-to-use-disposables/) . + +![Architecture de Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
Architecture de Qubes, Crédit : Intro de Qu'est-ce que Qubes OS
+ +Chaque application Qubes possède une [bordure colorée](https://www.qubes-os.org/screenshots/) qui peut vous aider à garder une trace de la machine virtuelle dans laquelle elle est exécutée. Vous pouvez, par exemple, utiliser une couleur spécifique pour votre navigateur bancaire, tout en utilisant une couleur différente pour un navigateur général non fiable. + +![Bordure colorée](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Bordures de fenêtres de Qubes, Crédit : Captures d'écran Qubes
+ +## Pourquoi devrais-je utiliser Qubes ? + +Qubes OS est utile si votre [modèle de menace](../basics/threat-modeling.md) exige une compartimentation et une sécurité fortes, par exemple si vous pensez ouvrir des fichiers non fiables provenant de sources non fiables. Une raison typique d'utiliser Qubes OS est d'ouvrir des documents provenant de sources inconnues. + +Qubes OS utilise la VM Xen [Dom0](https://wiki.xenproject.org/wiki/Dom0) (c'est-à-dire une "AdminVM") pour contrôler d'autres VM invitées ou Qubes sur l'OS hôte. Les autres VMs affichent des fenêtres d'applications individuelles dans l'environnement de bureau de Dom0. Cela vous permet d'attribuer un code de couleur aux fenêtres en fonction des niveaux de confiance et d'exécuter des applications qui peuvent interagir les unes avec les autres avec un contrôle très granulaire. + +### Copier et coller du texte + +Vous pouvez [copier et coller du texte](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) en utilisant `qvm-copy-to-vm` ou les instructions ci-dessous : + +1. Appuyez sur **Ctrl+C** pour indiquer à la VM dans laquelle vous vous trouvez que vous souhaitez copier quelque chose. +2. Appuyez sur **Ctrl+Maj+C** pour dire à la VM de rendre ce tampon disponible au presse-papiers global. +3. Appuyez sur **Ctrl+Shift+V** dans la VM de destination pour rendre le presse-papiers global disponible. +4. Appuyez sur **Ctrl+V** dans la VM de destination pour coller le contenu dans le tampon. + +### Échange de fichiers + +Pour copier et coller des fichiers et des répertoires (dossiers) d'une VM à l'autre, vous pouvez utiliser l'option **Copier vers une autre AppVM...** ou **Déplacer vers une autre AppVM...**. La différence est que l'option **Déplacer** supprime le fichier d'origine. L'une ou l'autre de ces options protégera votre presse-papiers contre les fuites vers d'autres Qubes. C'est plus sûr que le transfert de fichiers par ordinateur non connectés car un ordinateur sera toujours obligé d'analyser les partitions ou les systèmes de fichiers. Cela n'est pas nécessaire avec le système de copie inter-qube. + +??? info "Les AppVMs ou les qubes n'ont pas leur propre système de fichiers" + + Vous pouvez [copier et déplacer des fichiers](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) entre les Qubes. Ce faisant, les changements ne sont pas immédiats et peuvent être facilement annulés en cas d'accident. + +### Interactions inter-VM + +L'[environnement qrexec](https://www.qubes-os.org/doc/qrexec/) est une partie essentielle de Qubes qui permet la communication des machines virtuelles entre les domaines. Il est construit sur la bibliothèque Xen *vchan*, qui facilite [l'isolation de par le biais de politiques](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Ressources supplémentaires + +Pour de plus amples informations, nous vous encourageons à consulter les pages de documentation complètes de Qubes OS, situées sur le [site web de Qubes OS](https://www.qubes-os.org/doc/). Des copies hors ligne peuvent être téléchargées à partir du [dépôt de documentationde](https://github.com/QubesOS/qubes-doc) Qubes OS. + +- Open Technology Fund : [*Sans doute le système d'exploitation le plus sûr au monde*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska : [*Compartimentage logiciel vs. séparation physique*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska : [*Partitionnement de ma vie numérique en domaines de sécurité*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS : [*Articles connexes*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/fr/passwords.md b/i18n/fr/passwords.md new file mode 100644 index 00000000..dbe9f955 --- /dev/null +++ b/i18n/fr/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Gestionnaires de mots de passe" +icon: material/form-textbox-password +description: Les gestionnaires de mots de passe vous permettent de stocker et de gérer en toute sécurité des mots de passe et autres informations d'identification. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Gestionnaire de mots de passe + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Gestionnaire de mots de passe + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Gestionnaire de mots de passe + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Gestionnaire de mots de passe + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Gestionnaire de mots de passe + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Gestionnaire de mots de passe + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Gestionnaire de mots de passe + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Les gestionnaires de mots de passe vous permettent de stocker et de gérer en toute sécurité des mots de passe et autres informations d'identification à l'aide d'un mot de passe principal. + +[Introduction aux mots de passe :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info "Information" + + Les gestionnaires de mots de passe intégrés dans des logiciels tels que les navigateurs et les systèmes d'exploitation ne sont parfois pas aussi performants que les logiciels de gestion de mots de passe dédiés. L'avantage d'un gestionnaire de mots de passe intégré est une bonne intégration avec le logiciel, mais il peut souvent être très simpliste et manquer de fonctions de confidentialité et de sécurité dont disposent les offres dissociées. + + Par exemple, le gestionnaire de mots de passe de Microsoft Edge ne propose pas du tout E2EE. Le gestionnaire de mots de passe de Google dispose d'un E2EE [facultatif](https://support.google.com/accounts/answer/11350823), et [celui d'Apple](https://support.apple.com/fr-fr/HT202303) propose E2EE par défaut. + +## Basé sur le cloud + +Ces gestionnaires de mots de passe synchronisent vos mots de passe sur un serveur cloud pour un accès facile à partir de tous vos appareils et une sécurité contre la perte d'appareils. + +### Bitwarden + +!!! recommendation + + ![Logo Bitwarden](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** est un gestionnaire de mots de passe gratuit et open-source. Il vise à résoudre les problèmes de gestion des mots de passe pour les individus, les équipes et les organisations commerciales. Bitwarden est l'une des solutions les plus simples et les plus sûres pour stocker tous vos identifiants et mots de passe tout en les synchronisant de manière pratique entre tous vos appareils. + + [:octicons-home-16: Page d'accueil](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden propose également [Bitwarden Send](https://bitwarden.com/products/send/), qui vous permet de partager du texte et des fichiers en toute sécurité grâce au [chiffrement de bout en bout](https://bitwarden.com/help/send-encryption). Un [mot de passe](https://bitwarden.com/help/send-privacy/#send-passwords) peut être demandé avec le lien d'envoi. Bitwarden Send dispose également d'une fonction de [suppression automatique](https://bitwarden.com/help/send-lifespan). + +Vous devez disposer de [l'offre Premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) pour pouvoir partager des fichiers. L'offre gratuite ne permet que le partage de texte. + +Le code côté serveur de Bitwarden est [open-source](https://github.com/bitwarden/server), donc si vous ne voulez pas utiliser le cloud Bitwarden, vous pouvez facilement héberger votre propre serveur de synchronisation Bitwarden. + +**Vaultwarden** est une implémentation alternative du serveur de synchronisation de Bitwarden écrite en Rust et compatible avec les clients officiels de Bitwarden. Elle est parfaite pour les déploiements auto-hébergés où l'utilisation du service officiel, lourd en ressources, n'est pas idéale. Si vous cherchez à héberger Bitwarden sur votre propre serveur, vous voudrez certainement utiliser Vaultwarden plutôt que le code serveur officiel de Bitwarden. + +[:octicons-repo-16: Dépôt Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Code source" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribuer } + +### 1Password + +!!! recommendation + + ![Logo 1Password](assets/img/password-management/1password.svg){ align=right } + + **1Password** est un gestionnaire de mots de passe qui met l'accent sur la sécurité et la facilité d'utilisation. Il vous permet de stocker des mots de passe, des cartes de crédit, des licences de logiciels et toute autre information sensible dans un coffre-fort numérique sécurisé. Votre chambre forte est hébergée sur les serveurs de 1Password pour un [tarif mensuel](https://1password.com/sign-up/). 1Password est [audité](https://support.1password.com/security-assessments/) régulièrement et fournit un support client exceptionnel. 1Password est closed source ; cependant, la sécurité du produit est documentée de manière approfondie dans leur [livre blanc sur la sécurité](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Page d'accueil](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionnellement, **1Password** offrait la meilleure expérience utilisateur en matière de gestion de mots de passe pour les personnes utilisant macOS et iOS ; cependant, il a désormais atteint la parité de fonctionnalités sur toutes les plateformes. Il présente de nombreuses caractéristiques destinées aux familles et aux personnes moins techniques, ainsi que des fonctionnalités avancées. + +Votre coffre-fort 1Password est sécurisé à la fois par votre mot de passe principal et par une clé de sécurité aléatoire de 34 caractères pour chiffrer vos données sur leurs serveurs. Cette clé de sécurité ajoute une couche de protection à vos données, car celles-ci sont sécurisées par une entropie élevée, indépendamment de votre mot de passe principal. De nombreuses autres solutions de gestion des mots de passe dépendent entièrement de la force de votre mot de passe principal pour sécuriser vos données. + +Un avantage de 1Password sur Bitwarden est sa prise en charge de première classe pour les clients natifs. Alors que Bitwarden relègue de nombreuses fonctions, notamment les fonctions de gestion de compte, à son interface de coffre-fort web, 1Password met à disposition presque toutes les fonctions disponibles dans ses clients natifs mobiles ou de bureau. Les clients de 1Password ont également une interface utilisateur plus intuitive, ce qui les rend plus faciles à utiliser et à parcourir. + +### Psono + +!!! recommendation + + ![Logo Psono](assets/img/password-management/psono.svg){ align=right } + + **Psono** est un gestionnaire de mots de passe gratuit et open source d'Allemagne, avec un accent sur la gestion des mots de passe pour les équipes. Il peut être [auto-hébergé](#password-management-servers). Psono prend en charge le partage sécurisé de mots de passe, de fichiers, de signets et d'e-mails. + + [:octicons-home-16: Page d'accueil](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono fournit une documentation complète pour son produit. Le client web de Psono peut être hébergé par vous-même ; vous pouvez également choisir l'édition Community complète ou l'édition Enterprise avec des fonctionnalités supplémentaires. + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +#### Exigences minimales + +- Doit utiliser un système E2EE solide, basé sur des normes et moderne. +- Doit avoir des pratiques de chiffrement et de sécurité soigneusement documentées. +- Doit disposer d'un audit publié par une tierce partie indépendante et réputée. +- Toute télémétrie non essentielle doit être facultative. +- Ne doit pas collecter plus de DPI que nécessaire à des fins de facturation. + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- La télémétrie devrait être optionnelle (désactivée par défaut) ou ne pas être collectée du tout. +- Devrait être open-source et raisonnablement auto-hébergeable. + +## Stockage local + +Ces options vous permettent de gérer une base de données de mots de passe chiffrés localement. + +### KeePassXC + +!!! recommendation + + ![Logo KeePassXC](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** est un fork communautaire de KeePassX, un portage natif multiplateforme de KeePass Password Safe, dans le but de l'étendre et de l'améliorer avec de nouvelles fonctionnalités et des corrections de bugs afin de fournir un gestionnaire de mots de passe open-source riche en fonctionnalités, multiplateforme et moderne. + + [:octicons-home-16: Page d'accueil](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Code source" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stocke ses données d'exportation sous forme de fichiers [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Cela peut entraîner une perte de données si vous importez ce fichier dans un autre gestionnaire de mots de passe. Nous vous conseillons de vérifier chaque entrée manuellement. + +### KeePassDX (Android) + +!!! recommendation + + ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** est un gestionnaire de mots de passe léger pour Android. Il permet de modifier des données chiffrées dans un seul fichier au format KeePass et de remplir les formulaires de manière sécurisée. [Contributeur Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permet de débloquer du contenu cosmétique et des fonctions de protocole non standard, mais surtout, il aide et encourage le développement. + + [:octicons-home-16: Page d'accueil](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Logo Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** est un gestionnaire de mots de passe natif et open-source pour iOS et macOS. Prenant en charge les formats KeePass et Password Safe, Strongbox peut être utilisé en tandem avec d'autres gestionnaires de mots de passe, comme KeePassXC, sur des plateformes autres qu'Apple. En utilisant un [modèle freemium](https://strongboxsafe.com/pricing/), Strongbox propose la plupart des fonctionnalités dans son volet gratuit, tandis que les fonctions plus pratiques [features](https://strongboxsafe.com/comparison/) - telles que l'authentification biométrique - sont verrouillées par un abonnement ou une licence perpétuelle. + + [:octicons-home-16: Page d'accueil](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribuer } + + ??? downloads "Téléchagements" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +En outre, une version hors ligne est proposée : [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Cette version est dépouillée dans le but de réduire la surface d'attaque. + +### Ligne de commande + +Ces produits sont des gestionnaires de mots de passe minimaux qui peuvent être utilisés dans des applications de script. + +#### gopass + +!!! recommendation + + ![logo gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** est un gestionnaire de mots de passe pour ligne de commande écrit en Go. Il fonctionne sur tous les principaux systèmes d'exploitation de bureau et de serveur (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Page d'accueil](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Code source" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit être multiplateforme. diff --git a/i18n/fr/productivity.md b/i18n/fr/productivity.md new file mode 100644 index 00000000..e4f01b4a --- /dev/null +++ b/i18n/fr/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Outils de productivité" +icon: material/file-sign +description: La plupart des suites bureautiques en ligne ne prennent pas en charge l'E2EE, ce qui signifie que le fournisseur de cloud a accès à tout ce que vous faites. +--- + +La plupart des suites bureautiques en ligne ne prennent pas en charge l'E2EE, ce qui signifie que le fournisseur de cloud a accès à tout ce que vous faites. La politique de confidentialité peut protéger légalement vos droits, mais elle ne fournit pas de contraintes techniques d'accès. + +## Plateformes de collaboration + +### Nextcloud + +!!! recommendation + + ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** est une suite de logiciels client-serveur gratuits et open-source permettant de créer vos propres services d'hébergement de fichiers sur un serveur privé que vous contrôlez. + + [:octicons-home-16: Page d'accueil](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Code source" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Danger" + + Nous ne recommandons pas l'utilisation de [l'application E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) pour Nextcloud car elle peut entraîner une perte de données ; elle est hautement expérimentale et n'est pas de qualité de production. Pour cette raison, nous ne recommandons pas les fournisseurs Nextcloud tiers. + +### CryptPad + +!!! recommendation + + ![Logo CryptPad](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** est une alternative privée par conception aux outils de bureautique populaires. Tout le contenu de ce service web est chiffré de bout en bout et peut être partagé facilement avec d'autres utilisateurs. + + [:octicons-home-16: Page d'accueil](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Code source" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribuer } + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +En général, nous définissons les plateformes de collaboration comme des suites complètes qui pourraient raisonnablement remplacer des plateformes de collaboration comme Google Drive. + +- Open-source. +- Rend les fichiers accessibles via WebDAV, sauf si cela est impossible en raison de l'E2EE. +- Possède des clients de synchronisation pour Linux, macOS et Windows. +- Prend en charge l'édition de documents et de feuilles de calcul. +- Prend en charge la collaboration de documents en temps réel. +- Prend en charge l'export de documents vers des formats de documents standard (par exemple ODF). + +#### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Devrait stocker les fichiers dans un système de fichiers conventionnel. +- Devrait prendre en charge l'authentification multifactorielle TOTP ou FIDO2, ou les connexions par Passkey. + +## Suites bureautiques + +### LibreOffice + +!!! recommendation + + ![Logo de LibreOffice](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** est une suite bureautique gratuite et open-source aux fonctionnalités étendues. + + [:octicons-home-16: Page d'accueil](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Code source" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![Logo OnlyOffice](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** est une suite bureautique gratuite et open-source basée sur le cloud et dotée de nombreuses fonctionnalités, notamment l'intégration avec Nextcloud. + + [:octicons-home-16: Page d'accueil](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +En général, nous définissons les suites bureautiques comme des applications qui pourraient raisonnablement remplacer Microsoft Word pour la plupart des besoins. + +- Doit être multiplateforme. +- Doit être un logiciel open source. +- Doit fonctionner hors ligne. +- Doit prendre en charge l'édition de documents, de feuilles de calcul et de diaporamas. +- Doit exporter les fichiers vers des formats de document standard. + +## Services de collage + +### PrivateBin + +!!! recommendation + + ![Logo PrivateBin](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** est un service de collage en ligne minimaliste et open-source où le serveur n'a aucune connaissance des données collées. Les données sont chiffrées/déchiffrées dans le navigateur en utilisant AES 256 bits. Il s'agit de la version améliorée de ZeroBin. Il existe une [liste d'instances](https://privatebin.info/directory/). + + [:octicons-home-16: Page d'accueil](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Instances publiques"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Code source" } diff --git a/i18n/fr/real-time-communication.md b/i18n/fr/real-time-communication.md new file mode 100644 index 00000000..6ab9be2c --- /dev/null +++ b/i18n/fr/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Communication en temps réel" +icon: material/chat-processing +description: Les autres messageries instantanées mettent toutes vos conversations privées à la disposition de la société qui les gère. +--- + +Voici nos recommandations pour de la communication en temps réel chiffrée. + +[Types de réseaux de communication :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Messageries instantanées chiffrées + +Ces messageries sont idéales pour sécuriser vos communications sensibles. + +### Signal + +!!! recommendation + + ![Logo de Signal](assets/img/messengers/signal.svg){ align=right } + + **Signal** est une application mobile développée par Signal Messenger LLC. L'application offre une messagerie instantanée, ainsi que des appels vocaux et vidéo. + + Toutes les communications sont E2EE. Les listes de contacts sont chiffrées à l'aide de votre code PIN de connexion et le serveur n'y a pas accès. Les profils personnels sont également chiffrés et ne sont partagés qu'avec les contacts qui vous ajoutent. + + [:octicons-home-16: Page d'accueil](https://signal.org/fr/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.signal.org/hc/fr){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Code source" } + [:octicons-heart-16:](https://signal.org/fr/donate/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal prend en charge les [groupes privés](https://signal.org/blog/signal-private-group-system/). Le serveur n'a aucune trace de votre appartenance à un groupe, de vos titres de groupe, de vos avatars de groupe ou de vos attributs de groupe. Signal expose un minimum de métadonnées lorsque l'option [Expéditeur Scellé](https://signal.org/blog/sealed-sender/) est activée. L'adresse de l'expéditeur est chiffrée avec le corps du message, et seule l'adresse du destinataire est visible par le serveur. Expéditeur Scellé est uniquement activé pour les personnes de votre liste de contacts, mais peut être activé pour tous les destinataires avec le risque accru de recevoir du spam. Signal requiert votre numéro de téléphone comme identifiant personnel. + +Le protocole a fait l'objet d'un [audit](https://eprint.iacr.org/2016/1013.pdf) indépendant en 2016. La spécification du protocole Signal se trouve dans leur [documentation](https://signal.org/docs/). + +Nous avons quelques conseils supplémentaires pour configurer et renforcer votre installation Signal : + +[Configuration et renforcement de Signal :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Logo Simplex](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat est une messagerie instantanée décentralisée qui ne dépend d'aucun identifiant unique tel qu'un numéro de téléphone ou un nom d'utilisateur. Les utilisateurs de SimpleX Chat peuvent scanner un code QR ou cliquer sur un lien d'invitation pour participer à des conversations de groupe. + + [:octicons-home-16: Page d'accueil](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [a été audité](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) par Trail of Bits en Octobre 2022. + +Actuellement, SimpleX Chat ne fournit qu'un client pour Android et iOS. Les fonctionnalités de base de conversation de groupe, la conversation directe, l'édition des messages et le markdown sont pris en charge. Les appels audio et vidéo E2EE sont également pris en charge. + +Vos données peuvent être exportées et importées sur un autre appareil, car il n'y a pas de serveur central où elles sont sauvegardées. + +### Briar + +!!! recommendation + + ![Logo Briar](assets/img/messengers/briar.svg){ align=right } + + **Briar** est une messagerie instantanée chiffrée qui se [connecte](https://briarproject.org/how-it-works/) à d'autres clients par le réseau Tor. Briar peut également se connecter par Wi-Fi ou Bluetooth lorsqu'il se trouve à proximité. Le mode de maillage local de Briar peut être utile lorsque la disponibilité d’internet pose problème. + + [:octicons-home-16: Page d'accueil](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Code source" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Les options de dons sont listées en bas de la page d'accueil" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +Pour ajouter un contact sur Briar, vous devez d'abord vous ajouter tous les deux. Vous pouvez soit échanger des liens `briar://` soit scanner le QR code d'un contact s'il se trouve à proximité. + +Le logiciel client a été indépendamment [audité](https://briarproject.org/news/2017-beta-released-security-audit/) et le protocole de routage anonyme utilise le réseau Tor qui a également été audité. + +Briar a un [cahier des charges](https://code.briarproject.org/briar/briar-spec) entièrement publié. + +Briar prend en charge la confidentialité persistante en utilisant le protocole de [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) et [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) Bramble. + +## Autres options + +!!! warning "Avertissement" + + Ces messagers ne disposent pas de la fonction Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), et bien qu'ils répondent à certains besoins que nos recommandations précédentes ne peuvent pas satisfaire, nous ne les recommandons pas pour les communications sensibles ou à long terme. Toute compromission de la clé parmi les destinataires du message affecterait la confidentialité de **toutes** les communications passées. + +### Element + +!!! recommendation + + ![Logo d'Element](assets/img/messengers/element.svg){ align=right } + + **Element** est le client de référence pour le protocole [Matrix](https://matrix.org/docs/guides/introduction), un [standard ouvert](https://matrix.org/docs/spec) pour la communication décentralisée sécurisée en temps réel. + + Les messages et les fichiers partagés dans les salons privés (ceux qui nécessitent une invitation) sont par défaut E2EE, tout comme les appels vocaux et vidéo individuels. + + [:octicons-home-16: Page d'accueil](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Les photos de profil, les réactions et les surnoms ne sont pas chiffrés. + +Les appels vocaux et vidéo de groupe ne sont [pas](https://github.com/vector-im/element-web/issues/12878) E2EE, et utilisent Jitsi, mais cela devrait changer avec [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Les appels de groupe n'ont [pas d'authentification](https://github.com/vector-im/element-web/issues/13074) actuellement, ce qui signifie que les participants ne faisant pas partie de la salle peuvent également se joindre aux appels. Nous vous recommandons de ne pas utiliser cette fonctionnalité pour les réunions privées. + +Le protocole Matrix lui-même [prend théoriquement en charge la PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), mais ce [n'est pas actuellement pris en charge par Element](https://github.com/vector-im/element-web/issues/7101) car elle rompt certains aspects de l'expérience utilisateur tels que la sauvegarde des clés et l'historique des messages partagés. + +Le protocole a fait l'objet d'un [audit](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) indépendant en 2016. La spécification du protocole Matrix se trouve dans leur [documentation](https://spec.matrix.org/latest/). Le cliquet cryptographique [Olm](https://matrix.org/docs/projects/other/olm) utilisé par Matrix est une implémentation de l'[algorithme Cliquet Double](https://signal.org/docs/specifications/doubleratchet/) de Signal. + +### Session + +!!! recommendation + + ![Logo de Session](assets/img/messengers/session.svg){ align=right } + + **Session** est une messagerie décentralisée axée sur les communications privées, sécurisées et anonymes. Session prend en charge les messages directs, les discussions de groupe et les appels vocaux. + + Session utilise le réseau décentralisé [Oxen Service Node Network](https://oxen.io/) pour stocker et acheminer les messages. Chaque message chiffré est acheminé via trois nœuds dans le Oxen Service Node Network, ce qui rend pratiquement impossible pour les nœuds de compiler des informations significatives sur ceux qui utilisent le réseau. + + [:octicons-home-16: Page d'accueil](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session permet l'E2EE dans les chats individuels ou des groupes fermés pouvant compter jusqu'à 100 membres. Les groupes ouverts n'ont aucune restriction sur le nombre de membres, mais sont ouverts par conception. + +Session ne prend [pas](https://getsession.org/blog/session-protocol-technical-information) en charge PFS, c'est-à-dire lorsqu'un système de chiffrement change automatiquement et fréquemment les clés qu'il utilise pour chiffrer et déchiffrer des informations, de sorte que si la dernière clé est compromise, elle expose une plus petite partie des informations sensibles. + +Oxen a demandé un audit indépendant pour Session en mars 2020. L'audit [s'est conclu](https://getsession.org/session-code-audit) en Avril 2021 : "Le niveau de sécurité global de cette application est bon et la rend utilisable pour les personnes soucieuses de la protection de leur vie privée." + +Session a un [livre blanc](https://arxiv.org/pdf/2002.04609.pdf) décrivant les spécifications techniques de l'application et du protocole. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit avoir des clients open-source. +- Doit utiliser E2EE pour les messages privés par défaut. +- Doit supporter E2EE pour tous les messages. +- Doit avoir fait l'objet d'un audit indépendant. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Devrait prendre en charge la Confidentialité Persistante. +- Devrait avoir des serveurs open-source. +- Devrait être décentralisé, c'est-à-dire fédéré ou P2P. +- Devrait utiliser E2EE pour tous les messages par défaut. +- Devrait prendre en charge Linux, macOS, Windows, Android et iOS. diff --git a/i18n/fr/router.md b/i18n/fr/router.md new file mode 100644 index 00000000..a4eeba72 --- /dev/null +++ b/i18n/fr/router.md @@ -0,0 +1,50 @@ +--- +title: "Micrologiciel de routeur" +icon: material/router-wireless +description: Ces systèmes d'exploitation alternatifs peuvent être utilisés pour sécuriser votre routeur ou votre point d'accès Wi-Fi. +--- + +Vous trouverez ci-dessous quelques systèmes d'exploitation alternatifs, qui peuvent être utilisés sur des routeurs, des points d'accès Wi-Fi, etc. + +## OpenWrt + +!!! recommendation + + ![Logo OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right } + ![Logo OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** est un système d'exploitation basé sur Linux ; il est principalement utilisé sur les périphériques embarqués pour acheminer le trafic réseau. Il comprend util-linux, uClibc, et BusyBox. Tous les composants ont été optimisés pour les routeurs domestiques. + + [:octicons-home-16: Page d'accueil](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Code source" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuer } + +Vous pouvez consulter le [tableau de matériel](https://openwrt.org/toh/start) d'OpenWrt pour vérifier si votre périphérique est pris en charge. + +## OPNsense + +!!! recommendation + + ![logo OPNsense](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** est une plateforme de routage et de pare-feu open source basée sur FreeBSD qui intègre de nombreuses fonctionnalités avancées telles que la mise en forme du trafic, l'équilibrage de charge et des capacités VPN, avec de nombreuses autres fonctionnalités disponibles sous forme de plugins. OPNsense est généralement déployé comme pare-feu de périmètre, routeur, point d'accès sans fil, serveur DHCP, serveur DNS et point de terminaison VPN. + + [:octicons-home-16: Page d'accueil](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Code source" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuer } + +OPNsense a été développé à l'origine comme un fork de [pfSense](https://fr.wikipedia.org/wiki/PfSense), et les deux projets sont connus pour être des distributions de pare-feu gratuites et fiables qui offrent des fonctionnalités que l'on ne trouve souvent que dans les pare-feu commerciaux coûteux. Lancé en 2015, les développeurs d'OPNsense [ont cité](https://docs.opnsense.org/history/thefork.html) un certain nombre de problèmes de sécurité et de qualité du code de pfSense qui, selon eux, nécessitaient un fork du projet, ainsi que des préoccupations concernant l'acquisition majoritaire de pfSense par Netgate et l'orientation future du projet pfSense. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Doit être open-source. +- Doit recevoir des mises à jour régulières. +- Doivent prendre en charge une grande variété de matériel. diff --git a/i18n/fr/search-engines.md b/i18n/fr/search-engines.md new file mode 100644 index 00000000..2139625b --- /dev/null +++ b/i18n/fr/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Moteurs de recherche" +icon: material/search-web +description: Ces moteurs de recherche respectueux de la vie privée n'établissent pas de profil publicitaire sur la base de vos recherches. +--- + +Utilisez un moteur de recherche qui ne construit pas un profil publicitaire en fonction de vos recherches. + +Les recommandations formulées ici sont fondées sur les mérites de la politique de confidentialité de chaque service. Il n'y a **aucune garantie** que ces politiques de confidentialité soient respectées. + +Envisagez d'utiliser un [VPN](vpn.md) ou [Tor](https://www.torproject.org/) si votre modèle de menace nécessite de cacher votre adresse IP du fournisseur de recherche. + +## Brave Search + +!!! recommendation + + ![Logo de Brave Search](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** est développé par Brave et fournit des résultats provenant principalement de son propre index indépendant. L'index est optimisé en se basant sur Google Search et peut donc fournir des résultats contextuellement plus précis que d'autres solutions. + + Brave Search comprend des fonctionnalités uniques telles que Discussions, qui met en évidence les résultats axés sur la conversation, comme les messages des forums. + + Nous vous recommandons de désactiver [Mesures d'utilisation anonymes](https://search.brave.com/help/usage-metrics) car ells sont activées par défaut et peuvent être désactivées dans les paramètres. + + [:octicons-home-16: Page d'accueil](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search est basé aux États-Unis. Leur [politique de confidentialité](https://search.brave.com/help/privacy-policy) indique qu'ils collectent des données d'utilisation agrégées, notamment le système d'exploitation et le navigateur utilisés, mais qu'aucune information permettant d'identifier une personne n'est collectée. Les adresses IP sont traitées temporairement, mais ne sont pas conservées. + +## DuckDuckGo + +!!! recommendation + + ![Logo DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** est l'un des moteurs de recherche privés les plus populaires. Parmi les fonctionnalités de recherche notables de DuckDuckGo figurent les [bangs](https://duckduckgo.com/bang) et de nombreuses [réponses instantanées](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). Le moteur de recherche s'appuie sur une API commerciale de Bing pour fournir la plupart des résultats, mais il utilise également de nombreuses [autres sources](https://help.duckduckgo.com/results/sources/) pour les réponses instantanées et d'autres résultats non primaires. + + DuckDuckGo est le moteur de recherche par défaut du navigateur Tor et l'une des rares options disponibles sur le navigateur Safari d'Apple. + + [:octicons-home-16: Page d'accueil](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo est basé aux États-Unis. Leur [politique de confidentialité](https://duckduckgo.com/privacy) indique qu'ils **font** enregistrer vos recherches à des fins d'amélioration des produits, mais pas votre adresse IP ou toute autre information d'identification personnelle. + +DuckDuckGo propose deux [autres versions](https://help.duckduckgo.com/features/non-javascript/) de son moteur de recherche, toutes deux ne nécessitant pas de JavaScript. Ces versions manquent toutefois de fonctionnalités. Ces versions peuvent également être utilisées conjointement avec leur [adresse oignon Tor](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) en ajoutant [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) ou [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) pour la version respective. + +## SearXNG + +!!! recommendation + + ![Logo SearXNG](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** est un métamoteur de recherche open-source, auto-hébergeable, qui agrège les résultats d'autres moteurs de recherche sans stocker lui-même d'informations. C'est un fork activement maintenu de [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Page d'accueil](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Instances publiques"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Code source" } + +SearXNG est un proxy entre vous et les moteurs de recherche qu'il agrège. Vos requêtes de recherche seront toujours envoyées aux moteurs de recherche dont SearXNG tire ses résultats. + +Lorsque vous auto-hébergez, il est important que d'autres personnes utilisent également votre instance pour que vous puissiez vous fondre dans la masse. Vous devriez faire attention à l'endroit et à la manière dont vous hébergez SearXNG, car les personnes qui recherchent du contenu illégal sur votre instance pourraient attirer l'attention des autorités. + +Lorsque vous utilisez une instance SearXNG, assurez-vous d'aller lire sa politique de confidentialité. Les instances SearXNG pouvant être modifiées par leurs propriétaires, elles ne reflètent pas nécessairement leur politique de confidentialité. Certaines instances fonctionnent en tant que service caché Tor, ce qui peut garantir une certaine confidentialité tant que vos requêtes de recherche ne contiennent pas de DCP (données à caractère personnelles). + +## Startpage + +!!! recommendation + + ![Logo de Startpage](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Logo de Startpage](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** est un moteur de recherche privé connu pour servir les résultats de recherche de Google. L'une des caractéristiques uniques de Startpage est la [Vue anonyme](https://www.startpage.com/en/anonymous-view/), qui s'efforce de normaliser l'activité des utilisateurs afin de rendre plus difficile leur identification. Cette fonction peut être utile pour masquer [quelques](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) propriétés du réseau et du navigateur. Contrairement à ce que son nom suggère, il ne faut pas compter sur cette fonction pour assurer l'anonymat. Si vous recherchez l'anonymat, utilisez plutôt le [Navigateur Tor](tor.md#tor-browser). + + [:octicons-home-16: Page d'accueil](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning "Avertissement" + + Startpage limite régulièrement l'accès au service à certaines adresses IP, comme les IP réservées aux VPN ou à Tor. [DuckDuckGo](#duckduckgo) et [Brave Search](#brave-search) sont des options plus conviviales si votre modèle de menace nécessite de cacher votre adresse IP au fournisseur de recherche. + +Startpage est basée aux Pays-Bas. Selon leur [politique de confidentialité](https://www.startpage.com/en/privacy-policy/), ils enregistrent des détails tels que : le système d'exploitation, le type de navigateur et la langue. Ils n'enregistrent pas votre adresse IP, vos requêtes de recherche ou d'autres informations à caractère personnel. + +L'actionnaire majoritaire de Startpage est System1 qui est une société de technologie publicitaire. Nous ne pensons pas que ce soit un problème car ils ont une [politique de confidentialité](https://system1.com/terms/privacy-policy)distincte. L'équipe de Privacy Guides a contacté Startpage [en 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) pour dissiper toute inquiétude quant à l'investissement considérable de System1 dans ce service. Nous avons été satisfaits des réponses que nous avons reçues. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +### Exigences minimales + +- Ne doit pas collecter d'informations permettant d'identifier une personne, conformément à sa politique de confidentialité. +- Ne doit pas permettre aux utilisateurs de créer un compte chez eux. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Doit être basé sur des logiciels open-source. +- Ne doit pas bloquer les adresses IP des nœuds de sortie Tor. diff --git a/i18n/fr/tools.md b/i18n/fr/tools.md new file mode 100644 index 00000000..65ac90ff --- /dev/null +++ b/i18n/fr/tools.md @@ -0,0 +1,476 @@ +--- +title: "Outils de protection de la vie privée" +icon: material/tools +hide: + - toc +description: Privacy Guides est le site web le plus transparent et le plus fiable pour trouver des logiciels, des applications et des services qui protègent vos données personnelles des programmes de surveillance de masse et d'autres menaces internet. +--- + +Si vous cherchez une solution spécifique à un problème, voici les outils matériels et logiciels que nous recommandons dans diverses catégories. Les outils de protection de la vie privée que nous recommandons sont principalement choisis en fonction de leurs fonctionnalités de sécurité, tout en mettant l'accent sur les outils décentralisés et à code source ouvert. Ils sont applicables à divers modèles de menaces, allant de la protection contre les programmes mondiaux de surveillance de masse à l'atténuation des attaques en passant par l'évitement des grandes entreprises technologiques, mais vous seul pouvez déterminer ce qui répondra le mieux à vos besoins. + +Si vous souhaitez obtenir de l'aide pour déterminer les meilleurs outils de protection de la vie privée et les programmes alternatifs adaptés à vos besoins, lancez une discussion sur notre [forum](https://discuss.privacyguides.net/) ou sur notre communauté [Matrix](https://matrix.to/#/#privacyguides:matrix.org) ! + +Pour plus de détails sur chaque projet, les raisons pour lesquelles ils ont été choisis, et d'autres conseils ou astuces que nous recommandons, cliquez sur le lien "En savoir plus" dans chaque section, ou cliquez sur la recommandation en question pour accéder à cette section spécifique de la page. + +## Réseau Tor + +
+ +- ![Logo Tor Browser](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Logo Snowflake](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Logo Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake n'augmente pas la confidentialité, mais il vous permet de contribuer facilement au réseau Tor et d'aider les personnes dans les réseaux censurés à obtenir une meilleure confidentialité. + +[En savoir plus :material-arrow-right-drop-circle:](tor.md) + +## Navigateurs web de bureau + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Ressources supplémentaires + +
+ +- ![Logo uBlock Origin](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Navigateurs web mobiles + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Ressources supplémentaires + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Systèmes d'exploitation + +### Mobile + +
+ +- ![Logo GrapheneOS](assets/img/android/grapheneos.svg#only-light){ .twemoji }![Logo GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![Logo DivestOS](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](android.md) + +#### Applications Android + +
+ +- ![Logo Aurora Store](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (client Google Play)](android.md#aurora-store) +- ![Logo Shelter](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Profils de travail)](android.md#shelter) +- ![Logo Auditor](assets/img/android/auditor.svg#only-light){ .twemoji }![Logo GrapheneOS](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Appareils pris en charge)](android.md#auditor) +- ![Logo Secure Camera](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Logo Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Logo Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![Logo Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](android.md#general-apps) + +### Bureau/PC + +
+ +- ![Logo Qubes OS](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Logo Fedora](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![logo openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![logo Arch](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Logo Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![Logo nixOS](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Logo Tails](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](desktop.md) + +### Micrologiciel de routeur + +
+ +- ![Logo OpenWrt](assets/img/router/openwrt.svg#only-light){ .twemoji }![Logo OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![Logo OPNsense](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](router.md) + +## Fournisseurs de services + +### Stockage cloud + +
+ +- ![Logo Proton Drive](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Logo Tresorit](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### Fournisseurs de DNS + +Nous [recommandons](dns.md#recommended-providers) un certain nombre de serveurs DNS chiffrés en fonction de divers critères, tels que [Mullvad](https://mullvad.net/fr/help/dns-over-https-and-dns-over-tls) et [Quad9](https://quad9.net/) entre autres. Nous vous recommandons de lire nos pages sur les DNS avant de choisir un fournisseur. Dans de nombreux cas, l'utilisation d'un autre fournisseur de DNS n'est pas recommandée. + +[En savoir plus :material-arrow-right-drop-circle:](dns.md) + +#### Proxys DNS chiffrés + +
+ +- ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![Logo RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![Logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Solutions auto-hébergées + +
+ +- ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Logo Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![logo StartMail](assets/img/email/startmail.svg#only-light){ .twemoji } ![logo StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![logo Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md) + +#### Services d'alias d'email + +
+ +- ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Logo SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Email auto-hébergé + +
+ +- ![Logo mailcow](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Logo Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Services financiers + +#### Services de masquage des paiements + +
+ +- ![Logo Privacy.com](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Logo Privacy.com](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![Logo MySudo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![Logo MySudo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[En savoir plus :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Marchés de cartes-cadeaux en ligne + +
+ +- ![Logo Cake Pay](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![Logo CoinCards](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Moteurs de Recherche + +
+ +- ![Logo Brave Search](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![Logo DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![Logo SearXNG](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Logo Startpage](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](search-engines.md) + +### Fournisseurs de VPN + +??? danger "Les VPN ne fournissent pas l'anonymat" + + L'utilisation d'un VPN ne rendra **pas** votre navigation anonyme et n'ajoutera pas de sécurité supplémentaire à un trafic non sécurisé (HTTP). + + Si vous recherchez l' **anonymat**, vous devriez utiliser le navigateur Tor **au lieu** d'un VPN. + + Si vous recherchez plus de **sécurité**, vous devez toujours vous assurer que vous vous connectez aux sites web en utilisant HTTPS. Un VPN ne remplace pas les bonnes pratiques de sécurité. + + [En savoir plus :material-arrow-right:](vpn.md) + +
+ +- ![Logo IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Logo Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Logo Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](vpn.md) + +## Logiciels + +### Synchronisation de calendrier + +
+ +- ![Logo Tutanota](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Logo Calendrier Proton](assets/img/calendar/proton-calendar.svg){ .twemoji } [Calendrier Proton](calendar.md#proton-calendar) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](calendar.md) + +### Crypto-monnaie + +
+ +- ![Logo Monero](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Rédaction de données et de métadonnées + +
+ +- ![Logo MAT2](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![Logo PrivacyBlur](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](data-redaction.md) + +### Logiciels de messagerie électronique + +
+ +- ![Logo Thunderbird](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Logo Apple Mail](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Logo Canary Mail](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![Logo FairEmail](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![Logo GNOME Evolution](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![Logo K-9 Mail](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Logo Kontact](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Logo Mailvelope](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP dans le webmail standard)](email-clients.md#mailvelope-browser) +- ![Logo NeoMutt](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](email-clients.md) + +### Logiciels de chiffrement + +??? info "Chiffrement du disque du système d'exploitation" + + Pour chiffrer le disque de votre système d'exploitation, nous recommandons généralement d'utiliser l'outil de chiffrement fourni par votre système d'exploitation, qu'il s'agisse de **BitLocker** sur Windows, **FileVault** sur macOS ou **LUKS** sur Linux. Ces outils sont inclus dans le système d'exploitation et utilisent généralement des éléments de chiffrement matériel tels qu'un TPM, ce que ne font pas d'autres logiciels de chiffrement intégral de disque comme VeraCrypt. VeraCrypt convient toujours aux disques qui ne contiennent pas de systèmes d'exploitation, comme les disques externes, en particulier les disques auxquels on peut accéder à partir de plusieurs systèmes d'exploitation. + + [En savoir plus :material-arrow-right:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Logo Picocrypt](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![Logo VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![Logo VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Logo Hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Logo Hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Logo Kryptor](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Logo Tomb](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](encryption.md) + +#### Clients OpenPGP + +
+ +- ![Logo GnuPG](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![Logo GPG4Win](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![Logo GPG Suite](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![Logo OpenKeychain](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Partage et synchronisation de fichiers + +
+ +- ![Logo Send](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![Logo OnionShare](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![Logo FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Logo Syncthing](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](file-sharing.md) + +### Clients applicatifs + +
+ +- ![Logo du bibliothécaire](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Logo du bibliothécaire](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Logo Nitter](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![Logo FreeTube](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Logo Yattee](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube ; iOS, tvOS, macOS)](frontends.md#yattee) +- ![Logo NewPipe](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Logo Invidious](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Logo Invidious](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Logo Piped](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](frontends.md) + +### Outils d'authentification multi-facteurs + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Logo Aegis](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Logo Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Agrégateurs d'actualités + +
+ +- ![Logo Akregator](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Logo Feeder](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Logo Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![Logo GNOME Feeds](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Logo Miniflux](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Logo Miniflux](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![Logo NetNewsWire](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Logo Newsboat](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](news-aggregators.md) + +### Bloc-notes + +
+ +- ![Logo Joplin](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Logo Standard Notes](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Logo Cryptee](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Logo Cryptee](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](notebooks.md) + +### Gestionnaires de mots de passe + +
+ +- ![Logo Bitwarden](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![Logo 1Password](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Logo Psono](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![Logo KeePassXC](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Logo Strongbox](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![Logo gopass](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](passwords.md) + +### Outils de productivité + +
+ +- ![Logo Nextcloud](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Logo LibreOffice](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![Logo OnlyOffice](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](productivity.md) + +### Communication en temps réel + +
+ +- ![Logo Signal](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Logo Briar](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![Logo SimpleX Chat](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Logo Element](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Logo Session](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](real-time-communication.md) + +### Clients de streaming vidéo + +
+ +- ![Logo LBRY](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/fr/tor.md b/i18n/fr/tor.md new file mode 100644 index 00000000..0a7fcb6a --- /dev/null +++ b/i18n/fr/tor.md @@ -0,0 +1,119 @@ +--- +title: "Réseau Tor" +icon: simple/torproject +description: Protégez votre navigation sur internet des regards indiscrets en utilisant le réseau Tor, un réseau sécurisé qui contourne la censure. +--- + +![Logo Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +Le réseau **Tor** est un groupe de serveurs gérés par des bénévoles qui vous permet de vous connecter gratuitement et d'améliorer votre confidentialité et votre sécurité sur Internet. Les particuliers et les organisations peuvent également partager des informations sur le réseau Tor avec des "services cachés .onion" sans compromettre leur vie privée. Parce que le trafic Tor est difficile à bloquer et à tracer, Tor est un outil efficace pour contourner la censure. + +[:octicons-home-16:](https://www.torproject.org/fr/){ .card-link title="Page d'accueil"} +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/fr/){ .card-link title="Service Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/fr/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Code Source" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + +Tor fonctionne en acheminant votre trafic Internet via ces serveurs gérés par des volontaires, au lieu d'établir une connexion directe avec le site que vous essayez de visiter. Cela permet de masquer la provenance du trafic, et aucun serveur sur le chemin de la connexion n'est en mesure de voir le chemin complet de la provenance et de la destination du trafic, ce qui signifie que même les serveurs que vous utilisez pour vous connecter ne peuvent pas briser votre anonymat. + +[Introduction détaillée de Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Se connecter à Tor + +Il existe plusieurs façons de se connecter au réseau Tor à partir de votre appareil, la plus utilisée étant le **Navigateur Tor**, un fork de Firefox conçu pour la navigation anonyme sur les ordinateurs de bureau et Android. En plus des applications listées ci-dessous, il existe également des systèmes d'exploitation conçus spécifiquement pour se connecter au réseau Tor tels que [Whonix](desktop.md#whonix) sur [Qubes OS](desktop.md#qubes-os), qui offrent une sécurité et des protections encore plus importantes que le navigateur Tor standard. + +### Navigateur Tor + +!!! recommendation + + ![Logo de Tor Browser](assets/img/browsers/tor.svg){ align=right } + + Le **Navigateur Tor** est le choix idéal si vous avez besoin d'anonymat, car il vous donne accès au réseau et aux ponts Tor, et il inclut des paramètres par défaut et des extensions qui sont automatiquement configurées par les niveaux de sécurité par défaut : *Normal*, *Plus sûr* et *Le plus sûr*. + + [:octicons-home-16: Page d'accueil](https://www.torproject.org/fr/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/fr/){ .card-link title="Service Onion" } + [:octicons-info-16:](https://tb-manual.torproject.org/fr/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Code Source" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "Danger" + + Vous ne devriez **jamais** installer des extensions supplémentaires sur le navigateur Tor, y compris celles que nous suggérons pour Firefox. Les extensions de navigateur et les paramètres non standard vous distinguent des autres sur le réseau Tor, rendant ainsi votre navigateur plus facile à la [prise d'empreintes numérique](https://support.torproject.org/fr/glossary/browser-fingerprinting/). + +Le Navigateur Tor est conçu pour empêcher la prise d'empreintes numérique, ou l'identification en fonction de la configuration de votre navigateur. Par conséquent, il est impératif de ne **pas** modifier le navigateur au-delà des [niveaux de sécurité](https://tb-manual.torproject.org/fr/security-settings/) par défaut. + +### Orbot + +!!! recommendation + + ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** est un VPN Tor gratuit pour smartphones qui achemine le trafic de n'importe quelle application sur votre appareil à travers le réseau Tor. + + [:octicons-home-16: Page d'accueil](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Politique de Confidentialité" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Code Source" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +Nous avons précédemment recommandé d'activer la préférence *Isolate Destination Address* dans les paramètres d'Orbot. Bien que ce paramètre puisse théoriquement améliorer la confidentialité en imposant l'utilisation d'un circuit différent pour chaque adresse IP à laquelle vous vous connectez, il n'offre pas d'avantage pratique pour la plupart des applications (en particulier la navigation sur le web), peut s'accompagner d'une pénalité de performance significative et augmente la charge sur le réseau Tor. Nous ne recommandons plus d'ajuster ce paramètre par rapport à sa valeur par défaut, sauf si vous savez que vous en avez besoin.[^1] + +!!! tip "Astuces pour Android" + + Orbot peut proxy des applications individuelles si elles supportent le proxying SOCKS ou HTTP. Il peut également proxy toutes vos connexions réseau en utilisant [VpnService](https://developer.android.com/reference/android/net/VpnService) et peut être utilisé avec le killswitch VPN dans :gear: **Paramètres** → **Réseau & internet** → **VPN** → :gear: → **Bloquer les connexions sans VPN**. + + Orbot est souvent obsolète sur le [dépôt F-Droid](https://guardianproject.info/fdroid) du Guardian Project et sur le [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), alors envisagez à la place de télécharger directement depuis le [dépôt GitHub](https://github.com/guardianproject/orbot/releases). + + Toutes les versions sont signées en utilisant la même signature, elles devraient donc être compatibles entre elles. + +## Relais et Ponts + +### Snowflake + +!!! recommendation + + ![Logo Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Logo Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** vous permet de donner de la bande passante au Projet Tor en faisant fonctionner un "proxy Snowflake" dans votre navigateur. + + Les personnes censurées peuvent utiliser les proxys Snowflake pour se connecter au réseau Tor. Snowflake est un excellent moyen de contribuer au réseau même si vous n'avez pas le savoir-faire technique pour gérer un relais ou un pont Tor. + + [:octicons-home-16: Page d'accueil](https://snowflake.torproject.org/?lang=fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Code Source" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuer } + + ??? downloads "Téléchargements" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/fr-fr/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Laissez cette page ouverte pour être un proxy Snowflake") + +??? tip "Snowflake intégré" + + Vous pouvez activer Snowflake dans votre navigateur en cliquant sur le bouton ci-dessous et en laissant cette page ouverte. Vous pouvez également installer Snowflake en tant qu'extension de navigateur pour qu'il s'exécute toujours lorsque votre navigateur est ouvert, mais l'ajout d'extensions tierces peut augmenter votre surface d'attaque. + +
+ Si l'intégration n'apparaît pas pour vous, assurez-vous que vous ne bloquez pas le cadre tiers de `torproject.org`. Vous pouvez également consulter [cette page](https://snowflake.torproject.org/embed.html). + +Snowflake n'améliore en rien votre vie privée et n'est pas utilisé pour se connecter au réseau Tor dans votre navigateur personnel. Toutefois, si votre connexion Internet n'est pas censurée, vous devriez envisager de l'utiliser pour aider les personnes se trouvant sur des réseaux censurés à améliorer elles-mêmes leur vie privée. Il n'y a pas besoin de s'inquiéter des sites web auxquels les gens accèdent via votre proxy - leur adresse IP de navigation visible correspondra à leur nœud de sortie Tor, pas à la vôtre. + +Faire fonctionner un proxy Snowflake est peu risqué, encore moins que de faire fonctionner un relais ou un pont Tor qui ne sont déjà pas des entreprises particulièrement risquées. Toutefois, il achemine le trafic par le biais de votre réseau, ce qui peut avoir un impact à certains égards, surtout si votre réseau a une bande passante limitée. Assurez-vous de comprendre [le fonctionnement de Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) avant de décider de faire tourner un proxy. + +[^1]: Le paramètre `IsolateDestAddr` est discuté sur la [liste de diffusion Tor](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) et [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), où les deux projets suggèrent que ce n'est généralement pas une bonne approche pour la plupart des gens. diff --git a/i18n/fr/video-streaming.md b/i18n/fr/video-streaming.md new file mode 100644 index 00000000..51ad22f6 --- /dev/null +++ b/i18n/fr/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Streaming vidéo" +icon: material/video-wireless +description: Ces réseaux vous permettent de consommer du contenu internet sans établir de profil publicitaire basé sur vos centres d'intérêt. +--- + +La principale menace liée à l'utilisation d'une plateforme de streaming vidéo est que vos habitudes de streaming et vos listes d'abonnement pourraient être utilisées pour établir votre profil. Vous devriez combiner ces outils avec un [VPN](vpn.md) ou [Tor](https://www.torproject.org/) pour rendre plus difficile le profilage de votre utilisation. + +## LBRY + +!!! recommendation + + ![Logo LBRY](assets/img/video-streaming/lbry.svg){ align=right } + + **Le réseau LBRY** est un réseau décentralisé de partage de vidéos. Il utilise un réseau de type [BitTorrent](https://fr.wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [chaîne de blocs](https://fr.wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. Le principal avantage de cette conception est la résistance à la censure. + + **Le client de bureau LBRY** vous aide à regarder des vidéos à partir du réseau LBRY et stocke votre liste d'abonnement dans votre propre portefeuille LBRY. + + [:octicons-home-16: Page d'accueil](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note "À noter" + + Seul le client de bureau **LBRY** est recommandé, car le site web [Odysee](https://odysee.com) et les clients LBRY dans F-Droid, le Play Store et l'App Store ont une synchronisation et une télémétrie obligatoires. + +!!! warning "Avertissement" + + Lorsque vous regardez et hébergez des vidéos, votre adresse IP est visible par le réseau LBRY. Il utilise un réseau de type [BitTorrent](https://wikipedia.org/wiki/BitTorrent) pour stocker le contenu vidéo, et une [blockchain](https://wikipedia.org/wiki/Blockchain) pour stocker les index de ces vidéos. + +Nous vous recommandons **d'éviter** de synchroniser votre portefeuille avec LBRY Inc., car la synchronisation des portefeuilles chiffrés n'est pas encore prise en charge. note + +Vous pouvez désactiver l'option *Enregistrer les données d'hébergement pour aider le réseau LBRY* dans :gear: **Paramètres** → **Paramètres Avancés**, pour éviter d'exposer votre adresse IP et les vidéos regardées lorsque vous utilisez LBRY pendant une période prolongée. + +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +!!! example "Cette section est récente" + + Nous travaillons à l'établissement de critères définis pour chaque section de notre site, et celles-ci peuvent être sujet à changement. Si vous avez des questions sur nos critères, veuillez [poser la question sur notre forum](https://discuss.privacyguides.net/latest) et ne supposez pas que nous n'avons pas pris en compte un élément dans nos recommandations s'il ne figure pas dans la liste. De nombreux facteurs sont pris en compte et discutés lorsque nous recommandons un projet, et la documentation de chacun d'entre eux est en cours. + +- Ne doit pas nécessiter un compte centralisé pour visionner les vidéos. + - L'authentification décentralisée, par exemple via la clé privée d'un portefeuille mobile, est acceptable. diff --git a/i18n/fr/vpn.md b/i18n/fr/vpn.md new file mode 100644 index 00000000..ad83dbe9 --- /dev/null +++ b/i18n/fr/vpn.md @@ -0,0 +1,327 @@ +--- +title: "Services VPN" +icon: material/vpn +description: Voici les meilleurs services VPN pour protéger votre vie privée et votre sécurité en ligne. Trouvez ici un fournisseur qui ne cherche pas à vous espionner. +--- + +Si vous recherchez à protéger votre **vie privée** vis-à-vis de votre FAI, sur un réseau Wi-Fi public ou lorsque vous téléchargez des fichiers en torrent, un VPN peut être la solution pour vous, à condition que vous compreniez les risques encourus. Nous pensons que ces fournisseurs se distinguent des autres : + +
+ +- ![Logo IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Logo Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Logo Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "Les VPN ne fournissent pas l'anonymat" + + L'utilisation d'un VPN ne rendra **pas** votre navigation anonyme et n'ajoutera pas de sécurité supplémentaire à un trafic non sécurisé (HTTP). + + Si vous recherchez l'**anonymat**, vous devriez utiliser le navigateur Tor **au lieu** d'un VPN. + + Si vous recherchez plus de **sécurité**, vous devez toujours vous assurer que vous vous connectez aux sites web en utilisant HTTPS. Un VPN ne remplace pas les bonnes pratiques de sécurité. + + [Télécharger Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mythes sur Tor & FAQ](advanced/tor-overview.md){ .md-button } + +[Présentation détaillée des VPNs :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Fournisseurs recommandés + +Les fournisseurs que nous recommandons utilisent le chiffrement, acceptent le Monero, prennent en charge WireGuard & OpenVPN, et ont une politique de non journalisation. Lisez notre [liste complète de critères](#criteria) pour plus d'informations. + +### IVPN + +!!! recommendation + + ![Logo IVPN](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** est un autre fournisseur de VPN haut de gamme, et il est en activité depuis 2009. IVPN est basé à Gibraltar. + + [:octicons-home-16: Page d'accueil](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 pays + +IVPN a ses [serveurs dans 35 pays](https://www.ivpn.net/server-locations).(1) Choisir un fournisseur VPN avec un serveur le plus proche de vous réduira la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination. +{ .annotate } + +1. En date du : 2022-09-16 + +Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur VPN d'utiliser des [serveurs dédiés](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9), plutôt que des solutions partagées (avec d'autres clients) moins chères telles que les [serveurs privés virtuels](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9_virtuel). + +#### :material-check:{ .pg-green } Audit indépendant + +IVPN a fait l'objet d'un [audit de non-journalisation par Cure53](https://cure53.de/audit-report_ivpn.pdf) qui a conclu à la validité de l'affirmation d'IVPN concernant l'absence d'enregistrement. IVPN a également terminé un [rapport complet de test d'intrusion par Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) en janvier 2020. IVPN a également indiqué qu'elle prévoyait à l'avenir de mettre à disposition les [rapports annuels](https://www.ivpn.net/blog/independent-security-audit-concluded). Une nouvelle étude a été réalisée [en avril 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) et a été mise à disposition par Cure53 sur [leur site web](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Clients open source + +Depuis février 2020, [les applications IVPN sont désormais open source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Le code source peut être obtenu auprès de leur [organisation GitHub](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepte l'argent liquide et le Monero + +En plus d'accepter les cartes de crédit/débit et PayPal, IVPN accepte le Bitcoin, **le Monero** et **les espèces/la monnaie locale** (sur les abonnements annuels) comme formes de paiement anonymes. + +#### :material-check:{ .pg-green } Prise en charge de WireGuard + +IVPN prend en charge le protocole WireGuard®. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise une [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant. + +IVPN [recommande](https://www.ivpn.net/wireguard/) l'utilisation de WireGuard avec leur service et, en tant que tel, le protocole est par défaut sur toutes les applications d'IVPN. IVPN propose également un générateur de configuration WireGuard à utiliser avec les [applications](https://www.wireguard.com/install/) officielles WireGuard. + +#### :material-check:{ .pg-green } Redirection de port + +La [redirection de port](https://fr.wikipedia.org/wiki/Redirection_de_port) est possible avec une offre Pro. La redirection de port [peut être activée](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via l'espace client. La redirection de port n'est disponible sur IVPN que lorsque l'on utilise les protocoles WireGuard ou OpenVPN et est [désactivée sur les serveurs américains](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Clients mobiles + +En plus de fournir des fichiers de configuration OpenVPN standard, IVPN a des clients mobiles pour l'[App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), le [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), et [GitHub](https://github.com/ivpn/android-app/releases) permettant des connexions faciles à leurs serveurs. + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Les clients IVPN prennent en charge l'authentification à deux facteurs (les clients de Mullvad ne le font pas). IVPN propose également la fonctionnalité "[AntiTracker](https://www.ivpn.net/antitracker)", qui bloque les réseaux publicitaires et les traqueurs au niveau du réseau. + +### Mullvad + +!!! recommendation + + ![Logo Mullvad](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** est un VPN rapide et peu coûteux qui met l'accent sur la transparence et la sécurité. Il est en activité depuis **2009**. Mullvad est basé en Suède et n'a pas de période d'essai gratuit. + + [:octicons-home-16: Page d'accueil](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Service onion" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 pays + +Mullvad a des [serveurs dans 41 pays](https://mullvad.net/servers/).(1) Choisir un fournisseur VPN avec un serveur le plus proche de vous réduira la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination. +{ .annotate } + +1. En date du : 2023-01-19 + +Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur VPN d'utiliser des [serveurs dédiés](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9), plutôt que des solutions partagées (avec d'autres clients) moins chères telles que les [serveurs privés virtuels](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9_virtuel). + +#### :material-check:{ .pg-green } Audit indépendant + +Les clients VPN de Mullvad ont été audités par Cure53 et Assured AB dans un rapport de test d'intrusion [publié sur cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Les chercheurs en sécurité ont conclu : + +> Cure53 et Assured AB sont satisfaits des résultats de l'audit et le logiciel laisse une impression générale positive. Grâce au dévouement de l'équipe interne du complexe du VPN Mullvad, les testeurs n'ont aucun doute sur le fait que le projet est sur la bonne voie du point de vue de la sécurité. + +En 2020, un deuxième audit [a été annoncé](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) et le [rapport d'audit final](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) a été publié sur le site web de Cure53 : + +> Les résultats de ce projet de mai-juin 2020 ciblant le complexe de Mullvad sont assez positifs. [...] L'écosystème applicatif utilisé par Mullvad laisse une impression solide et structurée. La structure globale de l'application permet de déployer facilement des correctifs et corrections de manière structurée. Plus que tout, les résultats repérés par Cure53 montrent l'importance d'un audit et d'une réévaluation constante des vecteurs de fuite actuels, afin de toujours garantir la confidentialité des utilisateurs finaux. Ceci étant dit, Mullvad fait un excellent travail en protégeant l'utilisateur final contre les fuites courantes de DCP et les risques liés à la confidentialité. + +En 2021, un audit des infrastructures [a été annoncé](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) et le [rapport d'audit final](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) a été publié sur le site web de Cure53. Un autre rapport a été commandé [en juin 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) et est disponible sur le [site web d'Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Clients open source + +Mullvad fournit le code source pour leurs clients de bureau et mobiles dans leur [organisation GitHub](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepte l'argent liquide et le Monero + +Mullvad, en plus d'accepter les cartes de crédit/débit et PayPal, accepte le Bitcoin, le Bitcoin Cash, **le Monero** et **les espèces/la monnaie locale** comme formes de paiement anonymes. Ils acceptent également Swish et les virements bancaires. + +#### :material-check:{ .pg-green } Prise en charge de WireGuard + +Mullvad prend en charge le protocole WireGuard®. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise une [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant. + +Mullvad [recommande](https://mullvad.net/en/help/why-wireguard/) l'utilisation de WireGuard avec leur service. C'est le protocole par défaut ou le seul sur les applications Android, iOS, macOS et Linux de Mullvad, mais sur Windows, vous devez [activer manuellement](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad propose également un générateur de configuration WireGuard à utiliser avec les [applications](https://www.wireguard.com/install/) officielles WireGuard. + +#### :material-check:{ .pg-green } Prise en charge de l'IPv6 + +Mullvad soutient l'avenir des réseaux [IPv6](https://fr.wikipedia.org/wiki/IPv6). Leur réseau vous permet d'accéder aux [services hébergés sur IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/), contrairement à d'autres fournisseurs qui bloquent les connexions IPv6. + +#### :material-check:{ .pg-green } Redirection de port + +La [redirection de port](https://en.wikipedia.org/wiki/Port_forwarding) est autorisée pour les personnes qui effectuent des paiements ponctuels, mais pas pour les comptes ayant un mode de paiement récurrent ou par abonnement. Ceci afin d'empêcher Mullvad de pouvoir vous identifier sur la base de votre utilisation du port et des informations d'abonnement stockées. Voir [Redirection de port avec Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) pour plus d'informations. + +#### :material-check:{ .pg-green } Clients mobiles + +Mullvad a publié des clients [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) et [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), tous deux avec une interface simple à utiliser plutôt que nécessiter de votre part une configuration manuelle de votre connexion WireGuard. Le client Android est également disponible sur [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Mullvad est très transparent quant aux nœuds qu'il possède [ou qu'il loue](https://mullvad.net/en/servers/). Ils utilisent [ShadowSocks](https://shadowsocks.org/) dans leur configuration ShadowSocks + OpenVPN, ce qui les rend plus résistants aux pare-feux avec de l'[inspection profonde de paquets](https://fr.wikipedia.org/wiki/Deep_packet_inspection) qui tentent de bloquer les VPNs. Il semblerait que [la Chine utilise une méthode différente pour bloquer les serveurs ShadowSocks](https://github.com/net4people/bbs/issues/22). Le site web de Mullvad est également accessible via Tor à l'adresse suivante [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** est un concurrent de poids dans l'espace VPN, et il est en service depuis 2016. Proton AG est basé en Suisse et propose une offre gratuite limitée, ainsi qu'une option premium plus complète. + + [:octicons-home-16: Page d'accueil](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Politique de confidentialité" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Code source" } + + ??? downloads "Téléchargements" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 pays + +Proton VPN a des [serveurs dans 67 pays](https://protonvpn.com/vpn-servers).(1) Choisir un fournisseur VPN avec un serveur le plus proche de vous réduira la latence du trafic réseau que vous envoyez. Cela est dû à un itinéraire plus court (moins de sauts) vers la destination. +{ .annotate } + +1. En date du : 2022-09-16 + +Nous pensons également qu'il est préférable pour la sécurité des clés privées du fournisseur VPN d'utiliser des [serveurs dédiés](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9), plutôt que des solutions partagées (avec d'autres clients) moins chères telles que les [serveurs privés virtuels](https://fr.wikipedia.org/wiki/Serveur_d%C3%A9di%C3%A9_virtuel). + +#### :material-check:{ .pg-green } Audit indépendant + +Depuis janvier 2020, Proton VPN a fait l'objet d'un audit indépendant réalisé par SEC Consult. SEC Consult a trouvé quelques vulnérabilités à risque moyen et faible dans les applications Windows, Android et iOS de Proton VPN, qui ont toutes été "correctement corrigées" par Proton VPN avant la publication des rapports. Aucun des problèmes identifiés n'aurait permis à un attaquant d'accéder à distance à votre appareil ou à votre trafic. Vous pouvez consulter les rapports individuels pour chaque plateforme sur [protonvpn.com](https://protonvpn.com/blog/open-source/). En avril 2022, Proton VPN a fait l'objet d'un [autre audit](https://protonvpn.com/blog/no-logs-audit/) et le rapport a été [produit par Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Une [lettre d'attestation](https://proton.me/blog/security-audit-all-proton-apps) a été fournie pour les applications de Proton VPN le 9 novembre 2021 par [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Clients open source + +Proton VPN fournit le code source de ses clients bureau et mobile dans son [organisation GitHub](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepte l'argent liquide + +Proton VPN, en plus d'accepter les cartes de crédit/débit, PayPal, et [le Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), accepte également **les espèces/la monnaie locale** comme forme de paiement anonyme. + +#### :material-check:{ .pg-green } Prise en charge de WireGuard + +Proton VPN prend principalement en charge le protocole WireGuard®. [WireGuard](https://www.wireguard.com) est un protocole plus récent qui utilise une [cryptographie](https://www.wireguard.com/protocol/) de pointe. De plus, WireGuard vise à être plus simple et plus performant. + +Proton VPN [recommande](https://protonvpn.com/blog/wireguard/) l'utilisation de WireGuard avec leur service. Sur les applications Windows, macOS, iOS, Android, ChromeOS et Android TV de Proton VPN, WireGuard est le protocole par défaut ; cependant, la [prise en charge](https://protonvpn.com/support/how-to-change-vpn-protocols/) du protocole n'est pas présente dans leur application Linux. + +#### :material-alert-outline:{ .pg-orange } Redirection de port + +Proton VPN ne prend actuellement en charge que la [redirection de port](https://protonvpn.com/support/port-forwarding/) sous Windows, ce qui peut avoir un impact sur certaines applications. En particulier les applications pair à pair comme les clients Torrent. + +#### :material-check:{ .pg-green } Clients mobiles + +En plus de fournir des fichiers de configuration OpenVPN standard, Proton VPN a des clients mobiles pour l'[App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), le [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), et [GitHub](https://github.com/ProtonVPN/android-app/releases) permettant des connexions faciles à leurs serveurs. + +#### :material-information-outline:{ .pg-blue } Fonctionnalités supplémentaires + +Les clients VPN de Proton prennent en charge l'authentification à deux facteurs sur toutes les plateformes, sauf Linux pour le moment. Proton VPN possède ses propres serveurs et centres de données en Suisse, en Islande et en Suède. Ils proposent le blocage des publicités et des domaines de logiciels malveillants connus avec leur service DNS. En outre, Proton VPN propose également des serveurs "Tor" vous permettant de vous connecter facilement aux sites onion, mais nous recommandons fortement d'utiliser [le navigateur officiel Tor](https://www.torproject.org/) à cette fin. + +#### :material-alert-outline:{ .pg-orange } La fonction d'arrêt d'urgence ne fonctionne pas sur les Macs à processeur Intel + +Des pannes du système [peuvent se produire](https://protonvpn.com/support/macos-t2-chip-kill-switch/) sur les Mac basés sur Intel lors de l'utilisation de l'arrêt d'urgence du VPN. Si vous avez besoin de cette fonction, et que vous utilisez un Mac avec un chipset Intel, vous devriez envisager d'utiliser un autre service VPN. + +## Critères + +!!! danger "Danger" + + Il est important de noter que l'utilisation d'un fournisseur VPN ne vous rendra pas anonyme, mais qu'elle vous permettra de mieux protéger votre vie privée dans certaines situations. Un VPN n'est pas un outil pour des activités illégales. Ne vous fiez pas à une politique de "non-journalisation". + +**Veuillez noter que nous ne sommes affiliés à aucun des fournisseurs que nous recommandons. Cela nous permet de fournir des recommandations totalement objectives.** En plus de [nos critères standards](about/criteria.md), nous avons développé un ensemble d'exigences claires pour tout fournisseur de VPN souhaitant être recommandé, y compris un chiffrement fort, des audits de sécurité indépendants, une technologie moderne, et plus encore. Nous vous suggérons de vous familiariser avec cette liste avant de choisir un fournisseur VPN, et de mener vos propres recherches pour vous assurer que le fournisseur VPN que vous choisissez est le plus digne de confiance possible. + +### Technologie + +Nous exigeons de tous nos fournisseurs VPN recommandés qu'ils fournissent des fichiers de configuration OpenVPN utilisables dans n'importe quel client. **Si** un VPN fournit son propre client personnalisé, nous exigeons un killswitch pour bloquer les fuites de données du réseau lors de la déconnexion. + +**Minimum pour se qualifier :** + +- Prise en charge de protocoles forts tels que WireGuard & OpenVPN. +- Arrêt d'urgence intégré dans les clients. +- Prise en charge du multi-sauts. Le multi-sauts est important pour garder les données privées en cas de compromission d'un seul noeud. +- Si des clients VPN sont fournis, ils doivent être [open source](https://en.wikipedia.org/wiki/Open_source), comme le logiciel VPN qui y est généralement intégré. Nous pensons que la disponibilité du [code source](https://en.wikipedia.org/wiki/Source_code) offre une plus grande transparence sur ce que fait réellement votre appareil. + +**Dans le meilleur des cas :** + +- Prise en charge de WireGuard et d'OpenVPN. +- Un arrêt d'urgence avec des options hautement configurables (activer/désactiver sur certains réseaux, au démarrage, etc.) +- Clients VPN faciles à utiliser +- Prend en charge [IPv6](https://en.wikipedia.org/wiki/IPv6). Nous nous attendons à ce que les serveurs autorisent les connexions entrantes via IPv6 et vous permettent d'accéder aux services hébergés sur des adresses IPv6. +- La capacité de [redirection de port](https://fr.wikipedia.org/wiki/Redirection_de_port) aide à créer des connexions lors de l'utilisation de logiciels de partage de fichiers P2P ( +נדרשים הרבה [אנשים](https://github.com/privacyguides/privacyguides.org/graphs/contributors) ו[עבודה](https://github.com/privacyguides/privacyguides.org/pulse/monthly) כדי לעדכן את Privacy Guides ולהפיץ את הבשורה על פרטיות ומעקב המוני. אם אתה אוהב את מה שאנחנו עושים, שקול להיות מעורב על ידי [עריכת האתר](https://github.com/privacyguides/privacyguides.org) או [תרומה בתרגום](https://crowdin.com/project/privacyguides). + +אם אתה רוצה לתמוך בנו כלכלית, השיטה הנוחה ביותר עבורנו היא תרומה באמצעות Open Collective, אתר אינטרנט המופעל על ידי המארח הפיסקאלי שלנו. Open Collective מקבל תשלומים באמצעות כרטיס אשראי/חיוב, PayPal והעברות בנקאיות. + +[לתרומה ב - OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +תרומות שנעשו ישירות אלינו ב-Open Collective ניתנות לניכוי מס בדרך כלל בארה"ב, מכיוון שהמארח הפיסקאלי שלנו (The Open Collective Foundation) הוא ארגון רשום 501(c)3. לאחר התרומה תקבלו קבלה מקרן הקולקטיב הפתוח. Privacy Guides אינם מספקים ייעוץ פיננסי, ועליכם ליצור קשר עם יועץ המס שלכם כדי לברר אם זה חל עליכם. + +אם אתה כבר עושה שימוש בחסויות GitHub, אתה יכול גם לתת חסות לארגון שלנו שם. + +[תנו לנו חסות ב-GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## תומכים + +תודה מיוחדת לכל אלה שתומכים במשימה שלנו! :heart: + +*שימו לב: סעיף זה טוען ווידג'ט ישירות מ-Open Collective. סעיף זה אינו משקף תרומות שניתנו מחוץ לקולקטיב הפתוח, ואין לנו שליטה על התורמים הספציפיים המופיעים בסעיף זה.* + + + +## כיצד אנו משתמשים בתרומות + +Privacy Guides הוא ארגון **ללא מטרות רווח **. אנו משתמשים בתרומות למגוון מטרות, כולל: + +**רישומי דומיין** +: + +יש לנו כמה שמות דומיין כמו `privacyguides.org` שעולים לנו בסביבות 10 דולר בשנה כדי לשמור על הרישום שלהם. + +**אחסון אתרים** +: + +התנועה לאתר זה משתמשת במאות גיגה-בייט של נתונים בחודש, אנו משתמשים במגוון ספקי שירותים כדי לעמוד בקצב התנועה הזו. + +**שירותים מקוונים** +: + +אנו מארחים [שירותי אינטרנט](https://privacyguides.net) לבדיקה והצגה של מוצרי פרטיות שונים שאנחנו אוהבים ו[ממליצים](../tools.md) עליהם. חלקם זמינים לציבור לשימוש הקהילה שלנו (SearXNG, Tor וכו '), וחלקם מסופקים עבור חברי הצוות שלנו (דוא"ל וכו '). + +**רכישת מוצרים** +: + +מדי פעם אנו רוכשים מוצרים ושירותים לצורך בדיקת [הכלים המומלצים שלנו](../tools.md). + +אנחנו עדיין עובדים עם המארח הפיסקאלי שלנו (הקרן הקולקטיבית הפתוחה) כדי לקבל תרומות של מטבעות קריפטוגרפיים, כרגע החשבונאות אינה אפשרית להרבה עסקאות קטנות יותר, אבל זה אמור להשתנות בעתיד. בינתיים, אם ברצונך לבצע תרומה גדולה (> $100) של מטבע מוצפן, אנא צור קשר עם [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/he/about/index.md b/i18n/he/about/index.md new file mode 100644 index 00000000..fd9c883f --- /dev/null +++ b/i18n/he/about/index.md @@ -0,0 +1,102 @@ +--- +title: "אודות Privacy Guides" +description: Privacy Guides הוא אתר בעל מוטיבציה חברתית המספק מידע להגנה על אבטחת הנתונים ופרטיותך. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** הוא אתר בעל מוטיבציה חברתית המספק [מידע](/kb) להגנה על אבטחת הנתונים ופרטיותך. המשימה שלך היא ליידע את הציבור על הערך של פרטיות דיגיטלית, ויוזמות ממשלתיות גלובליות שמטרתן לנטר את הפעילות המקוונת שלך. אנחנו קולקטיב ללא מטרות רווח המופעל כולו על ידי [חברי צוות](https://discuss.privacyguides.net/g/team) מתנדבים ותורמים. האתר שלנו נקי מפרסומות ואינו מזוהה עם אף אחד מהספקים הרשומים. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=דף הבית } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="קוד מקור" } +[:octicons-heart-16:](donate.md){ .card-link title=לתרומה } + +> כדי למצוא אפליקציות [אלטרנטיביות ממוקדות פרטיות], בדוק אתרים כמו Good Reports ו-**Privacy Guides**, המפרטים אפליקציות ממוקדות פרטיות במגוון קטגוריות, כולל ספקי אימייל (בדרך כלל בתוכניות בתשלום) שאינן מנוהלות על ידי הגדולים חברות טכנולוגיה. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> אם אתה מחפש VPN חדש, אתה יכול ללכת לקוד ההנחה של כמעט כל פודקאסט. אם אתה מחפש VPN **טוב**, אתה צריך עזרה מקצועית. אותו דבר לגבי לקוחות אימייל, דפדפנים, מערכות הפעלה ומנהלי סיסמאות. איך אתה יודע איזו מבין אלה היא האפשרות הטובה והידידותית ביותר לפרטיות? בשביל זה יש **Privacy Guides**, פלטפורמה שבה מספר מתנדבים מחפשים מדי יום ביומו את הכלים הידידותיים לפרטיות הטובים ביותר לשימוש באינטרנט. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [תורגם מהולנדית] + +מוצג גם ב: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), ו- [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## היסטוריה + +מדריכי הפרטיות הושקו בספטמבר 2021 כהמשך לפרויקט החינוכי "PrivacyTools" [שהוצא](privacytools.md) משימוש בקוד פתוח. זיהינו את החשיבות של המלצות מוצר עצמאיות, ממוקדות קריטריונים וידע כללי במרחב הפרטיות, ולכן היינו צריכים לשמר את העבודה שנוצרה על ידי תורמים רבים מאז 2015 ולוודא כי למידע יש בית יציב באינטרנט ללא הגבלת זמן. + +בשנת 2022, השלמנו את המעבר של מסגרת האתר הראשית שלנו מ-Jekyll ל-MkDocs, באמצעות תוכנת התיעוד `mkdocs-material`. השינוי הזה הפך את תרומות הקוד הפתוח לאתר שלנו לקלות משמעותית עבור זרים, מכיוון שבמקום צורך לדעת תחביר מסובך כדי לכתוב פוסטים בצורה יעילה, התרומה קלה כעת כמו כתיבת מסמך Markdown סטנדרטי. + +בנוסף השקנו את פורום הדיון החדש שלנו בכתובת [discuss.privacyguides.net](https://discuss.privacyguides.net/) כפלטפורמה קהילתית לחלוק רעיונות ולשאול שאלות על המשימה שלנו. זה מגדיל את הקהילה הקיימת שלנו ב-Matrix, והחליף את פלטפורמת הדיונים הקודמת של GitHub שלנו, מה שמפחית את ההסתמכות שלנו על פלטפורמות דיון קנייניות. + +עד כה בשנת 2023 השקנו תרגומים בינלאומיים של האתר שלנו ב[צרפתית](/fr/), [עברית](/he/), וגם [הולנדית](/nl/), שפות נוספות בדרך, התאפשרה על ידי צוות התרגום המצוין שלנו ב-[Crowdin](https://crowdin.com/project/privacyguides). אנו מתכננים להמשיך ולקדם את משימתנו של הסברה וחינוך, למצוא דרכים להדגיש בצורה ברורה יותר את הסכנות של חוסר מודעות לפרטיות בעידן הדיגיטלי המודרני ואת השכיחות והנזקים של פרצות אבטחה בכל תעשיית הטכנולוגיה. + +## הצוות שלנו + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: דף הבית](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: אימייל](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: אימייל](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: דף הבית](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: דף הבית](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +בנוסף, [אנשים רבים](https://github.com/privacyguides/privacyguides.org/graphs/contributors) תרמו לפרויקט. גם אתה יכול, אנחנו בקוד פתוח ב-GitHub ומקבלים הצעות תרגום ב-[Crowdin](https://crowdin.com/project/privacyguides). + +חברי הצוות שלנו בודקים את כל השינויים שבוצעו באתר ומטפלים בתפקידים אדמיניסטרטיביים כגון אירוח אתרים ופיננסים, אולם הם אינם מרוויחים באופן אישי מכל תרומה כלשהי לאתר זה. הדוחות הכספיים שלנו מתארחים באופן שקוף על ידי Open Collective Foundation 501(c)( 3) בכתובת [opencollective.com/privacyguides](https://opencollective.com/privacyguides). תרומות ל-Privacy Guides ניתנות לניכוי מס בדרך כלל בארצות הברית. + +## רישיון אתר + +!!! danger "" + + להלן סיכום הניתן לקריאה על ידי אדם של (ולא תחליף ל) ה-[רישיון](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: אלא אם צוין אחרת, התוכן המקורי באתר זה זמין תחת [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). משמעות הדבר היא שאתה חופשי להעתיק ולהפיץ מחדש את החומר בכל מדיום או פורמט לכל מטרה, אפילו מסחרית; כל עוד אתה נותן קרדיט מתאים ל`Privacy Guides (www.privacyguides.org)` ומספק קישור לרישיון. אתה רשאי לעשות זאת בכל דרך סבירה, אך לא בכל דרך שמציעה שPrivacy Guides מאשרים אותך או את השימוש שלך. אם תערבב מחדש, תשנה או תבנה על התוכן של אתר זה, אינך רשאי להפיץ את החומר שהשתנה. + +רישיון זה נועד למנוע מאנשים לחלוק את עבודתנו מבלי לתת קרדיט מתאים, וכדי למנוע מאנשים לשנות את העבודה שלנו באופן שעלול לשמש כדי להטעות אנשים. אם אתה מוצא את התנאים של רישיון זה מגבילים מדי עבור הפרויקט שאתה עובד עליו, אנא פנה אלינו בכתובת `jonah@privacyguides.org`. אנו שמחים לספק אפשרויות רישוי חלופיות לפרויקטים בעלי כוונות טובות במרחב הפרטיות! diff --git a/i18n/he/about/notices.md b/i18n/he/about/notices.md new file mode 100644 index 00000000..3261902f --- /dev/null +++ b/i18n/he/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "הודעות וכתבי ויתור" +--- + +## הצהרה משפטית + +Privacy Guides אינו משרד עורכי דין. ככזה, אתר Privacy Guides והתורמים אינם מספקים ייעוץ משפטי. החומר וההמלצות באתר ובמדריכים שלנו אינם מהווים ייעוץ משפטי ואף לא תרומה לאתר או תקשורת עם מדריכי פרטיות או תורמים אחרים על האתר שלנו יוצרים יחסי עורך דין-לקוח. + +הפעלת אתר זה, כמו כל מאמץ אנושי, כרוכה בחוסר ודאות ובפשרות. אנו מקווים שהאתר הזה יעזור, אבל הוא עשוי לכלול טעויות ולא יכול לטפל בכל מצב. אם יש לך שאלות כלשהן לגבי מצבך, אנו ממליצים לך לעשות מחקר משלך, לחפש מומחים אחרים ולהשתתף בדיונים עם קהילת Privacy Guides. אם יש לך שאלות משפטיות, עליך להתייעץ עם היועץ המשפטי שלך לפני שתמשיך הלאה. + +Privacy Guides הוא פרויקט קוד פתוח שנתרם לו תחת רישיונות הכוללים תנאים שלצורך הגנה על האתר והתורמים לו, מבהירים שהפרויקט ואתר מדריכי הפרטיות מוצעים "כפי שהם", ללא אחריות, ומתנערים מאחריות עבור נזקים הנובעים משימוש באתר או כל המלצות הכלולות בו. Privacy Guides אינם מתחייבים או מציגים מצגים כלשהם בנוגע לדיוק, התוצאות הסבירות או המהימנות של השימוש בחומרים באתר או הקשורים אחרת לחומרים כאלה באתר או באתרי צד שלישי כלשהם המקושרים באתר זה. + +Privacy Guides בנוסף אינם מתחייבים כי אתר זה יהיה זמין כל הזמן, או זמין בכלל. + +## סקירת רישוי + +!!! danger "" + + להלן סיכום הניתן לקריאה על ידי אדם של (ולא תחליף ל) ה-[רישיון](/license). + +אלא אם צוין אחרת, כל ה**תוכן** באתר זה זמין תחת תנאי הרישיון [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). **קוד המקור** הבסיסי המשמש ליצירת אתר זה ולהצגת תוכן זה משוחרר תחת [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +זה לא כולל קוד של צד שלישי המוטמע במאגר זה, או קוד שבו צוין אחרת רישיון מחליף. להלן דוגמאות בולטות, אך ייתכן שרשימה זו אינה כוללת: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) מורשה תחת רישיון [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* גופן הכותרת של [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) מורשה תחת רישיון [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* הגופן [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) המשמש לרוב הטקסט באתר הינו מורשה בתנאים המפורטים [כאן](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* הגופן [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) המשמש עבור טקסט מונו-רווח באתר הוא מורשה תחת [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +משמעות הדבר היא שאתה יכול להשתמש בתוכן הניתן לקריאה על ידי אדם במאגר זה עבור הפרויקט שלך, לפי התנאים המפורטים בטקסט של Creative Commons Attribution-NoDerivatives 4.0 International Public License. אתה רשאי לעשות זאת בכל דרך סבירה, אך לא בכל דרך שמציעה שPrivacy Guides מאשרים אותך או את השימוש שלך. **אינך רשאי** להשתמש במיתוג Privacy Guides בפרויקט שלך ללא אישור מפורש מפרויקט זה. סימני המסחר של המותג של מדריכי הפרטיות כוללים את סימן המילה "Privacy Guides" ואת לוגו המגן. + +אנו מאמינים שסמלי הלוגו ותמונות אחרות ב`נכסים` המתקבלים מספקי צד שלישי הם נחלת הכלל או ב**שימוש הוגן**. על קצה המזלג, [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) החוקית יכולה להשתמש בתמונות המוגנות בזכויות יוצרים על מנת לזהות את הנושא לצורך הערות הציבור. עם זאת, ייתכן שסמלים אלה ותמונות אחרות עדיין יהיו כפופות לחוקי סימנים מסחריים בתחומי שיפוט אחד או יותר. לפני השימוש בתוכן זה, אנא ודא שהוא משמש לזיהוי הישות או הארגון המחזיקים בסימן המסחרי וכי יש לך את הזכות להשתמש בו לפי החוקים החלים בנסיבות השימוש המיועד שלך. *בעת העתקת תוכן מאתר זה, אתה האחראי הבלעדי לוודא שאינך מפר סימן מסחרי או זכויות יוצרים של מישהו אחר.* + +כאשר אתה תורם לאתר שלנו אתה עושה זאת תחת הרישיונות הנ"ל, ואתה מעניק ל-Privacy Guides רישיון תמידי, כלל עולמי, לא בלעדי, ניתן להעברה, ללא תמלוגים, בלתי חוזר עם הזכות לתת רישיון משנה לזכויות כאלה באמצעות שכבות מרובות של בעלי רישיונות משנה., לשכפל, לשנות, להציג, לבצע ולהפיץ את התרומה שלך כחלק מהפרויקט שלנו. + +## שימוש מקובל + +אין להשתמש באתר זה בכל דרך שגורמת או עלולה לגרום נזק לאתר או פגיעה בזמינות או נגישותם של מדריכי הפרטיות, או בכל דרך שהיא בלתי חוקית, בלתי חוקית, הונאה, מזיקה, או בקשר לכל לא חוקי, מטרה או פעילות בלתי חוקית, הונאה או מזיקה. + +אין לערוך פעילויות איסוף נתונים שיטתיות או אוטומטיות באתר זה או ביחס אליו ללא הסכמה מפורשת בכתב, לרבות: + +* סריקות אוטומטיות מוגזמות +* התקפות מניעת שירות +* גירוד +* כריית נתונים +* 'מסגור' (IFrames) + +--- + +*חלקים מההודעה הזו עצמה אומצו מ [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) ב- GitHub. משאב זה והדף עצמו משוחררים תחת [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/he/about/privacy-policy.md b/i18n/he/about/privacy-policy.md new file mode 100644 index 00000000..5571577e --- /dev/null +++ b/i18n/he/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "מדיניות פרטיות" +--- + +Privacy Guides הוא פרויקט קהילתי המופעל על ידי מספר תורמים מתנדבים פעילים. הרשימה הציבורית של חברי הצוות נמצא [ב - GitHub](https://github.com/orgs/privacyguides/people). + +## נתונים שאנו אוספים ממבקרים + +הפרטיות של המבקרים באתר שלנו חשובה לנו, לכן איננו עוקבים אחר אנשים בודדים. כמבקר באתר שלנו: + +- לא נאסף מידע אישי +- לא מאוחסן בדפדפן מידע כגון עוגיות +- אין מידע משותף עם, שנשלח או נמכר לצדדים שלישיים +- אין שיתוף מידע עם חברות פרסום +- שום מידע לא נכרה ונקצר עבור מגמות אישיות והתנהגותיות +- שום מידע אינו מפיק רווחים + +תוכל לצפות בנתונים שאנו אוספים בדף ה[סטטיסטיקה](statistics.md) שלנו. + +אנו מפעילים התקנה באחסון עצמי של [Plausible Analytics](https://plausible.io) כדי לאסוף נתוני שימוש אנונימיים למטרות סטטיסטיות. המטרה היא לעקוב אחר מגמות כוללות בתנועה באתר שלנו, זה לא לעקוב אחר מבקרים בודדים. כל הנתונים הם במצטבר בלבד. לא נאספים נתונים אישיים. + +הנתונים שנאספו כוללים את מקורות ההפניה, הדפים העליונים, משך הביקור, מידע מהמכשירים (סוג המכשיר, מערכת ההפעלה, המדינה והדפדפן) שבהם נעשה שימוש במהלך הביקור ועוד. ניתן לקבל מידע נוסף על האופן שבו מתקבל על הדעת ואוסף מידע באופן שמכבד פרטיות [כאן](https://plausible.io/data-policy). + +## נתונים שאנו אוספים מבעלי חשבונות + +באתרים ובשירותים מסוימים שאנו מספקים, תכונות רבות עשויות לדרוש חשבון. לדוגמה, ייתכן שחשבון יידרש לפרסם ולהשיב לנושאים בפלטפורמת פורום. + +כדי להירשם לרוב החשבונות, נאסוף שם, שם משתמש, אימייל וסיסמה. במקרה שאתר דורש יותר מידע מאשר רק נתונים אלה, זה יסומן באופן ברור ויצוין בהצהרת פרטיות נפרדת לכל אתר. + +אנו משתמשים בנתוני החשבון שלך כדי לזהות אותך באתר וליצור דפים ספציפיים לך, כגון דף הפרופיל שלך. אנחנו גם נשתמש בנתוני החשבון שלך כדי לפרסם פרופיל ציבורי עבורך בשירותים שלנו. + +אנו משתמשים בדוא"ל שלך כדי: + +- להודיע לך על פוסטים ופעילות אחרת באתרים או בשירותים. +- אפס את הסיסמא שלך ועזור לשמור על אבטחת החשבון שלך. +- ליצור עמך קשר בנסיבות מיוחדות הקשורות לחשבון שלך. +- פנה אליך בנוגע לבקשות משפטיות, כגון בקשות הסרה של DMCA. + +באתרים ובשירותים מסוימים תוכל לספק מידע נוסף עבור חשבונך, כגון ביוגרפיה קצרה, אווטאר, המיקום שלך או תאריך הלידה שלך. אנו הופכים מידע זה לזמין לכל מי שיכול לגשת לאתר או לשירות המדובר. מידע זה אינו נדרש כדי להשתמש באף אחד מהשירותים שלנו וניתן למחוק אותו בכל עת. + +אנו נאחסן את נתוני החשבון שלך כל עוד חשבונך יישאר פתוח. לאחר סגירת חשבון, אנו עשויים לשמור חלק מנתוני החשבון שלך או את כולם בצורה של גיבויים או ארכיונים למשך עד 90 יום. + +## יצירת קשר + +לצוות Privacy Guides אין בדרך כלל גישה לנתונים אישיים מחוץ לגישה מוגבלת הניתנת דרך חלק מלוחות הניהול. פניות בנוגע למידע האישי שלך יש לשלוח ישירות אל: + +```text +Jonah Aragon +מנהל שירותים +jonah@privacyguides.org +``` + +לכל השאלות האחרות, ניתן ליצור קשר עם כל חבר בצוות שלנו. + +עבור תלונות במסגרת GDPR באופן כללי יותר, אתה יכול להגיש תלונות לרשויות הפיקוח המקומיות על הגנת הנתונים שלך. בצרפת זו הנציבות הלאומית למידע אינפורמטיקה וחופשיות שמטפלת ומטפלת בתלונות. הם מספקים [תבנית מכתב תלונה](https://www.cnil.fr/en/plaintes) לשימוש. + +## אודות מדיניות זו + +אנו נפרסם גרסאות חדשות של הצהרה זו [כאן](privacy-policy.md). אנו עשויים לשנות את האופן שבו אנו מכריזים על שינויים בגרסאות עתידיות של מסמך זה. בינתיים אנו עשויים לעדכן את פרטי הקשר שלנו בכל עת מבלי להודיע על שינוי. אנא עיין ב[מדיניות הפרטיות](privacy-policy.md) לקבלת הפרטים העדכניים ביותר ליצירת קשר בכל עת. + +ניתן למצוא גרסה מלאה של [היסטוריה](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) של דף זה ב-GitHub. diff --git a/i18n/he/about/privacytools.md b/i18n/he/about/privacytools.md new file mode 100644 index 00000000..a63dfb96 --- /dev/null +++ b/i18n/he/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "שאלות נפוצות PrivacyTools" +--- + +# למה עברנו מ - PrivacyTools + +בספטמבר 2021, כל תורם פעיל הסכים פה אחד לעבור מ- PrivacyTools לעבודה באתר זה: Privacy Guides. החלטה זו התקבלה מכיוון שהמייסד והבקר של PrivacyTools על שם הדומיין נעלם לתקופה ממושכת ולא ניתן היה ליצור איתו קשר. + +לאחר שבנה אתר מכובד ומערכת של שירותים על PrivacyTools.io, זה גרם לדאגות חמורות לעתיד של PrivacyTools, כמו כל הפרעה עתידית יכולה לחסל את הארגון כולו ללא שיטת התאוששות. המעבר הזה הועבר לקהילת ה - PrivacyTools חודשים רבים מראש באמצעות מגוון ערוצים, כולל הבלוג שלה, טוויטר, רדיט ו - ומסטודון, כדי להבטיח שהתהליך כולו יעבור בצורה חלקה ככל האפשר. עשינו זאת כדי להבטיח שאף אחד לא יישמר באפלה, שהייתה דרך הפעולה שלנו מאז שנוצר הצוות שלנו, וכדי לוודא שמדריכי הפרטיות הוכרו כאותו ארגון אמין ש - PrivacyTools היה לפני המעבר. + +לאחר שהמהלך הארגוני הושלם, המייסד של PrivacyTools חזר והחל להפיץ מידע מוטעה על פרויקט מדריכי הפרטיות (Privacy Guides). הם ממשיכים להפיץ מידע מוטעה בנוסף להפעלת חוות קישורים בתשלום בדומיין PrivacyTools. אנו יוצרים דף זה כדי להבהיר את כל התפיסות המוטעות. + +## מה זה PrivacyTools? + +PrivacyTools נוצרה בשנת 2015 על ידי "BurungHantu", שרצתה ליצור משאב מידע על פרטיות - כלים מועילים בעקבות גילויי סנודן. האתר צמח לפרויקט קוד פתוח משגשג עם [תורמים רבים](https://github.com/privacytools/privacytools.io/graphs/contributors), חלקם קיבלו בסופו של דבר אחריות ארגונית שונה, כגון הפעלת שירותים מקוונים כמו מטריקס ומסטודון, ניהול ובדיקה של שינויים באתר ב- GitHub, מציאת נותני חסות לפרויקט, כתיבת פוסטים בבלוגים והפעלת פלטפורמות הסברה למדיה חברתית כמו טוויטר וכו '. + +החל משנת 2019, BurungHantu התרחק יותר ויותר מהפיתוח הפעיל של האתר והקהילות, והחל לעכב תשלומים שהוא היה אחראי עליהם הקשורים לשרתים שהפעלנו. כדי להימנע מכך שמנהל המערכת שלנו ישלם את עלויות השרת מכיסו הפרטי, שינינו את שיטות התרומה המפורטות באתר מחשבונות PayPal והקריפטו האישיים של BurungHantu לדף OpenCollective חדש ב- [אוקטובר 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). היו לכך יתרונות נוספים של הפיכת הכספים שלנו לשקופים לחלוטין, ערך שאנו מאמינים בו מאוד, ופטורים ממס בארצות הברית, מכיוון שהם הוחזקו על ידי הקרן הקולקטיבית הפתוחה 501(c)3. שינוי זה הוסכם פה אחד על ידי הקבוצה ועבר ללא עוררין. + +## למה המשכנו הלאה + +בשנת 2020, היעדרותו של BurungHantu גדלה הרבה יותר מורגשת. בשלב מסוים, נדרשנו לשנות את שרתי השמות של הדומיין לשרתי השמות הנשלטים על ידי מנהל המערכת שלנו כדי להימנע משיבושים עתידיים, ושינוי זה הושלם רק חודש לאחר הבקשה הראשונית. הוא היה נעלם מחדרי הצ'אט הציבורי והצ'אט של הצוות הפרטי במטריקס במשך חודשים בכל פעם, מדי פעם צץ כדי לתת משוב קטן או להבטיח להיות פעיל יותר לפני שייעלם שוב. + +באוקטובר 2020, מנהל מערכת PrivacyTools (Jonah) [עזב](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) הפרויקט בגלל קשיים אלה, והעביר את השליטה לתורם ותיק אחר. Jonah הפעיל כמעט כל שירות של PrivacyTools ושימש *דה פקטו* כמוביל פרויקט לפיתוח אתרים בהיעדרו של BurungHantu, ולכן עזיבתו הייתה שינוי משמעותי בארגון. בזמנו, בגלל השינויים הארגוניים המשמעותיים הללו, הבטיח BurungHantu לצוות הנותר שהוא יחזור לקחת פיקוד על הפרויקט בהמשך. ==צוות PrivacyTools פנה באמצעות מספר שיטות תקשורת במהלך החודשים הבאים, אך לא קיבל כל תגובה.== + +## הסתמכות על שם דומיין + +בתחילת 2021, צוות PrivacyTools הגביר את הדאגה לגבי עתיד הפרויקט, מכיוון ששם הדומיין היה אמור לפוג ב-1 במרץ 2021. הדומיין חודש בסופו של דבר על ידי BurungHantu ללא תגובה. + +החששות של הצוות לא טופלו, והבנו שזו תהיה בעיה בכל שנה: אם הדומיין היה פג הוא היה מאפשר לגנוב אותו על ידי פולשים או ספאמרים, ובכך להרוס את המוניטין של הארגון. כמו כן, לא היינו מצליחים ליצור קשר עם הקהילה כדי להודיע להם על מה שהתרחש. + +מבלי ליצור קשר עם BurungHantu, החלטנו שדרך הפעולה הטובה ביותר תהיה לעבור לדומיין חדש בזמן שעדיין הייתה לנו שליטה מובטחת על הדומיין הישן, מתישהו לפני מרץ 2022. כך נוכל להפנות באופן נקי את כל משאבי ה - PrivacyTools לאתר החדש ללא כל הפרעה בשירות. החלטה זו התקבלה חודשים רבים מראש והועברה לכל הצוות בתקווה שבורונגהאנטו ייצור קשר ויבטיח את המשך תמיכתו בפרויקט, מכיוון שעם שם מותג מוכר וקהילות גדולות באינטרנט, ההתרחקות מ -" PrivacyTools "הייתה התוצאה הפחות רצויה האפשרית. + +באמצע שנת 2021 צוות PrivacyTools פנה לJonah, שהסכים להצטרף מחדש לצוות כדי לעזור במעבר. + +## קריאה לקהילה לפעולה + +בסוף יולי 2021, אנחנו [הודענו](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) לקהילת PrivacyTools של הכוונה שלנו לבחור שם חדש ולהמשיך את הפרויקט על דומיין חדש, להיות [נבחר](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) ב-2 אוגוסט 2022. בסופו של דבר, "מדריכי פרטיות" נבחר,`privacyguides.org` כאשר הדומיין כבר היה בבעלות יונה(Jonah) לפרויקט צדדי משנת 2020 שלא פותח. + +## שליטה ב - r/privacytoolsIO + +במקביל לבעיות המתמשכות באתר האינטרנט של privacytools.io, צוות המודים r/privacytoolsIO התמודד עם אתגרים בניהול הסאב רדיט (subreddit). הסאב - רדיט תמיד הופעל באופן עצמאי מפיתוח האתר, אך BurungHantu היה גם המנחה הראשי של הסאב - רדיט, והוא היה המנחה היחיד שקיבל הרשאות "שליטה מלאה ". u/trai_dep היה המנחה הפעיל היחיד באותה תקופה, and [פורסם](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) בקשה למנהלי Reddit ב-28 ביוני 2021, בבקשה לקבל את תפקיד המנחה הראשי והרשאות שליטה מלאה, על מנת לבצע את השינויים הדרושים ב- Subreddit. + +Reddit דורש כי subreddits יהיו מנחים פעילים. אם המנחה הראשי אינו פעיל במשך תקופה ארוכה (כגון שנה) ניתן למנות מחדש את מנחה הראשי בתור. כדי שבקשה זו תיענה, בורונגהאנטו (BurungHantu) היה חייב להיעדר לחלוטין מכל פעילות Reddit למשך תקופה ארוכה, דבר שעלה בקנה אחד עם התנהגותו בפלטפורמות אחרות. + +> אם הוסרת בתור מנחה מ - subreddit באמצעות בקשה ל Reddit, זה בגלל שחוסר התגובה שלך וחוסר הפעילות שלך הכשירו את ה - subreddit להעברת r/redditrequest. +> +> r/redditrequest היא הדרך של Reddit לוודא שלקהילות יש מנחים פעילים והיא חלק מ [הקוד התנהגות של מנחה](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## תחילת המעבר + +ב -14 בספטמבר 2021, הכרזנו [:](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) על תחילת ההגירה שלנו לדומיין חדש זה: + +> [...] מצאנו צורך לבצע את ההחלפה מוקדם מאשר מאוחר כדי להבטיח שאנשים יגלו על המעבר הזה בהקדם האפשרי. זה נותן לנו מספיק זמן כדי להעביר את שם הדומיין, שכרגע מפנה ל - www.privacyguides.org, ובתקווה נותן לכולם מספיק זמן להבחין בשינוי, לעדכן סימניות ואתרים וכו '. + +השינוי [כרוך:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- מפנה את www.privacytools.io אל [www.privacyguides.org](https://www.privacyguides.org). +- אחסון קוד המקור בארכיון ב- GitHub כדי לשמר את העבודה הקודמת שלנו ואת מעקב הבעיות שלנו, שבו המשכנו להשתמש במשך חודשים של פיתוח עתידי של אתר זה. +- פרסום הודעות ב - subreddit שלנו ובקהילות שונות אחרות המודיעות לאנשים על השינוי הרשמי. +- סגירה רשמית של שירותי privacytools.io, כמו Matrix ו - Mastodon, ועידוד משתמשים קיימים לעבור בהקדם האפשרי. + +נראה שהדברים מתנהלים בצורה חלקה, ורוב הקהילה הפעילה שלנו עברה לפרויקט החדש שלנו בדיוק כפי שקיווינו. + +## בעקבות האירועים + +בערך שבוע לאחר המעבר, BurungHantu חזר לאינטרנט בפעם הראשונה מזה כמעט שנה, אולם אף אחד בצוות שלנו לא היה מוכן לחזור ל- PrivacyTools בגלל חוסר האמינות ההיסטורי שלו. במקום להתנצל על היעדרותו הממושכת, הוא מיד יצא להתקפה ומיצב את המעבר למדריכי פרטיות כהתקפה נגדו ונגד הפרויקט שלו. לאחר מכן הוא[ מחק ](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) רבים מהפוסטים הללו כאשר צוין על ידי הקהילה כי הוא נעדר ונטש את הפרויקט. + +בשלב זה, BurungHantu טען שהוא רוצה להמשיך לעבוד על privacytools.io בכוחות עצמו וביקש שנסיר את ההפניה מ- www.privacytools.io ל-[www.privacyguides.org](https://www.privacyguides.org). אנו מחויבים ומבקשים ממנו לשמור על תת - הדומיינים של Matrix, Mastodon ו - Peer YouTube פעילים כדי שנוכל להפעיל כשירות ציבורי לקהילה שלנו למשך מספר חודשים לפחות, כדי לאפשר למשתמשים בפלטפורמות אלה לעבור בקלות לחשבונות אחרים. בשל האופי הפדרלי של השירותים שסיפקנו, הם היו קשורים לשמות דומיין ספציפיים, דבר שהקשה מאוד על ההעברה (ובמקרים מסוימים בלתי אפשרי). + +לצערנו, מכיוון שהשליטה ב - r/privacytoolsIO subreddit לא הוחזרה לבורונגהאנטו על פי דרישתו (מידע נוסף בהמשך), סאב-דומיינים אלה נותקו [](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) בתחילת אוקטובר, ובכך הסתיימו כל אפשרויות ההעברה למשתמשים שעדיין משתמשים בשירותים אלה. + +בעקבות זאת, BurungHantu עשה האשמות שווא על Jonah כדי לגנוב תרומות מהפרויקט. לBurungHantu הייתה יותר משנה מאז האירוע לכאורה, אך הוא מעולם לא הודיע על כך לאיש עד לאחר העברת מדריכי הפרטיות. בורונגהאנטו התבקש שוב ושוב להוכיח ולהגיב על הסיבה לשתיקתו על ידי הקבוצה [והקהילה](https://twitter.com/TommyTran732/status/1526153536962281474), ולא עשה זאת. + +BurungHantu גם עשה פוסט טוויטר בטענה כי "עורך דין" פנה אליו בטוויטר והיה מתן ייעוץ, בניסיון נוסף להציק לנו לתת לו שליטה על ה subreddit שלנו, וכחלק ממסע ההכפשה שלו למי בוץ סביב ההשקה של מדריכי פרטיות תוך התחזות לקורבן. + +## PrivacyTools.io עכשיו + +נכון ל -25 בספטמבר 2022, אנו רואים שהתוכניות הכוללות של BurungHantu מתגשמות ב - privacytools.io, וזו בדיוק הסיבה שהחלטנו ליצור את הדף המסביר את זה היום. האתר שהוא מפעיל נראה כגרסה מותאמת SEO של האתר שממליצה על כלים בתמורה לפיצוי כספי. לאחרונה, IVPN ו - Mullvad, שני ספקי VPN כמעט - באופן אוניברסלי [המומלצים](../vpn.md) על ידי קהילת הפרטיות וראוי לציון על עמדתם נגד תוכניות שותפים הוסרו מ PrivacyTools. במקומם? NordVPN, ‏ Surfshark, ‏ Express_end} ו - hide.me; תאגידי VPN ענקיים עם פלטפורמות ונהלים עסקיים לא אמינים, הידועים לשמצה בזכות השיווק האגרסיבי שלהם ותוכניות השותפים שלהם. + +==**PrivacyTools הפך בדיוק לסוג האתר [שהזהרנו מפניו](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) בבלוג PrivacyTools ב-2019 blog in 2019.**== ניסינו לשמור על מרחק מ-PrivacyTools מאז המעבר, אבל ההטרדה המתמשכת שלהם כלפי הפרויקט שלנו ועכשיו הניצול האבסורדי שלהם את האמינות שהמותג שלהם זכה לה במשך 6 שנים של תרומות קוד פתוח מטריד אותנו מאוד. אלה מאיתנו שנלחמים למען הפרטיות לא נלחמים אחד נגד השני, ולא מקבלים את עצתנו מהמציע הגבוה ביותר. + +## r/privacytoolsIO עכשיו + +לאחר השקת [r/privacyGuides](https://www.reddit.com/r/privacyguides), זה לא היה מעשי עבור u/trai_dep להמשיך ולנהל את שתי subreddits, ועם הקהילה על לוח המעבר, r/privacytoolsIO [יצר](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) הגבלה על הסאב ופוסט ב -1 בנובמבר, 2021: + +> [...] הצמיחה של הסאב הזה הייתה תוצאה של מאמץ רב, לאורך מספר שנים, על ידי צוות privacyGuides.org. ועל ידי כל אחד מכם. +> +> Subreddit הוא עבודה רבה לאדמינים ולמודים. כמו גינה, היא דורשת טיפול סבלני וטיפול יומיומי. זו לא משימה עבור חובבנים או אנשים מאותגרים במחויבות. הוא לא יכול לשגשג תחת גנן שנוטש אותו לכמה שנים, ואז מופיע ודורש את היבול של השנה כמחווה בשבילם. זה לא הוגן כלפי הקבוצה שנוצרה לפני שנים. זה לא הוגן כלפיך. [...] + +Subreddits אינם שייכים לאף אחד, והם במיוחד לא שייכים לבעלי מותג. הם שייכים לקהילות שלהם, והקהילה ומנהליה החליטו לתמוך במעבר ל - r/PrivacyGuides. + +בחודשים שחלפו מאז, BurungHantu איים והתחנן להחזרת שליטה subreddit לחשבונו ב [הפרה](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) של כללי Reddit: + +> נקמה מכל מנחה בנוגע לבקשות הסרה אסורה. + +עבור קהילה עם אלפים רבים של מנויים שנותרו, אנו מרגישים שזה יהיה מאוד לא מכובד להחזיר את השליטה בפלטפורמה המסיבית לאדם שנטש אותה במשך יותר משנה, וכיום מפעיל אתר שלדעתנו מספק מידע באיכות נמוכה מאוד. שימור השנים של דיונים קודמים בקהילה זו חשוב לנו יותר, ולכן u/trai_dep ושאר צוות המתינות של ה subreddit קיבל את ההחלטה לשמור על r/privacytoolsIO כפי שהוא. + +## OpenCollective עכשיו + +פלטפורמת גיוס הכספים שלנו, OpenCollective, היא מקור נוסף למחלוקת. עמדתנו היא כי OpenCollective הוקמה על ידי הצוות שלנו ומנוהלת על ידי הצוות שלנו כדי לממן שירותים שאנו מפעילים כיום ואשר PrivacyTools כבר לא עושה. [פנינו](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) לכל התורמים שלנו בנוגע למעבר שלנו למדריכי פרטיות, וקיבלנו תמיכה פה אחד מהספונסרים והקהילה שלנו. + +לפיכך, הכספים ב - OpenCollective שייכים למדריכי פרטיות, הם ניתנו לפרויקט שלנו, ולא לבעלים של דומיין ידוע. בהודעה שניתנה לתורמים ב -17 בספטמבר 2021, הצענו החזרים לכל תורם שלא מסכים עם העמדה שנקטנו, אבל אף אחד לא קיבל את ההצעה הזו: + +> אם נותני החסות או התומכים לא מסכימים עם האירועים האחרונים האלה או מרגישים שהוטעו על ידם ורוצים לבקש החזר כספי בנסיבות חריגות אלה, יש ליצור קשר עם מנהל הפרויקט שלנו על ידי שליחת אימייל לכתובת jonah@triplebit.net. + +## קריאה נוספת + +נושא זה נדון בהרחבה בקהילותינו במקומות שונים, ונראה כי רוב האנשים הקוראים דף זה כבר מכירים את האירועים שהובילו למעבר למדריכי הפרטיות. חלק מהפוסטים הקודמים שלנו בעניין עשויים לכלול פרטים נוספים שהשמטנו כאן לקיצור. הקישורים למטה למען ההשלמה. + +- [28 ביוני 2021 בקשה לשליטה ב - r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 ביולי 2021 הודעה על כוונותינו לעבור לבלוג PrivacyTools, נכתב על ידי הצוות](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 בספטמבר 2021 הודעה על תחילת המעבר שלנו למדריכי פרטיות ב - r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [17 בספטמבר 2021 הכרזה על OpenCollective מאת Jona](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 בספטמבר 2021 שרשור טוויטר המפרט את רוב האירועים המתוארים כעת בדף זה](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1 באוקטובר 2021 פוסט מאת u/dng99 שציין כשל בתת - דומיין](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 באפריל 2022 תגובה מאת u/dng99 לפוסט ההאשמות של PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 במאי 2022 מענה @TommyTran732 בטוויטר](https://twitter.com/TommyTran732/status/1526153497984618496) +- [ספטמבר 3, 2022 פוסט על הפורום של Techlore על ידי @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/he/about/services.md b/i18n/he/about/services.md new file mode 100644 index 00000000..ef8357cf --- /dev/null +++ b/i18n/he/about/services.md @@ -0,0 +1,38 @@ +# שירותי Privacy Guides + +אנו מפעילים מספר שירותי אינטרנט כדי לבדוק תכונות ולקדם פרויקטים מגניבים מבוזרים, מאוחדים ו/או בקוד פתוח. רבים מהשירותים הללו זמינים לציבור והם מפורטים להלן. + +[:material-comment-alert: דווח על בעיה](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- דומיין: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- זמינות: ציבורית +- מקור: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- דומיין: [code.privacyguides.dev](https://code.privacyguides.dev) +- זמינות: להזמנה בלבד + ניתן להעניק גישה לפי בקשה לכל צוות שעובד על פיתוח או תוכן הקשורים ל*Privacy Guides*. +- מקור: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- דומיין: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- זמינות: להזמנה בלבד + ניתן להעניק גישה על פי בקשה לחברי צוות Privacy Guides, מנהלי Matrix, מנהלי קהילת Matrix של צד שלישי, מפעילי בוטים של Matrix ואנשים אחרים הזקוקים לנוכחות אמינה של Matrix. +- מקור: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- דומיין: [search.privacyguides.net](https://search.privacyguides.net) +- זמינות: ציבורית +- מקור: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- דומיין: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- זמינות: חצי ציבורי + אנו מארחים את Invidious בעיקר כדי להגיש סרטוני YouTube משובצים באתר האינטרנט שלנו, מופע זה אינו מיועד לשימוש כללי ועשוי להיות מוגבל בכל עת. +- מקור: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/he/about/statistics.md b/i18n/he/about/statistics.md new file mode 100644 index 00000000..d59eac11 --- /dev/null +++ b/i18n/he/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: סטטיסטיקת תנועה +--- + +## סטטיסטיקה לאתר + + +
סטטיסטיקה מופעלת על ידי Plausible Analytics
+ + + + +## סטטיסטיקת בלוג + + +
סטטיסטיקה מופעלת על ידי Plausible Analytics
+ + + diff --git a/i18n/he/advanced/communication-network-types.md b/i18n/he/advanced/communication-network-types.md new file mode 100644 index 00000000..a1f62c45 --- /dev/null +++ b/i18n/he/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "סוגי רשתות תקשורת" +icon: 'material/transit-connection-variant' +description: סקירה כללית של מספר ארכיטקטורות רשת הנפוצות בשימוש יישומי הודעות מיידיות. +--- + +ישנן מספר ארכיטקטורות רשת הנפוצות להעברת הודעות בין אנשים. רשתות אלו יכולות לספק הבטחות פרטיות שונות, וזו הסיבה שכדאי לקחת בחשבון את [מודל האיום](../basics/threat-modeling.md) שלך בעת ההחלטה באיזו אפליקציה להשתמש. + +[מסנג'רים (הודעות מיידיות) מומלצות](../real-time-communication.md ""){.md-button} + +## רשתות מרכזיות + +![דיאגרמת רשתות מרכזיות](../assets/img/layout/network-centralized.svg){ align=left } + +מסנג'רים מרכזיים הם אלה שבהם כל המשתתפים נמצאים באותו שרת או רשת של שרתים הנשלטים על ידי אותו ארגון. + +כמה מהמסנג'רים שמאפשרים לך באחסון עצמי להגדיר שרת משלך. אירוח עצמי יכול לספק הבטחות פרטיות נוספות, כגון ללא יומני שימוש או גישה מוגבלת למטא נתונים (נתונים על מי מדבר עם מי). מסנג'רים מרכזיים המתארחים בעצמם מבודדים וכולם חייבים להיות באותו שרת כדי לתקשר. + +**יתרונות:** + +- ניתן ליישם תכונות ושינויים חדשים מהר יותר. +- קל יותר להתחיל איתו ולמצוא אנשי קשר. +- רוב הבוגרות והיציבות כוללות מערכות אקולוגיות, מכיוון שקל יותר לתכנת אותן בתוכנה מרכזית. +- בעיות פרטיות עשויות להצטמצם כאשר אתה סומך על שרת שאתה מארח בעצמך. + +**חסרונות:** + +- יכול לכלול <[שליטה או גישה מוגבלת](https://drewdevault.com/2018/08/08/Signal.html). זה יכול לכלול דברים כמו: +- [אסור לחבר לקוחות צד שלישי](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) לרשת הריכוזית שעשויה לספק התאמה אישית גדולה יותר או חוויה טובה יותר. לרוב מוגדר בתנאים והגבלות של שימוש. +- תיעוד לקוי או ללא תיעוד עבור מפתחי צד שלישי. +- [הבעלות](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), מדיניות הפרטיות והתפעול של השירות יכול להשתנות בקלות כאשר ישות יחידה שולטת בו, ועלולה לסכן את השירות מאוחר יותר. +- אירוח עצמי דורש מאמץ וידע כיצד להקים שירות. + +## רשתות פדרציה + +![דיאגרמת רשתות מאוחדות](../assets/img/layout/network-decentralized.svg){ align=left } + +מסנג'רים מאוחדים משתמשים במספר שרתים עצמאיים מבוזרים המסוגלים לדבר זה עם זה (אימייל הוא דוגמה אחת לשירות מאוחד). הפדרציה מאפשרת למנהלי מערכת לשלוט בשרת שלהם ועדיין להיות חלק מרשת התקשורת הגדולה יותר. + +כאשר הם באירוח עצמי, חברי שרת מאוחד יכולים לגלות ולתקשר עם חברים בשרתים אחרים, אם כי שרתים מסוימים עשויים לבחור להישאר פרטיים על ידי שהם לא מאוחדים (למשל, שרת צוות עבודה). + +**יתרונות:** + +- מאפשר שליטה רבה יותר על הנתונים שלך בעת הפעלת השרת שלך. +- מאפשר לך לבחור עם מי לסמוך על הנתונים שלך על ידי בחירה בין מספר שרתים "ציבוריים ". +- לעתים קרובות מאפשר לקוחות צד שלישי שיכולים לספק חוויה מקורית, מותאמת אישית או נגישה יותר. +- ניתן לאמת שתוכנת השרת תואמת לקוד המקור הציבורי, בהנחה שיש לך גישה לשרת או שאתה בוטח באדם שעושה זאת (למשל, בן משפחה). + +**חסרונות:** + +- הוספת תכונות חדשות היא מורכבת יותר מכיוון שיש לתקנן ולבדוק תכונות אלה כדי להבטיח שהן פועלות עם כל השרתים ברשת. +- בשל הנקודה הקודמת, תכונות יכולות להיות חסרות, או לא שלמות או לעבוד בדרכים בלתי צפויות בהשוואה לפלטפורמות מרכזיות, כגון העברת הודעות במצב לא מקוון או מחיקת הודעות. +- מטא נתונים מסוימים עשויים להיות זמינים (לדוגמה, מידע כמו "מי מדבר עם מי", אך לא תוכן הודעה בפועל אם נעשה שימוש ב-E2EE). +- שרתים מאוחדים דורשים בדרך כלל לתת אמון במנהל השרת שלך. הם עשויים להיות חובבים או לא "מקצוענים באבטחה" ועשויים שלא להגיש מסמכים סטנדרטיים כמו מדיניות פרטיות או תנאי שירות המפרטים את אופן השימוש בנתונים שלך. +- מנהלי שרתים בוחרים לפעמים לחסום שרתים אחרים, המהווים מקור להתעללות בלתי מנוונת או לשבור כללים כלליים של התנהגות מקובלת. זה יפריע ליכולת שלך לתקשר עם חברי שרתים אלה. + +## רשתות עמית לעמית + +![דיאגרמת P2P](../assets/img/layout/network-distributed.svg){ align=left } + +מסנג'רים P2P מתחברים ל[רשת מבוזרת](https://en.wikipedia.org/wiki/Distributed_networking) של צמתים כדי להעביר הודעה לנמען ללא שרת של צד שלישי. + +לקוחות (עמיתים) מוצאים זה את זה בדרך כלל באמצעות [רשת מחשוב מבוזרת](https://en.wikipedia.org/wiki/Distributed_computing). דוגמאות לכך כוללות [טבלאות Hash מפוזרות](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), המשמשות את [טורנטים](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) ו[IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) למשל. גישה נוספת היא רשתות מבוססות קרבה, שבהן נוצר חיבור באמצעות WiFi או Bluetooth (לדוגמה, Briar או פרוטוקול הרשת החברתית [Scuttlebutt](https://www.scuttlebutt.nz)). + +לאחר שעמית מצא מסלול ליצירת קשר באמצעות כל אחת מהשיטות הללו, נוצר קשר ישיר ביניהן. למרות שהודעות מוצפנות בדרך כלל, צופה עדיין יכול להסיק את המיקום והזהות של השולח והנמען. + +רשתות P2P אינן משתמשות בשרתים, שכן עמיתים מתקשרים ישירות ביניהם ולכן לא ניתן לארח אותם בעצמם. עם זאת, חלק מהשירותים הנוספים עשויים להסתמך על שרתים מרכזיים, כגון גילוי משתמשים או העברת הודעות לא מקוונות, שיכולים להפיק תועלת מאירוח עצמי. + +**יתרונות:** + +- מידע מינימלי חשוף לצדדים שלישיים. +- פלטפורמות P2P מודרניות מיישמות E2EE כברירת מחדל. אין שרתים שעלולים ליירט ולפענח את השידורים שלך, בניגוד למודלים מרכזיים ומאגדים. + +**חסרונות:** + +- סט תכונות מצומצם: +- ניתן לשלוח הודעות רק כאשר שני העמיתים מחוברים, עם זאת, הלקוח שלך עשוי לאחסן הודעות באופן מקומי כדי לחכות לאיש הקשר שיחזור לאינטרנט. +- בדרך כלל מגביר את השימוש בסוללה במכשירים ניידים, מכיוון שהלקוח חייב להישאר מחובר לרשת המבוזרת כדי ללמוד מי מחובר. +- ייתכן שחלק מתכונות המסנג'ר הנפוצות לא יושמו או בצורה חלקית, כגון מחיקת הודעות. +- כתובת ה-IP שלך ושל אנשי הקשר איתם אתה מתקשר עשויה להיחשף אם לא תשתמש בתוכנה בשילוב עם [VPN](../vpn.md) או [Tor](../tor.md). במדינות רבות יש צורה כלשהי של מעקב המוני ו/או שמירת מטא נתונים. + +## ניתוב אנונימי + +![דיאגרמת ניתוב אנונימית](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +מסנג'ר המשתמש ב[ניתוב אנונימי](https://doi.org/10.1007/978-1-4419-5906-5_628) מסתיר את זהות השולח, המקבל או ראיות לכך שהם תקשרו. באופן אידיאלי, מסנג'ר צריך להסתיר את שלושתם. + +ישנן [הרבה](https://doi.org/10.1145/3182658) דרכים שונות ליישם ניתוב אנונימי. אחד המפורסמים ביותר הוא [ניתוב בצל](https://en.wikipedia.org/wiki/Onion_routing) (כלומר [Tor](tor-overview.md)), שמתקשרת הודעות מוצפנות באמצעות [רשת שכבת-על](https://en.wikipedia.org/wiki/Overlay_network) וירטואלית המסתירה את המיקום של כל צומת כמו גם את הנמען והשולח של כל הודעה. השולח והנמען לעולם אינם מקיימים אינטראקציה ישירה ורק נפגשים דרך צומת מפגש סודי כך שאין דליפה של כתובות IP או מיקום פיזי. צמתים אינם יכולים לפענח הודעות, וגם לא את היעד הסופי; רק הנמען יכול. כל צומת מתווך יכול לפענח רק חלק שמציין לאן לשלוח את ההודעה שעדיין מוצפנת בשלב הבא, עד שהוא מגיע לנמען שיכול לפענח אותה במלואה, ומכאן "שכבות הבצל." + +אירוח עצמי של צומת ברשת ניתוב אנונימית אינו מספק למארח יתרונות פרטיות נוספים, אלא תורם לעמידות הרשת כולה בפני התקפות זיהוי לטובת כולם. + +**יתרונות:** + +- מידע מינימלי עד לא נחשף לגורמים אחרים. +- ניתן להעביר הודעות בצורה מבוזרת גם אם אחד הצדדים לא מקוון. + +**חסרונות:** + +- הפצת הודעות איטית. +- לעתים קרובות מוגבל לפחות סוגי מדיה, בעיקר טקסט, מכיוון שהרשת איטית. +- פחות אמין אם צמתים נבחרים על ידי ניתוב אקראי, חלק מהצמתים עשויים להיות רחוקים מאוד מהשולח והמקבל, להוסיף זמן השהייה או אפילו לא לשדר הודעות אם אחד הצמתים אינו מקוון. +- מורכב יותר להתחיל, שכן נדרשת יצירה וגיבוי מאובטח של מפתח פרטי קריפטוגרפי. +- בדיוק כמו פלטפורמות מבוזרות אחרות, הוספת תכונות מורכבת יותר עבור מפתחים מאשר בפלטפורמה מרכזית. לפיכך, תכונות עשויות להיות חסרות או מיושמות באופן חלקי, כגון העברת הודעות לא מקוונות או מחיקת הודעות. diff --git a/i18n/he/advanced/dns-overview.md b/i18n/he/advanced/dns-overview.md new file mode 100644 index 00000000..9a83088c --- /dev/null +++ b/i18n/he/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "סקירה כללית של DNS" +icon: material/dns +description: מערכת שמות הדומיין היא "ספר הטלפונים של האינטרנט", שעוזרת לדפדפן שלך למצוא את האתר שהוא מחפש. +--- + +[מערכת שמות הדומיין](https://en.wikipedia.org/wiki/Domain_Name_System) היא 'ספר הטלפונים של האינטרנט'. DNS מתרגם שמות דומיין לכתובות IP כך שדפדפנים ושירותים אחרים יכולים לטעון משאבי אינטרנט, דרך רשת מבוזרת של שרתים. + +## מה זה DNS? + +כאשר אתה מבקר באתר אינטרנט, מוחזרת כתובת מספרית. לדוגמה, כאשר אתה מבקר ב-`privacyguides.org`, הכתובת `192.98.54.105` מוחזרת. + +DNS קיים מאז [הימים הראשונים](https://en.wikipedia.org/wiki/Domain_Name_System#History) של האינטרנט. בקשות DNS המבוצעות אל ומשרתי DNS **אינן** מוצפנות בדרך כלל. בסביבה מגורים, לקוח מקבל שרתים על ידי ספק שירותי האינטרנט באמצעות [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +בקשות DNS לא מוצפנות יכולות להיות **למעקב** בקלות ו**לשנות** בזמן העברה. בחלקים מסוימים של העולם, ספקי האינטרנט מצווים לבצע [סינון DNS](https://en.wikipedia.org/wiki/DNS_blocking) פרימיטיבי. כאשר אתה מבקש כתובת IP של דומיין חסום, ייתכן שהשרת לא יגיב או שיגיב עם כתובת IP אחרת. מכיוון שפרוטוקול ה-DNS אינו מוצפן, ספק שירותי האינטרנט (או כל מפעיל רשת) יכול להשתמש ב-[DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) כדי לנטר בקשות. ספקי שירותי אינטרנט יכולים גם לחסום בקשות על סמך מאפיינים משותפים, ללא קשר לשרת ה-DNS שבו נעשה שימוש. DNS לא מוצפן משתמש תמיד ב[פורט](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 ותמיד משתמש ב-UDP. + +להלן, אנו דנים ומספקים מדריך כדי להוכיח את מה שצופה מבחוץ עשוי לראות באמצעות DNS רגיל לא מוצפן ו[DNS מוצפן](#what-is-encrypted-dns). + +### DNS לא מוצפן + +1. שימוש ב-[`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (חלק מ-[>פרויקט Wireshark](https://en.wikipedia.org/wiki/Wireshark)) אנו יכולים לנטר ולתעד את זרימת מנות האינטרנט. פקודה זו מתעדת מנות העומדות בכללים שצוינו: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. לאחר מכן נוכל להשתמש ב[`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS וכו') או [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) כדי לשלוח את בדיקת ה-DNS לשני השרתים. תוכנות כגון דפדפני אינטרנט מבצעות חיפושים אלו באופן אוטומטי, אלא אם כן הם מוגדרים לשימוש ב-DNS מוצפן. + + === "לינוקס, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "ווינדוס" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. לאחר מכן, אנו רוצים [לנתח](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) את התוצאות: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +אם אתה מפעיל את פקודת Wireshark למעלה, החלונית העליונה מציגה את "[מסגרות](https://en.wikipedia.org/wiki/Ethernet_frame)", והחלונית התחתונה מציגה את כל הנתונים אודות המסגרת שנבחרה. פתרונות סינון וניטור ארגוניים (כגון אלה שנרכשו על ידי ממשלות) יכולים לבצע את התהליך באופן אוטומטי, ללא אינטראקציה אנושית, ויכולים לצבור מסגרות אלה כדי לייצר נתונים סטטיסטיים שימושיים לצופה ברשת. + +| מספר. | זמן | מקור | יעד | פרוטוקול | אורך | מידע | +| ----- | -------- | --------- | --------- | -------- | ---- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +צופה יכול לשנות כל אחת מהחבילות הללו. + +## מה זה "DNS מוצפן"? + +DNS מוצפן יכול להתייחס לאחד ממספר פרוטוקולים, הנפוצים שבהם הם: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) הייתה אחת השיטות הראשונות להצפנת שאילתות DNS. DNSCrypt פועל על יציאה 443 ועובד עם פרוטוקולי התחבורה TCP או UDP. DNSCrypt מעולם לא הוגש ל[כוח המשימה להנדסת אינטרנט (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) וגם לא עבר דרך [בקשה להערות (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments), כך שלא נעשה בו שימוש נרחב מחוץ לכמה [יישומים](https://dnscrypt.info/implementations). כתוצאה מכך, הוא הוחלף במידה רבה על ידי [DNS על HTTPS](#dns-over-https-doh) הפופולרי יותר. + +### DNS על TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) היא שיטה נוספת להצפנת תקשורת DNS שהיא מוגדרת ב-[RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). התמיכה יושמה לראשונה ב-Android 9, iOS 14 וב-Linux ב-[systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) בגרסה 237. ההעדפה בתעשייה התרחקה מ-DoT ל-DoH בשנים האחרונות, מכיוון ש-DoT הוא [פרוטוקול מורכב](https://dnscrypt.info/faq/) ובעל תאימות משתנה ל-RFC על פני המימושים הקיימים. Dot פועלת גם על פורט ייעודי 853 שניתן לחסום בקלות על ידי חומות אש מגבילות. + +### DNS דרך HTTPS (DoH) + +[**DNS דרך HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) כפי שהוגדר ב [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) חבילות שאילתות ב [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) פרוטוקול ומספק אבטחה עם HTTPS. תמיכה נוספה לראשונה בדפדפני אינטרנט כגון Firefox 60 ו-Chrome 83. + +יישום מקורי של DoH הופיע ב-iOS 14, macOS 11, Microsoft Windows ו-אנדרואיד 13 (עם זאת, הוא לא יופעל [>כברירת מחדל](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). תמיכת שולחן העבודה הכללית של לינוקס ממתינה ל[יישום](https://github.com/systemd/systemd/issues/8639) של systemd כך ש[עדיין נדרשת התקנת תוכנת צד שלישי](../dns.md#encrypted-dns-proxies). + +## מה יכול גורם חיצוני לראות? + +בדוגמה זו נתעד מה קורה כאשר אנו מבקשים בקשת DoH: + +1. ראשית, התחל `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. שנית, הגש בקשה עם `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. לאחר הגשת הבקשה, נוכל לעצור את לכידת החבילות עם CTRL + C. + +4. נתח את התוצאות ב-Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +אנו יכולים לראות את [הקמת החיבור](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) ואת [לחיצת יד TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) המתרחשת עם כל חיבור מוצפן. כאשר מסתכלים על חבילות "האפליקציה" שלאחר מכן, אף אחת מהן לא מכילה את הדומיין שביקשנו או את כתובת ה-IP שהוחזרה. + +## מדוע **אסור** לי להשתמש ב-DNS מוצפן? + +במקומות שבהם קיים סינון (או צנזורה) באינטרנט, לביקור במשאבים אסורים עשויות להיות השלכות משלו, שכדאי לשקול ב[מודל האיומים](../basics/threat-modeling.md) שלך. אנו **לא** מציעים להשתמש ב-DNS מוצפן למטרה זו. השתמש ב-[Tor](https://torproject.org) או ב-[VPN](../vpn.md) במקום זאת. אם אתה משתמש ב-VPN, עליך להשתמש בשרתי ה-DNS של ה-VPN שלך. כשאתה משתמש ב-VPN, אתה כבר סומך עליהם בכל פעילות הרשת שלך. + +כאשר אנו מבצעים חיפוש DNS, זה בדרך כלל בגלל שאנו רוצים לגשת למשאב. להלן, נדון בכמה מהשיטות שעלולות לחשוף את פעילויות הגלישה שלך גם בעת שימוש ב-DNS מוצפן: + +### כתובת IP + +הדרך הפשוטה ביותר לקבוע את פעילות הגלישה עשויה להיות להסתכל על כתובות ה-IP שהמכשירים שלך ניגשים אליהם. לדוגמה, אם הצופה יודע ש-`privacyguides.org` נמצא בכתובת `198.98.54.105`, והמכשיר שלך מבקש נתונים מ-`198.98.54.105`, יש יש סיכוי טוב שאתה מבקר בPrivacy Guides. + +שיטה זו שימושית רק כאשר כתובת ה-IP שייכת לשרת המארח רק מעט אתרים. זה גם לא מאוד שימושי אם האתר מתארח בפלטפורמה משותפת (למשל Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger וכו'). זה גם לא מאוד שימושי אם השרת מתארח מאחורי [פרוקסי הפוך](https://en.wikipedia.org/wiki/Reverse_proxy), הנפוץ מאוד באינטרנט המודרני. + +### ציון שם השרת (SNI) + +ציון שם שרת משמש בדרך כלל כאשר כתובת IP מארחת אתרים רבים. זה יכול להיות שירות כמו Cloudflare, או הגנה אחרת של [מניעת מניעת שירות](https://en.wikipedia.org/wiki/Denial-of-service_attack). + +1. התחל לתעד שוב עם `tshark`. הוספנו מסנן עם כתובת ה-IP שלנו כדי שלא תלכוד הרבה מנות: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. לאחר מכן נבקר בכתובת [https://privacyguides.org](https://privacyguides.org). + +3. לאחר ביקור באתר, אנו רוצים לעצור את לכידת החבילה עם CTRL + C. + +4. בשלב הבא אנו רוצים לנתח את התוצאות: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + אנו נראה את יצירת החיבור, ולאחר מכן את לחיצת היד TLS עבור אתר מדריכי הפרטיות Privacy Guides. סביב מסגרת 5. אתה תראה "שלום לקוח ". + +5. מרחיבים את המשולש ▸ ליד כל שדה: + + ```text + אבטחת שכבת▸ תחבורה + ▸ TLSv1.3 שכבת שיא: פרוטוקול לחיצת יד: לקוח שלום + פרוטוקול ▸ לחיצת יד: לקוח שלום + ▸ סיומת: server_name (len=22) + סיומת סימון שם ▸ שרת + ``` + +6. אנו יכולים לראות את ערך SNI אשר חושף את האתר בו אנו מבקרים. הפקודה `tshark` יכולה לתת לך את הערך ישירות עבור כל החבילות המכילות ערך SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +משמעות הדבר היא שגם אם אנו משתמשים בשרתי "DNS מוצפן", הדומיין ככל הנראה ייחשף דרך SNI. פרוטוקול [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) מביא איתו את [לקוח מוצפן Hello](https://blog.cloudflare.com/encrypted-client-hello/), המונע דליפה מסוג זה. + +ממשלות, ובפרט סין [](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) ורוסיה [](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), כבר החלו לחסום את סין [](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) או הביעו רצון לעשות זאת. לאחרונה רוסיה [החלה לחסום אתרים](https://github.com/net4people/bbs/issues/108) המשתמשים בתקן זה [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) סטנדרטי. הסיבה לכך היא ש [QUIC](https://en.wikipedia.org/wiki/QUIC) פרוטוקול המהווה חלק מ HTTP/3 דורש שגם `ClientHello` יהיה מוצפן. + +### פרוטוקול סטטוס תעודה מקוון (OCSP) + +דרך נוספת שהדפדפן שלך יכול לחשוף את פעילויות הגלישה שלך היא באמצעות [פרוטוקול מצב אישור מקוון](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). בעת ביקור באתר HTTPS, הדפדפן עשוי לבדוק אם [אישור](https://en.wikipedia.org/wiki/Public_key_certificate) של האתר בוטלה. זה נעשה בדרך כלל באמצעות פרוטוקול HTTP, כלומר הוא **לא** מוצפן. + +בקשת ה-OCSP מכילה את האישור "[מספר סידורי](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", שהוא ייחודי. הוא נשלח ל"מגיב OCSP" על מנת לבדוק את מצבו. + +אנו יכולים לדמות מה דפדפן יעשה באמצעות הפקודה [`openssl`](https://en.wikipedia.org/wiki/OpenSSL). + +1. קבל את אישור השרת והשתמש ב-[`sed`](https://en.wikipedia.org/wiki/Sed) כדי לשמור רק על החלק החשוב ולכתוב אותו לקובץ: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. קבלו את תעודת הביניים. [רשויות אישורים (CA)](https://en.wikipedia.org/wiki/Certificate_authority) בדרך כלל אינן חותמות ישירות על אישור; הם משתמשים במה שמכונה תעודת "ביניים". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. האישור הראשון ב-`pg_and_intermediate.cert` הוא למעשה אישור השרת משלב 1. נוכל להשתמש שוב ב-`sed` כדי למחוק עד למופע הראשון של END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. קבל את מגיב OCSP עבור אישור השרת: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + התעודה שלנו מציגה את מגיב האישורים של Let's Encrypt. אם אנחנו רוצים לראות את כל הפרטים של התעודה נוכל להשתמש ב: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. התחל את לכידת החבילה: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. הגש את בקשת ה - OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. פתח את הלכידה: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + יהיו שתי חבילות עם פרוטוקול "OCSP": "בקשה" ו"תגובה". עבור ה"בקשה" נוכל לראות את ה"מספר הסידורי" על ידי הרחבת המשולש ▸ ליד כל שדה: + + ```bash + ▸ פרוטוקול מצב אישור מקוון + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + עבור ה"תגובה" נוכל לראות גם את ה"מספר הסידורי": + + ```bash + פרוטוקול מצב אישור▸ מקוון + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ תגובות: פריט 1 + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. או השתמש ב-`tshark` כדי לסנן את החבילות עבור המספר הסידורי: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +אם למשקיף הרשת יש את האישור הציבורי, הזמין לציבור, הוא יכול להתאים את המספר הסידורי לאישור הזה ולכן לקבוע את האתר שבו אתה מבקר. התהליך יכול להיות אוטומטי ויכול לשייך כתובות IP למספרים סידוריים. אפשר גם לבדוק ביומני [שקיפות אישורים](https://en.wikipedia.org/wiki/Certificate_Transparency) עבור המספר הסידורי. + +## האם להשתמש ב - DNS מוצפן? + +הכנו את תרשים הזרימה הזה כדי לתאר מתי *כדאי* להשתמש ב-DNS מוצפן: + +``` mermaid +graph TB + התחל[התחל] --> אנונימי{מנסה להיות
אנונימי?} + אנונימי--> | כן | tor(השתמש בTor) + אנונימי --> | לא | צנזורה{הימנעות
מצנזורה?} + צנזורה --> | כן | vpnאוTor(השתמש ב-
VPN או Tor) + צנזורה --> | לא | פרטיות{רוצה פרטיות
מ-ISP?} + פרטיות --> | כן | vpnאוTor + פרטיות --> | לא | מעצבן{ISP מייצרת
הפניות
מעצבנות?} + מעצבן --> | כן | מוצפןDNS(השתמש ב
מוצפן DNS
עם צד שלישי) + מעצבן --> | לא | ispDNS{האם ISP תומך ב
מוצפן DNS?} + ispDNS --> | כן | השתמשISP(השתמש
מוצפן DNS
עם ISP) + ispDNS --> | לא | כלום(לא לעשות כלום) +``` + +יש להשתמש ב-DNS מוצפן עם צד שלישי רק כדי לעקוף הפניות מחדש ו[חסימת DNS](https://en.wikipedia.org/wiki/DNS_blocking) בסיסית כאשר אתה יכול להיות בטוח שלא יהיו השלכות או שאתה מעוניין בספק שיבצע סינון ראשוני. + +[רשימת שרתי DNS מומלצים](../dns.md ""){.md-button} + +## מהו DNSSEC? + +[תוספי אבטחת מערכת שמות דומיין](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) היא תכונה של DNS המאמתת תגובות לחיפושי שמות דומיין. הוא אינו מספק הגנת פרטיות לאותם חיפושים, אלא מונע מתוקפים לתמרן או להרעיל את התגובות לבקשות DNS. + +במילים אחרות, DNSSEC חותם נתונים דיגיטליים כדי להבטיח את תקפותם. על מנת להבטיח חיפוש מאובטח, החתימה מתרחשת בכל רמה בתהליך חיפוש ה-DNS. כתוצאה מכך, ניתן לסמוך על כל התשובות מה-DNS. + +תהליך החתימה של DNSSEC דומה למישהו שחתום על מסמך משפטי בעט; אותו אדם חותם בחתימה ייחודית שאף אחד אחר לא יכול ליצור, ומומחה בית המשפט יכול להסתכל על החתימה הזו ולוודא שהמסמך נחתם על ידי אותו אדם. חתימות דיגיטליות אלו מבטיחות שלא בוצע שיבוש בנתונים. + +DNSSEC מיישמת מדיניות חתימה דיגיטלית היררכית בכל שכבות ה-DNS. לדוגמה, במקרה של חיפוש `privacyguides.org`, שרת DNS שורש יחתום על מפתח עבור שרת השמות `.org` ו-`.org` nameserver יחתום על מפתח עבור שרת השמות הסמכותי של `privacyguides.org`. + +מותאם מ[סקירה כללית של תוספי אבטחת DNS (DNSSEC)](https://cloud.google.com/dns/docs/dnssec) על ידי Google ו-DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) מאת Cloudflare, שניהם ברישיון תחת [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## מהו מזעור QName? + +QNAME הוא "שם מוסמך", לדוגמה`privacyguides.org`. מזעור QName מצמצם את כמות המידע הנשלחת משרת ה - DNS לשרת [שם סמכותי](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +במקום לשלוח את הדומיין `privacyguides.org`, מזעור QNAME פירושו ששרת ה- DNS ישאל בשביל כל הרשומות המסתיימות ב-`.org`. תיאור טכני נוסף מוגדר ב [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## מהי רשת משנה של לקוח EDNS (ECS)? + +[רשת המשנה של לקוח EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) היא שיטה לפותר DNS רקורסיבי לציון [רשת משנה](https://en.wikipedia.org/wiki/Subnetwork) עבור [המארח או הלקוח](https://en.wikipedia.org/wiki/Client_(computing)) שמבצע את שאילתת ה-DNS. + +זה נועד "לזרז" את מסירת הנתונים על ידי מתן תשובה ללקוח השייך לשרת הקרוב אליו כגון [תוכן רשת מסירה](https://en.wikipedia.org/wiki/Content_delivery_network), המשמשות לעתים קרובות בהזרמת וידאו והגשת יישומי אינטרנט של JavaScript. + +תכונה זו כרוכה בעלות פרטיות, מכיוון שהיא מספרת לשרת ה-DNS מידע על מיקומו של הלקוח. diff --git a/i18n/he/advanced/payments.md b/i18n/he/advanced/payments.md new file mode 100644 index 00000000..7fa7b7fe --- /dev/null +++ b/i18n/he/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: תשלומים פרטיים +icon: material/hand-coin +--- + +יש סיבה לכך שנתונים על הרגלי הקנייה שלך נחשבים לגביע הקדוש של מיקוד מודעות: הרכישות שלך יכולות להדליף אוצר אמיתי של נתונים עליך. למרבה הצער, המערכת הפיננסית הנוכחית נוגדת פרטיות בעיצובה, ומאפשרת לבנקים, לחברות אחרות ולממשלות לעקוב בקלות אחר עסקאות. עם זאת, יש לך אפשרויות רבות בכל הנוגע לביצוע תשלומים באופן פרטי. + +## מזומן + +במשך מאות שנים, **מזומן** תפקד כצורת התשלום הפרטית העיקרית. למזומן יש מאפייני פרטיות מצוינים ברוב המקרים, הוא מקובל ברוב המדינות ו**ניתן לשינוי**, כלומר אינו ייחודי וניתן להחלפה לחלוטין. + +חוקי התשלום במזומן משתנים בהתאם למדינה. בארצות הברית, נדרש גילוי מיוחד עבור תשלומים במזומן מעל $10,000 ל-IRS ב[טופס 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). העסק המקבל נדרש לזהות את שמו, כתובתו, עיסוקו, תאריך הלידה ומספר תעודת הזהות/אמצעי זיהוי אחרים של מקבל התשלום (עם כמה חריגים). גבולות נמוכים יותר ללא תעודת זהות כגון $3,000 או פחות קיימות עבור החלפות והעברת כסף. מזומן מכיל גם מספרים סידוריים. כמעט אף פעם לא עוקבים אחר אלה על ידי סוחרים, אבל הם יכולים לשמש את רשויות אכיפת החוק בחקירות ממוקדות. + +למרות זאת, זו בדרך כלל האפשרות הטובה ביותר. + +## כרטיסים בתשלום מראש & כרטיסי מתנה + +קל יחסית לרכוש כרטיסי מתנה וכרטיסים משולמים ברוב חנויות המכולת וחנויות הנוחות במזומן. בכרטיסי מתנה בדרך כלל אין עמלה, אם כי לרוב יש בכרטיסים משולמים מראש, אז שימו לב היטב לעמלות ולתאריכי התפוגה הללו. חנויות מסוימות עשויות לבקש לראות את תעודת הזהות שלך בקופה כדי להפחית הונאה. + +לכרטיסי מתנה יש בדרך כלל מגבלות של עד $200 לכרטיס, אבל חלקם מציעים הגבלה של עד $2,000 לכרטיס. לכרטיסים משולמים מראש (למשל: מוויזה או מאסטרקארד) יש בדרך כלל מגבלות של עד $1,000 לכרטיס. + +לכרטיסי מתנה יש את החיסרון שהם כפופים למדיניות הסוחר, שיכולה להיות לה תנאים והגבלות איומים. לדוגמה, סוחרים מסוימים אינם מקבלים תשלום בכרטיסי מתנה באופן בלעדי, או שהם עשויים לבטל את ערך הכרטיס אם הם מחשיבים אותך כמשתמש בסיכון גבוה. ברגע שיש לך אשראי סוחר, לסוחר יש מידה חזקה של שליטה על אשראי זה. + +כרטיסים בתשלום מראש אינם מאפשרים משיכת מזומן מכספומטים או תשלומים "עמית לעמית" ב-Venmo ובאפליקציות דומות. + +מזומן נשאר האפשרות הטובה ביותר עבור רכישות אישיות עבור רוב האנשים. כרטיסי מתנה יכולים להיות שימושיים עבור החיסכון שהם מביאים. כרטיסים משולמים מראש יכולים להיות שימושיים עבור מקומות שאינם מקבלים מזומן. קל יותר להשתמש בכרטיסי מתנה וכרטיסים משולמים באינטרנט מאשר במזומן, וקל יותר לרכוש אותם עם מטבעות קריפטוגרפיים מאשר במזומן. + +### חנויות אונליין + +אם יש לך [מטבע קריפטוגרפי](../cryptocurrency.md), אתה יכול לרכוש כרטיסי מתנה עם שוק כרטיסי מתנה אונליין. חלק מהשירותים הללו מציעים אפשרויות אימות מזהה עבור מגבלות גבוהות יותר, אך הם גם מאפשרים חשבונות עם כתובת אימייל בלבד. מגבלות בסיסיות מתחילות ב-$5,000-10,000 ליום עבור חשבונות בסיסיים, ומגבלות גבוהות משמעותית עבור חשבונות מאומתים מזהים (אם מוצעים). + +בקניית כרטיסי מתנה באינטרנט, בדרך כלל יש הנחה קלה. כרטיסים משולמים מראש בדרך כלל נמכרים באינטרנט במחיר נקוב או בתשלום. אם אתה קונה כרטיסים משולמים מראש וכרטיסי מתנה עם מטבעות קריפטוגרפיים, אתה צריך מאוד להעדיף לשלם עם Monero שמספק פרטיות חזקה, עוד על כך בהמשך. תשלום עבור כרטיס מתנה עם שיטת תשלום שניתן לעקוב אחריהם שולל את היתרונות שכרטיס מתנה יכול לספק ברכישה במזומן או ב-Monero. + +- [שווקים של כרטיסי מתנה אונליין :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## כרטיסים וירטואליים + +דרך נוספת להגן על המידע שלך מפני סוחרים מקוונים היא להשתמש בכרטיסים וירטואליים חד פעמיים המסווים את פרטי הבנק או החיוב בפועל שלך. זה שימושי בעיקר להגנה עליך מפני הפרות נתונים של סוחרים, מעקב פחות מתוחכם או מתאם רכישה על ידי סוכנויות שיווק וגניבת נתונים מקוונים. הם **לא** מסייעים לך לבצע רכישה באופן אנונימי לחלוטין, וגם לא מסתירים מידע כלשהו מהמוסד הבנקאי עצמו. מוסדות פיננסיים רגילים המציעים כרטיסים וירטואליים כפופים לחוקי "הכר את הלקוח שלך" (KYC), כלומר הם עשויים לדרוש את תעודת הזהות שלך או מידע מזהה אחר. + +- [שירותי מיסוך תשלום מומלצים :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +אלו נוטות להיות אפשרויות טובות לתשלומים חוזרים/מנויים באינטרנט, בעוד שכרטיסי מתנה משולמים מראש מועדפים לעסקאות חד פעמיות. + +## מטבעות קריפטוגרפיים + +מטבעות קריפטוגרפיים הם מטבע דיגיטלי שנועד לעבוד ללא רשויות מרכזיות כמו ממשלה או בנק. בעוד ש*כמה* פרויקטים של מטבעות קריפטוגרפיים יכולים לאפשר לך לבצע עסקאות פרטיות באופן מקוון, רבים משתמשים בבלוקצ'יין ציבורי שאינו מספק פרטיות עסקה כלשהי. מטבעות קריפטוגרפיים נוטים להיות נכסים מאוד תנודתיים, כלומר ערכם יכול להשתנות במהירות ובאופן משמעותי בכל עת. ככזה, אנו בדרך כלל לא ממליצים להשתמש במטבעות קריפטוגרפיים כמאגר ערך לטווח ארוך. אם תחליט להשתמש במטבעות קריפטוגרפיים באינטרנט, וודא שיש לך הבנה מלאה של היבטי הפרטיות שלו מראש, והשקיע רק סכומים שלא יהיה אסון להפסיד. + +!!! danger "סַכָּנָה" + + הרוב המכריע של מטבעות הקריפטו פועלים על בלוקצ'יין **ציבורי**, כלומר כל עסקה היא ידע ציבורי. זה כולל אפילו את רוב מטבעות הקריפטו הידועים כמו ביטקוין ואת'ריום. עסקאות עם מטבעות קריפטוגרפיים אלה לא צריכות להיחשב פרטיות ולא יגנו על האנונימיות שלך. + + בנוסף, רבים אם לא רוב המטבעות הקריפטו הם הונאות. בצע עסקאות בזהירות עם רק פרויקטים שאתה סומך עליהם. + +### מטבעות פרטיות + +ישנם מספר פרויקטים של מטבעות קריפטוגרפיים שמתיימרים לספק פרטיות על ידי הפיכת עסקאות לאנונימיות. אנו ממליצים להשתמש באחד המספק אנונימיות לעסקה **כברירת מחדל** כדי למנוע שגיאות תפעול. + +- [מטבעות קריפטוגרפיים מומלצים :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +מטבעות פרטיות היו נתונים לבדיקה גוברת של סוכנויות ממשלתיות. בשנת 2020, [ IRS פרסם פרס של $625,000 ](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) עבור כלים שיכולים לשבור את פרטיות העסקאות של Bitcoin Lightning Network ו/או של Monero. בסופו של דבר [הם שילמו לשתי חברות](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis ו-Integra Fec) סך של 1.25 מיליון דולר עבור כלים שמתיימרים לעשות זאת (לא ידוע לאיזו רשת מטבעות קריפטוגרפיים מכוונים הכלים הללו). בשל הסודיות סביב כלים כמו אלה, ==אף אחת מהשיטות הללו למעקב אחר מטבעות קריפטוגרפיים לא אושרה באופן עצמאי.== עם זאת, סביר מאוד להניח שקיימים כלים המסייעים לחקירות ממוקדות של עסקאות מטבעות פרטיות, ושמטבעות פרטיות מצליחים רק בסיכול מעקב המוני. + +### מטבעות אחרים (ביטקוין, את'ריום וכו') + +הרוב המכריע של פרויקטים של מטבעות קריפטוגרפיים משתמשים בבלוקצ'יין ציבורי, כלומר כל העסקאות הן ניתנות למעקב בקלות וקבועות. ככזה, אנו מונעים בתוקף את השימוש ברוב מטבעות הקריפטו מסיבות הקשורות לפרטיות. + +עסקאות אנונימיות בבלוקצ'יין ציבורי אפשריות *תיאורטית*, וויקי הביטקוין [נותן דוגמה אחת לעסקה "אנונימית לחלוטין"](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). עם זאת, לעשות זאת דורשת הגדרה מסובכת הכוללת Tor ו"כריית סולו" של בלוק ליצירת מטבעות קריפטוגרפיים עצמאיים לחלוטין, פרקטיקה שלא הייתה מעשית עבור כמעט אף חובב במשך שנים רבות. + +==האפשרות הטובה ביותר שלך היא להימנע לחלוטין ממטבעות קריפטוגרפיים אלה ולהישאר עם אחד שמספק פרטיות כברירת מחדל.== ניסיון להשתמש במטבעות קריפטוגרפיים אחרים הוא מחוץ לתחום של אתר זה ומומלץ מאוד. + +### משמורת ארנק + +עם מטבעות קריפטוגרפיים יש שתי צורות של ארנקים: ארנקים משמורת וארנקים לא משמורים. ארנקי משמורת מופעלים על ידי חברות/בורסות מרכזיות, כאשר המפתח הפרטי של הארנק שלך מוחזק על ידי אותה חברה, ואתה יכול לגשת אליהם בכל מקום בדרך כלל עם שם משתמש וסיסמה רגילים. ארנקים לא משמורים הם ארנקים שבהם אתה שולט ומנהל את המפתחות הפרטיים כדי לגשת אליו. בהנחה שאתה שומר על המפתחות הפרטיים של הארנק שלך מאובטחים ומגובים, ארנקים לא משמורים מספקים אבטחה ועמידות גבוהה יותר לצנזורה על פני ארנקים משמורים, מכיוון שהמטבע הקריפטוגרפי שלך לא יכול להיגנב או להקפיא על ידי חברה עם משמורת על המפתחות הפרטיים שלך. שמירת מפתח חשובה במיוחד כשמדובר במטבעות פרטיות: ארנקי משמורת מעניקים לחברה המפעילה את היכולת לצפות בעסקאות שלך, מה ששולל את יתרונות הפרטיות של אותם מטבעות קריפטוגרפיים. + +### רכישה + +רכישת [מטבעות קריפטוגרפיים](../cryptocurrency.md) כמו Monero באופן פרטי יכולה להיות קשה. שוקי P2P כמו [LocalMonero](https://localmonero.co/), פלטפורמה המאפשרת עסקאות בין אנשים, הן אפשרות אחת שניתן להשתמש בה. אם השימוש בבורסה הדורשת KYC מהווה סיכון מקובל עבורך כל עוד לא ניתן לאתר עסקאות עוקבות, אפשרות הרבה יותר קלה היא לרכוש Monero בבורסה כמו [Kraken](https://kraken.com/), או רכשו ביטקוין/לייטקוין מבורסת KYC אשר לאחר מכן ניתן להחליף למונרו. לאחר מכן, אתה יכול למשוך את ה-Monero שנרכש לארנק הלא משמורן שלך כדי להשתמש בו באופן פרטי מנקודה זו ואילך. + +אם אתם הולכים בדרך זו, דאגו לרכוש את Monero בזמנים שונים ובסכומים שונים מהמקום שבו תוציאו אותו. אם אתה רוכש 5,000$ של Monero בבורסה ותבצע רכישה של 5,000$ במונרו שעה לאחר מכן, פעולות אלו עשויות להיות מתואם על ידי צופה מבחוץ, ללא קשר לנתיב שהמונרו עבר. רכישות מדהימות ורכישת כמויות גדולות יותר של Monero מראש כדי לבזבז מאוחר יותר על מספר עסקאות קטנות יותר יכולות למנוע את המלכודת הזו. + +## שיקולים נוספים + +כאשר אתה מבצע תשלום באופן אישי במזומן, הקפד לשמור על הפרטיות האישית שלך בחשבון. מצלמות אבטחה נמצאות בכל מקום. שקול ללבוש בגדים לא מובחנים ומסיכת פנים (כגון מסכה כירורגית או N95). אל תירשם לתוכניות תגמולים ואל תספק מידע אחר על עצמך. + +בעת רכישה מקוונת, באופן אידיאלי עליך לעשות זאת דרך [Tor](tor-overview.md). עם זאת, סוחרים רבים אינם מאפשרים רכישות עם Tor. אתה יכול לשקול להשתמש ב-[VPN מומלץ ](../vpn.md) (בתשלום במזומן, כרטיס מתנה או Monero), או לבצע את הרכישה מבית קפה או ספרייה עם Wi-Fi בחינם. אם אתם מזמינים פריט פיזי שצריך לשלוח, תצטרכו לספק כתובת למשלוח. כדאי לשקול שימוש בתיבת דואר, תיבת דואר פרטית או כתובת עבודה. diff --git a/i18n/he/advanced/tor-overview.md b/i18n/he/advanced/tor-overview.md new file mode 100644 index 00000000..41509a85 --- /dev/null +++ b/i18n/he/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "סקירה כללית של Tor" +icon: 'simple/torproject' +description: Tor היא רשת מבוזרת בחינם לשימוש המיועדת לשימוש באינטרנט עם כמה שיותר פרטיות. +--- + +Tor היא רשת מבוזרת בחינם לשימוש המיועדת לשימוש באינטרנט עם כמה שיותר פרטיות. בשימוש נכון, הרשת מאפשרת גלישה ותקשורת פרטית ואנונימית. + +## בניית נתיב לשירותי Clearnet + +"שירותי Clearnet" הם אתרים אליהם אתה יכול לגשת עם כל דפדפן, כמו [privacyguides.org](https://www.privacyguides.org). Tor מאפשר לך להתחבר לאתרים אלה באופן אנונימי על ידי ניתוב התנועה שלך דרך רשת המורכבת מאלפי שרתים המנוהלים על ידי מתנדבים הנקראים צמתים (או ממסרים). + +בכל פעם שאתה [מתחבר ל-](../tor.md)Tor, הוא יבחר שלושה צמתים כדי לבנות נתיב לאינטרנט - נתיב זה נקרא "מעגל" + +
+ ![נתיב טור המראה את המכשיר שלך מתחבר לצומת כניסה, צומת אמצע וצומת יציאה לפני הגעה לאתר היעד](../assets/img/how-tor-works/tor-path.svg#only-light) + ![נתיב טור המציג את המכשיר שלך מתחבר לצומת כניסה, צומת אמצע וצומת יציאה לפני הגעה לאתר היעד](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
מסלול מעגל טור
+
+ +לכל אחד מהצמתים הללו יש פונקציה משלו: + +### צומת הכניסה + +צומת הכניסה, המכונה לעתים קרובות צומת השמירה, הוא הצומת הראשון שאליו מתחבר לקוח ה-Tor שלך. צומת הכניסה מסוגל לראות את כתובת ה-IP שלך, אולם הוא לא יכול לראות למה אתה מתחבר. + +שלא כמו הצמתים האחרים, לקוח Tor יבחר באקראי צומת כניסה ויישאר איתו במשך חודשיים עד שלושה כדי להגן עליך מפני התקפות מסוימות.[^1] + +### הצומת האמצעי + +הצומת האמצעי הוא הצומת השני שאליו מתחבר לקוח ה-Tor שלך. הוא יכול לראות מאיזה צומת הגיעה התנועה - צומת הכניסה - ולאיזה צומת היא עוברת הבא. הצומת האמצעי לא יכול לראות את כתובת ה-IP שלך או את הדומיין שאליו אתה מתחבר. + +עבור כל מעגל חדש, הצומת האמצעי נבחר באקראי מבין כל צמתי ה- Tor הזמינים. + +### צומת היציאה + +צומת היציאה הוא הנקודה שבה תעבורת האינטרנט שלך עוזבת את רשת Tor ומועברת ליעד הרצוי. צומת היציאה לא יכול לראות את כתובת ה-IP שלך, אבל הוא יודע לאיזה אתר הוא מתחבר. + +צומת היציאה ייבחר באקראי מבין כל צמתי ה-Tor הזמינים שהופעלו עם דגל ממסר יציאה.[^2] + +## בניית נתיב לשירותי Clearnet + +"שירותי בצל" (המכונה בדרך כלל "שירותים נסתרים") הם אתרים שניתן לגשת אליהם רק על ידי דפדפן Tor. לאתרים אלה יש שם דומיין ארוך שנוצר באקראי המסתיים ב-`.onion`. + +התחברות לשירות Onion ב-Tor עובד בצורה דומה מאוד לחיבור לשירות clearnet, אבל התעבורה שלך מנותבת דרך סך של **שישה** צמתים לפני שהיא מגיעה לשרת היעד. עם זאת, בדיוק כמו בעבר, רק שלושה מהצמתים הללו תורמים לאנונימיות *שלך*, שלושת הצמתים האחרים מגינים על *שירות הבצל* אנונימיות, הסתרת ה-IP והמיקום האמיתיים של האתר באותו אופן שבו דפדפן Tor מסתיר את שלך. + +
+ ![נתיב Tor המראה את התנועה שלך מנותבת דרך שלושת צמתי ה-Tor שלך בתוספת שלושה צמתי Tor נוספים המסתירים את זהות האתר](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![נתיב Tor המראה את התנועה שלך מנותבת דרך שלושת צמתי ה-Tor שלך בתוספת שלושה צמתי Tor נוספים המסתירים את זהות האתר](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
מסלול מעגל טור עם שירותי Onion. צמתים בגדר הכחולה שייכים לדפדפן שלך, בעוד צמתים בגדר האדומה שייכים לשרת, כך שזהותם מוסתרת ממך.
+
+ +## הצפנה + +Tor מצפין כל חבילה (גוש של נתונים משודרים) שלוש פעמים עם המפתחות מצומת היציאה, האמצע והכניסה - בסדר הזה. + +לאחר ש-Tor בנה מעגל, העברת הנתונים מתבצעת באופן הבא: + +1. ראשית: כאשר החבילה מגיעה לצומת הכניסה, השכבה הראשונה של ההצפנה מוסרת. בחבילה מוצפנת זו, צומת הכניסה ימצא חבילה מוצפנת נוספת עם כתובת הצומת האמצעית. לאחר מכן צומת הכניסה יעביר את החבילה לצומת האמצעי. + +2. שנית: כאשר הצומת האמצעי מקבל את החבילה מצומת הכניסה, גם הוא יסיר שכבת הצפנה עם המפתח שלו, והפעם ימצא חבילה מוצפנת עם כתובת צומת היציאה. הצומת האמצעי יעביר את החבילה לצומת היציאה. + +3. לבסוף: כאשר צומת היציאה יקבל את החבילה שלו, הוא יסיר את שכבת ההצפנה האחרונה עם המפתח שלו. צומת היציאה יראה את כתובת היעד ויעביר את החבילה לכתובת זו. + +להלן תרשים חלופי המציג את התהליך. כל צומת מסיר את שכבת ההצפנה שלו, וכאשר שרת היעד מחזיר נתונים, אותו תהליך קורה לגמרי הפוך. למשל, צומת היציאה לא יודע מי אתה, אבל הוא כן יודע מאיזה צומת הוא הגיע, ולכן הוא מוסיף שכבת הצפנה משלו ושולח אותו בחזרה. + +
+ ![הצפנת Tor](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![הצפנת Tor](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
שליחה וקבלה של נתונים דרך רשת Tor
+
+ +Tor מאפשר לנו להתחבר לשרת מבלי שאף גורם אחד ידע את כל הנתיב. צומת הכניסה יודע מי אתה, אבל לא לאן אתה הולך; הצומת האמצעי לא יודע מי אתה או לאן אתה הולך; וצומת היציאה יודע לאן אתה הולך, אבל לא מי אתה. מכיוון שצומת היציאה הוא זה שיוצר את החיבור הסופי, שרת היעד לעולם לא יידע את כתובת ה-IP שלך. + +## הסתייגויות + +למרות ש-Tor מספקת ערובות פרטיות חזקות, צריך להיות מודע לכך ש-Tor אינו מושלם: + +- ליריבים ממומנים היטב עם יכולת לצפות באופן פסיבי ברוב תעבורת הרשת על פני הגלובוס יש סיכוי לבטל את האנונימיות של משתמשי Tor באמצעות ניתוח תעבורה מתקדם. Tor גם לא מגן עליך מפני חשיפת עצמך בטעות, כגון אם אתה חולק יותר מדי מידע על זהותך האמיתית. +- צמתי יציאה של Tor יכולים גם לנטר את התעבורה שעוברת דרכם. המשמעות היא שתעבורה שאינה מוצפנת, כגון תעבורת HTTP רגילה, יכולה להיות מתועדת ולמעקב. אם תעבורה כזו מכילה מידע אישי מזהה, היא יכולה להפוך אותך לאנונימית לאותו צומת יציאה. לפיכך, אנו ממליצים להשתמש ב-HTTPS על פני Tor במידת האפשר. + +אם ברצונך להשתמש ב- Tor לגלישה באינטרנט, אנו ממליצים רק על דפדפן ה**רשמי** Tor - הוא נועד למנוע טביעת אצבע. + +- [דפדפן Tor :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## מקורות נוספים + +- [מדריך למשתמש של דפדפן Tor](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (יוטיוב) +- [Tor שירותי בצל - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (יוטיוב) + +[^1]: הממסר הראשון במעגל שלך נקרא "שומר כניסה" או "שומר". זהו ממסר מהיר ויציב שנשאר הראשון במעגל שלך למשך 2-3 חודשים על מנת להגן מפני התקפה ידועה לשבירת אנונימיות. שאר המעגל שלך משתנה עם כל אתר חדש שאתה מבקר בו, וכולם ביחד מספקים ממסרים אלה את הגנת הפרטיות המלאה של Tor. לקבלת מידע נוסף על אופן הפעולה של ממסרי מגן, עיין במאמר זה [בלוג פוסט](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) וגם [דף](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) על שומרי כניסה. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: דגל ממסר: (אי)-הסמכה מיוחדת של ממסרים עבור עמדות מעגל (לדוגמה, "שומר", "יציאה", "יציאה-גרועה"), מאפייני מעגל (לדוגמה, "מהיר", "יציב"), או תפקידים (לדוגמה, "רשות", "HSDir"), כפי שהוקצו על ידי רשויות המדריכים ומוגדרים יותר במפרט פרוטוקול הספרייה. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/he/android.md b/i18n/he/android.md new file mode 100644 index 00000000..579afaea --- /dev/null +++ b/i18n/he/android.md @@ -0,0 +1,426 @@ +--- +title: "אנדרואיד" +icon: 'simple/android' +description: אתה יכול להחליף את מערכת ההפעלה בטלפון האנדרואיד שלך בחלופות מאובטחות ומכבדות פרטיות אלה. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: מערכות הפעלה פרטיות לאנדרואיד + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: אנדרואיד + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: גוגל + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: אנדרואיד + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: אנדרואיד + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: אנדרואיד + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: אנדרואיד +--- + +![לוגו אנדרואיד](assets/img/android/android.svg){ align=right } + +**פרויקט הקוד הפתוח של אנדרואיד** היא מערכת הפעלה ניידת בקוד פתוח בהובלת גוגל, המניעה את רוב המכשירים הניידים בעולם. רוב הטלפונים הנמכרים עם אנדרואיד שונו כך שיכללו אינטגרציות פולשניות ואפליקציות כגון שירותי Google Play, כך שתוכל לשפר משמעותית את הפרטיות שלך במכשיר הנייד שלך על ידי החלפת התקנת ברירת המחדל של הטלפון שלך בגרסת אנדרואיד ללא תכונות פולשניות אלו. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=דף הבית } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=תיעוד} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="קוד מקור" } + +אלו הן מערכות ההפעלה, המכשירים והאפליקציות של אנדרואיד שאנו ממליצים על מנת למקסם את האבטחה והפרטיות של המכשיר הנייד שלך. למידע נוסף על אנדרואיד: + +[סקירה כללית של אנדרואיד :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[מדוע אנו ממליצים על GrapheneOS על פני CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## נגזרות AOSP + +אנו ממליצים להתקין במכשיר שלך אחת ממערכות ההפעלה המותאמות אישית של אנדרואיד, המפורטות לפי סדר העדפה, בהתאם לתאימות המכשיר שלך למערכות הפעלה אלו. + +!!! note "הערה" + + למכשירי סוף החיים (כגון מכשירי "תמיכה מורחבת" של GrapheneOS או CalyxOS) אין תיקוני אבטחה מלאים (עדכוני קושחה) עקב הפסקת התמיכה של OEM. מכישירים אלה אינם יכולים להיחשב מאובטחים לחלוטין ללא קשר לתוכנה המותקנת. + +### GrapheneOS + +!!! recommendation + + ![לוגו GrapheneOS](assets/img/android/grapheneos.svg#only-light){ align=right } + ![לוגו GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** היא הבחירה הטובה ביותר בכל הנוגע לפרטיות ואבטחה. + + GrapheneOS מספקת [הקשחת אבטחה](https://en.wikipedia.org/wiki/Hardening_(computing)) ושיפורי פרטיות נוספים. יש לו [מקצה זיכרון מוקשה](https://github.com/GrapheneOS/hardened_malloc), הרשאות רשת וחיישנים ועוד [תכונות אבטחה](https://grapheneos.org/features) שונות. GrapheneOS מגיעה גם עם עדכוני קושחה מלאים ו-builds חתומים, כך שאתחול מאומת נתמך באופן מלא. + + [:octicons-home-16: דף הבית](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=תרומה } + +GrapheneOS תומך ב-[Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), המריץ את [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) בארגז חול מלא כמו כל אפליקציה רגילה אחרת. משמעות הדבר היא שאתה יכול לנצל את רוב שירותי Google Play, כגון [הודעות דחיפה](https://firebase.google.com/docs/cloud-messaging/), תוך מתן שליטה מלאה על ההרשאות והגישה שלהם, ותוך כדי הכללתן ב[פרופיל עבודה](os/android-overview.md#work-profile) או [פרופיל משתמש](os/android-overview.md#user-profiles) ספציפי לבחירתך. + +טלפונים של Google Pixel הם המכשירים היחידים שעומדים כרגע ב[דרישות אבטחת החומרה](https://grapheneos.org/faq#device-support) של GrapheneOS. + +### DivestOS + +!!! recommendation + + ![לוגו של DivestOS](assets/img/android/divestos.svg){ align=right } + + **DivestOS** הוא נגזרת חלקית של [LineageOS](https://lineageos.org/). + DivestOS יורשת [מכשירים נתמכים](https://divestos.org/index.php?page=devices&base=LineageOS) רבים מ-LineageOS. יש לו builds חתומים, מה שמאפשר לקבל [אתחול מאומת](https://source.android.com/security/verifiedboot) בחלק מהמכשירים שאינם Pixel. + + [:octicons-home-16: דף הבית](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="שירות בצל" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=לתרומה } + +ל - DivestOS יש פגיעות ליבה ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [שמתוקן](https://gitlab.com/divested-mobile/cve_checker) אוטומטית, פחות בועות קנייניות, וקובץ [מארחים](https://divested.dev/index.php?page=dnsbl) מותאם. ה-WebView המוקשה שלו, [Mulch](https://gitlab.com/divested-mobile/mulch), מאפשר [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) עבור כל הארכיטקטורות ו[חלוקת מצבי רשת](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), ומקבל עדכונים מחוץ לפס. DivestOS כוללת גם תיקוני ליבה מ-GrapheneOS ומאפשרת את כל תכונות האבטחה הזמינות של הליבה באמצעות [הקשחת defconfig](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). כל הליבות החדשות יותר מגרסה 3.4 כוללים עמוד מלא [חיטוי](https://lwn.net/Articles/334747/) ולכל ~22 הליבות המחוברים יש Clang [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) מופעל. + +DivestOS מיישמת כמה תיקוני הקשחת מערכת שפותחו במקור עבור GrapheneOS. DivestOS 16.0 ומעלה מיישמת את החלפת הרשאות [`אינטרנט`](https://developer.android.com/training/basics/network-ops/connecting) וחיישנים של GrapheneOS, [מקצית זיכרון מוקשחת](https://github.com/GrapheneOS/hardened_malloc), [השרצת מנהלים](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [קונסטיפיקציה](https://en.wikipedia.org/wiki/Const_(computer_programming)) של [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) ותיקוני התקשות [ביונית](https://en.wikipedia.org/wiki/Bionic_(software)) חלקית. תכונות 17.1 ומעלה של GrapheneOS לכל רשת [אפשרות אקראיות מלאה של ](https://en.wikipedia.org/wiki/MAC_address#Randomization)MAC, בקרת [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) ואתחול אוטומטי/Wi-Fi/Bluetooth [אפשרויות פסק זמן](https://grapheneos.org/features). + +DivestOS משתמשת ב-F-Droid כחנות האפליקציות המוגדרת כברירת מחדל. בדרך כלל, אנו ממליצים להימנע מ-F-Droid עקב [בעיות האבטחה](#f-droid) הרבות שלו. עם זאת, לעשות זאת ב-DivestOS לא כדאי; המפתחים מעדכנים את האפליקציות שלהם באמצעות מאגרי F-Droid משלהם ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) ו- [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). אנו ממליצים להשבית את אפליקציית F-Droid הרשמית ולהשתמש ב-[Neo Store](https://github.com/NeoApplications/Neo-Store/) עם מאגרי DivestOS מופעלים כדי לשמור על רכיבים אלה מעודכנים. לגבי אפליקציות אחרות, השיטות המומלצות שלנו להשגתן עדיין חלות. + +!!! warning "אזהרה" + + עדכון קושחה של DivestOS [סטטוס](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) ובקרת איכות משתנים בין המכשירים שבהם הוא תומך. אנו עדיין ממליצים על GrapheneOS בהתאם לתאימות המכשיר שלך. עבור מכשירים אחרים, DivestOS היא אלטרנטיבה טובה. + + לא לכל המכשירים הנתמכים יש אתחול מאומת, וחלקם מבצעים אותו טוב יותר מאחרים. + +## מכשירי אנדרואיד + +בעת רכישת מכשיר, אנו ממליצים לרכוש אחד חדש ככל האפשר. התוכנה והקושחה של מכשירים ניידים נתמכות רק לזמן מוגבל, כך שקנייה חדשה מאריכה את תוחלת החיים עד כמה שניתן. + +הימנע מרכישת טלפונים ממפעילי רשתות סלולריות. לאלה יש לרוב **מאתחול נעול** ואינם תומכים ב[פתיחת נעילה של OEM](https://source.android.com/devices/bootloader/locking_unlocking). גרסאות טלפון אלה ימנעו ממך להתקין כל סוג של הפצת אנדרואיד חלופית. + +היה מאוד **זהיר** בקניית טלפונים יד שנייה משוק אונליין. בדוק תמיד את המוניטין של המוכר. אם המכשיר נגנב, קיימת אפשרות ל[רשימה שחורה של IMEI](https://www.gsma.com/security/resources/imei-blacklisting/). קיים גם סיכון שכרוך בהיותך קשור לפעילות של הבעלים הקודם. + +עוד כמה טיפים לגבי מכשירי אנדרואיד ותאימות מערכות הפעלה: + +- אל תקנו מכשירים שהגיעו או קרובים לסוף החיים שלהם, עדכוני קושחה נוספים חייבים להיות מסופקים על ידי היצרן. +- אל תקנו טלפונים טעונים מראש של LineageOS או /e/ OS או כל טלפון אנדרואיד ללא תמיכה מתאימה של [אתחול מאומת](https://source.android.com/security/verifiedboot) ועדכוני קושחה. גם למכשירים האלה אין דרך לבדוק אם התעסקו בהם. +- בקיצור, אם לא מופיעה כאן הפצת מכשיר או אנדרואיד, כנראה שיש סיבה טובה. עיין ב[פורום](https://discuss.privacyguides.net/) שלנו כדי למצוא פרטים! + +### גוגל פיקסל + +טלפונים של גוגל פיקסל הם המכשירים **היחידים** שאנו ממליצים לרכישה. לטלפונים של Pixel יש אבטחת חומרה חזקה יותר מכל מכשירי אנדרואיד אחרים הקיימים כיום בשוק, בשל תמיכת AVB נאותה עבור מערכות הפעלה של צד שלישי ושבבי האבטחה המותאמים אישית [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) של גוגל הפועלים כ-Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + מכשירי **גוגל פיקסל** ידועים כבעלי אבטחה טובה ותומכים כראוי ב[אתחול מאומת](https://source.android.com/security/verifiedboot), גם בעת התקנת מערכות הפעלה מותאמות אישית. + + החל מ-**Pixel 6** ו-**6 Pro**, מכשירי Pixel מקבלים לפחות 5 שנים של עדכוני אבטחה מובטחים, מה שמבטיח תוחלת חיים ארוכה בהרבה בהשוואה ל-2-4 שנים שמציעות יצרניות OEM מתחרות בדרך כלל. + + [:material-shopping: חנות](https://store.google.com/category/phones){ .md-button .md-button--primary } + +רכיבים מאובטחים כמו Titan M2 מוגבלים יותר מסביבת הביצוע המהימנה של המעבד המשמשת את רוב הטלפונים האחרים מכיוון שהם משמשים רק לאחסון סודות, הוכחת חומרה והגבלת קצב, לא להפעלת תוכניות "מהימנות". טלפונים ללא Secure Element חייבים להשתמש ב-TEE עבור *כל* הפונקציות הללו, וכתוצאה מכך משטח התקפה גדול יותר. + +טלפונים של גוגל פיקסל משתמשים ב-TEE OS בשם Trusty שהיא [קוד פתוח](https://source.android.com/security/trusty#whyTrusty), בניגוד לטלפונים רבים אחרים. + +ההתקנה של GrapheneOS בטלפון Pixel קלה עם [מתקין האינטרנט שלהם](https://grapheneos.org/install/web). אם אתה לא מרגיש בנוח לעשות את זה בעצמך ומוכן להוציא קצת כסף נוסף, בדוק את ה-[NitroPhone](https://shop.nitrokey.com/shop) מכיוון שהם נטענים מראש עם GrapheneOS של חברת [Nitrokey](https://www.nitrokey.com/about) המכובדת. + +עוד כמה טיפים לרכישת Google Pixel: + +- אם אתה מחפש מציאה על מכשיר פיקסל, אנו מציעים לקנות דגם "**a**", מיד לאחר יציאת ספינת הדגל הבאה. הנחות זמינות בדרך כלל מכיוון שגוגל תנסה לסלק את המלאי שלה. +- שקול אפשרויות מכות מחיר ומבצעים המוצעים בחנויות פיזיות. +- עיין באתרי עסקאות אןנליין של קהילתיות במדינה שלך. אלה יכולים להתריע על מכירות טובות. +- Google מספקת רשימה המציגה את [מחזור התמיכה](https://support.google.com/nexus/answer/4457705) עבור כל אחד מהמכשירים שלהם. ניתן לחשב את המחיר ליום עבור מכשיר כך: $\text{עלות} \מעל \text {תאריך EOL}-\text{תאריך נוכחי}$, כלומר ככל שהשימוש ארוך יותר במכשיר כך העלות ליום נמוכה יותר. + +## אפליקציות כלליות + +אנו ממליצים על מגוון רחב של אפליקציות אנדרואיד ברחבי אתר זה. האפליקציות המפורטות כאן הן בלעדיות לאנדרואיד ומשפרות או מחליפות באופן ספציפי את פונקציונליות המערכת המרכזית. + +### Shelter + +!!! recommendation + + ![Shelter לוגו](assets/img/android/shelter.svg){ align=right } + + **Shelter** היא אפליקציה שעוזרת לך למנף את הפונקציונליות של פרופיל העבודה של אנדרואיד כדי לבודד או לשכפל אפליקציות במכשיר שלך. + + Shelter תומך בחסימת פרופילים חוצי חיפוש אנשי קשר ושיתוף קבצים בין פרופילים באמצעות מנהל הקבצים המוגדר כברירת מחדל ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: מאגר](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [simple-googleplay: Google Play:]( https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning "אזהרה" + + Shelter מומלץ מעל [Insular](https://secure-system.gitlab.io/Insular/) ו-[Island](https://github.com/oasisfeng/island) מכיוון שהוא תומך ב[חסימת חיפוש אנשי קשר](https://secure-system.gitlab.io/Insular/faq.html). + + כשאתה משתמש ב-Shelter, אתה נותן אמון מלא במפתח שלו, שכן Shelter פועל כ[מנהל מכשיר](https://developer.android.com/guide/topics/admin/device-admin) כדי ליצור את פרופיל העבודה, וכן יש לו גישה נרחבת לנתונים המאוחסנים בפרופיל העבודה. + +### Auditor + +!!! recommendation + + ![Auditor לוגו](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor לוגו](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** היא אפליקציה הממנפת תכונות אבטחת חומרה כדי לספק ניטור שלמות המכשיר עבור [מכשירים נתמכים](https://attestation.app/about#device-support). נכון לעכשיו, זה עובד רק עם GrapheneOS ומערכת ההפעלה הסטוק של המכשיר. + + [:octicons-home-16: דף הבית](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=תיעוד} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor מבצע אישור וזיהוי חדירה על ידי: + +- באמצעות מודל [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) בין *מבקר* ל*מבוקר*, הזוג יוצר מפתח פרטי ב[מאגר המפתחות המגובה בחומרה](https://source.android.com/security/keystore/) של ה*מבקר*. +- *auditor* יכול להיות מופע אחר של אפליקציית Auditor או [שירות אישור מרחוק](https://attestation.app). +- המבקר רושם את המצב הנוכחי ואת התצורה של המבוקר. ה*auditor* מתעד את המצב והתצורה הנוכחיים של ה*auditee*. +- אם התעסקות במערכת ההפעלה של ה*auditee* תתרחש לאחר השלמת ההתאמה, המבקר יהיה מודע לשינוי במצב המכשיר ובתצורות. +- תקבל התראה על השינוי. + +לא נמסר מידע מזהה אישי לשירות האישורים. אנו ממליצים להירשם עם חשבון אנונימי ולאפשר אישור מרחוק לניטור רציף. + +אם [מודל האיומים](basics/threat-modeling.md) שלך דורש פרטיות, תוכל לשקול להשתמש ב-[Orbot](tor.md#orbot)או ב-VPN כדי להסתיר את כתובת ה-IP שלך משירות האישורים. כדי לוודא שהחומרה ומערכת ההפעלה שלך מקוריות, [בצע אישור מקומי](https://grapheneos.org/install/web#verifying-installation) מיד לאחר התקנת המכשיר ולפני כל חיבור לאינטרנט. + +### Secure Camera + +!!! recommendation + + ![Secure camera לוגו](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera לוגו](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** היא אפליקציית מצלמה המתמקדת בפרטיות ואבטחה שיכולה לצלם תמונות, סרטונים וקודי QR. הרחבות של ספקי CameraX (פורטרט, HDR, ראיית לילה, ריטוש פנים ואוטומטי) נתמכות גם במכשירים זמינים. + + [:octicons-repo-16: מאגר](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +תכונות הפרטיות העיקריות כוללות: + +- הסרה אוטומטית של מטא נתונים של [Exif](https://en.wikipedia.org/wiki/Exif) (מופעל כברירת מחדל) +- שימוש בממשק ה-API החדש של ה[מדיה](https://developer.android.com/training/data-storage/shared/media), לכן אין צורך ב[הרשאות אחסון](https://developer.android.com/training/data-storage) +- אין צורך בהרשאת מיקרופון אלא אם ברצונך להקליט קול + +!!! note "הערה" + + מטא נתונים אינם נמחקים כעת מקבצי וידאו אבל זה מתוכנן. + + המטא נתונים של כיוון התמונה לא נמחקים. אם תפעיל מיקום ב(Secure Camera) זה גם **לא** יימחק. אם ברצונך למחוק זאת מאוחר יותר, יהיה עליך להשתמש באפליקציה חיצונית כגון [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** הוא מציג PDF המבוסס על [pdf.js](https://en.wikipedia.org/wiki/PDF.js) שאינו דורש הרשאות כלשהן. ה-PDF מוזן לתוך [ארגז חול](https://en.wikipedia.org/wiki/Sandbox_(software_development))[webview](https://developer.android.com/guide/webapps/webview). המשמעות היא שזה לא דורש הרשאה ישירה כדי לגשת לתוכן או לקבצים. + + [תוכן-אבטחה-מדיניות](https://en.wikipedia.org/wiki/Content_Security_Policy) משמש כדי לאכוף שמאפייני JavaScript והסגנון ב-WebView הם תוכן סטטי לחלוטין. + + [:octicons-repo-16: מאגר](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## קבלת בקשות + +### GrapheneOS App Store + +חנות האפליקציות של GrapheneOS זמינה ב-[GitHub](https://github.com/GrapheneOS/Apps/releases). הוא תומך באנדרואיד 12 ומעלה ומסוגל לעדכן את עצמו. לחנות האפליקציות יש יישומים עצמאיים שנבנו על ידי פרויקט GrapheneOS כגון [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), ו- [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). אם אתם מחפשים אפליקציות אלו, אנו ממליצים בחום להשיג אותן מחנות האפליקציות של GrapheneOS במקום מחנות Play, שכן האפליקציות בחנות שלהן חתומות על ידי חתימת הפרויקט של ה-GrapheneOS שלגוגל אין גישה אליה. + +### Aurora Store + +חנות Google Play דורשת חשבון Google כדי להתחבר וזה לא נהדר לפרטיות. אתה יכול לעקוף את זה על ידי שימוש בלקוח חלופי, כגון Aurora Store. + +!!! recommendation + + ![Aurora Store לוגו](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** היא לקוח של חנות Google Play שאינה דורשת חשבון Google, שירותי Google Play או microG כדי להוריד אפליקציות. + + [:octicons-home-16: דף הבית](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store לא מאפשרת להוריד אפליקציות בתשלום עם תכונת החשבון האנונימי שלהן. אתה יכול לחלופין להתחבר עם חשבון גוגל שלך ל-Aurora Store כדי להוריד אפליקציות שרכשת, מה שאכן נותן גישה לרשימת האפליקציות שהתקנת לגוגל, אולם אתה עדיין נהנה מכך שאינך דורש את לקוח Google Play המלא ואת Google Play Services או microG במכשיר שלך. + +### התראות RSS באופן ידני + +עבור אפליקציות שמשוחררות בפלטפורמות כמו GitHub ו-GitLab, ייתכן שתוכל להוסיף עדכון RSS ל[צובר החדשות](/news-aggregators) שלך שיעזור לך לעקוב אחר מהדורות חדשות. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![שינויים ב-APK](./assets/img/android/rss-changes-light.png#only-light) ![שינויים ב-APK](./assets/img/android/rss-changes-dark.png#only-dark) + +#### Github + +ב-GitHub, באמצעות [Secure Camera](#secure-camera) כדוגמה, תנווט ל[דף ההפצות](https://github.com/GrapheneOS/Camera/releases) שלו ותוסיף את `.atom` לכתובת האתר: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +ב-GitLab, באמצעות [Aurora Store](#aurora-store) כדוגמה, תנווט אל [מאגר הפרויקטים](https://gitlab.com/AuroraOSS/AuroraStore) שלו ותוסיף `/-/tags?format=atom` לכתובת האתר: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### אימות טביעות אצבע של APK + +אם אתה מוריד קבצי APK להתקנה ידנית, אתה יכול לאמת את החתימה שלהם עם הכלי [`apksigner`](https://developer.android.com/studio/command-line/apksigner), שהוא חלק מ[כלי הבנייה](https://developer.android.com/studio/releases/build-tools) של אנדרואיד. + +1. התקן [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. הורד את [כלי שורת הפקודה של אנדרואיד סטודיו](https://developer.android.com/studio#command-tools). + +3. חלץ את הארכיון שהורד: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. הפעל את פקודת אימות החתימה: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. לאחר מכן ניתן להשוות את ה-hashes המתקבלים עם מקור אחר. מפתחים מסוימים כגון Signal [מראים את טביעות האצבע](https://signal.org/android/apk/) באתר האינטרנט שלהם. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![לוגו F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +==אנחנו **לא** ממליצים כרגע על F-Droid כדרך להשיג אפליקציות.== F-Droid מומלצת לעתים קרובות כחלופה ל-Google Play, במיוחד בפרטיות קהילה. האפשרות להוסיף מאגרי צד שלישי ולא להיות מוגבלים לגן המוקף חומה של גוגל הובילה לפופולריות שלו. ל-F-Droid יש בנוסף [בנייה הניתנת לשחזור](https://f-droid.org/en/docs/Reproducible_Builds/) עבור יישומים מסוימים והוא מוקדש לתוכנות חינמיות וקוד פתוח. עם זאת, ישנן [בעיות בולטות](https://privsec.dev/posts/android/f-droid-security-issues/) עם הלקוח הרשמי של F-Droid, בקרת האיכות שלו והאופן שבו הם בונים, חותמים ומעבירים חבילות. + +בשל תהליך בניית האפליקציות שלהם, אפליקציות במאגר ה-F-Droid הרשמי מפגרות לעתים קרובות בפיגור לגבי עדכונים. מנהלי F-Droid גם עושים שימוש חוזר במזהי חבילה בזמן חתימת אפליקציות עם המפתחות שלהם, וזה לא אידיאלי מכיוון שהוא נותן אמון אולטימטיבי לצוות F-Droid. + +מאגרים פופולריים אחרים של צד שלישי כגון [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) מקלים על חלק מהחששות הללו. מאגר IzzyOnDroid מושך רכיבים ישירות מ-GitHub והוא הדבר הטוב הבא למאגרים של המפתחים עצמם. עם זאת, זה לא משהו שאנחנו יכולים להמליץ עליו, מכיוון שבדרך כלל אפליקציות [מוסרות](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) מהמאגר הזה כשהן מגיעות למאגר F-Droid הראשי. למרות שזה הגיוני (מכיוון שהמטרה של המאגר המסוים הזה היא לארח אפליקציות לפני שהן מתקבלות למאגר ה-F-Droid הראשי), זה יכול להשאיר אותך עם אפליקציות מותקנות שכבר לא מקבלים עדכונים. + +עם זאת, מאגרי [F-Droid](https://f-droid.org/en/packages/) ו-[IzzyOnDroid](https://apt.izzysoft.de/fdroid/) הם ביתם של אינספור אפליקציות, כך שהם יכולים להיות כלי שימושי לחיפוש ולגלות אפליקציות קוד פתוח שתוכלו לאחר מכן הורד דרך Play Store, Aurora Store, או על ידי קבלת ה-APK ישירות מהמפתח. חשוב לזכור שחלק מהאפליקציות במאגרים אלו לא עודכנו במשך שנים ועשויות להסתמך על ספריות שאינן נתמכות, בין היתר, מהוות סיכון אבטחה פוטנציאלי. אתה צריך להשתמש במיטב שיקול הדעת שלך כשאתה מחפש אפליקציות חדשות בשיטה זו. + +!!! note "הערה" + + במקרים נדירים מסוימים, מפתח אפליקציה יפיץ אותה רק באמצעות F-Droid ([Gadgetbridge](https://gadgetbridge.org/) היא דוגמה אחת לכך). אם אתה באמת צריך אפליקציה כזו, אנו ממליצים להשתמש ב-[Neo Store](https://github.com/NeoApplications/Neo-Store/) במקום באפליקציית F-Droid הרשמית כדי להשיג אותה. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### מערכות הפעלה + +- חייבת להיות תוכנת קוד פתוח. +- חייב לתמוך בנעילת bootloader עם תמיכת מפתח AVB מותאמת אישית. +- חייב לקבל עדכוני אנדרואיד גדולים בתוך 0-1 חודשים מהשחרור. +- חייב לקבל עדכוני תכונות אנדרואיד (גרסה מינורית) בתוך 0-14 ימים מהשחרור. +- חייב לקבל תיקוני אבטחה רגילים בתוך 0-5 ימים מהשחרור. +- חייבים **לא** להיות "rooted" מהקופסה. +- חייב **לא** להפעיל את שירותי Google Play כברירת מחדל. +- חייב **לא** לדרוש שינוי מערכת כדי לתמוך בשירותי Google Play. + +### מכשירים + +- חייב לתמוך לפחות באחת ממערכות ההפעלה המומלצות שלנו. +- חייב להימכר כרגע חדש בחנויות. +- חייב לקבל לפחות 5 שנים של עדכוני אבטחה. +- חייב להיות חומרה ייעודית לרכיב מאובטח. + +### יישומים + +- יישומים בדף זה לא חייבים להיות ישימים לכל קטגוריית תוכנה אחרת באתר. +- יישומים כלליים צריכים להרחיב או להחליף את פונקציונליות הליבה של המערכת. +- יישומים צריכים לקבל עדכונים ותחזוקה שוטפים. diff --git a/i18n/he/assets/img/account-deletion/exposed_passwords.png b/i18n/he/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/he/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/he/assets/img/android/rss-apk-dark.png b/i18n/he/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/he/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/he/assets/img/android/rss-apk-light.png b/i18n/he/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/he/assets/img/android/rss-apk-light.png differ diff --git a/i18n/he/assets/img/android/rss-changes-dark.png b/i18n/he/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/he/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/he/assets/img/android/rss-changes-light.png b/i18n/he/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/he/assets/img/android/rss-changes-light.png differ diff --git a/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..625cb3e2 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + + שלך + + + + שליחת נתונים לאתר + + + + + קבלת נתונים מאתר אינטרנט + + + + + המכשיר + + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-encryption.svg b/i18n/he/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path-dark.svg b/i18n/he/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..1b697846 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/he/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..03bd5104 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + שלך + + + מכשיר + + + + + + שומר + + + ממסר + + + ממסר + + + + + חבוי...בצל + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + מפגש + + + ממסר + + + + + כניסה + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/he/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..fd6e98d3 --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + שלך + + + מכשיר + + + + + + שומר + + + ממסר + + + ממסר + + + + + חבוי...בצל + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + מפגש + + + ממסר + + + + + כניסה + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/how-tor-works/tor-path.svg b/i18n/he/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..22ef319c --- /dev/null +++ b/i18n/he/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + המכשיר + שלך + + + + כניסה + + + + + אמצע + + + + + יציאה + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/he/assets/img/multi-factor-authentication/fido.png b/i18n/he/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..81f4332c Binary files /dev/null and b/i18n/he/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..a1e6dcd2 Binary files /dev/null and b/i18n/he/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/he/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/he/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/he/basics/account-creation.md b/i18n/he/basics/account-creation.md new file mode 100644 index 00000000..ad59cfe2 --- /dev/null +++ b/i18n/he/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "יצירת חשבון" +icon: 'material/account-plus' +description: יצירת חשבונות מקוונים היא למעשה צורך באינטרנט, בצע את הצעדים האלה כדי לוודא שאתה נשאר פרטי. +--- + +לעתים קרובות אנשים נרשמים לשירותים מבלי לחשוב. אולי זה שירות סטרימינג כדי שתוכל לצפות בתוכנית החדשה שכולם מדברים עליה, או חשבון שנותן לך הנחה למקום האוכל המהיר האהוב עליך. לא משנה מה המקרה, עליך לשקול את ההשלכות על הנתונים שלך כעת ובהמשך בהמשך הקו. + +ישנם סיכונים הקשורים לכל שירות חדש שאתה משתמש בו. פרצות מידע; חשיפת פרטי הלקוח לצדדים שלישיים; עובדים סוררים שניגשים לנתונים; כולן אפשרויות שיש לקחת בחשבון בעת מתן המידע שלך. אתה צריך להיות בטוח שאתה יכול לסמוך על השירות, ולכן אנחנו לא ממליצים לאחסן נתונים יקרי ערך על שום דבר מלבד המוצרים הבוגרים ביותר שנבדקו בקרב. זה בדרך כלל אומר שירותים המספקים E2EE ועברו ביקורת קריפטוגרפית. ביקורת מגבירה את הביטחון שהמוצר תוכנן ללא בעיות אבטחה בולטות שנגרמו על ידי מפתח חסר ניסיון. + +יכול להיות גם קשה למחוק את החשבונות בשירותים מסוימים. לפעמים [החלפת נתונים](account-deletion.md#overwriting-account-information) הקשורים לחשבון יכולה להיות אפשרית, אך במקרים אחרים השירות ישמור היסטוריה שלמה של שינויים בחשבון. + +## תנאים והגבלות & מדיניות הפרטיות + +ה-ToS הם הכללים שאתה מסכים לפעול עליהם בעת השימוש בשירות. עם שירותים גדולים יותר כללים אלה נאכפים לרוב על ידי מערכות אוטומטיות. לפעמים המערכות האוטומטיות האלה יכולות לעשות טעויות. לדוגמה, אתה עשוי להיות חסום או נעול מחוץ לחשבון שלך בשירותים מסוימים בגלל שימוש במספר VPN או VOIP. ערעור על איסורים כאלה הוא לעתים קרובות קשה, וכרוך גם בתהליך אוטומטי, שלא תמיד מצליח. זו תהיה אחת הסיבות לכך שלא היינו מציעים להשתמש ב-Gmail לאימייל כדוגמה. אימייל חיוני לגישה לשירותים אחרים שאולי נרשמת אליהם. + +מדיניות הפרטיות היא האופן שבו השירות אומר שהם ישתמשו בנתונים שלך וכדאי לקרוא כדי שתבין כיצד ישמש הנתונים שלך. ייתכן שחברה או ארגון לא יהיו מחויבים על פי חוק לציית לכל הכלול במדיניות (זה תלוי בתחום השיפוט). אנו ממליצים לקבל מושג מה הם החוקים המקומיים שלך ומה הם מאפשרים לספק לאסוף. + +אנו ממליצים לחפש מונחים מסוימים כגון "איסוף נתונים", "ניתוח נתונים", "עוגיות", "מודעות" או שירותי "צד שלישי". לפעמים תוכל לבטל את הסכמתך לאיסוף נתונים או משיתוף הנתונים שלך, אבל עדיף לבחור שירות שמכבד את פרטיותך מלכתחילה. + +זכור שאתה גם נותן אמון בחברה או בארגון ושהם יצייתו למדיניות הפרטיות שלהם. + +## שיטות אימות + +בדרך כלל ישנן מספר דרכים להירשם לחשבון, כל אחת עם היתרונות והחסרונות שלה. + +### אימייל וסיסמא + +הדרך הנפוצה ביותר ליצור חשבון חדש היא באמצעות כתובת אימייל וסיסמה. בעת שימוש בשיטה זו, עליך להשתמש במנהל סיסמאות ולפעול לפי [שיטות עבודה מומלצות](passwords-overview.md) לגבי סיסמאות. + +!!! tip "טיפ" + + אתה יכול להשתמש במנהל הסיסמאות שלך כדי לארגן גם שיטות אימות אחרות! פשוט הוסף את הערך החדש ומלא את השדות המתאימים, אתה יכול להוסיף הערות לדברים כמו שאלות אבטחה או מפתח גיבוי. + +אתה תהיה אחראי על ניהול אישורי הכניסה שלך. לאבטחה נוספת, תוכל להגדיר [MFA](multi-factor-authentication.md) בחשבונות שלך. + +[מנהלי סיסמאות מומלצים](../passwords.md ""){.md-button} + +#### כינויי אימייל + +אם אינך רוצה לתת את כתובת האימייל האמיתית שלך לשירות, יש לך אפשרות להשתמש בכינוי. תיארנו אותם ביתר פירוט בדף ההמלצות של שירותי האימייל שלנו. בעיקרון, שירותי כינוי מאפשרים לך ליצור כתובות אימייל חדשות המעבירות את כל המיילים לכתובת הראשית שלך. זה יכול לעזור למנוע מעקב אחר שירותים ולעזור לך לנהל את האימיילים השיווקיים שמגיעים לפעמים עם תהליך ההרשמה. ניתן לסנן אותם באופן אוטומטי על סמך הכינוי שאליו הם נשלחים. + +אם שירות ייפרץ, ייתכן שתתחיל לקבל הודעות דיוג או דואר זבל לכתובת שבה השתמשת כדי להירשם. שימוש בכינויים ייחודיים עבור כל שירות יכול לסייע בזיהוי בדיוק איזה שירות נפרץ. + +[שירותי כינוי אימייל מומלצים](../email.md#email-aliasing-services ""){.md-button} + +### כניסה יחידה + +!!! note "הערה" + + אנו דנים בכניסה יחידה לשימוש אישי, לא למשתמשים ארגוניים. + +כניסה יחידה (SSO) היא שיטת אימות המאפשרת לך להירשם לשירות מבלי לשתף מידע רב, אם בכלל. בכל פעם שאתה רואה משהו בסגנון "היכנס עם *שם הספק*" בטופס הרשמה, זה SSO. + +כאשר אתה בוחר בכניסה יחידה לאתר, הוא יבקש מדף הכניסה של ספק ה-SSO שלך ולאחר מכן חשבונך יחובר. הסיסמה שלך לא תשותף, אבל חלק מהמידע הבסיסי יעשה זאת (תוכל לעיין בה במהלך בקשת ההתחברות). תהליך זה נחוץ בכל פעם שאתה רוצה להיכנס לאותו חשבון. + +היתרונות העיקריים הם: + +- **אבטחה**: אין סיכון להיות מעורב ב[הפרת נתונים](https://en.wikipedia.org/wiki/Data_breach) מכיוון האתר אינו שומר את האישורים שלך. +- **קלות שימוש**: מספר חשבונות מנוהלים על ידי התחברות אחת. + +אבל יש חסרונות: + +- **פרטיות**: ספק SSO יידע באילו שירותים אתה משתמש. +- **ריכוזיות**: אם חשבון SSO שלך נפגע או שאינך יכול להתחבר אליו, כל שאר החשבונות המחוברים אליו יושפעו. + +SSO יכול להיות שימושי במיוחד במצבים שבהם אתה יכול להפיק תועלת מאינטגרציה עמוקה יותר בין שירותים. לדוגמה, אחד מהשירותים הללו עשוי להציע SSO עבור האחרים. ההמלצה שלנו היא להגביל את SSO רק למקום שבו אתה צריך את זה ולהגן על החשבון הראשי באמצעות [MFA](multi-factor-authentication.md). + +כל השירותים המשתמשים ב-SSO יהיו מאובטחים כמו חשבון SSO שלך. לדוגמה, אם אתה רוצה לאבטח חשבון עם מפתח חומרה אבל השירות הזה לא תומך במפתחות חומרה, אתה יכול לאבטח את חשבון SSO שלך עם מפתח חומרה וכעת יש לך בעצם MFA חומרה בכל החשבונות שלך. עם זאת, ראוי לציין שאימות חלש בחשבון SSO שלך אומר שכל חשבון הקשור לכניסה זו יהיה גם חלש. + +### מספר טלפון + +אנו ממליצים להימנע משירותים הדורשים מספר טלפון לצורך הרשמה. מספר טלפון יכול לזהות אותך במספר שירותים ובהתאם להסכמי שיתוף נתונים זה יקל על המעקב אחר השימוש שלך, במיוחד אם אחד מהשירותים האלה נפרץ מכיוון שמספר הטלפון הוא לרוב **לא** מוצפן. + +כדאי להימנע מלמסור את מספר הטלפון האמיתי שלך אם אתה יכול. שירותים מסוימים יאפשרו שימוש במספרי VOIP, אולם אלה מפעילים לעתים קרובות מערכות זיהוי הונאה, מה שגורם לנעילה של חשבון, ולכן איננו ממליצים על כך עבור חשבונות חשובים. + +במקרים רבים תצטרך לספק מספר שממנו תוכל לקבל SMS או שיחות, במיוחד בעת קניות בינלאומיות, למקרה שיש בעיה בהזמנה שלך בבדיקת הגבול. מקובל ששירותים משתמשים במספר שלך כשיטת אימות; אל תיתן לעצמך להינעל מחוץ לחשבון חשוב כי רצית להיות חכם ולתת מספר מזויף! + +### שם משתמש וסיסמא + +שירותים מסוימים מאפשרים לך להירשם ללא שימוש בכתובת אימייל ורק דורשים ממך להגדיר שם משתמש וסיסמה. שירותים אלה עשויים לספק אנונימיות מוגברת בשילוב עם VPN או Tor. זכור שעבור חשבונות אלה סביר להניח ש**אין דרך לשחזר את חשבונך** במקרה שתשכח את שם המשתמש או הסיסמה שלך. diff --git a/i18n/he/basics/account-deletion.md b/i18n/he/basics/account-deletion.md new file mode 100644 index 00000000..a5a80c10 --- /dev/null +++ b/i18n/he/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "מחיקת חשבון" +icon: 'material/account-remove' +description: קל לצבור מספר רב של חשבונות אינטרנט, הנה כמה טיפים כיצד לגזום את האוסף שלך. +--- + +עם הזמן, זה יכול להיות קל לצבור מספר חשבונות מקוונים, שרבים מהם אולי כבר לא תשתמשו בהם. מחיקת חשבונות שאינם בשימוש היא צעד חשוב בהחזרת הפרטיות שלך, מכיוון שחשבונות רדומים חשופים לפרצות מידע. פרצת נתונים היא כאשר אבטחת השירות נפגעת ומידע מוגן נצפה, מועבר או נגנב על ידי שחקנים לא מורשים. פרצות מידע הן למרבה הצער כולן [נפוצות מדי](https://haveibeenpwned.com/PwnedWebsites) בימינו, ולכן תרגול היגיינה דיגיטלית טובה היא הדרך הטובה ביותר למזער את ההשפעה שיש להן על חייך. המטרה של מדריך זה היא אם כן לעזור לנווט אותך בתהליך המעיק של מחיקת חשבון, שלעתים קרובות מקשה על ידי [עיצוב מטעה](https://www.deceptive.design/), למען השיפור של הנוכחות המקוונת שלך. + +## איתור חשבונות ישנים + +### מנהל הסיסמאות + +אם יש לך מנהל סיסמאות שבו השתמשת במשך כל חייך הדיגיטליים, החלק הזה יהיה קל מאוד. לעתים קרובות, הם כוללים פונקציונליות מובנית לזיהוי אם פרטי הכניסה שלך נחשפו בפריצת נתונים - כגון דוח [פריצת הנתונים של Bitwarden](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![מאפיין הדוח 'פריצת נתונים' של Bitwarden](../assets/img/account-deletion/exposed_passwords.png) +
+ +גם אם לא השתמשת במנהל סיסמאות במפורש בעבר, יש סיכוי שהשתמשת במנהל הסיסמאות בדפדפן או בטלפון שלך מבלי לשים לב. לדוגמה: [מנהל הסיסמאות של Firefox](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [מנהל הסיסמאות של גוגל](https://passwords.google.com/intro) ו - [מנהל סיסמאות של Edge](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +פלטפורמות שולחניות כוללות לעתים קרובות מנהל סיסמאות שעשוי לעזור לך לשחזר סיסמאות ששכחת מהן: + +- מנהל אישורי Windows +- macOS [סיסמאות](https://support.apple.com/en-us/HT211145) +- iOS [סיסמאות](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, שאליו ניתן לגשת דרך [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) או [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### אימייל + +אם לא השתמשת במנהל סיסמאות בעבר או שאתה חושב שיש לך חשבונות שמעולם לא נוספו למנהל הסיסמאות שלך, אפשרות נוספת היא לחפש בחשבונ(ות) הדוא"ל שאתה מאמין שנרשמת אליהם. בלקוח האימייל שלך, חפש מילות מפתח כגון "אמת" או "ברוך הבא" כמעט בכל פעם שתבצע חשבון מקוון, השירות ישלח קישור לאימות או הודעת היכרות לאימייל שלך. זו יכולה להיות דרך טובה למצוא חשבונות ישנים ונשכחים. + +## מחיקת חשבונות ישנים + +### התחברות + +כדי למחוק את החשבונות הישנים שלך, תחילה עליך לוודא שתוכל להתחבר אליהם. שוב, אם החשבון היה במנהל הסיסמאות שלך, שלב זה קל. אם לא, אפשר לנסות לנחש את הסיסמה. אם לא, יש בדרך כלל אפשרויות להחזיר את הגישה לחשבון שלך, זמין בדרך כלל באמצעות קישור "שכחתי את הסיסמה" בדף הכניסה. ייתכן גם שחשבונות שנטשת כבר נמחקו - לפעמים שירותים מוחקים את כל החשבונות הישנים. + +כאשר מנסים לקבל גישה מחדש, אם האתר מחזיר הודעת שגיאה האומרת שדוא"ל אינו משויך לחשבון, או שאתה לעולם לא מקבל קישור לאיפוס לאחר מספר ניסיונות, אז אין לך חשבון תחת כתובת דוא"ל זו ועליך לנסות אחד אחר. אם אינך מצליח להבין באיזו כתובת דוא"ל השתמשת, או שכבר אין לך גישה לדוא"ל זה, תוכל לנסות ליצור קשר עם תמיכת הלקוחות של השירות. לצערנו, אין ערובה לכך שתוכל לקבל שוב גישה לחשבון שלך. + +### GDPR (תושבי EEA בלבד) + +לתושבי האזור הכלכלי האירופי יש זכויות נוספות בנוגע למחיקת נתונים המפורטים בסעיף [17](https://www.gdpr.org/regulation/article-17.html) של ה - GDPR. אם זה רלוונטי עבורך, קרא את מדיניות הפרטיות של כל שירות נתון כדי למצוא מידע על מימוש הזכות שלך למחיקה. קריאת מדיניות הפרטיות יכולה להיות חשובה, שכן חלק מהשירותים כוללים אפשרות "מחק חשבון" המשביתה רק את החשבון שלך ולמחיקת אמיתית עליך לנקוט פעולה נוספת. לפעמים מחיקה בפועל עשויה לכלול מילוי סקרים, שליחת אימייל לקצין הגנת המידע של השירות או אפילו הוכחת מקום מגוריך ב - EEA. אם אתם מתכננים ללכת בדרך זו,** אל תעשו ** שישכתב את המידע על חשבון שיש - הזהות שלך כתושב EEA עשוי להיות נדרש. שים לב כי המיקום של השירות אינו משנה; GDPR חל על כל מי שמשרת משתמשים באירופה. אם השירות אינו מכבד את זכותך למחיקה, באפשרותך ליצור קשר עם הלאום שלך [לרשות להגנת נתונים ](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) אתה יכול להיות זכאי לפיצוי כספי. + +### עריכת פרטי החשבון הקיים + +במצבים מסוימים שבהם אתה מתכנן לנטוש חשבון, ייתכן שיהיה הגיוני להחליף את פרטי החשבון בנתונים מזויפים. לאחר שווידאת שתוכל להתחבר, שנה את כל המידע בחשבונך למידע מזויף. הסיבה לכך היא שאתרים רבים ישמרו מידע שהיה ברשותך בעבר גם לאחר מחיקת החשבון. התקווה היא שהם יחליפו את המידע הקודם בנתונים החדשים ביותר שהזנת. עם זאת, אין ערובה לכך שלא יהיו גיבויים עם המידע הקודם. + +עבור הדוא"ל של החשבון, צור חשבון דוא"ל חלופי חדש באמצעות הספק שבחרת או צור כינוי באמצעות שירות [כינויי דוא"ל](../email.md#email-aliasing-services). לאחר מכן תוכל למחוק את כתובת הדוא"ל החלופית שלך לאחר שתסיים. אנו ממליצים שלא להשתמש בספקי דוא"ל זמניים, שכן לעתים קרובות ניתן להפעיל מחדש הודעות דוא"ל זמניות. + +### מחיקה + +אתה יכול לבדוק את [JustDeleteMe](https://justdeleteme.xyz) לקבלת הוראות למחיקת החשבון עבור שירות ספציפי. בחלק מהאתרים תהיה באדיבות אפשרות "מחק חשבון", בעוד שאחרים ירחיקו עד כדי להכריח אותך לדבר עם סוכן תמיכה. תהליך המחיקה יכול להשתנות מאתר לאתר, כאשר מחיקת חשבון בלתי אפשרית בחלקם. + +עבור שירותים שאינם מאפשרים מחיקת חשבון, הדבר הטוב ביותר לעשות הוא לזייף את כל המידע שלך כפי שהוזכר קודם ולחזק את אבטחת החשבון. לשם כך, אפשר [MFA](multi-factor-authentication.md) ואת כל תכונות האבטחה הנוספות המוצעות. כמו כן, שנה את הסיסמה לאחד שנוצר באופן אקראי שהוא הגודל המרבי המותר (מנהל סיסמאות [](../passwords.md) יכול להיות שימושי עבור זה). + +אם אתה מרוצה מכך שכל המידע שחשוב לך יוסר, תוכל לשכוח בבטחה מחשבון זה. אם לא, ייתכן שכדאי לשמור את פרטי הכניסה עם הסיסמאות האחרות, ומדי פעם להתחבר מחדש כדי לאפס את הסיסמה. + +גם כאשר אתה יכול למחוק חשבון, אין ערובה לכך שכל הפרטים שלך יוסרו. למעשה, חלק מהחברות מחויבות על פי חוק לשמור מידע מסוים, במיוחד כאשר מדובר בעסקאות פיננסיות. זה בעיקר מחוץ לשליטתך מה קורה לנתונים שלך כשמדובר באתרי אינטרנט ובשירותי ענן. + +## הימנעות מחשבונות חדשים + +כפי שאומר הפתגם הישן, "גרם של מניעה שווה קילו של תרופה." בכל פעם שאתה מתפתה להירשם לחשבון חדש, שאל את עצמך, "האם אני באמת צריך את זה? האם אני יכול להשיג את מה שאני צריך בלי חשבון?" לעתים קרובות זה יכול להיות הרבה יותר קשה למחוק חשבון מאשר ליצור אחד. וגם לאחר מחיקה או שינוי של המידע בחשבונך, עשויה להיות גרסה שמור של צד שלישי - כמו [ארכיון האינטרנט](https://archive.org/). הימנע מהפיתוי כאשר אתה מסוגל - העצמי העתידי שלך יודה לך! diff --git a/i18n/he/basics/common-misconceptions.md b/i18n/he/basics/common-misconceptions.md new file mode 100644 index 00000000..c6ce6cf9 --- /dev/null +++ b/i18n/he/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "תפיסות מוטעות נפוצות" +icon: 'material/robot-confused' +description: פרטיות היא לא נושא פשוט, וקל להיקלע לטענות שיווקיות ודיסאינפורמציה אחרת. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: האם תוכנת קוד פתוח מאובטחת מטבעה? + acceptedAnswer: + "@type": Answer + text: | + האם קוד המקור זמין ואופן רישיון התוכנה אינו משפיע מטבעו על אבטחתה בשום צורה. לתוכנת קוד פתוח יש פוטנציאל להיות מאובטח יותר מתוכנה קניינית, אבל אין שום ערובה שזה המצב. כאשר אתה מעריך תוכנה, עליך להסתכל על המוניטין והאבטחה של כל כלי על בסיס אינדיבידואלי. + - + "@type": Question + name: האם העברת אמון לספק אחר יכולה להגביר את הפרטיות? + acceptedAnswer: + "@type": Answer + text: | + אנחנו מדברים הרבה על "שינוי אמון" כאשר דנים בפתרונות כמו VPNs (המסיטים את האמון שאתה נותן בספק אינטרנט שלך לספק VPN). למרות שזה מגן על נתוני הגלישה שלך מספק האינטרנט שלך באופן ספציפי, לספק ה-VPN שתבחר עדיין יש גישה לנתוני הגלישה שלך: הנתונים שלך אינם מאובטחים לחלוטין מכל הצדדים. + - + "@type": Question + name: האם פתרונות ממוקדי פרטיות אמינים מטבעם? + acceptedAnswer: + "@type": Answer + text: | + התמקדות אך ורק במדיניות הפרטיות ושיווק של כלי או ספק יכול לעוור אותך לחולשותיו. כאשר אתה מחפש פתרון פרטי יותר, עליך לקבוע מהי הבעיה הבסיסית ולמצוא פתרונות טכניים לבעיה זו. לדוגמה, ייתכן שתרצה להימנע מ Google Drive, המעניק ל - גוגל גישה לכל הנתונים שלך. הבעיה הבסיסית במקרה זה היא חוסר ב-E2EE, אז כדאי לוודא שהספק אליו אתם עוברים מיישם את E2EE, או להשתמש בכלי (כמו Cryptomator) שמספק E2EE בכל ספק ענן. מעבר לספק "ממוקד פרטיות" (שאינו מיישם E2EE) לא פותר את הבעיה שלך: הוא פשוט מעביר את האמון מגוגל לספק הזה. + - + "@type": Question + name: כמה מסובך צריך להיות מודל האיום שלי? + acceptedAnswer: + "@type": Answer + text: | + לעתים קרובות אנחנו רואים אנשים שמתארים מודלים של איום על פרטיות שהם מורכבים מדי. לעתים קרובות, פתרונות אלה כוללים בעיות כמו חשבונות דוא"ל רבים ושונים או התקנות מסובכות עם הרבה העברת חלקים ותנאים. התשובות הן בדרך כלל תשובות ל"מהי הדרך הטובה ביותר לעשות X?" + מציאת הפתרון ה"טוב ביותר" עבור עצמך לא אומר בהכרח שאתה מחפש פתרון שאין לו טעות עם עשרות תנאים - פתרונות אלו לרוב קשה לעבוד איתם באופן מציאותי. כפי שדיברנו בעבר, אבטחה לרוב באה במחיר של נוחות. +--- + +## "תוכנת קוד פתוח תמיד מאובטחת" או "תוכנה קניינית מאובטחת יותר" + +מיתוסים אלו נובעים ממספר דעות קדומות, אך האם קוד המקור זמין ואופן רישיון התוכנה אינו משפיע מטבעו על אבטחתה בשום צורה. == לתוכנת קוד פתוח יש את ה*פוטנציאל* להיות מאובטח יותר מתוכנה קניינית, אבל אין שום ערובה שזה המצב.== כאשר אתה מעריך תוכנה, עליך להסתכל על המוניטין והאבטחה של כל כלי על בסיס אישי. + +תוכנת קוד פתוח *ניתנת* לביקורת על ידי צדדים שלישיים, ולעתים קרובות היא שקופה יותר לגבי נקודות תורפה אפשריות מאשר עמיתים קנייניים. זה גם מאפשר לך לסקור את הקוד ולהשבית כל פונקציונליות חשודה שתמצא בעצמך. עם זאת, *אלא אם כן תעשה זאת*, אין ערובה שהקוד הוערך אי פעם, במיוחד עם פרויקטי תוכנה קטנים יותר. תהליך הפיתוח הפתוח נוצל לפעמים גם כדי להכניס פרצות חדשות אפילו לפרויקטים גדולים.[^1] + +בצד השני, תוכנה קניינית פחות שקופה, אבל זה לא מרמז על כך שהיא לא מאובטחת. פרויקטי תוכנה קנייניים גדולים ניתנים לביקורת פנימית ועל ידי סוכנויות צד שלישי, וחוקרי אבטחה בלתי תלויים עדיין יכולים למצוא נקודות תורפה עם טכניקות כמו הנדסה לאחור. + +כדי להימנע מהחלטות מוטות, *חיוני* שתעריך את תקני הפרטיות והאבטחה של התוכנה שבה אתה משתמש. + +## "שינוי באמון יכול להגביר את הפרטיות" + +אנחנו מדברים הרבה על "שינוי אמון" כאשר דנים בפתרונות כמו VPNs (המסיטים את האמון שאתה נותן בספק אינטרנט שלך לספק VPN). למרות שזה מגן על נתוני הגלישה שלך מספק האינטרנט שלך *באופן ספציפי*, לספק ה-VPN שתבחר עדיין יש גישה לנתוני הגלישה שלך: הנתונים שלך אינם מאובטחים לחלוטין מכל הצדדים. משמעות הדבר היא: + +1. עליך לנקוט משנה זהירות בעת בחירת ספק להעביר אליו אמון. +2. אתה עדיין צריך להשתמש בטכניקות אחרות, כמו E2EE, כדי להגן על הנתונים שלך לחלוטין. חוסר אמון בספק אחד בלבד כדי לסמוך על אחר אינו מאבטח הנתונים שלך. + +## "פתרונות המתמקדים בפרטיות הם אמינים מטבעם" + +התמקדות אך ורק במדיניות הפרטיות ושיווק של כלי או ספק יכול לעוור אותך לחולשותיו. כאשר אתה מחפש פתרון פרטי יותר, עליך לקבוע מהי הבעיה הבסיסית ולמצוא פתרונות טכניים לבעיה זו. לדוגמה, ייתכן שתרצה להימנע מ Google Drive, המעניק ל - גוגל גישה לכל הנתונים שלך. הבעיה הבסיסית במקרה זה היא חוסר ב-E2EE, אז כדאי לוודא שהספק אליו אתם עוברים מיישם את E2EE, או להשתמש בכלי (כמו [Cryptomator](../encryption.md#cryptomator-cloud)) המספק E2EE בכל ספק ענן. מעבר לספק "ממוקד פרטיות" (שאינו מיישם E2EE) לא פותר את הבעיה שלך: הוא פשוט מעביר את האמון מגוגל לספק הזה. + +מדיניות הפרטיות והנהלים העסקיים של ספקים שאתה בוחר חשובים מאוד, אך יש להתייחס אליהם כמשניים להבטחות טכניות לפרטיות שלך: אל תעביר אמון לספק אחר כאשר אמון בספק אינו דרישה כלל. + +## "מסובך זה יותר טוב" + +לעתים קרובות אנחנו רואים אנשים שמתארים מודלים של איום על פרטיות שהם מורכבים מדי. לעתים קרובות, פתרונות אלה כוללים בעיות כמו חשבונות דוא"ל רבים ושונים או התקנות מסובכות עם הרבה העברת חלקים ותנאים. התשובות הן בדרך כלל תשובות לשאלה "מהי הדרך הטובה ביותר לעשות *X*?" + +מציאת הפתרון ה"טוב ביותר" עבור עצמך לא אומר בהכרח שאתה מחפש פתרון שאין לו טעות עם עשרות תנאים - פתרונות אלו לרוב קשה לעבוד איתם באופן מציאותי. כפי שדיברנו בעבר, אבטחה לרוב באה במחיר של נוחות. בהמשך אנו מספקים כמה טיפים: + +1. ==פעולות צריכות לשרת מטרה מסוימת:== תחשוב איך לעשות מה שאתה רוצה עם הכי פחות פעולות. +2. ==הסר נקודות כשל אנושיות:== אנחנו נכשלים, מתעייפים ושוכחים דברים. כדי לשמור על אבטחה, הימנע מהסתמכות על תנאים ותהליכים ידניים שאתה צריך לזכור. +3. ==השתמש ברמת ההגנה הנכונה עבור מה שאתה מתכוון.== לעתים קרובות אנו רואים המלצות על מה שנקרא פתרונות אכיפת חוק או הוכחת זימון. אלה דורשים לעתים קרובות ידע מומחה ובדרך כלל הם לא מה שאנשים רוצים. אין טעם לבנות מודל איום מורכב לאנונימיות אם ניתן בקלות לבטל את האנונימיות באמצעות פיקוח פשוט. + +אז איך זה עשוי להיראות? + +אחד מדגמי האיום המובהקים ביותר הוא כזה שבו אנשים *יודעים מי אתה* ואחד שבו הם לא יודעים. תמיד יהיו מצבים שבהם אתה חייב להצהיר על שמך החוקי ויש אחרים שבהם אתה לא צריך. + +1. **זהות ידועה** - זהות ידועה משמשת לדברים שבהם עליך להצהיר על שמך. ישנם מסמכים וחוזים משפטיים רבים שבהם נדרשת זהות משפטית. זה יכול לנוע בין פתיחת חשבון בנק, חתימה על חוזה שכירות, השגת דרכון, הצהרות מכס בעת יבוא פריטים או התמודדות אחרת עם הממשלה שלך. דברים אלה יובילו בדרך כלל לאישורים כגון כרטיסי אשראי, בדיקות דירוג אשראי, מספרי חשבונות ואולי כתובות פיזיות. + + אנחנו לא ממליצים להשתמש ב-VPN או ב-Tor עבור אף אחד מהדברים האלה, מכיוון שהזהות שלך כבר ידועה באמצעים אחרים. + + !!! tip "טיפ" + + בעת קניות באינטרנט, השימוש ב[ארונית חבילות](https://en.wikipedia.org/wiki/Parcel_locker) יכול לעזור לשמור על פרטיות הכתובת הפיזית שלך. + +2. **זהות לא ידועה** - זהות לא ידועה יכולה להיות שם בדוי יציב שאתה משתמש בו באופן קבוע. זה לא אנונימי כי זה לא משתנה. אם אתה חלק מקהילה מקוונת, ייתכן שתרצה לשמור על דמות שאחרים מכירים. שם בדוי זה אינו אנונימי מכיוון שאם מנוטרים מספיק זמן - פרטים על הבעלים יכולים לחשוף מידע נוסף, כגון האופן שבו הם כותבים, הידע הכללי שלהם לגבי נושאים מעניינים וכו'. + + ייתכן שתרצו להשתמש ב - VPN כדי להסתיר את כתובת ה - IP שלכם. קשה יותר להסוות עסקאות פיננסיות: תוכל לשקול להשתמש במטבעות קריפטוגרפיים אנונימיים, כגון [Monero](https://www.getmonero.org/). שימוש בהעברת אלטקוין עשוי גם לעזור להסוות את מקור המטבע שלך. בדרך כלל, ההחלפות דורשות את השלמת KYC (הכר את הלקוח שלך) לפני שהן יאפשרו לך להחליף מטבע פיאט לכל סוג של מטבע קריפטוגרפי. גם אפשרויות מפגש מקומיות עשויות להוות פתרון; עם זאת, אלה לעתים קרובות יותר יקרים ולפעמים גם דורשים KYC. + +3. **זהות אנונימית** - גם עם ניסיון, זהויות אנונימיות קשות לשמירה לאורך תקופות זמן ארוכות. הן צריכות להיות זהויות קצרות טווח וקצרות מועד המסובבות באופן קבוע. + + שימוש ב- Tor יכול לעזור בזה. ראוי גם לציין כי אנונימיות רבה יותר אפשרית באמצעות תקשורת אסינכרונית: תקשורת בזמן אמת חשופה לניתוח של דפוסי הקלדה (כלומר יותר מפסקת טקסט, מופצת בפורום, באמצעות דואר אלקטרוני וכו') + +[^1]: אחת הדוגמאות הבולטות לכך היא [תקרית 2021 שבה חוקרים מאוניברסיטת מינסוטה הציגו שלוש נקודות תורפה לפרויקט פיתוח ליבת לינוקס](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/he/basics/common-threats.md b/i18n/he/basics/common-threats.md new file mode 100644 index 00000000..fad4813f --- /dev/null +++ b/i18n/he/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "איומים נפוצים" +icon: 'material/eye-outline' +description: מודל האיום שלך הוא אישי עבורך, אך אלו הם חלק מהדברים שמהם אכפת למבקרים רבים באתר זה. +--- + +באופן כללי, אנו מסווגים את ההמלצות שלנו ל[איומים](threat-modeling.md) או יעדים שחלים על רוב האנשים. ==ייתכן שאתה מודאג מאף אחת, אחת, כמה, או מכל האפשרויות האלה==, והכלים והשירותים שבהם אתה משתמש תלויים במטרותיך. ייתכן שיש לך איומים ספציפיים גם מחוץ לקטגוריות האלה, וזה בסדר גמור! החלק החשוב הוא פיתוח הבנה של היתרונות והחסרונות של הכלים שבהם אתה בוחר להשתמש, כי למעשה אף אחד מהם לא יגן עליך מכל איום. + +- :material-incognito: אנונימיות - הגנה על הפעילות המקוונת שלך מהזהות האמיתית שלך, הגנה עליך מפני אנשים שמנסים לחשוף את הזהות *שלך* ספציפית. +- :material-target-account: התקפות ממוקדות - הגנה מפני האקרים או שחקנים זדוניים אחרים שמנסים לקבל גישה לנתונים או מכשירים ספציפיים *שלך*. +- :material-bug-outline: התקפות פסיביות - הגנה מפני דברים כמו תוכנות זדוניות, פרצות נתונים והתקפות אחרות שנעשות נגד אנשים רבים בו-זמנית. +- :material-server-network: ספקי שירותים - הגנה על הנתונים שלך מפני ספקי שירות (למשל באמצעות E2EE, מה שהופך את הנתונים שלך לבלתי קריאים לשרת). +- :material-eye-outline: מעקב המוני - הגנה מפני סוכנויות ממשלתיות, ארגונים, אתרים ושירותים הפועלים יחד כדי לעקוב אחר הפעילויות שלך. +- :material-account-cash: קפיטליזם מעקב - הגנה על עצמך מפני רשתות פרסום גדולות, כמו גוגל ופייסבוק, כמו גם ממספר עצום של אוספי נתונים אחרים של צד שלישי. +- :material-account-search: חשיפה ציבורית - הגבלת המידע אודותיך הנגיש באינטרנט - למנועי חיפוש או לציבור הרחב. +- :material-close-outline: צנזורה - הימנעות מגישה מצונזרת למידע או מצונזר בעצמך כשאתה מדבר באינטרנט. + +חלק מהאיומים הללו עשויים להיות חשובים לך יותר מאחרים, בהתאם לדאגות הספציפיות שלך. לדוגמה, מפתח תוכנה עם גישה לנתונים חשובים או קריטיים עשוי להיות מודאג בעיקר ב:material-target-account: מתקפות ממוקדות, אבל כנראה שהוא עדיין רוצה להגן על נתונים אישיים שנסחפו בתוכניות :material-eye-outline: מעקב המוני. באופן דומה, אנשים רבים עשויים להיות מודאגים בעיקר מ:material-account-search: חשיפה ציבורית של הנתונים האישיים שלהם, אך הם עדיין צריכים להיזהר מבעיות ממוקדות אבטחה, כגון :material-bug-outline: התקפות פסיביות—כמו תוכנות זדוניות המשפיעות על המכשירים שלהם. + +## אנונימיות מול פרטיות + +:material-incognito: אנונימיות + +אנונימיות מבולבלת לעתים קרובות עם פרטיות, אבל הם מושגים נפרדים. בעוד שפרטיות היא קבוצה של בחירות שאתה עושה לגבי אופן השימוש והשיתוף בנתונים שלך, אנונימיות היא ניתוק מוחלט של הפעילויות המקוונות שלך מזהותך האמיתית. + +לחושפי שחיתויות ועיתונאים, למשל, יכול להיות מודל איום הרבה יותר קיצוני הדורש אנונימיות מוחלטת. זה לא רק להסתיר את מה שהם עושים, אילו נתונים יש להם, ולא להיפרץ על ידי שחקנים זדוניים או ממשלות, אלא גם להסתיר את מי שהם לגמרי. לעתים קרובות הם יקריבו כל סוג של נוחות אם זה אומר להגן על האנונימיות, הפרטיות או האבטחה שלהם, מכיוון שחייהם עשויים להיות תלויים בכך. רוב האנשים לא צריכים ללכת כל כך רחוק. + +## אבטחה ופרטיות + +:material-bug-outline: התקפות פסיביות + +גם אבטחה ופרטיות מתבלבלים לעתים קרובות, מכיוון שאתה זקוק לאבטחה כדי להשיג כל מראית עין של פרטיות: השימוש בכלים - גם אם הם פרטיים בעיצובם - הוא חסר תועלת אם הם יכולים להיות מנוצלים בקלות על ידי תוקפים שישחררו מאוחר יותר את הנתונים שלך. עם זאת, ההיפך אינו בהכרח נכון: השירות המאובטח ביותר בעולם *אינו בהכרח* פרטי. הדוגמה הטובה ביותר לכך היא מתן אמון בנתונים לגוגל, שבהתחשב בהיקף שלהם, היו מעט תקריות אבטחה על ידי העסקת מומחי אבטחה מובילים בתעשייה כדי לאבטח את התשתית שלהם. למרות שגוגל מספקת שירותים מאובטחים מאוד, מעט מאוד אנשים יחשבו שהנתונים שלהם פרטיים במוצרי הצריכה החינמיים של גוגל (Gmail, יוטיוב וכו') + +כשזה מגיע לאבטחת יישומים, אנחנו בדרך כלל לא יודעים (ולפעמים גם לא יכולים) לדעת אם התוכנה שבה אנו משתמשים היא זדונית, או עלולה להפוך יום אחד לזדונית. אפילו עם המפתחים המהימנים ביותר, בדרך כלל אין ערובה לכך שלתוכנה שלהם אין פגיעות רצינית שניתן לנצל מאוחר יותר. + +כדי למזער את הנזק שתוכנה זדונית *עלולה* לגרום, עליך להפעיל אבטחה על ידי מידור. לדוגמה, זה יכול לבוא בצורה של שימוש במחשבים שונים לעבודות שונות, שימוש במכונות וירטואליות כדי להפריד בין קבוצות שונות של יישומים קשורים, או שימוש במערכת הפעלה מאובטחת עם התמקדות חזקה בארגז חול של יישומים ובקרת גישה חובה. + +!!! tip "טיפ" + + למערכות הפעלה מובייל יש בדרך כלל ארגז חול טוב יותר לאפליקציות מאשר למערכות הפעלה שולחניות: אפליקציות אינן יכולות לקבל גישת שורש, ודורשות הרשאה לגישה למשאבי המערכת. + + מערכות הפעלה שולחניות בדרך כלל מפגרות עם ארגז חול נכון. ל-ChromeOS יש יכולות ארגז חול דומות לאנדרואיד, ול-macOS יש בקרת הרשאות מערכת מלאה (ומפתחים יכולים להצטרף לארגזי חול עבור יישומים). עם זאת, מערכות הפעלה אלו אכן משדרות מידע מזהה ליצרני ה-OEM שלהם. לינוקס נוטה לא לשלוח מידע לספקי מערכות, אך יש לה הגנה גרועה מפני ניצול ואפליקציות זדוניות. ניתן למתן את זה במידת מה עם הפצות מיוחדות שעושות שימוש משמעותי במכונות וירטואליות או קונטיינרים, כגון [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: התקפות ממוקדות + +התקפות ממוקדות נגד אדם ספציפי הן בעייתיות יותר להתמודדות. התקפות נפוצות כוללות שליחת מסמכים זדוניים באמצעות מייל, ניצול פגיעויות (למשל בדפדפנים ובמערכות הפעלה) והתקפות פיזיות. אם זה מדאיג אותך, עליך להשתמש באסטרטגיות מתקדמות יותר להפחתת איומים. + +!!! tip "טיפ" + + לפי התכנון, **דפדפני אינטרנט**, **לקוחות אימייל** ו**יישומי משרד** מריצים בדרך כלל קוד לא מהימן, שנשלח אליך מצדדים שלישיים. הפעלת מספר מכונות וירטואליות - כדי להפריד יישומים כמו אלה מהמערכת המארחת שלך, כמו גם אחד מהשני - היא טכניקה אחת שבה תוכל להשתמש כדי להפחית את הסיכוי של ניצול ביישומים אלה שיפגע בשאר המערכת שלך. לדוגמה, טכנולוגיות כמו Qubes OS או Microsoft Defender Application Guard ב-Windows מספקות שיטות נוחות לעשות זאת. + +אם אתה מודאג מ**התקפות פיזיות**, עליך להשתמש במערכת הפעלה עם יישום אתחול מאומת מאובטח, כגון Android, iOS, macOS או [Windows (עם TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). עליך גם לוודא שהכונן שלך מוצפן ושמערכת ההפעלה משתמשת ב-TPM או ב-Secure [מובלע](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) או [אלמנט](https://developers.google.com/android/security/android-ready-se) כדי להגביל ניסיונות להזין את ביטוי הסיסמה להצפנה. עליך להימנע משיתוף המחשב שלך עם אנשים שאינך סומך עליהם, מכיוון שרוב מערכות ההפעלה שולחניות אינן מצפינות נתונים בנפרד לכל משתמש. + +## פרטיות מספקי שירות + +:material-server-network: ספקי שירות + +אנחנו חיים בעולם שבו כמעט הכל מחובר לאינטרנט. ההודעות ה"פרטיות" שלנו, המיילים והאינטראקציות החברתיות שלנו מאוחסנים בדרך כלל בשרת, איפשהו. בדרך כלל, כאשר אתה שולח למישהו הודעה היא מאוחסנת בשרת, וכאשר חבר שלך רוצה לקרוא את ההודעה השרת יראה לו אותה. + +הבעיה הברורה עם זה היא שספק השירות (או האקר שפגע בשרת) יכול לגשת לשיחות שלך מתי ואיך שהם רוצים, בלי שאתה אי פעם יודע. זה חל על שירותים נפוצים רבים, כמו הודעות SMS, טלגרם ודיסקורד. + +למרבה המזל, E2EE יכול להקל על בעיה זו על ידי הצפנת התקשורת בינך לבין הנמענים הרצויים שלך לפני שהם בכלל נשלחים לשרת. סודיות ההודעות שלך מובטחת, בהנחה שלספק השירות אין גישה למפתחות הפרטיים של אף אחד מהצדדים. + +!!! note "הערה על הצפנה מבוססת אינטרנט" + + בפועל, היעילות של יישומי E2EE שונים משתנה. אפליקציות, כגון [Signal](../real-time-communication.md#signal), פועלות באופן מקורי במכשיר שלך, וכל עותק של האפליקציה זהה בהתקנות שונות. אם ספק השירות היה מציג [דלת אחורית](https://en.wikipedia.org/wiki/Backdoor_(computing)) באפליקציה שלו - בניסיון לגנוב את המפתחות הפרטיים שלך - ניתן היה לזהות אותו מאוחר יותר באמצעות [הפוך הנדסה](https://en.wikipedia.org/wiki/Reverse_engineering). + + מצד שני, יישומי E2EE מבוססי אינטרנט, כמו דואר האינטרנט של Proton Mail או *כספת האינטרנט* של Bitwarden, מסתמכים על השרת שמגיש באופן דינמי קוד JavaScript לדפדפן כדי לטפל בהצפנה. שרת זדוני יכול למקד אותך ולשלוח לך קוד JavaScript זדוני כדי לגנוב את מפתח ההצפנה שלך (והיה קשה מאוד לשים לב אליו). מכיוון שהשרת יכול לבחור לשרת לקוחות אינטרנט שונים לאנשים שונים - גם אם שמתם לב להתקפה - יהיה קשה מאוד להוכיח את אשמתו של הספק. + + לכן, עליך להשתמש ביישומים מקוריים על פני לקוחות אינטרנט במידת האפשר. + +אפילו עם E2EE, ספקי שירות עדיין יכולים ליצור פרופיל שלך על סמך **מטא נתונים**, שבדרך כלל אינם מוגנים. למרות שספק השירות לא יכול לקרוא את ההודעות שלך, הוא עדיין יכול לראות דברים חשובים, כגון עם מי אתה מדבר, באיזו תדירות אתה שולח להם הודעות ומתי אתה פעיל בדרך כלל. הגנה על מטא נתונים היא נדירה למדי, ואם היא ב[מודל האיום](threat-modeling.md) שלך - עליך לשים לב היטב לתיעוד הטכני של התוכנה שבה אתה משתמש כדי לראות אם יש מזעור או הגנה של מטא נתונים בכלל. + +## תוכניות מעקב המוני + +:material-eye-outline: מעקב המוני + +מעקב המוני הוא המאמץ המורכב לנטר את "ההתנהגות, הפעילויות הרבות או המידע" של אוכלוסייה שלמה (או חלק ניכר מאוכלוסיה).[^1] לעתים קרובות זה מתייחס לתוכניות ממשלתיות, כגון אלו [נחשף על ידי אדוארד סנודן ב-2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). עם זאת, זה יכול להתבצע גם על ידי תאגידים, בין אם מטעם סוכנויות ממשלתיות או ביוזמתם. + +!!! abstract "אטלס מעקב" + + אם אתה רוצה ללמוד עוד על שיטות מעקב וכיצד הן מיושמות בעיר שלך, תוכל גם להסתכל על [אטלס המעקב](https://atlasofsurveillance.org/) של [Electronic Frontier Foundation](https://www.eff.org/). + + בצרפת אתה יכול להסתכל על [אתר Technolopolice](https://technopolice.fr/villes/) המתוחזק על ידי העמותה ללא מטרות רווח La Quadrature du Net. + +ממשלות לעתים קרובות מצדיקות תוכניות מעקב המוניות כאמצעים הכרחיים למאבק בטרור ולמניעת פשע. עם זאת, תוך הפרת זכויות אדם, הוא משמש לרוב כדי למקד באופן לא פרופורציונלי קבוצות מיעוט ומתנגדים פוליטיים, בין היתר. + +!!! quote "ACLU: [*שיעור הפרטיות של 9/11: מעקב המוני הוא לא הדרך קדימה*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + אל מול [חשיפותיו של אדוארד סנודן לגבי תוכניות ממשלתיות כגון [PRISM](https://en.wikipedia.org/wiki/PRISM) ו-[Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], פקידי מודיעין גם הודו כי ה-NSA במשך שנים אספה בחשאי תיעוד על כמעט כל שיחות טלפון של כל אמריקאי - מי מתקשר למי, מתי השיחות הללו מבוצעות וכמה זמן הן נמשכות. מידע מסוג זה, כאשר הוא נצבר על ידי ה-NSA יום אחר יום, יכול לחשוף פרטים רגישים להפליא על חייהם והאסוציאציות של אנשים, כגון האם הם התקשרו לכומר, מטפל בהפלות, ליועצת להתמכרות או למוקד התאבדות. + +למרות המעקב ההמוני הגובר בארצות הברית, הממשלה מצאה שלתוכניות מעקב המוני כמו סעיף 215 היה "ערך ייחודי מועט" ביחס לעצירת פשעים או מזימות טרור בפועל, כאשר מאמצים משכפלים במידה רבה את תוכניות המעקב הממוקדות של ה-FBI עצמו.[^2] + +באינטרנט, ניתן לעקוב אחריך במגוון שיטות: + +- כתובת ה-IP שלך +- עוגיות דפדפן +- הנתונים שאתה מוסר לאתרים +- טביעת האצבע של הדפדפן או המכשיר שלך +- מתאם שיטת תשלום + +\[רשימה זו אינה ממצה]. + +אם אתה מודאג לגבי תוכניות מעקב המוני, אתה יכול להשתמש באסטרטגיות כמו מידור של הזהויות המקוונות שלך, השתלבות עם משתמשים אחרים, או, במידת האפשר, פשוט הימנעות מסירת מידע מזהה. + +:material-account-cash: קפיטליזם מעקב + +> קפיטליזם מעקב הוא שיטה כלכלית המרוכזת סביב לכידה וסחורה של נתונים אישיים למטרת הליבה של עשיית רווחים.[^3] + +עבור אנשים רבים, מעקב ומעקב על ידי תאגידים פרטיים הם דאגה גוברת. רשתות מודעות נרחבות, כמו אלו המופעלות על ידי גוגל ופייסבוק, משתרעות על האינטרנט הרבה מעבר לאתרים שהם שולטים בהם, ועוקבות אחר הפעולות שלך לאורך הדרך. שימוש בכלים כמו חוסמי תוכן כדי להגביל את בקשות הרשת לשרתים שלהם, וקריאת מדיניות הפרטיות של השירותים שבהם אתה משתמש יכול לעזור לך למנוע יריבים בסיסיים רבים (אם כי זה לא יכול למנוע לחלוטין מעקב).[^4] + +בנוסף, אפילו חברות מחוץ ל*AdTech* או תעשיית המעקב יכולות לשתף את המידע שלך עם [מתווכי נתונים](https://en.wikipedia.org/wiki/Information_broker) (כגון Cambridge Analytica, Experian או Datalogix) או גורמים אחרים. אתה לא יכול להניח אוטומטית שהנתונים שלך בטוחים רק בגלל שהשירות שבו אתה משתמש אינו נופל במסגרת המודל העסקי הטיפוסי של AdTech או מעקב. ההגנה החזקה ביותר מפני איסוף נתונים תאגידי היא הצפנת או ערפול הנתונים שלך בכל עת אפשרי, מה שמקשה על ספקים שונים לתאם נתונים זה עם זה ולבנות עליך פרופיל. + +## הגבלת מידע ציבורי + +:material-account-search: חשיפה ציבורית + +הדרך הטובה ביותר לשמור על פרטיות הנתונים שלך היא פשוט לא להפוך אותם לציבוריים מלכתחילה. מחיקת מידע לא רצוי שמצאת על עצמך באינטרנט היא אחד הצעדים הראשונים הטובים ביותר שתוכל לנקוט כדי להחזיר את הפרטיות שלך. + +- [עיין במדריך שלנו על מחיקת חשבון :material-arrow-right-drop-circle:](account-deletion.md) + +באתרים שבהם אתה כן משתף מידע, חשוב מאוד לבדוק את הגדרות הפרטיות של חשבונך כדי להגביל את הפצת הנתונים הללו. לדוגמה, הפעל "מצב פרטי" בחשבונות שלך אם ניתנת לך האפשרות: זה מבטיח שהחשבון שלך לא מתווסף לאינדקס על ידי מנועי חיפוש, ושלא ניתן לצפות בו ללא רשותך. + +אם כבר שלחת את המידע האמיתי שלך לאתרים שלא אמורים להיות בהם, שקול להשתמש בטקטיקות של דיסאינפורמציה, כמו שליחת מידע פיקטיבי הקשור לזהות מקוונת זו. זה הופך את המידע האמיתי שלך לבלתי ניתן להבחין מהמידע השקרי. + +## הימנעות מצנזורה + +:material-close-outline: צנזורה + +צנזורה מקוונת יכולה להתבצע (בדרגות שונות) על ידי שחקנים כולל ממשלות טוטליטריות, מנהלי רשתות וספקי שירותים. מאמצים אלה לשלוט בתקשורת ולהגביל את הגישה למידע תמיד יהיו בלתי עולים בקנה אחד עם זכות האדם לחופש הביטוי.[^5] + +צנזורה על פלטפורמות ארגוניות נפוצה יותר ויותר, שכן פלטפורמות כמו טוויטר ופייסבוק נכנעות לדרישת הציבור, לחצי השוק וללחצים של סוכנויות ממשלתיות. לחצים ממשלתיים יכולים להיות בקשות סמויות לעסקים, כמו [הבית הלבן המבקש הסרה](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) של סרטון יוטיוב פרובוקטיבי, או גלויים, כמו למשל שממשלת סין דורשת מחברות לדבוק במשטר קפדני של צנזורה. + +אנשים המודאגים מהאיום של צנזורה יכולים להשתמש בטכנולוגיות כמו [Tor](../advanced/tor-overview.md) כדי לעקוף אותו, ולתמוך בפלטפורמות תקשורת עמידות לצנזורה כמו [Matrix](../real-time-communication.md#element), שאין לה סמכות חשבון מרכזית יכול לסגור חשבונות באופן שרירותי. + +!!! tip "טיפ" + + למרות שהתחמקות מצנזורה עצמה יכולה להיות קלה, הסתרת העובדה שאתה עושה זאת יכולה להיות מאוד בעייתית. + + עליך לשקול באילו היבטים של הרשת יריבך יכול לצפות, והאם יש לך הכחשה סבירה למעשיך. לדוגמה, שימוש ב-[DNS מוצפן](../advanced/dns-overview.md#what-is-encrypted-dns) יכול לעזור לך לעקוף מערכות צנזורה בסיסיות ומבוססות DNS, אבל זה לא באמת יכול להסתיר את מה שאתה ביקור מ-ISP שלך. VPN או Tor יכולים לעזור להסתיר את מה שאתה מבקר ממנהלי רשת, אבל לא יכולים להסתיר שאתה משתמש ברשתות האלה מלכתחילה. העברות ניתנות לחיבור (כגון Obfs4proxy, Meek או Shadowsocks) יכולים לעזור לך להתחמק מחומת אש שחוסמת פרוטוקולי VPN נפוצים או Tor, אך עדיין ניתן לזהות את ניסיונות העקיפה שלך בשיטות כמו בדיקה או [בדיקת מנות עמוקה](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +אתה חייב תמיד לשקול את הסיכונים בניסיון לעקוף את הצנזורה, את ההשלכות האפשריות ועד כמה מתוחכם עלול להיות היריב שלך. אתה צריך להיות זהיר בבחירת התוכנה שלך, ולהכין תוכנית גיבוי למקרה שתיתפס. + +[^1]: ויקיפדיה: [*מעקבים המונים*](https://en.wikipedia.org/wiki/Mass_surveillance) ו[*מעקבים*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: מועצת הפיקוח על הפרטיות וחירויות האזרח של ארצות הברית: [*דיווח על תוכנית רישומי הטלפון שנערכה לפי סעיף 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: ויקיפדיה: [*מעקב קפיטליזם*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[מונה רעות](https://www.ranum.com/security/computer_security/editorials/dumb/)" (או, "רשום את כל הדברים הרעים שאנו יודעים עליהם"), כפי שעושים חוסמי פרסומות ותוכניות אנטי-וירוס רבות, לא מצליח להגן עליך כראוי מפני איומים חדשים ולא ידועים מכיוון שהם עדיין לא עשו זאת. נוספו לרשימת המסננים. אתה צריך גם להשתמש בטכניקות הפחתה אחרות. +[^5]: האומות המאוחדות: [*הכרזה אוניברסלית על זכויות אדם*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/he/basics/email-security.md b/i18n/he/basics/email-security.md new file mode 100644 index 00000000..131fe3e8 --- /dev/null +++ b/i18n/he/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: אבטחת אימייל +icon: material/email +description: אימייל הוא מטבעו לא מאובטח במובנים רבים, ואלה חלק מהסיבות שהוא לא הבחירה המובילה שלנו לתקשורת מאובטחת. +--- + +אימייל הוא צורת תקשורת לא מאובטחת כברירת מחדל. אתה יכול לשפר את אבטחת האימייל שלך עם כלים כגון OpenPGP, שמוסיפים הצפנה מקצה לקצה להודעות שלך, אך ל-OpenPGP עדיין יש מספר חסרונות בהשוואה להצפנה ביישומי הודעות אחרים, וחלק מנתוני הדוא"ל לעולם אינם יכולים להיות מוצפנים מטבעם. לאופן עיצוב האימייל. + +כתוצאה מכך, האימייל משמש בצורה הטובה ביותר לקבלת הודעות אימייל עסקאות (כמו התראות, אימייל אימות, איפוסי סיסמה וכו') מהשירותים שאליהם אתה נרשם באופן מקוון, לא לתקשורת עם אחרים. + +## סקירת הצפנת אימייל + +הדרך הסטנדרטית להוסיף E2EE למיילים בין ספקי אימייל שונים היא באמצעות OpenPGP. ישנם יישומים שונים של תקן OpenPGP, הנפוצים ביותר הם [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) ו- [OpenPGP.js](https://openpgpjs.org). + +קיים תקן נוסף שפופולרי בקרב עסקים בשם [S/MIME](https://en.wikipedia.org/wiki/S/MIME), עם זאת, הוא דורש אישור שהונפקו מ[>רשות האישורים](https://en.wikipedia.org/wiki/Certificate_authority) (לא כולן מנפיקות אישורי S/MIME). יש לו תמיכה ב [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) ו [Outlook for Web או Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +גם אם אתה משתמש ב - OpenPGP, הוא אינו תומך בסודיות [קדימה](https://en.wikipedia.org/wiki/Forward_secrecy), כלומר אם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו איתו ייחשפו. זו הסיבה שאנו ממליצים על [מסנג'רים מיידיים](../real-time-communication.md) אשר מיישמים סודיות קדימה על פני דואר אלקטרוני עבור הודעות פנים אל פנים במידת האפשר. + +### אילו לקוחות אימייל תומכים ב - E2EE? + +ספקי אימייל המאפשרים לך להשתמש בפרוטוקולי גישה סטנדרטיים כגון IMAP ו- SMTP יכולים לשמש עם כל אחד מ[קליינטי הדואר האלקטרוני שאנו ממליצים עליהם](../email-clients.md). בהתאם לשיטת האימות, הדבר עלול להוביל לירידה באבטחה אם הספק או לקוח האימייל אינם תומכים בשבועה או ביישום גשר מאחר שלא ניתן לבצע [אימות רב - גורמי](multi-factor-authentication.md) באמצעות אימות סיסמה רגיל. + +### כיצד אוכל להגן על המפתחות הפרטיים שלי? + +כרטיס חכם (כגון [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) עובד על ידי קבלת הודעת אימייל מוצפנת ממכשיר (טלפון, טאבלט, מחשב וכו') המריץ לקוח אימייל/מייל אינטרנט. לאחר מכן, ההודעה מפוענחת על ידי הכרטיס החכם והתוכן המפוענח נשלח חזרה למכשיר. + +כדאי שהפענוח יתרחש בכרטיס החכם כדי להימנע מחשיפת המפתח הפרטי שלך למכשיר פגום. + +## סקירה כללית של מטא נתונים בדוא"ל + +מטא נתונים של דואר אלקטרוני מאוחסנים בכותרת [של ההודעה](https://en.wikipedia.org/wiki/Email#Message_header) של הודעת הדואר האלקטרוני וכוללים כמה כותרות גלויות שייתכן שראית כגון: `עד`, `מ`, `Cc`, `תאריך`, `נושא`. יש גם מספר כותרות נסתרות שנכללות על ידי לקוחות דוא"ל וספקים רבים שיכולים לחשוף מידע על החשבון שלך. + +תוכנת הלקוח עשויה להשתמש במטא נתונים של דוא"ל כדי להראות מי ההודעה ומאיזו שעה היא התקבלה. השרתים רשאים להשתמש בו כדי לקבוע לאן תישלח הודעת דוא"ל, בין [מטרות אחרות](https://en.wikipedia.org/wiki/Email#Message_header) שאינן תמיד שקופות. + +### מי יכול לצפות במטא נתונים של דוא"ל? + +מטא נתונים של דוא"ל מוגנים מפני משקיפים חיצוניים עם [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) אופורטוניסטיים המגנים עליהם מפני משקיפים חיצוניים, אך הם עדיין ניתנים לצפייה על ידי תוכנת לקוח הדוא"ל שלך (או דואר האינטרנט) וכל שרת שמעביר את ההודעה ממך לנמענים כלשהם, כולל ספק הדוא"ל שלך. לפעמים שרתי דוא"ל ישתמשו גם בשירותי צד שלישי כדי להגן מפני תגובות זבל, שבדרך כלל יש להם גם גישה להודעות שלך. + +### למה מטא נתונים לא יכולים להיות E2EE? + +מטא נתונים של דואר אלקטרוני חיוניים לפונקציונליות הבסיסית ביותר של דואר אלקטרוני (מהיכן הוא הגיע ולאן הוא צריך ללכת). E2EE לא היה מובנה בפרוטוקולי הדואר האלקטרוני במקור, ובמקום זאת נדרש לתוכנת הרחבה כמו OpenPGP. מכיוון שהודעות OpenPGP עדיין צריכות לעבוד עם ספקי דואר אלקטרוני מסורתיים, הן אינן יכולות להצפין מטה - נתונים של דואר אלקטרוני, אלא רק את גוף ההודעה עצמו. כלומר, גם כאשר משתמשים ב - OpenPGP, משקיפים חיצוניים יכולים לראות מידע רב על ההודעות שלך, כגון את מי אתה שולח בדוא"ל, את קווי הנושא, מתי אתה שולח דוא"ל וכו '. diff --git a/i18n/he/basics/multi-factor-authentication.md b/i18n/he/basics/multi-factor-authentication.md new file mode 100644 index 00000000..1aa17aa9 --- /dev/null +++ b/i18n/he/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "אימות מרובה גורמים" +icon: 'material/two-factor-authentication' +description: MFA הוא מנגנון אבטחה קריטי לאבטחת החשבונות המקוונים שלך, אך שיטות מסוימות חזקות יותר מאחרות. +--- + +**אימות מרובה גורמים** (**MFA**) הוא מנגנון אבטחה הדורש שלבים נוספים מעבר להזנת שם המשתמש (או האימייל) והסיסמה שלך. השיטה הנפוצה ביותר היא קודים מוגבלים בזמן שאתה עשוי לקבל מ-SMS או מאפליקציה. + +בדרך כלל, אם האקר (או יריב) מסוגל להבין את הסיסמה שלך, הם יקבלו גישה לחשבון שאליו שייכת הסיסמה. חשבון עם MFA מאלץ את ההאקר להחזיק גם את הסיסמה (משהו שאתה *יודע*) וגם מכשיר שבבעלותך (משהו שיש *לך*), כמו הטלפון שלך. + +שיטות MFA משתנות באבטחה, אך מבוססות על ההנחה שככל שקשה יותר לתוקף לקבל גישה לשיטת ה-MFA שלך, כך ייטב. דוגמאות לשיטות MFA (מהחלש ביותר לחזק ביותר) כוללות SMS, קודי דואר אלקטרוני, הודעות דחיפה של אפליקציה, TOTP, Yubico OTP ו-FIDO. + +## השוואת שיטות MFA + +### SMS או אימייל MFA + +קבלת קודי OTP באמצעות SMS או דואר אלקטרוני הם אחת הדרכים החלשות לאבטח את החשבונות שלך עם MFA. השגת קוד באימייל או ב-SMS מונעת מהרעיון "משהו ש*יש לך*", מכיוון שיש מגוון דרכים שההאקר יכול[להשתלט על מספר הטלפון שלך](https://en.wikipedia.org/wiki/SIM_swap_scam) או קבלת גישה לאימייל שלך מבלי שתהיה לך גישה פיזית לאף אחד מהמכשירים שלך כלל. אם אדם לא מורשה קיבל גישה לדוא"ל שלך, הוא יוכל להשתמש בגישה זו כדי לאפס את הסיסמה שלך ולקבל את קוד האימות, ולהעניק לו גישה מלאה לחשבון שלך. + +### התראות דחיפה + +הודעת דחיפה MFA לובשת צורה של הודעה שנשלחת לאפליקציה בטלפון שלך המבקשת ממך לאשר כניסות לחשבון חדש. שיטה זו טובה בהרבה מ-SMS או דואר אלקטרוני, מכיוון שתוקף בדרך כלל לא יוכל לקבל את הודעות הדחיפה הללו מבלי שיהיה לו מכשיר מחובר כבר, מה שאומר שהוא יצטרכו להתפשר תחילה על אחד מהמכשירים האחרים שלך. + +כולנו עושים טעויות, וקיים סיכון שאתה עלול לקבל את ניסיון הכניסה בטעות. הרשאות התחברות להודעות דחיפה נשלחות בדרך כלל ל*כל* המכשירים שלך בבת אחת, מה שמרחיב את הזמינות של קוד ה-MFA אם יש לך מכשירים רבים. + +האבטחה של הודעת דחיפה MFA תלויה הן באיכות האפליקציה, ברכיב השרת והן באמון של המפתח שמייצר אותה. התקנת אפליקציה עשויה גם לדרוש ממך לקבל הרשאות פולשניות המעניקות גישה לנתונים אחרים במכשיר שלך. אפליקציה בודדת דורשת גם שתהיה לך אפליקציה ספציפית עבור כל שירות, אשר עשויה שלא לדרוש סיסמה לפתיחה, בשונה מיישום מחולל TOTP טוב. + +### סיסמה חד פעמית מבוססת זמן (TOTP) + +TOTP היא אחת הצורות הנפוצות ביותר של MFA. כאשר אתה מגדיר TOTP, אתה בדרך כלל נדרש לסרוק קוד QR [](https://en.wikipedia.org/wiki/QR_code) אשר קובע "[סוד משותף](https://en.wikipedia.org/wiki/Shared_secret)" עם השירות שבו אתה מתכוון להשתמש. הסוד המשותף מאובטח בתוך הנתונים של אפליקציית האימות, ולעתים מוגן על ידי סיסמה. + +לאחר מכן, הקוד המוגבל בזמן נגזר מהסוד המשותף ומהזמן הנוכחי. מאחר שהקוד תקף לזמן קצר בלבד, ללא גישה לסוד המשותף, היריב אינו יכול ליצור קודים חדשים. + +אם יש לך מפתח אבטחת חומרה עם תמיכה ב-TOTP (כגון YubiKey עם [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), אנו ממליצים לאחסן את "הסודות המשותפים" שלך בחומרה. חומרה כגון YubiKey פותחה מתוך כוונה להקשות על החילוץ וההעתקה של "הסוד המשותף". YubiKey גם לא מחובר לאינטרנט, בניגוד לטלפון עם אפליקציית TOTP. + +שלא כמו [WebAuthn](#fido-fast-identity-online), TOTP אינו מציע הגנה מפני [דיוג](https://en.wikipedia.org/wiki/Phishing) או שימוש חוזר בהתקפות. אם יריב משיג ממך קוד חוקי, הוא רשאי להשתמש בו כמה פעמים שירצה עד שתוקפו יפוג (בדרך כלל 60 שניות). + +יריב יכול להקים אתר כדי לחקות שירות רשמי בניסיון להערים עליך למסור את שם המשתמש, הסיסמה וקוד ה-TOTP הנוכחי שלך. אם היריב ישתמש באותם אישורים מוקלטים, ייתכן שהוא יוכל להיכנס לשירות האמיתי ולחטוף את החשבון. + +למרות שאינו מושלם, TOTP מאובטח מספיק עבור רוב האנשים, ומתי ש[מפתחות אבטחה חומרה](../multi-factor-authentication.md#hardware-security-keys) אינם נתמכים [אפליקציות אימות](../multi-factor-authentication.md#authenticator-apps) עדיין אפשרות טובה. + +### מפתחות אבטחת חומרה + +ה-YubiKey מאחסן נתונים על שבב מוצק עמיד בפני חבלה ש[אי אפשר לגשת](https://security.stackexchange.com/a/245772) ללא הרס ללא תהליך יקר ו מעבדה לזיהוי פלילי. + +מפתחות אלה הם בדרך כלל רב-פונקציונליים ומספקים מספר שיטות לאימות. להלן הנפוצים ביותר. + +#### Yubico OTP + +Yubico OTP הוא פרוטוקול אימות המיושם בדרך כלל במפתחות אבטחה של חומרה. כאשר תחליט להשתמש ב-Yubico OTP, המפתח יפיק מזהה ציבורי, מזהה פרטי ומפתח סודי אשר יועלה לאחר מכן לשרת Yubico OTP. + +בעת כניסה לאתר, כל מה שאתה צריך לעשות הוא לגעת פיזית במפתח האבטחה. מפתח האבטחה יחקה מקלדת וידפיס סיסמה חד פעמית בשדה הסיסמה. + +מפתח האבטחה יחקה מקלדת וידפיס סיסמה חד פעמית בשדה הסיסמה. מונה מוגדל הן במפתח והן בשרת האימות של Yubico. ניתן להשתמש ב-OTP רק פעם אחת, וכאשר מתרחש אימות מוצלח, המונה מוגדל אשר מונע שימוש חוזר ב-OTP. Yubico מספקת [מסמך מפורט](https://developers.yubico.com/OTP/OTPs_Explained.html) על התהליך. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +ישנם כמה יתרונות וחסרונות לשימוש ב-Yubico OTP בהשוואה ל-TOTP. + +שרת האימות של Yubico הוא שירות מבוסס ענן, ואתה סומך על Yubico שהם מאחסנים נתונים בצורה מאובטחת ולא עושים לך פרופיל. המזהה הציבורי המשויך ל-Yubico OTP נמצא בשימוש חוזר בכל אתר ויכול להיות דרך נוספת עבור צדדים שלישיים ליצור פרופיל שלך. כמו TOTP, Yubico OTP אינו מספק עמידות להתחזות. + +אם מודל האיום שלך דורש ממך זהויות שונות באתרי אינטרנט שונים, **אל** תשתמש ב-Yubico OTP עם אותו מפתח אבטחת חומרה בכל אתרים אלה, שכן מזהה ציבורי הוא ייחודי לכל אבטחה מַפְתֵחַ. + +#### FIDO (זיהוי מהיר באינטרנט) + +אם מודל האיומים שלך דורש ממך זהויות שונות באתרים שונים, חזק **אל תשתמש **ב- Yubico OTP עם אותו מפתח אבטחת חומרה באתרים אלה מכיוון שמזהה ציבורי הוא ייחודי לכל מפתח אבטחה. + +U2F ו - FIDO2 מתייחסים ל - [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), שהוא הפרוטוקול בין מפתח האבטחה למחשב, כגון מחשב נייד או טלפון. זה משלים את WebAuthn שהוא הרכיב המשמש לאימות עם האתר ("הצד המסתמך") שאליו אתה מנסה להיכנס. + +WebAuthn היא הצורה המאובטחת והפרטית ביותר של אימות גורם שני. בעוד שחווית האימות דומה ל-Yubico OTP, המפתח אינו מדפיס סיסמה חד פעמית ומאמת עם שרת של צד שלישי. במקום זאת, הוא משתמש ב[הצפנת מפתח ציבורי](https://en.wikipedia.org/wiki/Public-key_cryptography) לצורך אימות. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +כאשר אתה יוצר חשבון, המפתח הציבורי נשלח לשירות, לאחר מכן בעת הכניסה, השירות ידרוש ממך "לחתום" על נתונים מסוימים עם המפתח הפרטי שלך. היתרון של זה הוא ששום סיסמה לא מאוחסנת על ידי השירות, כך שאין ליריב שום דבר לגנוב. + +מצגת זו דנה בהיסטוריה של אימות סיסמאות, במלכודות (כגון שימוש חוזר בסיסמה) ודיון בתקני FIDO2 ו[WebAuthn](https://webauthn.guide). + +
+ +
+ +ל-FIDO2 ול-WebAuthn יש מאפייני אבטחה ופרטיות מעולים בהשוואה לכל שיטות MFA. + +בדרך כלל עבור שירותי אינטרנט הוא משמש עם WebAuthn שהוא חלק מ[המלצות W3C](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). הוא משתמש באימות מפתח ציבורי והוא מאובטח יותר מאשר סודות משותפים המשמשים בשיטות Yubico OTP ו-TOTP, מכיוון שהוא כולל את שם המקור (בדרך כלל, שם התחום) במהלך האימות. אישור מסופק כדי להגן עליך מפני התקפות דיוג, מכיוון שהוא עוזר לך לקבוע שאתה משתמש בשירות האותנטי ולא בעותק מזויף. + +שלא כמו Yubico OTP, WebAuthn אינו משתמש בשום מזהה ציבורי, כך שהמפתח **לא** ניתן לזיהוי באתרים שונים. הוא גם לא משתמש בשרת ענן של צד שלישי לאימות. כל התקשורת הושלמה בין המפתח לאתר שאליו אתה נכנס. FIDO משתמשת גם במונה שמוגדל עם השימוש על מנת למנוע שימוש חוזר בהפעלה ומפתחות משובטים. + +אם אתר אינטרנט או שירות תומכים ב-WebAuthn עבור האימות, מומלץ מאוד להשתמש בו על פני כל צורה אחרת של MFA. + +## המלצות כלליות + +יש לנו את ההמלצות הכלליות הבאות: + +### באיזו שיטה עלי להשתמש? + +בעת הגדרת שיטת ה - MFA שלך, זכור שהיא מאובטחת כמו שיטת האימות החלשה ביותר שבה אתה משתמש. לכן, חשוב להשתמש בשיטת ה - MFA הטובה ביותר. לדוגמה, אם אתה כבר משתמש ב - TOTP, עליך להשבית דואר אלקטרוני ו - SMS MFA. אם אתה כבר משתמש ב-FIDO2/WebAuthn, אתה לא אמור להשתמש ב-Yubico OTP או TOTP בחשבון שלך. + +### גיבויים + +תמיד אמורים להיות לך גיבויים לשיטת ה-MFA שלך. מפתחות אבטחה של חומרה יכולים ללכת לאיבוד, להיגנב או פשוט להפסיק לעבוד עם הזמן. מומלץ שיהיה לך זוג מפתחות אבטחה חומרה עם אותה גישה לחשבונות שלך במקום רק אחד. + +בעת שימוש ב-TOTP עם אפליקציית אימות, הקפד לגבות את מפתחות השחזור שלך או את האפליקציה עצמה, או העתק את "הסודות המשותפים" למופע אחר של האפליקציה בטלפון אחר או למיכל מוצפן (למשל,[VeraCrypt](../encryption.md#veracrypt)). + +### הגדרה ראשונית + +בעת רכישת מפתח אבטחה, חשוב שתשנה את אישורי ברירת המחדל, תגדיר הגנה באמצעות סיסמה עבור המפתח ותפעיל אישור מגע אם המפתח שלך תומך בכך. למוצרים כגון YubiKey יש ממשקים מרובים עם אישורים נפרדים לכל אחד מהם, כך שכדאי לעבור על כל ממשק ולהגדיר גם הגנה. + +### אימייל ו-SMS + +אם אתה צריך להשתמש באימייל עבור MFA, ודא שחשבון האימייל עצמו מאובטח בשיטת MFA נכונה. + +אם אתה משתמש ב-SMS MFA, השתמש בספק שלא יחליף את מספר הטלפון שלך לכרטיס SIM חדש ללא גישה לחשבון, או השתמש במספר VoIP ייעודי מספק עם אבטחה דומה כדי להימנע מ[התקפת חילופי SIM](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[כלי MFA שאנו ממליצים עליהם](../multi-factor-authentication.md ""){.md-button} + +## מקומות נוספים להגדרת MFA + +מעבר לאבטחת כניסות האתר שלך בלבד, ניתן להשתמש באימות רב-גורמי כדי לאבטח את כניסותיך המקומיות, מפתחות SSH או אפילו מסדי נתונים של סיסמאות. + +### Windows + +לYubico יש ספק [אישורים ייעודי](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) שמוסיף אימות Challenge-Response עבור זרימת הכניסה לשם משתמש + סיסמה עבור חשבונות Windows מקומיים. אם יש לך YubiKey עם תמיכה באימות Challenge-Response, עיין במדריך התצורה של [Yubico Login for Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), שיאפשר לך להגדיר MFA במחשב Windows שלך. + +### macOS + +ל - macOS יש [תמיכה מקומית](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) לאימות עם כרטיסים חכמים (PIV). אם יש לך כרטיס חכם או מפתח אבטחה חומרה התומך בממשק PIV כגון YubiKey, אנו ממליצים לך לעקוב אחר התיעוד של ספק הכרטיס החכם/חומרה שלך ולהגדיר אימות גורם שני עבור מחשב macOS שלך. + +לYubico יש מדריך [שימוש ב-YubiKey שלך ככרטיס חכם ב-macOS](https://support.yubico.com/hc/en-us/articles/360016649059) שיכול לעזור לך להגדיר את YubiKey ב-macOS. + +לאחר הגדרת הכרטיס החכם/מפתח האבטחה שלך, אנו ממליצים להפעיל את הפקודה הזו בטרמינל: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +הפקודה תמנע מיריב לעקוף את MFA כאשר המחשב מאתחל. + +### לינוקס + +!!! warning "אזהרה" + + אם שם המארח של המערכת שלך משתנה (כגון עקב DHCP), לא תוכל להתחבר. חיוני להגדיר שם מארח מתאים למחשב שלך לפני ביצוע מדריך זה. + +מודול `pam_u2f` ב-Linux יכול לספק אימות דו-גורמי לכניסה לרוב ההפצות הפופולריות של לינוקס. אם יש לך מפתח אבטחת חומרה התומך ב-U2F, תוכל להגדיר אימות MFA עבור הכניסה שלך. ליוביקו יש מדריך [מדריך התחברות ל-Ubuntu Linux - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) שאמור לעבוד על כל הפצה. הפקודות של מנהל החבילות - כגון `apt-get` - ושמות החבילות עשויים להיות שונים. מדריך זה **אינו** חל על מערכת ההפעלה Qubes. + +### Qubes OS + +ל-Qubes OS יש תמיכה באימות Challenge-Response עם YubiKeys. אם יש לך YubiKey עם תמיכה באימות Challenge-Response, עיין ב[תיעוד של YubiKey](https://www.qubes-os.org/doc/yubikey/) של Qubes OS. רוצה להגדיר MFA ב-Qubes OS. + +### SSH + +#### מפתחות אבטחה של חומרה + +ניתן להגדיר SSH MFA באמצעות מספר שיטות אימות שונות הפופולריות במפתחות אבטחה של חומרה. אנו ממליצים לך לעיין ב[תיעוד](https://developers.yubico.com/SSH/) של Yubico כיצד להגדיר זאת. + +#### סיסמה חד פעמית מבוססת זמן (TOTP) + +ניתן גם להגדיר SSH MFA באמצעות TOTP. DigitalO Ocean סיפק מדריך [כיצד להגדיר אימות רב - גורמי עבור SSH ב - Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). רוב הדברים צריכים להיות זהים ללא קשר להפצה, אולם פקודות מנהל החבילות - כגון `apt-get` - ושמות החבילות עשויים להיות שונים. + +### KeePass (ו-KeePassXC) + +ניתן לאבטח מסדי נתונים של KeePass ו-KeePassXC באמצעות Challenge-Response או HOTP כאימות גורם שני. Yubico סיפקה מסמך עבור KeePass [שימוש ב-YubiKey עם KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) ויש גם אחד באתר [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). diff --git a/i18n/he/basics/passwords-overview.md b/i18n/he/basics/passwords-overview.md new file mode 100644 index 00000000..fda831a9 --- /dev/null +++ b/i18n/he/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "מבוא לסיסמאות" +icon: 'material/form-textbox-password' +description: אלו הם כמה טיפים וטריקים כיצד ליצור את הסיסמאות החזקות ביותר ולשמור על אבטחת החשבונות שלך. +--- + +סיסמאות הן חלק חיוני מחיינו הדיגיטליים היומיומיים. אנו משתמשים בהם כדי להגן על החשבונות שלנו, המכשירים והסודות שלנו. למרות היותם לעתים קרובות הדבר היחיד בינינו לבין יריב שרודף אחרי המידע הפרטי שלנו, לא מושקעת בהם הרבה מחשבה, מה שמוביל לרוב לכך שאנשים משתמשים בסיסמאות שניתן לנחש בקלות או להכריח אותן. + +## שיטות עבודה מומלצות + +### השתמש בסיסמאות ייחודיות לכל שירות + +תדמיין את זה; אתה נרשם לחשבון עם אותו אימייל וסיסמא במספר שירותים מקוונים. אם אחד מספקי השירותים האלה הוא זדוני, או שהשירות שלהם חווה פרצת מידע שחושפת את הסיסמה שלך בפורמט לא מוצפן, כל מה ששחקן גרוע יצטרך לעשות הוא לנסות את שילוב האימייל והסיסמה במספר שירותים פופולריים עד שהם מקבלים מכה. זה לא משנה כמה חזקה אותה סיסמה אחת, כי כבר יש להם אותה. + +זה נקרא [מילוי אישורים](https://en.wikipedia.org/wiki/Credential_stuffing), וזו אחת הדרכים הנפוצות ביותר שבהן החשבונות שלך יכולים להיפגע על ידי שחקנים גרועים. כדי להימנע מכך, ודא שלעולם לא תעשה שימוש חוזר בסיסמאות שלך. + +### השתמש בסיסמאות שנוצרות באקראי + +==אתה **לעולם לא** צריך לסמוך על עצמך כדי למצוא סיסמה טובה.== אנו ממליצים להשתמש ב[סיסמאות שנוצרו באקראי](#passwords) או ב[ביטויי סיסמה של תוכנת קובייה](#diceware-passphrases) עם מספיק אנטרופיה כדי להגן על החשבונות והמכשירים שלך. + +כל [מנהלי הסיסמאות המומלצים](../passwords.md) שלנו כוללים מחולל סיסמאות מובנה שתוכל להשתמש בו. + +### סיסמאות מסתובבות + +עליך להימנע משינוי סיסמאות שאתה צריך לזכור (כגון סיסמת האב של מנהל הסיסמאות שלך) לעתים קרובות מדי, אלא אם יש לך סיבה להאמין שהיא נפגעה, שכן שינוי שלה לעתים קרובות מדי חושף אותך לסיכון של שכחתה. + +כשמדובר בסיסמאות שאינך חייב לזכור (כגון סיסמאות המאוחסנות בתוך מנהל הסיסמאות שלך), אם [מודל האיומים](threat-modeling.md) שלך דורש זאת, אנו ממליצים עוברים על חשבונות חשובים (במיוחד חשבונות שאינם משתמשים באימות רב-גורמי) ומשנים את הסיסמה שלהם כל חודשיים, למקרה שהם נפגעו בפרצת מידע שעדיין לא הפכה לציבורית. רוב מנהלי הסיסמאות מאפשרים לך להגדיר תאריך תפוגה לסיסמה שלך כדי להקל על הניהול שלה. + +!!! tip "בודקים פרצות נתונים" + + אם מנהל הסיסמאות שלך מאפשר לך לחפש סיסמאות שנפגעו, הקפד לעשות זאת ולשנות מיד כל סיסמה שאולי נחשפה בפרצת נתונים. לחלופין, תוכל לעקוב אחר [עדכון ההפרות האחרונות של have i been pwned'](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) בעזרת [מצבר חדשות](../news-aggregators.md). + +## יצירת סיסמאות חזקות + +### סיסמאות + +שירותים רבים מטילים קריטריונים מסוימים בכל הנוגע לסיסמאות, כולל אורך מינימום או מקסימום, וכן באילו תווים מיוחדים, אם בכלל, ניתן להשתמש. עליך להשתמש במחולל הסיסמאות המובנה של מנהל הסיסמאות שלך כדי ליצור סיסמאות ארוכות ומורכבות ככל שהשירות יאפשר על ידי הכללת אותיות רישיות וקטנות, מספרים ותווים מיוחדים. + +אם אתה צריך סיסמא שאתה יכול לשנן, אנו ממליצים על [משפט סיסמא לכלי הקוביות](#diceware-passphrases). + +### ביטויי סיסמא של כלי קוביות + +כלי קוביות היא שיטה ליצירת ביטויי סיסמה שקל לזכור, אבל קשה לנחש. + +ביטויי סיסמה של כלי קוביות הם אפשרות מצוינת כאשר אתה צריך לשנן או להזין באופן ידני את האישורים שלך, כגון עבור סיסמת האב של מנהל הסיסמאות שלך או סיסמת ההצפנה של המכשיר שלך. + +דוגמה לביטוי סיסמא של תוכנת קוביות היא `מהירות ניתנת לצפייה סרבן עיפרון מרוטש שבע עשרה מוצג`. + +כדי ליצור ביטוי סיסמא של כלי קוביות באמצעות קוביות אמיתיות, בצע את השלבים הבאים: + +!!! note "הערה" + + הוראות אלה מניחות שאתה משתמש ב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדי ליצור את ביטוי הסיסמה, שדורש חמש הטלות קוביות לכל מילה. רשימות מילים אחרות עשויות לדרוש יותר או פחות גלגולים למילה, ועשויות לדרוש כמות שונה של מילים כדי להשיג את אותה אנטרופיה. + +1. לזרוק קובייה בעלת שש צדדים חמש פעמים, לרשום את המספר לאחר כל גלגול. + +2. כדוגמה, נניח שזרקת `2-5-2-6-6`. חפש ב [רשימת המילים הגדולה של ה-EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) את המילה המתאימה ל-`25266`. + +3. אתה תמצא את המילה `להצפין`. כתוב את המילה הזו. + +4. חזור על תהליך זה עד לביטוי הסיסמה שלך יש כמה מילים שאתה צריך, שאותן עליך להפריד ברווח. + +!!! warning "חשוב" + + כדאי **לא** לגלגל מחדש מילים עד שתקבל שילוב של מילים שמושכות אותך. התהליך צריך להיות אקראי לחלוטין. + +אם אין לך גישה או תעדיף לא להשתמש בקוביות אמיתיות, תוכל להשתמש במחולל הסיסמאות המובנה של מנהל הסיסמאות שלך, שכן לרובם יש אפשרות ליצור ביטויי סיסמה של תוכנת קוביות בנוסף לסיסמאות הרגילות. + +אנו ממליצים להשתמש ב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדי ליצור את ביטויי הסיסמה של תוכנת הקוביות שלך, מכיוון שהיא מציעה את אותה אבטחה בדיוק כמו הרשימה המקורית, תוך שהיא מכילה מילים שקל יותר לשנן. יש גם [רשימות מילים אחרות בשפות שונות](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), אם אינך רוצה שביטוי הסיסמה שלך יהיה באנגלית. + +??? note "הסבר על אנטרופיה וחוזק של ביטויי סיסמה של כלי קוביות" + + כדי להדגים עד כמה חזקות ביטויי הסיסמא של תוכנת קוביות, נשתמש בביטוי הסיסמא של שבע המילים שהוזכר לעיל (`מהירות ניתנת לצפייה סרבן עיפרון מרוטש שבע עשרה מוצג`) וב[רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) כדוגמה. + + מדד אחד לקביעת עוצמתו של משפט סיסמא של קוביות הוא כמה אנטרופיה יש לו. האנטרופיה למילה בביטוי סיסמה של תוכנת קוביות מחושבת כnd the overall entropy of the passphrase is calculated as -$\text{log}_2(\text{WordsInList})$והאנטרופיה הכוללת של ביטוי הסיסמה מחושבת כ - $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + לכן, כל מילה ברשימה הנ"ל מביאה ל-~12.9 סיביות של אנטרופיה ($\text{log}_2(7776)$), ולביטוי סיסמה של שבע מילים שנגזר ממנו יש ~90.47 סיביות של אנטרופיה($\text{log}_2(7776^7)$). + + [רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) מכילה 7776 מילים ייחודיות. כדי לחשב את כמות ביטויי הסיסמה האפשריים, כל שעלינו לעשות הוא $\text{WordsInList}^\text{WordsInPhrase}$, או במקרה שלנו, $ 7776^7 $. + + בואו נשים את כל זה בפרספקטיבה: ביטוי סיסמה של שבע מילים באמצעות [רשימת המילים הגדולה של EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) הוא אחד מ-~1,719,070,799,748,422,500,000,phrass אפשריות. + + בממוצע, צריך לנסות 50% מכל השילובים האפשריים כדי לנחש את הביטוי שלך. עם זאת בחשבון, גם אם היריב שלך מסוגל ל-1,000,000,000,000 ניחושים בשנייה, עדיין ייקח לו ~27,255,689 שנים לנחש את משפט הסיסמה שלך. זה המצב גם אם הדברים הבאים נכונים: + + - היריב שלך יודע שהשתמשת בשיטת קוביות. + - היריב שלך יודע את רשימת המילים הספציפית שבה השתמשת. + - היריב שלך יודע כמה מילים מכיל ביטוי הסיסמה שלך. + +לסיכום, ביטויי סיסמה של תוכנת קוביות הם האפשרות הטובה ביותר שלך כאשר אתה צריך משהו שקל לזכור גם *ו* חזק במיוחד. + +## אחסון סיסמאות + +### מנהלי סיסמאות + +הדרך הטובה ביותר לאחסן את הסיסמאות שלך היא באמצעות מנהל סיסמאות. הם מאפשרים לך לאחסן את הסיסמאות שלך בקובץ או בענן ולהגן עליהן באמצעות סיסמת אב אחת. בדרך זו, תצטרך לזכור רק סיסמה אחת חזקה, המאפשרת לך לגשת לשאר שלהן. + +יש הרבה אפשרויות טובות לבחירה, הן מבוססות ענן והן מקומיות. בחר אחד ממנהלי הסיסמאות המומלצים שלנו והשתמש בו כדי ליצור סיסמאות חזקות בכל החשבונות שלך. אנו ממליצים לאבטח את מנהל הסיסמאות שלך באמצעות משפט סיסמה [של סכו"ם](#diceware-passphrases) המורכב משבע מילים לפחות. + +[רשימת מנהלי סיסמאות מומלצים](../passwords.md ""){.md-button} + +!!! warning אזהרה "אל תציב את הסיסמאות ואסימוני ה-TOTP שלך באותו מנהל סיסמאות" + + בעת שימוש בקודי TOTP כ[אימות רב-גורמי](../multi-factor-authentication.md), שיטת האבטחה הטובה ביותר היא לשמור את קודי ה-TOTP שלך ב[אפליקציה נפרדת](../multi-factor-authentication.md#authenticator-apps). + + אחסון אסימוני ה-TOTP שלך באותו מקום כמו הסיסמאות שלך, למרות שהוא נוח, מצמצם את החשבונות לגורם יחיד במקרה שיריב יקבל גישה למנהל הסיסמאות שלך. + + יתר על כן, איננו ממליצים לאחסן קודי שחזור חד-פעמיים במנהל הסיסמאות שלך. יש לאחסן אותם בנפרד, כגון במיכל מוצפן בהתקן אחסון לא מקוון. + +### גיבויים + +עליך לאחסן גיבוי [מוצפן](../encryption.md) של הסיסמאות שלך במספר התקני אחסון או בספק אחסון בענן. זה יכול לעזור לך לגשת לסיסמאות שלך אם משהו קורה למכשיר הראשי שלך או לשירות שבו אתה משתמש. diff --git a/i18n/he/basics/threat-modeling.md b/i18n/he/basics/threat-modeling.md new file mode 100644 index 00000000..bf0d2e0b --- /dev/null +++ b/i18n/he/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "מודל איומים" +icon: 'material/target-account' +description: איזון בין אבטחה, פרטיות ושימושיות היא אחת המשימות הראשונות והקשות שתתמודדו איתם במסע הפרטיות שלכם. +--- + +איזון בין אבטחה, פרטיות ושימושיות היא אחת המשימות הראשונות והקשות שתתמודדו איתם במסע הפרטיות שלכם. הכל הוא פשרה: ככל שמשהו בטוח יותר, כך הוא בדרך כלל מגביל או לא נוח יותר, וכו'. לעתים קרובות, אנשים מגלים שהבעיה בכלים שהם רואים מומלצים היא שפשוט קשה מדי להתחיל להשתמש בהם! + +אם תרצה להשתמש ב**רוב** הכלים המאובטחים הזמינים, תצטרך להקריב *הרבה* שימושיות. וגם אז, ==אין דבר שמאובטח תמיד לחלוטין.== יש אבטחה **גבוהה**, אך לעולם לא אבטחה **מלאה**. לכן מודלים של איומים חשובים. + +**אז, מה הם מודל האיומים האלה, בכלל?** + +==מודל איום הוא רשימה של האיומים הסבירים ביותר על מאמצי האבטחה והפרטיות שלך.== מכיוון שאי אפשר להגן על עצמך מפני **כל** תקיפה/תוקף, אתה צריך להתמקד באיומים ה**הסבירים ביותר**. באבטחת מחשבים, איום הוא אירוע שעלול לערער את המאמצים שלך להישאר פרטיים ומאובטחים. + +התמקדות באיומים החשובים לך מצמצמת את החשיבה שלך לגבי ההגנה הדרושה לך, כך שתוכל לבחור את הכלים המתאימים לתפקיד. + +## יצירת מודל האיום שלך + +כדי לזהות מה יכול לקרות לדברים שאתה מעריך ולקבוע ממי אתה צריך להגן עליהם, עליך לענות על חמש השאלות הבאות: + +1. על מה אני רוצה להגן? +2. ממי אני רוצה להגן עליו? +3. עד כמה סביר שאצטרך להגן עליו? +4. כמה נוראות יהיו ההשלכות אם אכשל? +5. כמה צרות אני מוכן לעבור כדי לנסות למנוע השלכות פוטנציאליות? + +### על מה אני רוצה להגן? + +"נכס" הוא משהו שאתה מעריך ורוצה להגן עליו. בהקשר של אבטחה דיגיטלית, נכס הוא בדרך כלל סוג של מידע. לדוגמה, הודעות דוא"ל, רשימות אנשי קשר, הודעות מיידיות, מיקום וקבצים הם כל הנכסים האפשריים. ייתכן שהמכשירים שלך עצמם הם גם נכסים. + +*צור רשימה של הנכסים שלך: נתונים שאתה שומר, היכן הם מוחזקים, למי יש גישה אליהם ומה מונע מאחרים לגשת אליהם.* + +### ממי אני רוצה להגן עליו? + +כדי לענות על שאלה זו, חשוב לזהות מי ירצה למקד אותך או את המידע שלך. =אדם או ישות המהווים איום על הנכסים שלך הוא "יריב ". דוגמאות ליריבים פוטנציאליים הם הבוס שלך, השותף שלך לשעבר, התחרות העסקית שלך, הממשלה שלך, או האקר ברשת ציבורית. + +*ערוך רשימה של היריבים שלך או של אלה שאולי ירצו להשיג את הנכסים שלך. הרשימה עשויה לכלול אנשים פרטיים, סוכנות ממשלתית או תאגידים.* + +תלוי מי הם היריבים שלך, בנסיבות מסוימות, רשימה זו עשויה להיות משהו שאתה רוצה להרוס אחרי שתסיים את התכנון ביטחוני. + +### עד כמה סביר שאצטרך להגן עליו? + +הסיכון הוא הסבירות שאיום מסוים על נכס מסוים יתרחש בפועל. זה הולך יד ביד עם יכולת. בעוד שלספק הטלפון הנייד שלך יש את היכולת לגשת לכל הנתונים שלך, הסיכון שהוא יפרסם את הנתונים הפרטיים שלך באינטרנט כדי לפגוע במוניטין שלך נמוך. + +חשוב להבחין בין מה שעלול לקרות לבין ההסתברות שזה יקרה. לדוגמה, קיים איום שהבניין שלך עלול לקרוס, אבל הסיכון שזה יקרה גדול יותר בסן פרנסיסקו (שבה רעידות אדמה נפוצות) מאשר בשטוקהולם (שבהן לא). + +הערכת סיכונים היא תהליך אישי וסובייקטיבי כאחד. אנשים רבים מוצאים איומים מסוימים בלתי מתקבלים על הדעת, לא משנה את הסבירות שהם יתרחשו, כי עצם הנוכחות של האיום לא שווה את המחיר. במקרים אחרים, אנשים מתעלמים מסיכונים גבוהים כי הם לא רואים את האיום כבעיה. + +*רשום אילו איומים אתה הולך לקחת ברצינות, ואשר עשוי להיות נדיר מדי או מזיק מדי (או קשה מדי להילחם) לדאוג.* + +### כמה נוראות יהיו ההשלכות אם אכשל? + +ישנן דרכים רבות כי יריב יכול לקבל גישה לנתונים שלך. לדוגמה, יריב יכול לקרוא את התקשורת הפרטית שלך כשהוא עובר דרך הרשת, או שהוא יכול למחוק או להשחית את הנתונים שלך. + +המניעים של היריבים שונים מאוד, וכך גם הטקטיקות שלהם. ממשלה המנסה למנוע הפצה של סרטון המציג אלימות משטרתית עשויה להיות מוכנה פשוט למחוק או להפחית את הזמינות של סרטון זה. לעומת זאת, יריב פוליטי עשוי לרצות לקבל גישה לתוכן סודי ולפרסם תוכן זה מבלי שתדע. + +תכנון אבטחה כרוך בהבנה של ההשלכות הרעות שיכולות להיות אם יריב מצליח להשיג גישה לאחד הנכסים שלך. כדי לקבוע את זה, אתה צריך לשקול את היכולת של היריב שלך. לדוגמה, לספק הטלפון הנייד שלך יש גישה לכל רשומות הטלפון שלך. האקר ברשת האלחוטית (Wi - Fi) פתוחה יכול לגשת לתקשורת הלא מוצפנת שלך. לממשלה שלך אולי יש יכולות חזקות יותר. + +*כתוב מה היריב שלך ירצה לעשות עם המידע הפרטי שלך.* + +### כמה צרות אני מוכן לעבור כדי לנסות למנוע השלכות פוטנציאליות? + +אין פתרון מושלם לאבטחה. לא לכולם יש את אותם סדרי עדיפויות, דאגות או גישה למשאבים. הערכת הסיכונים שלך תאפשר לך לתכנן את האסטרטגיה הנכונה עבורך, לאזן בין נוחות, עלות ופרטיות. + +לדוגמה, עורך דין המייצג לקוח במקרה של ביטחון לאומי עשוי להיות מוכן להשקיע מאמצים גדולים יותר כדי להגן על תקשורת לגבי מקרה זה, כגון באמצעות דואר אלקטרוני מוצפן, מאשר אמא ששולחת באופן קבוע מייל לבתה עם סרטוני חתולים מצחיקים. + +*כתוב אילו אפשרויות עומדות לרשותך כדי להקל על האיומים הייחודיים שלך. שימו לב אם יש לכם אילוצים כלכליים, אילוצים טכניים או אילוצים חברתיים.* + +### נסו בעצמכם: הגנה על השייכות שלכם + +שאלות אלה יכולות לחול על מגוון רחב של מצבים, מקוונים ולא מקוונים. כהדגמה כללית של האופן שבו שאלות אלה פועלות, בואו לבנות תוכנית כדי לשמור על הבית שלך ואת הרכוש בטוח. + +**על מה אתה רוצה להגן? (או, *מה יש לך ששווה הגנה?*)** +: + +הנכסים שלכם עשויים לכלול תכשיטים, מוצרי אלקטרוניקה, מסמכים חשובים או תמונות. + +**ממי אתה רוצה להגן עליו?** +: + +היריבים שלכם עשויים לכלול פורצים, שותפים לדירה או אורחים. + +**עד כמה סביר שתצטרך להגן עליו?** +: + +האם יש בשכונה שלך היסטוריה של פריצות? עד כמה השותפים והאורחים שלכם אמינים? מה היכולות של היריבים שלך? מהם הסיכונים שעליכם לקחת בחשבון? + +**כמה נוראות יהיו ההשלכות אם אכשל?** +: + +האם יש לך משהו בבית שלך שאתה לא יכול להחליף? האם יש לך את הזמן או הכסף כדי להחליף את הדברים האלה? יש לכם ביטוח שמכסה סחורה שנגנבה מהבית? + +**כמה צרות אתה מוכן לעבור כדי למנוע את התוצאות האלה?** +: + +אתה מוכן לקנות כספת למסמכים רגישים? אתה יכול להרשות לעצמך לקנות מנעול באיכות גבוהה? האם יש לך זמן לפתוח כספת בבנק המקומי שלך ולשמור את חפצי הערך שלך שם? + +רק לאחר שתשאלו את עצמכם את השאלות האלה תוכלו להעריך באילו אמצעים לנקוט. אם הרכוש שלך בעל ערך, אבל ההסתברות לפריצה נמוכה, אז אולי לא תרצה להשקיע יותר מדי כסף במנעול. אבל, אם ההסתברות לפריצה היא גבוהה, אתה רוצה לקבל את הנעילה הטובה ביותר בשוק ולשקול הוספת מערכת אבטחה. + +הנכסים שלכם עשויים לכלול תכשיטים, מוצרי אלקטרוניקה, מסמכים חשובים או תמונות. + +## קריאה נוספת + +**ממי אתה רוצה להגן עליו?** : + +- [מטרות ואיומים נפוצים :material-arrow-right-drop-circle:](common-threats.md) + +## מקורות + +- [הגנה עצמית במעקב EFF: תוכנית האבטחה שלך](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/he/basics/vpn-overview.md b/i18n/he/basics/vpn-overview.md new file mode 100644 index 00000000..dedbf416 --- /dev/null +++ b/i18n/he/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: סקירה כללית של VPN +icon: material/vpn +description: רשתות וירטואליות פרטיות מעבירות את הסיכון מספק שירותי האינטרנט שלך לצד שלישי שאתה סומך עליו. כדאי לזכור את הדברים האלה. +--- + +רשתות וירטואליות פרטיות הן דרך להרחיב את הקצה של הרשת שלך ליציאה למקום אחר בעולם. ספק שירותי אינטרנט יכול לראות את זרימת תעבורת האינטרנט הנכנסת ויוצאת ממכשיר סיום הרשת שלך (כלומר מודם). + +פרוטוקולי הצפנה כגון HTTPS נמצאים בשימוש נפוץ באינטרנט, כך שהם אולי לא יוכלו לראות בדיוק מה אתה מפרסם או קורא, אבל הם יכולים לקבל מושג על [הדומיינים שאתה מבקש](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +VPN יכול לעזור מכיוון שהוא יכול להעביר אמון לשרת במקום אחר בעולם. כתוצאה מכך, ספק שירותי האינטרנט רואה רק שאתה מחובר ל-VPN ושום דבר לגבי הפעילות שאתה מעביר אליו. + +## האם כדאי להשתמש ב - VPN? + +**כן**, אלא אם אתה כבר משתמש ב-Tor. VPN עושה שני דברים: מעביר את הסיכונים מספק שירותי האינטרנט שלך לעצמו והסתרת ה-IP שלך משירות של צד שלישי. + +VPNs אינם יכולים להצפין נתונים מחוץ לחיבור בין המכשיר שלך לשרת VPN. ספקי VPN יכולים לראות ולשנות את התעבורה שלך באותו אופן שבו ספק שירותי האינטרנט שלך יכול לראות. ואין דרך לאמת את מדיניות "ללא רישום" של ספק VPN בשום אופן. + +עם זאת, הם מסתירים את ה-IP האמיתי שלך משירות של צד שלישי, בתנאי שאין דליפות IP. הם עוזרים לך להשתלב עם אחרים ולהפחית מעקב מבוסס IP. + +## מתי לא כדאי להשתמש ב - VPN? + +השימוש ב-VPN במקרים שבהם אתה משתמש ב[זהות הידועה](common-threats.md#common-misconceptions) שלך לא סביר להיות שימושי. + +פעולה זו עלולה להפעיל מערכות זיהוי דואר זבל והונאות, כגון אם היית נכנס לאתר האינטרנט של הבנק שלך. + +## מה לגבי הצפנה? + +ההצפנה המוצעת על ידי ספקי VPN נמצאת בין המכשירים שלך לשרתים שלהם. זה מבטיח שהקישור הספציפי הזה מאובטח. זהו שלב עלייה משימוש בפרוקסי לא מוצפנים שבהם יריב ברשת יכול ליירט את התקשורת בין המכשירים שלך לפרוקסי האמורים ולשנות אותם. עם זאת, הצפנה בין האפליקציות או הדפדפנים שלך עם ספקי השירות אינה מטופלת על ידי הצפנה זו. + +על מנת לשמור על פרטיות ומאובטחת מה שאתה עושה באתרים שבהם אתה מבקר, עליך להשתמש ב-HTTPS. זה ישמור על הסיסמאות, אסימוני הפגישה והשאילתות שלך בטוחים מספק ה-VPN. שקול להפעיל "HTTPS בכל מקום" בדפדפן שלך כדי למתן התקפות שדרוג לאחור כמו [רצועת SSL](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## האם עלי להשתמש ב-DNS מוצפן עם VPN? + +אלא אם כן ספק ה-VPN שלך מארח את שרתי ה-DNS המוצפנים, **לא**. שימוש ב-DOH/DOT (או כל צורה אחרת של DNS מוצפן) עם שרתי צד שלישי פשוט יוסיף עוד ישויות למתן אמון ו**לא עושה כלום** לשיפור הפרטיות/אבטחתך. ספק ה-VPN שלך עדיין יכול לראות באילו אתרים אתה מבקר בהתבסס על כתובות ה-IP ושיטות אחרות. במקום לסמוך רק על ספק ה-VPN שלך, אתה בוטח כעת גם בספק ה-VPN וגם בספק ה-DNS. + +סיבה נפוצה להמליץ על DNS מוצפן היא שהוא עוזר נגד זיוף DNS. עם זאת, הדפדפן שלך כבר אמור לבדוק [אישורי TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) עם **HTTPS** ולהזהיר אותך לגבי זה. אם אינך משתמש ב**HTTPS**, יריב עדיין יכול פשוט לשנות כל דבר מלבד שאילתות ה-DNS שלך והתוצאה הסופית תהיה מעט שונה. + +מיותר לציין ש**לא כדאי להשתמש ב-DNS מוצפן עם Tor**. זה יפנה את כל בקשות ה-DNS שלך דרך מעגל יחיד ויאפשר לספק ה-DNS המוצפן לעשות לך דה-אנוניזציה. + +## האם עלי להשתמש ב- Tor *וגם*-VPN? + +על ידי שימוש ב-VPN עם Tor, אתה יוצר בעצם צומת כניסה קבוע, לעתים קרובות עם שביל כסף מחובר. זה מספק אפס יתרונות נוספים לך, תוך הגדלת משטח ההתקפה של החיבור שלך באופן דרמטי. אם אתה רוצה להסתיר את השימוש שלך ב-Tor מ-ISP שלך או מהממשלה שלך, ל-Tor יש פתרון מובנה לכך: גשרי Tor. [קרא עוד על גשרי Tor ומדוע אין צורך להשתמש ב-VPN](../advanced/tor-overview.md). + +## מה אם אני צריך אנונימיות? + +רשתות VPN לא יכולות לספק אנונימיות. ספק ה-VPN שלך עדיין יראה את כתובת ה-IP האמיתית שלך, ולעתים קרובות יש לו שובל כסף שניתן לקשר ישירות אליך. אינך יכול להסתמך על מדיניות "ללא רישום" כדי להגן על הנתונים שלך. השתמש [ב Tor](https://www.torproject.org/) במקום. + +## מה לגבי ספקי VPN המספקים צמתי Tor? + +אל תשתמש בתכונה זו. הנקודה בשימוש ב-Tor היא שאינך סומך על ספק ה-VPN שלך. נכון לעכשיו Tor תומך רק בפרוטוקול [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (בשימוש [WebRTC](https://en.wikipedia.org/wiki/WebRTC) לשיתוף קול ווידאו, פרוטוקול [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) החדש וכו'), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) ומנות אחרות יוסרו. כדי לפצות על כך, ספקי VPN בדרך כלל ינתבו את כל החבילות שאינן TCP דרך שרת ה-VPN שלהם (הקפיצה הראשונה שלך). זה המקרה עם [ProtonVPN](https://protonvpn.com/support/tor-vpn/). בנוסף, בעת שימוש בהגדרת Tor over VPN זו, אין לך שליטה על תכונות Tor חשובות אחרות כגון [כתובת יעד מבודדת](https://www.whonix.org/wiki/Stream_Isolation) (באמצעות מעגל Tor שונה עבור כל דומיין שאתה מבקר בו). + +יש לראות את התכונה כדרך נוחה לגשת לרשת Tor, לא להישאר אנונימית. לאנונימיות נאותה, השתמש בדפדפן Tor, TorSocks או שער Tor. + +## מתי רשתות VPN שימושיות? + +VPN עדיין עשוי להיות שימושי עבורך במגוון תרחישים, כגון: + +1. הסתרת התנועה שלך מ**רק** מספק האינטרנט שלך. +1. הסתרת ההורדות שלך (כגון טורנטים) מ-ISP וארגונים נגד פיראטיות. +1. הסתרת ה-IP שלך מאתרי אינטרנט ושירותים של צד שלישי, מניעת מעקב מבוסס IP. + +במצבים כאלה, או אם יש לך סיבה משכנעת אחרת, ספקי רשתות ה-VPN שציינו לעיל הם אלו שאנו חושבים שהם הכי אמינים. עם זאת, שימוש בספק VPN עדיין אומר שאתה *סומך* על הספק. כמעט בכל תרחיש אחר אתה אמור להשתמש בכלי מאובטח**שמעוצב** כגון Tor. + +## מקורות וקריאה נוספת + +1. [VPN - נרטיב מאוד מעורער](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) מאת דניס שוברט +1. [סקירה כללית של רשת Tor](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["האם אני צריך VPN?"](https://www.doineedavpn.com), כלי שפותח על ידי IVPN כדי לאתגר שיווק VPN אגרסיבי על ידי סיוע לאנשים להחליט אם VPN מתאים להם. + +## מידע שקשור ל VPN + +- [הבעיה עם אתרי סקירת VPN ואתרי פרטיות](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [חקירת אפליקציית VPN בחינם](https://www.top10vpn.com/free-vpn-app-investigation/) +- [בעלי VPN מוסתרים חשפו: 101 מוצרי VPN המנוהלים על ידי 23 חברות בלבד](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [החברה הסינית הזו עומדת בסתר מאחורי 24 אפליקציות פופולריות שמחפשות הרשאות מסוכנות](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/he/calendar.md b/i18n/he/calendar.md new file mode 100644 index 00000000..8fe2b47f --- /dev/null +++ b/i18n/he/calendar.md @@ -0,0 +1,70 @@ +--- +title: "סנכרון לוח שנה" +icon: material/calendar +description: לוחות שנה מכילים חלק מהנתונים הרגישים ביותר שלך; השתמש במוצרים המטמיעים הצפנה במנוחה. +--- + +לוחות שנה מכילים חלק מהנתונים הרגישים ביותר שלך; השתמש במוצרים המיישמים E2EE ב - מנוחה כדי למנוע מספק לקרוא אותם. + +## Tutanota + +!!! recommendation + + ![Tutanota לוגו](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota לוגו](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** מציעה לוח שנה בחינם ומוצפן על פני הפלטפורמות הנתמכות שלהם. התכונות כוללות: E2EE אוטומטי של כל הנתונים, תכונות שיתוף, פונקציונליות ייבוא/ייצוא, אימות רב-גורמי ו-[עוד](https://tutanota.com/calendar-app-comparison/). + + מספר לוחות שנה ופונקציונליות שיתוף מורחבת מוגבלים למנויים בתשלום. + + [:octicons-home-16: דף הבית](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** הוא שירות לוח שנה מוצפן הזמין לחברי Proton דרך לקוחות אינטרנט או ניידים. התכונות כוללות: E2EE אוטומטי של כל הנתונים, תכונות שיתוף, פונקציונליות ייבוא/ייצוא [ועוד](https://proton.me/support/proton-calendar-guide). אלה בשכבה החינמית מקבלים גישה ללוח שנה בודד, בעוד שמנויים בתשלום יכולים ליצור עד 20 לוחות שנה. פונקציונליות השיתוף המורחבת מוגבלת גם למנויים בתשלום. + + [:octicons-home-16: דף הבית](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- עליך לסנכרן ולאחסן מידע עם E2EE כדי לוודא שהנתונים אינם גלויים לספק השירות. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך להשתלב עם לוח השנה של מערכת ההפעלה המקומית ואפליקציות ניהול אנשי קשר, אם רלוונטי. diff --git a/i18n/he/cloud.md b/i18n/he/cloud.md new file mode 100644 index 00000000..9fd92056 --- /dev/null +++ b/i18n/he/cloud.md @@ -0,0 +1,99 @@ +--- +title: "אחסון בענן" +icon: material/file-cloud +description: ספקי אחסון בענן רבים דורשים את האמון שלך שהם לא יסתכלו על הקבצים שלך. אלו חלופות פרטיות! +--- + +ספקי אחסון ענן רבים דורשים את האמון המלא שלך בכך שהם לא יסתכלו על הקבצים שלך. החלופות המפורטות להלן מבטלות את הצורך באמון על ידי הטמעת E2EE מאובטחת. + +אם חלופות אלה אינן מתאימות לצרכים שלך, אנו מציעים לך לבדוק שימוש בתוכנת הצפנה כמו [Cryptomator](encryption.md#cryptomator-cloud) עם ספק ענן אחר. שימוש ב-Cryptomator בשילוב עם **כל** ספק ענן (כולל אלה) עשוי להיות רעיון טוב כדי להפחית את הסיכון לפגמי הצפנה אצל הלקוחות המקומיים של הספק. + +??? השאלה "מחפשים את NextCloud?" + + Nextcloud הוא [עדיין כלי מומלץ](productivity.md) לאירוח עצמי של חבילת ניהול קבצים, אולם איננו ממליצים כרגע על ספקי אחסון Nextcloud של צד שלישי, מכיוון שאנו [לא ממליצים](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29)פונקציונליות ה-E2EE המובנית של Nextcloud למשתמשים ביתיים. + +## Proton Drive + +!!! recommendation + + ![Proton Drive לוגו](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** הוא ספק אחסון ענן מוצפן שוויצרי מספק האימייל המוצפן הפופולרי [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: דף הבית](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +אפליקציית האינטרנט של Proton Drive נבדקה באופן עצמאי על ידי Securitum ב[2021](https://proton.me/blog/security-audit-all-proton-apps), הפרטים המלאים לא זמינים, אך במכתב האישור של Securitum נאמר: + +> המבקרים זיהו שתי נקודות תורפה בדרגת חומרה נמוכה. בנוסף, דווחו חמש המלצות כלליות. יחד עם זאת, אנו מאשרים כי לא זוהו בעיות אבטחה חשובות במהלך המבחן. + +הלקוחות הניידים החדשים של Proton Drive עדיין לא עברו ביקורת פומבית על ידי צד שלישי. + +## Tresorit + +!!! recommendation + + ![Tresorit לוגו](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** היא ספקית אחסון ענן מוצפנת הונגרית שנוסדה ב-2011. Tresorit נמצאת בבעלות ה-Swiss Post, שירות הדואר הלאומי של שוויץ. + + [:octicons-home-16: דף הבית](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit קיבלה מספר ביקורות אבטחה עצמאיות: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] הענות[הסמכה](https://www.certipedia.com/quality_marks/9108644476) על ידי TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): בדיקת חדירה על ידי Computest + - סקירה זו העריכה את האבטחה של לקוח האינטרנט של Tresorit, אפליקציית אנדרואיד, אפליקציית ווינדוס והתשתית הקשורה אליו. + - Computest גילתה שתי נקודות תורפה שנפתרו. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): בדיקת חדירה על ידי Ernst & Young. + - סקירה זו ניתחה את קוד המקור המלא של Tresorit ואימתה שהיישום תואם את המושגים המתוארים ב[דף הלבן](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf) של Tresorit. + - ארנסט & יאנג בדק בנוסף את האינטרנט, הנייד והמחשב שולחני: "תוצאות הבדיקה לא מצאו חריגה מתביעות סודיות הנתונים של Tresorit." + +הם גם קיבלו את תווית האמון הדיגיטלי, הסמכה מ[היוזמה הדיגיטלית השוויצרית](https://www.swiss-digital-initiative.org/digital-trust-label/) המחייבת העברת 35[ קריטריונים](https://digitaltrust-label.swiss/criteria/) הקשורים לאבטחה, פרטיות ואמינות. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- חייב לאכוף הצפנה מקצה לקצה. +- יש להציע תוכנית חינם או תקופת ניסיון לבדיקה. +- צריך לתמוך בתמיכה באימות רב-גורמי TOTP או FIDO2, או כניסות מפתח סיסמה. +- חייב להציע ממשק אינטרנט התומך בפונקציונליות ניהול קבצים בסיסית. +- חייב לאפשר ייצוא קל של כל הקבצים/המסמכים. +- חייב להשתמש בהצפנה סטנדרטית ומבוקרת. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- הלקוחות צריכים להיות בקוד פתוח. +- לקוחות צריכים להיות מבוקרים במלואם על ידי צד שלישי עצמאי. +- צריך להציע ללקוחות מקומיים עבור לינוקס, אנדרואיד, Windows, macOS ו - iOS. + - לקוחות אלה צריכים להשתלב עם כלי מערכת הפעלה מקוריים עבור ספקי אחסון בענן, כגון שילוב אפליקציות קבצים ב- iOS, או פונקציונליות DocumentsProvider באנדרואיד. +- צריך לתמוך בשיתוף קבצים קל עם משתמשים אחרים. +- אמור להציע לפחות תצוגה מקדימה בסיסית של קובץ ופונקציונליות עריכה בממשק האינטרנט. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001): תאימות 2013 מתייחסת ל[מערכת ניהול אבטחת המידע](https://en.wikipedia.org/wiki/Information_security_management) של החברה ומכסה את המכירות, הפיתוח, התחזוקה והתמיכה של שירותי הענן שלהם. diff --git a/i18n/he/cryptocurrency.md b/i18n/he/cryptocurrency.md new file mode 100644 index 00000000..ac9c6abf --- /dev/null +++ b/i18n/he/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: מטבעות קריפטוגרפיים +icon: material/bank-circle +--- + +ביצוע תשלומים אונליין הוא אחד האתגרים הגדולים ביותר לפרטיות. מטבעות קריפטוגרפיים אלו מספקים פרטיות עסקאות כברירת מחדל (דבר ש**לא** מובטח על ידי רוב מטבעות הקריפטו), בתנאי שיש לך הבנה טובה כיצד לבצע תשלומים פרטיים ביעילות. אנו ממליצים בחום שתקרא תחילה את מאמר סקירת התשלומים שלנו לפני ביצוע רכישות כלשהן: + +[ביצוע תשלומים פרטיים :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger "סַכָּנָה" + + רבים אם לא רוב הפרויקטים של מטבעות קריפטוגרפיים הם הונאות. בצע עסקאות בזהירות עם רק פרויקטים שאתה סומך עליהם. + +## Monero + +!!! recommendation + + ![Monero לוגו](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** משתמש בבלוקצ'יין עם טכנולוגיות משפרות פרטיות המטשטשות עסקאות כדי להשיג אנונימיות. כל עסקת Monero מסתירה את סכום העסקה, כתובות שליחה וקבלה, ומקור הכספים ללא שום חישוקים לדלג דרכם, מה שהופך אותה לבחירה אידיאלית עבור טירוני מטבעות קריפטוגרפיים. + + [:octicons-home-16: דף הבית](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=לתרומה } + +עם Monero, משקיפים מבחוץ אינם יכולים לפענח כתובות מסחר Monero, סכומי עסקאות, יתרות כתובות או היסטוריית עסקאות. + +לפרטיות מיטבית, הקפד להשתמש בארנק לא משמורן שבו מפתח התצוגה נשאר במכשיר. המשמעות היא שרק לך תהיה את היכולת להוציא את הכספים שלך ולראות עסקאות נכנסות ויוצאות. אם אתה משתמש בארנק משמורן, הספק יכול לראות **כל מה** שאתה עושה; אם אתה משתמש בארנק "קל משקל" שבו הספק שומר על מפתח התצוגה הפרטי שלך, הספק יכול לראות כמעט כל מה שאתה עושה. כמה ארנקים שאינם משמורנים כוללים: + +- [Official Monero client](https://getmonero.org/downloads) (שולחני) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet תומך במספר מטבעות קריפטוגרפיים. גרסת Monero בלבד של Cake Wallet זמינה בכתובת [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (שולחני) +- [Monerujo](https://www.monerujo.io/) (אנדרואיד) + +לפרטיות מקסימלית (אפילו עם ארנק לא משמורן), עליך להפעיל צומת Monero משלך. שימוש בצומת של אדם אחר יחשוף בפניו מידע מסוים, כגון כתובת ה-IP שממנה אתה מתחבר אליו, חותמות הזמן שאתה מסנכרן את הארנק שלך והעסקאות שאתה שולח מהארנק שלך (אם כי אין פרטים נוספים על עסקאות אלו). לחלופין, אתה יכול להתחבר לצומת Monero של מישהו אחר באמצעות Tor או i2p. + +באוגוסט 2021, [הודיעה](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) CipherTrace על יכולות מעקב משופרות של Monero עבור סוכנויות ממשלתיות. פרסומים פומביים מראים כי רשת אכיפת הפשעים הפיננסיים של משרד האוצר האמריקאי העניקה [רישיון](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) ל-"Monero Module" של CipherTrace בסוף 2022. + +פרטיות גרף העסקאות של Monero מוגבלת על ידי חתימות הטבעות הקטנות יחסית שלה, במיוחד נגד התקפות ממוקדות. תכונות הפרטיות של Monero גם [הוטלו בספק](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) על ידי כמה חוקרי אבטחה, ומספר נקודות תורפה חמורות נמצאו ותוקנו בעבר, כך שהטענות שהועלו על ידי ארגונים כמו CipherTrace אינן באות בחשבון. אמנם אין זה סביר שכלי מעקב המוני Monero קיימים כפי שהם קיימים עבור ביטקוין ואחרים, אך בטוח שכלי מעקב מסייעים בחקירות ממוקדות. + +בסופו של דבר, Monero היא המתמודדת החזקה ביותר על מטבע קריפטוגרפי ידידותי לפרטיות, אך טענות הפרטיות שלה **לא** הוכחו באופן סופי כך או כך. נדרשים יותר זמן ומחקר כדי להעריך אם Monero עמיד מספיק בפני התקפות כדי לספק תמיד פרטיות נאותה. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- מטבעות קריפטו חייבים לספק עסקאות פרטיות/בלתי ניתנות לאיתור כברירת מחדל. diff --git a/i18n/he/data-redaction.md b/i18n/he/data-redaction.md new file mode 100644 index 00000000..ee04e62b --- /dev/null +++ b/i18n/he/data-redaction.md @@ -0,0 +1,144 @@ +--- +title: "הפחתת נתונים ומטא נתונים" +icon: material/tag-remove +description: השתמש בכלים אלה כדי להסיר מטא נתונים כמו מיקום GPS ומידע מזהה אחר מתמונות וקבצים שאתה משתף. +--- + +בעת שיתוף קבצים, הקפד להסיר מטא נתונים משויכים. קבצי תמונה כוללים בדרך כלל [נתוני Exif](https://en.wikipedia.org/wiki/Exif). תמונות לפעמים אפילו כוללות קואורדינטות GPS במטא-נתונים של הקובץ. + +## מחשב שולחני + +### MAT2 + +!!! recommendation + + ![MAT2 לוגו](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** היא תוכנה חופשית, המאפשרת להסיר את המטא נתונים מסוגים של תמונות, אודיו, טורנטים ומסמכים. הוא מספק גם כלי שורת פקודה וגם ממשק משתמש גרפי באמצעות [הרחבה עבור Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), מנהל הקבצים המוגדר כברירת מחדל של [GNOME](https://www.gnome.org), ו-[Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), מנהל הקבצים המוגדר כברירת מחדל של [KDE](https://kde.org). + + בלינקוס, קיים כלי גרפי של צד שלישי [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) המופעל על ידי MAT2 והוא [זמין ב-Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: מאגר](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=תיעוד} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## נייד + +### ExifEraser (אנדרואיד) + +!!! recommendation + + ![לוגו של ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** הוא יישום מודרני למחיקת מטא נתונים של תמונות ללא הרשאה עבור אנדרואיד. + + בשלב זה הוא תומך בקבצי JPEG, PNG ו - WebP. + + [:octicons-repo-16: מאגר](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +המטא נתונים שנמחקים תלויים בסוג הקובץ של התמונה: + +* **JPEG**: פרופיל ICC, Exif, משאבי תמונה בפוטושופ ומטא-נתונים של XMP/ExtendedXMP יימחקו אם הם קיימים. +* **PNG**: פרופיל ICC, מטא נתונים של Exif ו - XMP יימחקו אם הם קיימים. +* **WebP**: פרופיל ICC, מטא נתונים של Exif ו - XMP יימחקו אם הם קיימים. + +לאחר עיבוד התמונות, ExifEraser מספק לך דוח מלא על מה בדיוק הוסר מכל תמונה. + +האפליקציה מציעה מספר דרכים למחיקת מטא - נתונים מתמונות. כלומר: + +* באפשרותך לשתף תמונה מיישום אחר עם ExifEraser. +* דרך האפליקציה עצמה, אתה יכול לבחור תמונה אחת, תמונות מרובות בבת אחת, או אפילו ספריה שלמה. +* הוא כולל אפשרות "מצלמה ", המשתמשת באפליקציית המצלמה של מערכת ההפעלה כדי לצלם תמונה, ולאחר מכן מסירה ממנה את המטא נתונים. +* זה מאפשר לך לגרור תמונות מיישום אחר לתוך ExifEraser כאשר שניהם פתוחים במצב מסך מפוצל. +* לבסוף, הוא מאפשר לך להדביק תמונה מהלוח שלך. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho לוגו](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** הוא צופה פשוט ונקי עבור מטא נתונים של תמונות כגון תאריך, שם קובץ, גודל, מודל מצלמה, מהירות צמצם ומיקום. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + ** PrivacyBlur** היא אפליקציה חינמית שיכולה לטשטש חלקים רגישים של תמונות לפני שהיא משתפת אותם באינטרנט. + + [:octicons-home-16: דף הבית](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning "אזהרה" + + כדאי **לעולם** לא להשתמש בטשטוש כדי לעצב [טקסט בתמונות](https://bishopfox.com/blog/unredacter-tool-never-pixelation). אם ברצונך לשנות טקסט בתמונה, צייר תיבה מעל הטקסט. לשם כך, אנו מציעים אפליקציות כמו [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## שורת הפקודה + +### ExifTool + +!!! recommendation + + ![ExifTool לוגו](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** הוא ספריית ה-perl המקורית ויישום שורת הפקודה לקריאה, כתיבה ועריכה של מטא מידע (Exif, IPTC, XMP ועוד) במגוון רחב של פורמטים של קבצים (JPEG, TIFF, PNG, PDF, RAW ועוד). + + לעתים קרובות זה מרכיב של יישומי הסרת Exif אחרים ונמצא ברוב מאגרי ההפצה של לינוקס. + + [:octicons-home-16: דף הבית](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "מחיקת נתונים מספריית קבצים" + + ```bash + exiftool -all= *.סיומת קובץ + ``` + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- יישומים שפותחו עבור מערכות הפעלה בקוד פתוח חייבים להיות קוד פתוח. +- יישומים חייבים להיות חינמיים ולא לכלול מודעות או מגבלות אחרות. diff --git a/i18n/he/desktop-browsers.md b/i18n/he/desktop-browsers.md new file mode 100644 index 00000000..ce3ee586 --- /dev/null +++ b/i18n/he/desktop-browsers.md @@ -0,0 +1,361 @@ +--- +title: "דפדפנים שולחניים" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: המלצות על דפדפן לשולחן העבודה פרטי + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - לינוקס + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - לינוקס + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - לינוקס + subjectOf: + "@type": WebPage + url: "./" +--- + +אלה הדפדפנים והתצורות המומלצים כרגע לגלישה רגילה/לא אנונימית. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +אם אתה צריך לגלוש באינטרנט באופן אנונימי, אתה צריך להשתמש [Tor](tor.md) במקום. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![לוגו Firefox](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** מספק הגדרות פרטיות חזקות כגון [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), שיכול לעזור לחסום שונים [סוגי מעקב](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-protection-blocks). + + [:octicons-home-16: דף הבית](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=תיעוד} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning "אזהרה" + Firefox כולל [אסימון הורדה](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) ייחודי בהורדות מאתר האינטרנט של מוזילה ומשתמש בטלמטריה ב-Firefox כדי לשלוח את האסימון. האסימון **לא** כלול במהדורות מ-[Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### תצורה מומלצת + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות** ← **פרטיות & אבטחה**. + +##### הגנה מוגברת מפני מעקב + +- [x] בחר ** מחמיר** הגנת מעקב מתקדמת + +זה מגן עליך על ידי חסימת מעקבי מדיה חברתית, סקריפטים של טביעת אצבע (שים לב שזה לא מגן עליך מפני *כל* טביעות האצבע), קריפטומינרים, עוגיות מעקב חוצות- אתרים ותוכן מעקב אחר. ETP מגן מפני איומים נפוצים רבים, אך הוא אינו חוסם את כל אפיקי המעקב מכיוון שהוא נועד להשפיע באופן מינימלי עד ללא השפעה על השימושיות באתר. + +##### חיטוי בעת סגירה + +אם אתה רוצה להישאר מחובר לאתרים מסוימים, אתה יכול לאפשר חריגים ב**עוגיות ונתוני אתר** ← **נהל חריגים... ** + +- [x] סמן **מחיקת עוגיות ונתוני אתרים עם סגירת Firefox** + +זה מגן עליך מפני עוגיות מתמשכות, אך אינו מגן עליך מפני עוגיות שנרכשו במהלך כל הפעלת גלישה אחת. כאשר זה מופעל, אפשר לנקות בקלות את קובצי העוגיות של הדפדפן שלך פשוט על ידי הפעלה מחדש של Firefox. אתה יכול להגדיר חריגים על בסיס אתר, אם אתה רוצה להישאר מחובר לאתר מסוים שאתה מבקר בו לעתים קרובות. + +##### הצעות חיפוש + +- [ ] בטל את הסימון **הצגת המלצות חיפוש** + +ייתכן שתכונות הצעות חיפוש לא יהיו זמינות באזור שלך. + +הצעות חיפוש שולחות את כל מה שאתה מקליד בסרגל הכתובות למנוע החיפוש המוגדר כברירת מחדל, ללא קשר אם אתה שולח חיפוש בפועל. השבתת הצעות חיפוש מאפשרת לך לשלוט בצורה מדויקת יותר באילו נתונים אתה שולח לספק מנועי החיפוש שלך. + +##### טלמטריה + +- [ ] בטל את הסימון **לאפשר ל-Firefox לשלוח אל Mozilla מידע טכני ופעולות שבוצעו בדפדפן** +- [ ] בטל את הסימון **לאפשר ל-Firefox להתקין ולהריץ מחקרים** +- [ ] בטל את הסימון **לאפשר ל-Firefox דיווחי קריסות שנשמרו בשמך** + +> Firefox שולח נתונים על הגרסה והשפה של Firefox שלך; תצורת מערכת ההפעלה והחומרה של המכשיר; זיכרון, מידע בסיסי על קריסות ושגיאות; תוצאה של תהליכים אוטומטיים כמו עדכונים, גלישה בטוחה והפעלה אלינו. כאשר Firefox שולח לנו נתונים, כתובת ה-IP שלך נאספת זמנית כחלק מיומני השרת שלנו. + +בנוסף, שירות חשבונות Firefox אוסף [כמה נתונים טכניים](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). אם אתה משתמש בחשבון Firefox אתה יכול לבטל את הסכמתך: + +1. פתח את [הגדרות הפרופיל שלך ב ](https://accounts.firefox.com/settings#data-collection)accounts.firefox.com +2. ביטול סימון **איסוף נתונים ושימוש** > **עזרה בשיפור חשבונות Firefox** + +##### מצב HTTPS בלבד + +- [x] בחר **הפעלת מצב HTTPS בלבד בכל החלונות** + +זה מונע ממך להתחבר ללא כוונה לאתר אינטרנט ב-HTTP בטקסט רגיל. אתרים ללא HTTPS אינם נפוצים כיום, לכן לא אמורה להיות לכך השפעה רבה על הגלישה היומיומית שלך. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו') להיות נגישים בכל המכשירים שלך ומגן עליהם באמצעות E2EE. + +### Arkenfox (מתקדם) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +פרויקט [Arkenfox](https://github.com/arkenfox/user.js) מספק קבוצה של אפשרויות שנשקלו בקפידה עבור Firefox. אם אתה [מחליט](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) להשתמש ב-Arkenfox, [כמה אפשרויות](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) הן קפדניות סובייקטיבית ו/או עלולות לגרום לאתרים מסוימים לא לעבוד כראוי [שאותן תוכל לשנות בקלות](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) כדי להתאים לצרכים שלך. אנו **ממליצים בחום** לקרוא את [הויקי](https://github.com/arkenfox/user.js/wiki) המלא שלהם. Arkenfox גם מאפשר תמיכה ב[מכולות](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users). + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave לוגו](assets/img/browsers/brave.svg){ align=right } + + **דפדפן Brave** כולל חוסם תוכן מובנה ו [תכונות פרטיות ]( https://brave.com/privacy-features/), רבים מהם מופעלים כברירת מחדל. + + Brave בנוי על פרויקט דפדפן Chromium, כך שהוא אמור להרגיש מוכר ושיהיו לו בעיות תאימות מינימליות לאתר. + + [:octicons-home-16: דף הבית](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="שירות בצל" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="קוד פתוח" } + + ??? downloads annotate "הורדות" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. אנו ממליצים לא להשתמש בגרסת Flatpak של Brave, מכיוון שהיא מחליפה את ארגז החול של Chromium ב-Flatpak, שהוא פחות יעיל. בנוסף, החבילה אינה מתוחזקת על ידי Brave Software, Inc. + +### תצורה מומלצת + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות**. + +##### Shields + +Brave כולל כמה אמצעים נגד טביעת אצבע בתכונת [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) שלו. אנו מציעים להגדיר את האפשרויות האלה [גלובלי](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) בכל הדפים שבהם אתה מבקר. + +ניתן לשדרג לאחור את האפשרויות של Shields על בסיס אתר לפי הצורך, אך כברירת מחדל אנו ממליצים להגדיר את האפשרויות הבאות: + +
+ +- [x] בחר **מנע מאתרים לקחת ממני טביעות אצבע בהתבסס על העדפות השפה שלי** +- [x] בחר **אגרסיבי** תחת חסימת עוקבים ומודעות + + ??? warning "השתמש ברשימות סינון ברירת מחדל" + Brave מאפשר לך לבחור מסנני תוכן נוספים בדף הפנימי `brave://adblock`. אנו ממליצים לא להשתמש בתכונה זו; במקום זאת, שמור על רשימות הסינון המוגדרות כברירת מחדל. שימוש ברשימות נוספות יגרום לך להתבלט ממשתמשי Brave אחרים ועלול גם להגדיל את שטח ההתקפה אם יש ניצול ב-Brave וכלל זדוני יתווסף לאחת הרשימות שבהן אתה משתמש. + +- [x] (אופציונלי) בחר **בלוק סקריפטים** (1) +- [x] בחר **מחמיר, עלול לשבור אתרים** תחת בלוק טביעת אצבע + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### חסימת מדיה חברתית + +- [ ] בטל את הסימון של כל רכיבי המדיה החברתית + +##### פרטיות ואבטחה + +
+ +- [x] בחר **Disable Non-Proxied UDP** מתחת [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] בטל **שימוש בשירותי Google להעברת הודעות בדחיפה** +- [ ] בטל **אפשר ניתוח מוצרים ששומר על הפרטיות (P3A)** +- [ ] בטל **שליחה אוטומטית של פינג שימוש יומי ל-Brave** +- [x] בחר **השתמש תמיד בחיבורים מאובטחים** בתוך **אבטחה** תפריט +- [ ] בטל **חלון פרטי עם טור** (1) + + !!! חשוב"חיטוי בסגירה" + - [x] בחר**נקה קבצי עוגיות ונתוני אתר בעת סגירת כל החלונות**בתפריט *עוגיות ונתוני אתר אחרים* + + אם ברצונך להישאר מחובר לאתר מסוים שבו אתה מבקר לעתים קרובות, באפשרותך להגדיר חריגים על בסיס לכל אתר תחת *התנהגויות מותאמות אישית* section. + +
+ +1. Brave הוא **לא** עמיד בפני טביעת אצבע כמו דפדפן Tor והרבה פחות אנשים משתמשים אמיץ עם Tor, כך תוכל להתבלט. כאשר [נדרשת אנונימיות חזקה](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) השתמש בדפדפן [Tor](tor.md#tor-browser). + +##### הרחבות + +השבת הרחבות מובנות שאינך משתמש בהן ב**הרחבות** + +- [ ] בטל את הסימון **Hangouts** +- [ ] בטל את הסימון **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### הגדרות נוספות + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### סנכרון Brave + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו ') להיות נגישים בכל המכשירים שלך ללא צורך בחשבון ומגן עליהם באמצעות E2EE. + +## מקורות נוספים + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![הלוגו של uBlock Origin](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** הוא חוסם תוכן פופולרי שיכול לעזור לך לחסום מודעות, עוקבים וסקריפטים של טביעות אצבע. + + [:octicons-repo-16: מאגר](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="קוד מקור" } + + ??? הורדות + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### רשימות אחרות + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- חייבת להיות תוכנת קוד פתוח. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- כל שינוי שיידרש כדי להפוך את הדפדפן ליותר מכבד פרטיות לא צריך להשפיע לרעה על חוויית המשתמש. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### קריטריונים להרחבה + +- אסור לשכפל דפדפן מובנה או פונקציונליות מערכת הפעלה. +- חייב להשפיע ישירות על פרטיות המשתמש, כלומר לא חייב פשוט לספק מידע. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/he/desktop.md b/i18n/he/desktop.md new file mode 100644 index 00000000..4c2781a5 --- /dev/null +++ b/i18n/he/desktop.md @@ -0,0 +1,183 @@ +--- +title: "שולחן עבודה/מחשב אישי" +icon: simple/linux +description: הפצות לינוקס מומלצות בדרך כלל להגנה על פרטיות וחופש תוכנה. +--- + +הפצות לינוקס מומלצות בדרך כלל להגנה על פרטיות וחופש תוכנה. אם אינך משתמש עדיין בלינוקס, להלן כמה הפצות שאנו מציעים לנסות, כמו גם כמה טיפים כלליים לשיפור פרטיות ואבטחה החלים על הפצות לינוקס רבות. + +- [סקירה כללית של לינוקס :material-arrow-right-drop-circle:](os/linux-overview.md) + +## הפצות מסורתיות + +### Fedora Workstation + +!!! recommendation + + ![Fedora לוגו](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **תחנת העבודה של פדורה** היא ההפצה המומלצת שלנו לאנשים חדשים ללינוקס. Fedora בדרך כלל מאמצת טכנולוגיות חדשות יותר לפני הפצות אחרות, למשל [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), ובקרוב [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). טכנולוגיות חדשות אלה מגיעות לעתים קרובות עם שיפורים באבטחה, בפרטיות ובשימושיות באופן כללי. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +לFedora יש מהדורת שחרור מתגלגל-למחצה. בעוד כמה חבילות כמו [GNOME](https://www.gnome.org) מוקפאות עד לשחרור הבא של פדורה, רוב החבילות (כולל הקרנל) מתעדכנות לעתים קרובות לאורך תוחלת החיים של השחרור. כל גרסה של פדורה נתמכת למשך שנה אחת, עם גרסה חדשה ששוחררה כל שישה חודשים. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed לוגו](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** היא הפצת שחרור מתגלגלת יציבה. + + ל-openSUSE Tumblewee יש a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) יש מערכת המשתמשת [Btrfs](https://en.wikipedia.org/wiki/Btrfs) ו [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) כדי להבטיח שניתן יהיה להחזיר תמונות אם תהיה בעיה. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed עוקב אחר מודל מהדורה מתגלגל שבו כל עדכון משוחרר כתמונת מצב של ההפצה. בעת שדרוג המערכת, מתבצעת הורדה של תמונת מצב חדשה. כל תמונת מצב מנוהלת באמצעות סדרה של בדיקות אוטומטיות על ידי [openQA](https://openqa.opensuse.org) כדי להבטיח את איכותה. + +### Arch Linux + +!!! recommendation + + ![Arch לוגו](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** הוא הפצה קלה של עשה זאת בעצמך (DIY) שמשמעותה שאתה מקבל רק את מה שאתה מתקין. לקבלת מידע נוסף, עיין ב[FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +ל - Arch Linux יש מחזור שחרור מתגלגל. אין לוח זמנים שחרור קבוע וחבילות מתעדכנות לעתים קרובות מאוד. + +להיות התפלגות DIY, אתה [צפוי להגדיר ולתחזק](os/linux-overview.md#arch-based-distributions) המערכת שלך בעצמך. יש Arch [מתקין רשמי](https://wiki.archlinux.org/title/Archinstall) כדי להפוך את תהליך ההתקנה קצת יותר קל. + +חלק גדול מהחבילות של [ארץ' לינוקס](https://reproducible.archlinux.org) הן [לשחזור](https://reproducible-builds.org). + +## הפצות בלתי ניתנות לשינוי + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue לוגו](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue *** ו -** Fedora Kinoite ** הם גרסאות בלתי ניתנות לשינוי של Fedora עם מיקוד חזק בזרימות עבודה של קונטיינרים. Silverblue מגיע עם [GNOME](https://www.gnome.org/) desktop environment while Kinoite [KDE](https://kde.org/). Silverblue ו - Kinoite מצייתות לאותו לוח זמנים של הפצה כמו Fedora Workstation, ומרוויחות מאותם עדכונים מהירים ונשארות קרובות מאוד לזרם. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (ו Kinoite) שונים מ Fedora Workstation כפי שהם מחליפים את [מנהל חבילת DNF](https://fedoraproject.org/wiki/DNF) עם אלטרנטיבה מתקדמת הרבה יותר בשם [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). מנהל החבילות `rpm - ostree` עובד על ידי הורדת תמונת בסיס עבור המערכת, ולאחר מכן שכבת חבילות מעליה ב [git](https://en.wikipedia.org/wiki/Git)- כמו להתחייב עץ. כאשר המערכת מתעדכנת, מורידים תמונת בסיס חדשה ושכבות העל יוחלו על תמונה חדשה זו. + +לאחר השלמת העדכון, תאתחל מחדש את המערכת לפריסה החדשה. `rpm - ostree` שומר שתי פריסות של המערכת, כך שתוכל בקלות לחזור לאחור אם משהו נשבר בפריסה החדשה. יש גם אפשרות להצמיד יותר פריסות לפי הצורך. + +[Flatpak](https://www.flatpak.org) היא שיטת התקנת החבילה העיקרית בהפצות אלה, מכיוון ש-`rpm-ostree` נועדה רק לכיסוי חבילות שאינן יכולות להישאר בתוך מיכל על גבי תמונת הבסיס. + +כחלופה Flatpaks, יש את האפשרות של[Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) כדי ליצור [Podman](https://podman.io) עם ספריית בית משותפת עם מערכת ההפעלה המארח לחקות סביבת פדורה מסורתית, המהווה [תכונה שימושית](https://containertoolbx.org) עבור מפתח הבחנה. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS היא הפצה עצמאית המבוססת על מנהל החבילות של Nix ומתמקדת בשחזור ואמינות. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +מנהל החבילות של NixOS שומר כל גרסה של כל חבילה בתיקיה אחרת בחנות **Nix store**. בשל כך אתה יכול לקבל גירסאות שונות של אותה חבילה מותקנת על המערכת שלך. לאחר שתוכן החבילה נכתב לתיקייה, התיקייה נעשית לקריאה בלבד. + +NixOS מספקת גם עדכונים אטומיים; תחילה היא מורידה (או בונה) את החבילות והקבצים עבור דור המערכת החדש ולאחר מכן עוברת אליו. ישנן דרכים שונות לעבור לדור חדש; באפשרותך להורות ל - NixOS להפעיל אותו לאחר אתחול מחדש או לעבור אליו בזמן ריצה. אתה יכול גם *לבדוק* הדור החדש על ידי מעבר אליו בזמן ריצה, אבל לא הגדרת אותו כמו הדור הנוכחי של המערכת. אם משהו בתהליך העדכון נשבר, אתה יכול פשוט לאתחל באופן אוטומטי ולחזור לגירסה עובדת של המערכת שלך. + +Nix מנהל החבילות משתמש בשפה פונקציונלית טהורה - הנקראת גם Nix - כדי להגדיר חבילות. + +[Nixpkgs](https://github.com/nixos/nixpkgs)(המקור העיקרי של חבילות) נמצאים במאגר אחד של GitHub. אתה יכול גם להגדיר חבילות משלך באותה שפה ולאחר מכן בקלות לכלול אותם בתצורה שלך. + +Nix הוא מנהל חבילות מבוסס מקור; אם אין מוכן מראש זמין במטמון הבינארי, ניקס פשוט יבנה את החבילה מהמקור באמצעות ההגדרה שלו. הוא בונה כל חבילה בסביבה *טהורה* בארגז חול, שאינה תלויה ככל האפשר במערכת המארחת, ובכך הופכת את הקבצים הבינאריים לניתנים לשחזור. + +## הפצות ממוקדות אנונימיות + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** מבוסס על [Kicksecure](https://www.whonix.org/wiki/Kicksecure), מזלג ממוקד אבטחה של דביאן. מטרתו לספק פרטיות, אבטחה ואנונימיות באינטרנט. כדאי להשתמש ב - Whonix בשילוב עם [Qubes OS](# qubes- os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix אמור לפעול כמו שתי מכונות וירטואליות: "תחנת עבודה" ו "שער" Tor כל התקשורת מתחנת העבודה חייבת לעבור דרך שער טור. משמעות הדבר היא כי גם אם תחנת העבודה נפגעת על ידי תוכנות זדוניות מסוג כלשהו, כתובת ה - IP האמיתית נשארת מוסתרת. + +חלק מהתכונות כוללות בידוד Tor Stream, אנונימיזציה של [הקשות](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [החלפה מוצפנת](https://github.com/Whonix/swap-file-creator), והקצאת זיכרון מוקשה. + +גירסאות עתידיות של Whonix יכללו ככל הנראה [מדיניות AppArmor מערכת מלאה](https://github.com/Whonix/apparmor-profile-everything) ו [משגר יישום ארגז חול](https://www.whonix.org/wiki/Sandbox-app-launcher) כדי להגביל באופן מלא את כל התהליכים במערכת. + +Whonix הוא הטוב ביותר בשימוש [בשילוב עם Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes - Whonix יש [חסרונות שונים](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) בהשוואה hypervisors אחרים. + +### Tails + +!!! recommendation + + ![Tails לוגו](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** היא מערכת הפעלה חיה המבוססת על דביאן המנתבת את כל התקשורת דרך Tor, שיכולה לאתחל כמעט כל מחשב מ - DVD, מקל USB או התקנת כרטיס SD. הוא משתמש ב - [Tor](tor.md) כדי לשמור על פרטיות ואנונימיות תוך עקיפת הצנזורה, והוא אינו מותיר עקבות של עצמו במחשב שבו הוא נמצא בשימוש לאחר שהוא כבוי. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails הוא נהדר עבור זיהוי פלילי נגדי עקב אמנזיה (כלומר שום דבר לא נכתב לדיסק); עם זאת, זו אינה התפלגות קשוחה כמו ווניקס. היא חסרה תכונות אנונימיות ואבטחה רבות שיש ל - Whonix ומתעדכנת בתדירות נמוכה בהרבה (רק אחת לשישה שבועות). מערכת Tails כי הוא נפגע על ידי תוכנות זדוניות עשוי לעקוף את פרוקסי שקוף המאפשר למשתמש להיות deanonymized. + +Tailsכולל[uBlock Origin](desktop-browsers.md#ublock-origin) בדפדפן Tor כברירת מחדל, מה שעשוי להקל על יריבים למשתמשים בזנבות טביעות אצבע. [Whonix](desktop.md#whonix) מכונות וירטואליות עשויות להיות יותר חסינות מפני דליפות, אך הן אינן אמנזיה, כלומר ניתן לשחזר נתונים ממכשיר האחסון שלך. + +על ידי עיצוב, Tails נועד לאפס את עצמו לחלוטין לאחר כל אתחול מחדש. ניתן להגדיר [אחסון קבוע](https://tails.boum.org/doc/first_steps/persistence/index.en.html) מוצפן כדי לאחסן נתונים מסוימים בין אתחולים מחדש. + +## הפצות ממוקדות אבטחה + +### Qubes OS + +!!! recommendation + + ![לוגו של מערכת ההפעלה Qubes ]( assets/img/qubes/qubes_os.svg){ align=right } + + **מערכת ההפעלה Qubes** היא מערכת הפעלה בקוד פתוח שנועדה לספק אבטחה חזקה למחשוב שולחני. Qubes מבוססת על Xen, מערכת החלונות X ולינוקס, ויכולה להריץ את רוב יישומי לינוקס ולהשתמש ברוב מנהלי ההתקן של לינוקס. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=תיעוד } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=לתרומה } + +Qubes OS היא מערכת הפעלה מבוססת Xen שנועדה לספק אבטחה חזקה למחשוב שולחני באמצעות מכונות וירטואליות מאובטחות (VMs), הידוע גם בשם *Qubes*. + +מערכת ההפעלה Qubes מאבטחת את המחשב על ידי בידוד תת - מערכות (למשל, רשת, USB וכו ') ויישומים ב - VMs נפרדים. אם חלק אחד של המערכת נפגע, הבידוד הנוסף עשוי להגן על שאר המערכת. לפרטים נוספים ראו Qubes [FAQ](https://www.qubes-os.org/faq/). + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +מערכות ההפעלה המומלצות שלנו: + +- זה חייב להיות קוד פתוח. +- חייבים לקבל עדכוני תוכנה וליבת לינוקס באופן קבוע. +- הפצות לינוקס חייבות לתמוך ב[Wayland](os/linux-overview.md#Wayland). +- חייב לתמוך בהצפנה בדיסק מלא במהלך ההתקנה. +- אין להקפיא מהדורות רגילות במשך יותר משנה. [איננו ממליצים](os/linux-overview.md#release-cycle) על מהדורות distro "תמיכה לטווח ארוך" או "יציבה" לשימוש בשולחן העבודה. +- חייב לתמוך במגוון רחב של חומרה. diff --git a/i18n/he/dns.md b/i18n/he/dns.md new file mode 100644 index 00000000..f632ee69 --- /dev/null +++ b/i18n/he/dns.md @@ -0,0 +1,139 @@ +--- +title: "ספקי DNS" +icon: material/dns +description: אלו הם כמה ספקי DNS מוצפנים שאנו ממליצים לעבור אליהם, כדי להחליף את תצורת ברירת המחדל של ספק שירותי האינטרנט שלך. +--- + +יש להשתמש ב-DNS מוצפן עם שרתי צד שלישי רק כדי לעקוף [חסימת DNS](https://en.wikipedia.org/wiki/DNS_blocking) בסיסית כאשר אתה יכול להיות בטוח שלא יהיו השלכות. DNS מוצפן לא יעזור לך להסתיר את פעילות הגלישה שלך. + +[למד עוד :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## ספקים מומלצים + +| ספקי DNS | מדיניות פרטיות | פרוטוקולים | תיעוד בקשות | ECS | סינון | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | -------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH
DoT
DNSCrypt | חלקי[^1] | לא | מבוסס על בחירת שרת. רשימת סינון בשימוש ניתן למצוא כאן. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | חלקי[^2] | לא | מבוסס על בחירת שרת. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH
DoT
DNSCrypt
DoQ
DoH3 | אופציונאלי[^3] | לא | מבוסס על בחירת שרת. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | לא[^4] | לא | מבוסס על בחירת שרת. רשימת סינון בשימוש ניתן למצוא כאן. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | אופציונאלי[^5] | אופציונאלי | מבוסס על בחירת שרת. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | חלק[^6] | אופציונאלי | בהתבסס על בחירת השרת, תוכנות זדוניות חוסמות כברירת מחדל. | + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בְּספק, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב לתמוך ב [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [מזעור QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- אפשר ל - [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) להיות מנוטרל +- תעדוף תמיכה ב[Anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) או תמיכה ב"היגוי גיאוגרפי". + +## תמיכה מובנת במערכת ההפעלה + +### אנדרואיד + +אנדרואיד 9 ומעלה תומכת ב-DNS דרך TLS. ניתן למצוא את ההגדרות ב: **הגדרות** → **רשת & אינטרנט** → **פרטי DNS**. + +### מוצרי Apple + +הגרסאות האחרונות של iOS, iPadOS, tvOS ו-macOS, תומכות הן ב-DoT והן ב-DoH. שני הפרוטוקולים נתמכים באופן מקורי באמצעות [פרופילי תצורה](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) או דרך [ממשק API להגדרות DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +לאחר התקנה של פרופיל תצורה או אפליקציה המשתמשת ב-API של הגדרות DNS, ניתן לבחור את תצורת ה-DNS. אם VPN פעיל, הרזולוציה בתוך מנהרת ה-VPN תשתמש בהגדרות ה-DNS של ה-VPN ולא בהגדרות כלל המערכת שלך. + +#### פרופילים חתומים + +Apple אינה מספקת ממשק מקורי ליצירת פרופילי DNS מוצפנים. [יוצר פרופיל DNS מאובטח](https://dns.notjakob.com/tool.html) הוא כלי לא רשמי ליצירת פרופילי DNS מוצפנים משלך, אולם הם לא ייחתמו. פרופילים חתומים מועדפים; החתימה מאמתת את מקור הפרופיל ומסייעת להבטיח את שלמות הפרופילים. תווית "מאומת" ירוקה ניתנת לפרופילי תצורה חתומים. לקבלת מידע נוסף על חתימת קוד, ראה [אודות חתימת קוד](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **פרופילים חתומים** מוצעים על ידי [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), ו [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info "מידע" + + `systemd-resolved`, שהפצות לינוקס רבות משתמשות בו כדי לבצע את חיפושי ה-DNS שלהם, עדיין לא [תומך ב-DoH](https://github.com/systemd/systemd/issues/8639). אם אתה רוצה להשתמש ב-DoH, תצטרך להתקין פרוקסי כמו [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) ו[להגדיר אותו](https://wiki.archlinux.org/title/Dnscrypt-proxy) כדי לקחת את כל שאילתות ה-DNS מפותר המערכת ולהעביר אותן באמצעות HTTPS. + +## פרוקסי DNS מוצפנים + +תוכנת פרוקסי DNS מוצפנת מספקת פרוקסי מקומי שאליו ניתן להעביר את פותר [ה-DNS הלא מוצפן](advanced/dns-overview.md#unencrypted-dns). בדרך כלל הוא משמש בפלטפורמות שאינן תומכות באופן מקורי [ב-DNS מוצפן](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS לוגו](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS לוגו](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** הוא לקוח אנדרואיד בקוד פתוח התומך ב [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) ו-DNS Proxy יחד עם שמירה במטמון של תגובות DNS, רישום מקומי של שאילתות DNS וניתן להשתמש בהם גם בתור חומת אש. + + [:octicons-home-16: דף הבית](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy לוגו](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** הוא פרוקסי DNS עם תמיכה ב-[DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https -doh), ו-[DNS אנונימי](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "תכונת ה-DNS האנונימית עושה [**לא**](advanced/dns-overview.md#why-shouldn't-i-use-encrypted-dns) אנונימית לתעבורת רשת אחרת." + + [:octicons-repo-16: מאגר](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## פתרונות אירוח עצמי + +פתרון DNS שמתארח בעצמו שימושי לאספקת סינון בפלטפורמות מבוקרות, כגון טלוויזיות חכמות והתקני IoT אחרים, מכיוון שאין צורך בתוכנה בצד הלקוח. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home לוגו](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** הוא קוד פתוח [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) שמשתמש ב[סינון DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) כדי לחסום תוכן אינטרנט לא רצוי, כגון פרסומות. + + AdGuard Home כולל ממשק אינטרנט משופשף כדי להציג תובנות ולנהל תוכן חסום. + + [:octicons-home-16: דף הבית](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="קוד מקור" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole לוגו](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** הוא קוד פתוח [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) שמשתמש ב[סינון DNS](https://www.cloudflare.com/learning/access -management/what-is-dns-filtering/) כדי לחסום תוכן אינטרנט לא רצוי, כגון פרסומות. + + Pi-hole מיועד להתארח ב-Raspberry Pi, אך הוא אינו מוגבל לחומרה כזו. התוכנה כוללת ממשק אינטרנט ידידותי כדי להציג תובנות ולנהל תוכן חסום. + + [:octicons-home-16: דף הבית](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=לתרומה } + +[^1]: AdGuard מאחסן מדדי ביצועים מצטברים של שרתי ה-DNS שלהם, כלומר מספר הבקשות המלאות לשרת מסוים, מספר הבקשות החסומות ומהירות עיבוד הבקשות. הם גם שומרים ומאחסנים את מסד הנתונים של הדומיינים שהתבקשו ב-24 השעות האחרונות. "אנחנו צריכים את המידע הזה כדי לזהות ולחסום עוקבים ואיומים חדשים." "אנחנו גם מתעדים כמה פעמים גשש זה או אחר נחסם. אנחנו צריכים את המידע הזה כדי להסיר את הכללים המיושנים מהמסננים שלנו." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare אוספת ומאחסנת רק את נתוני שאילתת ה-DNS המוגבלים שנשלחים לפותר 1.1.1.1. שירות הפותר 1.1.1.1 אינו רושם נתונים אישיים, וחלק הארי של נתוני השאילתות המוגבלים שאינם ניתנים לזיהוי אישי מאוחסן למשך 25 שעות בלבד. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D רק מתעדים עבור פותרי Premium עם פרופילי DNS מותאמים אישית. פותרים חינמיים אינם רושמים נתונים. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: שירות ה-DNS של Mullvad זמין הן למנויים והן ללא מנויים של Mullvad VPN. מדיניות הפרטיות שלהם טוענת במפורש שהם לא רושמים בקשות DNS בשום צורה. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS יכול לספק תובנות ותכונות רישום על בסיס הסכמה. אתה יכול לבחור זמני שמירה ומיקומי אחסון ביומן עבור כל יומן שתבחר לשמור. אם זה לא מתבקש במיוחד, לא נרשמים נתונים. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 אוספת חלק מהנתונים למטרות ניטור ותגובה של איומים. לאחר מכן ניתן לערבב מחדש את הנתונים הללו ולשתף אותם, למשל לצורך מחקר אבטחה. Quad9 אינה אוספת או מתעדת כתובות IP או נתונים אחרים שלדעתם ניתנים לזיהוי אישי. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/he/email-clients.md b/i18n/he/email-clients.md new file mode 100644 index 00000000..3b56905b --- /dev/null +++ b/i18n/he/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "לקוחות אימייל" +icon: material/email-open +description: לקוחות אימייל אלה מכבדים פרטיות ותומכים בהצפנת אימייל OpenPGP. +--- + +רשימת ההמלצות שלנו מכילה לקוחות אימייל התומכים הן ב[OpenPGP](encryption.md#openpgp) והן באימות חזק כגון [הרשאת פתוחה ](https://en.wikipedia.org/wiki/OAuth)(OAuth). OAuth מאפשר לך להשתמש ב - [אימות רב - גורמי](basics/multi-factor-authentication.md) ולמנוע גניבת חשבון. + +??? warning "אימייל אינו מספק סודיות העברה" + + בעת שימוש בטכנולוגיית הצפנה מקצה לקצה (E2EE) כמו OpenPGP, לאימייל עדיין יהיו [כמה מטא נתונים](email.md#email-metadata-overview) שאינם מוצפנים בכותרת האימייל. + + OpenPGP גם לא תומך ב[סודיות העברה](https://en.wikipedia.org/wiki/Forward_secrecy), כלומר אם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו איתו ייחשפו: [ כיצד אוכל להגן על המפתחות הפרטיים שלי?](basics/email-security.md) שקול להשתמש באמצעי המספק סודיות קדימה: + + [תקשורת בזמן אמת](real-time-communication.md){ .md-button } + +## חוצה פלטפורמות + +### Thunderbird + +!!! recommendation + + ![Thunderbird לוגו](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** הוא לקוח חינמי, קוד פתוח, חוצה פלטפורמות אימייל, קבוצת דיון, עדכון חדשות וצ'אט (XMPP, IRC, Twitter) שפותח על ידי קהילת Thunderbird, ולפני כן על ידי קרן Mozilla. + + [:octicons-home-16: דף הבית](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="מדינות פרטיות" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=תיעוד} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: ווינדוס](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: לינקוס](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### תצורה מומלצת + +מומלץ לשנות חלק מהגדרות אלה כדי להפוך את Thunderbird לפרטי יותר. + +ניתן למצוא אפשרויות אלה ב - :material-menu: ← **הגדרות** ← **פרטיות & אבטחה**. + +##### תוכן אינטרנט + +- [ ] בטל את הסימון **זכור אתרים וקישורים שביקרתי** +- [ ] בטל את הסימון של **קבל קובצי Cookie מאתרים** + +##### טלמטריה + +- [ ] בטל את הסימון **אפשר ל - Thunderbird לשלוח נתונים טכניים ונתוני אינטראקציה ל - Mozilla** + +#### Thunderbird-user.js (מתקדם) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), היא קבוצה של אפשרויות תצורה שמטרתה להשבית כמה שיותר מתכונות הגלישה באינטרנט בתוך Thunderbird על מנת להקטין את שטח הפנים ולשמור על פרטיות. חלק מהשינויים הם backported מפרויקט [Arkenfox](https://github.com/arkenfox/user.js). + +## ספציפית לפלטפורמה + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail לוגו](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** כלול ב-macOS וניתן להרחיב אותו כך שתהיה לו תמיכה ב-OpenPGP עם [GPG Suite](encryption.md#gpg-suite), אשר מוסיפה את היכולת לשלוח מייל מוצפן PGP. + + [:octicons-home-16: דף הבית](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=תיעוד} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail לוגו](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** הוא לקוח אימייל בתשלום שנועד להפוך את ההצפנה מקצה לקצה לחלקה עם תכונות אבטחה כגון נעילת אפליקציה ביומטרית. + + [:octicons-home-16: דף הבית](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning "אזהרה" + + Canary Mail הוציאה רק לאחרונה לקוח של Windows ואנדרואיד, אם כי אנחנו לא מאמינים שהם יציבים כמו עמיתיהם של iOS ו-Mac. + +Canary Mail הוא קוד סגור. אנו ממליצים על זה בגלל האפשרויות המעטות שיש עבור לקוחות אימייל ב-iOS התומכים ב-PGP E2EE. + +### FairEmail (אנדרואיד) + +!!! recommendation + + ![FairEmail לוגו](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** היא אפליקציית אימייל מינימלית בקוד פתוח, המשתמשת בסטנדרטים פתוחים (IMAP, SMTP, OpenPGP) עם צריכת נתונים וסוללה נמוכה. + + [:octicons-home-16: דף הבית](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution לוגו](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** הוא יישום לניהול מידע אישי המספק פונקציונליות משולבת של דואר, לוחות שנה ופנקס כתובות. ל-Evolution יש [תיעוד](https://help.gnome.org/users/evolution/stable/) נרחב שיעזור לך להתחיל. + + [:octicons-home-16: דף הבית](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K -9 Mail (אנדרואיד) + +!!! recommendation + + ![K-9 Mail לוגו](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** היא אפליקציית מייל עצמאית התומכת גם בתיבות דואר POP3 וגם IMAP, אך תומכת רק בדואר דואר עבור IMAP. + + בעתיד, K-9 Mail יהיה [המותג הרשמי](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) לקוח Thunderbird עבור אנדרואיד. + + [:octicons-home-16: דף הבית](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning "אזהרה" + + כשמשיבים למישהו ברשימת תפוצה, אפשרות ה"תשובה" עשויה לכלול גם את רשימת התפוצה. למידע נוסף ראה [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact לוגו](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** הוא יישום מנהל מידע אישי (PIM) מפרויקט [KDE](https://kde.org). הוא מספק לקוח מייל, פנקס כתובות, מארגן ולקוח RSS. + + [:octicons-home-16: דף הבית](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=תיעוד} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (דפדפן) + +!!! recommendation + + ![Mailvelope לוגו](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** היא תוסף דפדפן המאפשר החלפת מיילים מוצפנים בהתאם לתקן ההצפנה OpenPGP. + + [:octicons-home-16: דף הבית](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt לוגו](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** הוא קורא דואר שורת פקודה בקוד פתוח (או MUA) עבור לינוקס ו-BSD. זה מזלג של [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) עם תכונות נוספות. + + NeoMutt הוא לקוח מבוסס טקסט שיש לו עקומת למידה תלולה. עם זאת, זה מאוד להתאמה אישית. + + [:octicons-home-16: דף הבית](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- יישומים שפותחו עבור מערכות הפעלה בקוד פתוח חייבים להיות קוד פתוח. +- לא יכול לאסוף טלמטריה, או שיש דרך קלה להפוך את כל הטלמטריה ללא זמינה. +- חייב לתמוך בהצפנת הודעות OpenPGP. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- זה צריך להיות קוד פתוח. +- צריך להיות חוצה פלטפורמות. +- אינו אוסף טלמטריה כברירת מחדל. +- צריך לתמוך ב - OpenPGP באופן מקורי, כלומר ללא הרחבות. +- יש לתמוך באחסון הודעות דואר אלקטרוני מוצפנות של OpenPGP באופן מקומי. diff --git a/i18n/he/email.md b/i18n/he/email.md new file mode 100644 index 00000000..2dc5fa1f --- /dev/null +++ b/i18n/he/email.md @@ -0,0 +1,503 @@ +--- +title: "שירותי אימייל" +icon: material/email +description: ספקי אימייל אלה מציעים מקום מצוין לאחסן את המיילים שלך בצורה מאובטחת, ורבים מציעים הצפנת OpenPGP הניתנת להפעלה הדדית עם ספקים אחרים. +--- + +אימייל הוא למעשה הכרח לשימוש בכל שירות מקוון, אולם איננו ממליצים עליו לשיחות מאדם לאדם. דואר אלקטרוני הוא למעשה הכרח שימוש בכל שירות מקוון, אולם איננו ממליצים עליו לשיחות מאדם לאדם. + +[מסנג'רים (הודעות מיידיות) מומלצות](real-time-communication.md ""){.md-button} + +לכל השאר, אנו ממליצים על מגוון ספקי דוא"ל המבוססים על מודלים עסקיים ברי קיימא ותכונות אבטחה ופרטיות מובנות. + +- [ספקי דוא"ל תואמי OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [ספקים מוצפנים אחרים :material-arrow-right-drop-circle:](#more-providers) +- [שירותי כינוי אימייל :material-arrow-right-drop-circle:](#email-aliasing-services) +- [אפשרויות אירוח עצמי :material-arrow-right-drop-circle:](#self-hosting-email) + +## ספקי דוא"ל מומלצים + +ספקים אלה תומכים באופן מקורי בהצפנה/פענוח של OpenPGP ובתקן Web Key Directory (WKD), המאפשרים הודעות אימייל E2EE אגנוסטיות לספקים. לדוגמה, משתמש Proton Mail יכול לשלוח הודעת E2EE למשתמש Mailbox.org, או שאתה יכול לקבל התראות מוצפנות OpenPGP משירותי אינטרנט התומכים בכך. + +
+ +- ![Proton Mail לוגו](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning "אזהרה" + + בעת שימוש בטכנולוגיית E2EE כמו OpenPGP, לדוא"ל עדיין יהיו כמה מטא נתונים שאינם מוצפנים בכותרת האימייל. קרא עוד על [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP גם אינו תומך בסודיות קדימה, מה שאומר שאם המפתח הפרטי שלך או של הנמען ייגנב אי פעם, כל ההודעות הקודמות שהוצפנו באמצעותו ייחשפו. [איך אני מגן על המפתחות הפרטיים שלי?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail לוגו](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** הוא שירות דואר אלקטרוני עם התמקדות בפרטיות, הצפנה, אבטחה וקלות שימוש. הם פועלים מאז **2013**. Proton AG מבוססת בז'נב, שוויץ. חשבונות מתחילים עם 500 MB אחסון עם התוכנית החינמית שלהם. + + [:octicons-home-16: דף הבית](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +לחשבונות חינמיים יש מגבלות מסוימות, כגון חוסר היכולת לחפש גוף טקסט ואי גישה ל[Proton Mail Bridge](https://proton.me/mail/bridge), אשר נדרש כדי השתמש ב[לקוח אימייל שולחן העבודה המומלץ](email-clients.md) (למשל Thunderbird). חשבונות בתשלום כוללים תכונות כגון Proton Mail Bridge, אחסון נוסף ותמיכה בתחומים מותאמים אישית. [מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton Mail ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum.com). + +אם יש לך תוכנית Proton Unlimited, Business או Visionary, אתה גם מקבל [SimpleLogin](#simplelogin) פרימיום בחינם. + +ל-Proton Mail יש דוחות קריסה פנימיים שהם **לא** חולקים עם צדדים שלישיים. ניתן להשבית אפשרות זו ב: **הגדרות** > **עבור אל הגדרות** > **חשבון** > **אבטחה ופרטיות** > **שלח דוחות קריסה**. + +#### :material-check:{ .pg-green } דומיינים וכינויים מותאמים אישית + +מנויי Proton Mail בתשלום יכולים להשתמש בדומיין משלהם עם השירות או בכתובת [תפוס-הכל](https://proton.me/support/catch-all). Proton Mail תומך גם ב[כתובת משנה](https://proton.me/support/creating-aliases), שהיא שימושית לאנשים שלא רוצים לרכוש דומיין. + +#### :material-check:{ .pg-green } שיטות תשלום פרטיות + +Proton Mail [מקבל](https://proton.me/support/payment-options) מזומן בדואר בנוסף לתשלומי אשראי/חיוב רגילים, [ביטקוין](advanced/payments.md#other-coins-bitcoin-ethereum-etc) ופייפאל. + +#### :material-check:{ .pg-green } אבטחת חשבון + +Proton Mail תומך באימות TOTP ב[שני גורמים](https://proton.me/support/two-factor-authentication-2fa) וב[מפתחות אבטחת חומרה](https://proton.me/support/2fa-security-key) באמצעות תקני FIDO2 או U2F. השימוש במפתח אבטחת חומרה מחייב הגדרת אימות דו - שלבי של TOTP תחילה. + +#### :material-check:{ .pg-green } אבטחת מידע + +ל-Proton Mail יש [הצפנה עם אפס-גישה](https://proton.me/blog/zero-access-encryption) במצב מנוחה עבור המיילים ו[היומנים](https://proton.me/news/protoncalendar-security-model) שלך. נתונים המאובטחים באמצעות הצפנת אפס גישה נגישים רק לך. + +מידע מסוים המאוחסן ב-[Proton Contacts](https://proton.me/support/proton-contacts), כגון שמות תצוגה וכתובות אימייל, אינו מאובטח בהצפנה ללא גישה. שדות אנשי קשר התומכים בהצפנה ללא גישה, כגון מספרי טלפון, מסומנים בסמל מנעול. + +#### :material-check:{ .pg-green } הצפנת אימייל + +Proton Mail [שילבה הצפנת OpenPGP](https://proton.me/support/how-to-use-pgp) בדואר האינטרנט שלהם. אימיילים לחשבונות Proton Mail אחרים מוצפנים באופן אוטומטי, וניתן להפעיל הצפנה לכתובות שאינן פרוטון מייל עם מפתח OpenPGP בקלות בהגדרות החשבון שלך. הם גם מאפשרים לך [להצפין הודעות לכתובות שאינן Proton Mail](https://proton.me/support/password-protected-emails) מבלי להזדקק להן להירשם לחשבון Proton Mail או להשתמש בתוכנה כמו OpenPGP. + +Proton Mail תומך גם בגילוי מפתחות ציבוריים באמצעות HTTP מ[ספריית מפתחות האינטרנט (WKD)](https://wiki.gnupg.org/WKD) שלהם. זה מאפשר לאנשים שאינם משתמשים ב-Proton Mail למצוא בקלות את מפתחות OpenPGP של חשבונות Proton Mail, עבור E2EE חוצה ספקים. + + +#### :material-information-outline:{ .pg-blue } סגירת חשבון + +אם יש לך חשבון בתשלום והחשבון שלך [לא שולם](https://proton.me/support/delinquency) לאחר 14 יום, לא תוכל לגשת לנתונים שלך. לאחר 30 יום, החשבון שלך יהפוך לבלתי פעיל ולא יקבל דואר נכנס. אתה תמשיך להיות מחויב במהלך תקופה זו. + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +Proton Mail מציע חשבון "ללא הגבלה" במחיר של €9.99/חודש, המאפשר גם גישה ל-Proton VPN בנוסף לאספקת מספר חשבונות, דומיינים, כינויים ושטח אחסון של 500GB. + +Proton Mail אינו מציע תכונה מורשת דיגיטלית. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** הוא שירות דוא"ל עם התמקדות בלהיות מאובטח, ללא פרסומות ומופעל באופן פרטי על ידי 100% אנרגיה ידידותית לסביבה. הם פועלים מאז 2014. Mailbox.org ממוקם בברלין, גרמניה. חשבונות מתחילים בנפח אחסון של 2 ג'יגה-בייט, שניתן לשדרג לפי הצורך. + + [:octicons-home-16: דף הבית](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } דומיינים וכינויים מותאמים אישית + +Mailbox.org מאפשר לך להשתמש בדומיין משלך, והם תומכים בכתובות [תפוס כל](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org תומך גם [בכתובת משנה](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), וזה שימושי אם אינך רוצה לרכוש דומיין. + +#### :material-check:{ .pg-green } שיטות תשלום פרטיות + +Mailbox.org אינו מקבל מטבעות קריפטוגרפיים כלשהם כתוצאה מכך שמעבד התשלומים BitPay השהה את הפעולות בגרמניה. עם זאת, הם מקבלים מזומן בדואר, תשלום במזומן לחשבון בנק, העברה בנקאית, כרטיס אשראי, PayPal ועוד כמה מעבדים ספציפיים לגרמניה: paydirekt ו-Sofortüberweisung. + +#### :material-check:{ .pg-green } אבטחת חשבון + +Mailbox.org תומך ב[אימות דו-שלבי](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) עבור דואר האינטרנט שלהם בלבד. אתה יכול להשתמש ב-TOTP או ב-[Yubikey](https://en.wikipedia.org/wiki/YubiKey) דרך [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). תקני אינטרנט כגון [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) אינם נתמכים עדיין. + +#### :material-information-outline:{ .pg-blue } אבטחת מידע + +Mailbox.org מאפשר הצפנה של דואר נכנס באמצעות [תיבת הדואר המוצפנת](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox) שלהם. הודעות חדשות שתקבל יוצפנו באופן מיידי באמצעות המפתח הציבורי שלך. + +עם זאת, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), פלטפורמת התוכנה המשמשת את Mailbox.org, [אינה תומכת](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) בהצפנה של פנקס הכתובות והלוח שנה שלך. [אפשרות עצמאית](calendar.md) עשויה להתאים יותר למידע זה. + +#### :material-check:{ .pg-green } הצפנת אימייל + +ל-Mailbox.org יש [הצפנה משולבת](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) בדואר האינטרנט שלהם, מה שמקל על שליחת הודעות לאנשים עם מפתחות OpenPGP ציבוריים. הם גם מאפשרים [לנמענים מרוחקים לפענח אימייל בשרתים](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) של Mailbox.org. תכונה זו שימושית כאשר לנמען המרוחק אין OpenPGP ואין באפשרותו לפענח עותק של הדואר האלקטרוני בתיבת הדואר שלו. + +Mailbox.org תומך גם בגילוי מפתחות ציבוריים באמצעות HTTP מ-[Web Key Directory (WKD)](https://wiki.gnupg.org/WKD) שלהם. זה מאפשר לאנשים מחוץ Mailbox.org למצוא את מפתחות OpenPGP של חשבונות Mailbox.org בקלות, עבור E2EE חוצה ספקים. + +#### :material-information-outline:{ .pg-blue } סגירת חשבון + +החשבון שלך יוגדר לחשבון משתמש מוגבל כאשר החוזה שלך יסתיים, לאחר [30 יום הוא יימחק באופן בלתי הפיך](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +אתה יכול לגשת לחשבון Mailbox.org שלך דרך IMAP/SMTP באמצעות [שירות.onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org) שלהם. עם זאת, לא ניתן לגשת לממשק דואר האינטרנט שלהם באמצעות שירות.onion שלהם ואתה עלול להיתקל בשגיאות אישור TLS. + +כל החשבונות מגיעים עם אחסון ענן מוגבל ש[ניתן להצפנה](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org מציעה גם את הכינוי [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), אשר אוכף את הצפנת TLS על החיבור בין שרתי דואר, אחרת ההודעה לא תישלח כלל. Mailbox.org תומך גם ב-[Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) בנוסף לפרוטוקולי גישה סטנדרטיים כמו IMAP ו-POP3. + +Mailbox.org כולל תכונת מורשת דיגיטלית לכל התוכניות. אתה יכול לבחור אם אתה רוצה שכל הנתונים שלך יועברו ליורשים בתנאי שהם חלים ומספקים את הצוואה שלך. לחלופין, ניתן למנות אדם לפי שם וכתובת. + +## עוד ספקים + +ספקים אלה מאחסנים את המיילים שלך עם הצפנת אפס ידע, מה שהופך אותם לאפשרויות נהדרות לשמירה על אבטחת המיילים המאוחסנים שלך. עם זאת, הם אינם תומכים בתקני הצפנה הניתנים להפעלה הדדית עבור תקשורת E2EE בין ספקים. + +
+ +- ![StartMail לוגו](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail לוגו](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota לוגו](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail לוגו](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail לוגו](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + ** StartMail ** הוא שירות דואר אלקטרוני עם דגש על אבטחה ופרטיות באמצעות הצפנת OpenPGP סטנדרטית. StartMail פועלת מאז 2014 וממוקמת בBoulevard 11, Zeist הולנד. החשבון מתחיל עם 10GB. הם מציעים תקופת ניסיון של 30 יום. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } דומיינים וכינויים מותאמים אישית + +חשבונות אישיים יכולים להשתמש ב[כינויים מותאמים אישית או מהירים](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). [דומיינים מותאמים אישית](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) זמינים גם כן. + +#### :material-alert-outline:{ .pg-orange } שיטות תשלום פרטיות + +StartMail מקבלת ויזה, מאסטרקארד, אמריקן אקספרס ו - Paypal. ל-StartMail יש גם [אפשרויות תשלום](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) אחרות כגון [ביטקוין](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (כרגע רק עבור חשבונות אישיים) ו-SEPA ישיר עבור חשבונות מעל שנה. + +#### :material-check:{ .pg-green } אבטחת חשבון + +StartMail תומך באימות TOTP בשני גורמים עבור [דואר אינטרנט](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA) בלבד. הם אינם מאפשרים אימות מפתח אבטחה U2F. + +#### :material-information-outline:{ .pg-blue } אבטחת מידע + +ל-StartMail יש [הצפנת גישה אפסית במצב מנוחה](https://www.startmail.com/en/whitepaper/#_Toc458527835), באמצעות מערכת "כספת המשתמש" שלהם. כאשר אתה נכנס, הכספת נפתחת, ולאחר מכן הדואר האלקטרוני מועבר לכספת מחוץ לתור, שם הוא מפוענח על-ידי המפתח הפרטי המתאים. + +StartMail תומך בייבוא [אנשי קשר](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) עם זאת, הם נגישים רק בדואר האינטרנט ולא באמצעות פרוטוקולים כגון [CalDAV](https://en.wikipedia.org/wiki/CalDAV). אנשי קשר גם אינם מאוחסנים באמצעות הצפנת ידע אפס. + +#### :material-check:{ .pg-green } הצפנת אימייל + +ל-StartMail [הצפנה משולבת](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) בדואר האינטרנט שלהם, מה שמקל על שליחת הודעות מוצפנות עם מפתחות OpenPGP ציבוריים. עם זאת, הם אינם תומכים בתקן Web Key Directory, מה שהופך את גילוי המפתח הציבורי של תיבת דואר של Startmail למאתגר יותר עבור ספקי אימייל או לקוחות אחרים. + +#### :material-information-outline:{ .pg-blue } סגירת חשבון + +עם פקיעת החשבון, StartMail תמחק לצמיתות את חשבונך לאחר [ 6 חודשים בשלושה שלבים](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +StartMail מאפשר פרוקסי של תמונות בתוך הודעות דוא"ל. אם תאפשרו את טעינת התמונה המרוחקת, השולח לא יידע מהי כתובת ה-IP שלכם. + +StartMail אינו מציע תכונה דיגיטלית מדור קודם. + +### Tutanota + +!!! recommendation + + ![Tutanota לוגו](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** הוא שירות דוא"ל עם דגש על אבטחה ופרטיות באמצעות הצפנה. Tutanota פועלת מאז **2011** ובסיסה בהנובר, גרמניה. חשבונות מתחילים עם שטח אחסון של 1GB עם התוכנית החינמית שלהם. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota אינה משתמשת בפרוטוקול [IMAP](https://tutanota.com/faq/#imap) או בשימוש של [לקוחות דואר אלקטרוני של צד שלישי](email-clients.md), וגם לא תוכל להוסיף [חשבונות דואר אלקטרוני חיצוניים](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) לאפליקציית Tutanota. לא [ייבוא דוא"ל](https://github.com/tutao/tutanota/issues/630) או [תיקיות משנה](https://github.com/tutao/tutanota/issues/927) נתמכים כעת, אם כי זה [בשל להיות שונה](https://tutanota.com/blog/posts/kickoff-import). הודעות דוא"ל ניתן לייצא [בנפרד או על ידי בחירה בכמות גדולה](https://tutanota.com/howto#generalMail) לכל תיקייה, דבר שעלול להיות לא נוח אם יש לך תיקיות רבות. + +#### :material-check:{ .pg-green } דומיינים וכינויים מותאמים אישית + +חשבונות Tutanota בתשלום יכולים להשתמש בעד 5 [כינויים](https://tutanota.com/faq#alias) ו[דומיינים מותאמים אישית](https://tutanota.com/faq#custom-domain). Tutanota אינה מאפשרת [כתובת משנה (בתוספת כתובות)](https://tutanota.com/faq#plus), אבל אתה יכול להשתמש ב[תפוס הכל](https://tutanota.com/howto#settings-global) עם דומיין מותאם אישית. + +#### :material-information-outline:{ .pg-blue } שיטות תשלום פרטיות + +Tutanota מקבל ישירות כרטיסי אשראי ופייפאל, אולם ניתן להשתמש ב[מטבע קריפטוגרפי](cryptocurrency.md) לרכישת כרטיסי מתנה באמצעות [שותפות](https://tutanota.com/faq/#cryptocurrency) שלהם עם Proxystore. + +#### :material-check:{ .pg-green } אבטחת חשבון + +Tutanota תומך ב[אימות דו-שלבי](https://tutanota.com/faq#2fa) עם TOTP או U2F. + +#### :material-check:{ .pg-green } אבטחת מידע + +ל-Tutanota יש [הצפנת גישה אפס בזמן מנוחה](https://tutanota.com/faq#what-encrypted) עבור המיילים, [אנשי הקשר בפנקס](https://tutanota.com/faq#encrypted-address-book) הכתובות ו[היומנים](https://tutanota.com/faq#calendar) שלך. משמעות הדבר היא שההודעות ונתונים אחרים המאוחסנים בחשבונך ניתנים לקריאה רק על ידך. + +#### :material-information-outline:{ .pg-blue } הצפנת אימייל + +Tutanota [אינו משתמש ב-OpenPGP](https://www.tutanota.com/faq/#pgp). חשבונות Tutanota יכולים לקבל אימיילים מוצפנים רק מחשבונות אימייל שאינם של Tutanota כאשר הם נשלחים דרך [תיבת דואר זמנית של Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } סגירת חשבון + +Tutanota [ימחק חשבונות בחינם לא פעילים](https://tutanota.com/faq#inactive-accounts) לאחר שישה חודשים. אם ברצונך לשלם, באפשרותך להשתמש שוב בחשבון חינמי שהושבת. + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +Tutanota מציעה את הגרסה העסקית של [Tutanota לארגונים ללא מטרות רווח](https://tutanota.com/blog/posts/secure-email-for-non-profit) בחינם או בהנחה כבדה. + +ל-Tutanota יש גם תכונה עסקית בשם [חיבור מאובטח](https://tutanota.com/secure-connect/). זה מבטיח שיצירת קשר עם הלקוח לעסק משתמשת ב- E2EE. התכונה עולה 240 אירו לשנה. + +Tutanota לא מציעה פיצ'ר מורשת דיגיטלית. + +## שירותי כינוי דוא"ל + +שירות כינוי דוא"ל מאפשר לך ליצור בקלות כתובת דוא"ל חדשה עבור כל אתר שאתה נרשם אליו. כינויי הדואר האלקטרוני שאתה יוצר מועברים לאחר מכן לכתובת דוא"ל שתבחר, תוך הסתרת כתובת הדוא"ל "הראשית" שלך וגם זהות ספק הדוא"ל שלך. כינוי דוא"ל אמיתי טוב יותר מאשר כתובת פלוס הנפוצה בשימוש ונתמך על ידי ספקים רבים, מה שמאפשר לך ליצור כינויים כמו yourname+[anythinghere]@example.com, מכיוון שאתרים, מפרסמים ורשתות מעקב יכולים להסיר כל דבר לאחר סימן + כדי לדעת את כתובת הדוא"ל האמיתית שלך. + +
+ +- ![AnonAddy לוגו](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy לוגו](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin לוגו](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +כינוי דוא"ל יכול לשמש כהגנה למקרה שספק הדוא"ל שלך יפסיק לפעול. בתרחיש זה, באפשרותך לנתב מחדש בקלות את הכינויים שלך לכתובת דואר אלקטרוני חדשה. עם זאת, אתה נותן אמון בשירות הכינוי כדי להמשיך לתפקד. + +שימוש בשירות ייעודי של כינוי דואר אלקטרוני יש גם מספר יתרונות על פני כינוי 'לתפוס-הכל' על תחום מותאם אישית: + +- ניתן להפעיל ולכבות כינויים באופן אישי בעת הצורך, וכך למנוע מאתרי אינטרנט לשלוח לך דוא"ל באופן אקראי. +- התגובות נשלחות מכתובת הכינוי, ומגינות על כתובת הדוא"ל האמיתית שלך. + +תכונות חינמיות בולטות: + +- כינויים הם קבועים וניתן להפעיל אותם שוב אם אתה צריך לקבל משהו כמו איפוס סיסמה. +- הודעות דוא"ל נשלחות לתיבת הדואר המהימנה שלך ולא מאוחסנות על ידי ספק הכינויים. +- שירותי דואר אלקטרוני זמניים בדרך כלל יש תיבות דואר ציבוריות אשר ניתן לגשת על ידי כל מי שמכיר את הכתובת, כינויים פרטיים שלך. + +ההמלצות שלנו לכינוי דוא"ל הן ספקים המאפשרים לך ליצור כינויים בדומיינים שהם שולטים בהם, כמו גם דומיינ(ים) מותאמים אישית משלך תמורת תשלום שנתי צנוע. ניתן גם לארח אותם בעצמך אם אתה רוצה שליטה מקסימלית. עם זאת, שימוש בדומיין מותאם אישית יכול להיות בעל חסרונות הקשורים לפרטיות: אם אתה האדם היחיד המשתמש בדומיין המותאם אישית שלך, ניתן לעקוב בקלות אחר הפעולות שלך באתרי אינטרנט פשוט על ידי הסתכלות על שם הדומיין בכתובת הדוא"ל והתעלמות מכל מה שלפני ה-(@) סימן. + +שימוש בשירות כינויים מחייב לתת אמון הן בספק הדואר האלקטרוני שלך והן בספק הכתובות שלך בהודעות הלא מוצפנות שלך. חלק מהספקים מפחיתים זאת מעט עם הצפנת PGP אוטומטית, שמפחיתה את מספר הצדדים שאתה צריך לסמוך עליהם משניים לאחד על ידי הצפנת הודעות דוא"ל נכנסות לפני שהן נמסרות לספק תיבת הדואר הסופי שלך. + +### AnonAddy + +!!! recommendation + + ![AnonAddy לוגו](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy לוגו](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** מאפשרת לך ליצור 20 כינויים של דומיין בדומיין משותף בחינם, או כינויים "סטנדרטיים" ללא הגבלה שהם פחות אנונימיים. + + [:octicons-home-16: דף הבית](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +מספר הכינויים המשותפים (שמסתיימים בדומיין משותף כמו @anonaddy.me) שתוכלו ליצור מוגבל ל-20 בתוכנית החינמית של AnonAddy ול-50 בחבילה החינמית שלהם ב-12 דולר לשנה. אתה יכול ליצור כינויים סטנדרטיים בלתי מוגבלים (שמסתיימים בדומיין כמו @[username].anonaddy.com או דומיין מותאם אישית בתוכניות בתשלום), עם זאת, כאמור, זה יכול להזיק לפרטיות מכיוון שאנשים יכולים לקשור באופן טריוויאלי את הכינויים הסטנדרטיים שלך יחד על סמך שם הדומיין בלבד. כינויים משותפים ללא הגבלה זמינים תמורת $36 לשנה. + +תכונות חינמיות בולטות: + +- [x] 20 כינויים משותפים +- [x] כינויים סטנדרטיים ללא הגבלה +- [ ] אין תגובות יוצאות +- [x] 2 תיבות דואר של נמען +- [x] הצפנת PGP אוטומטית + +### SimpleLogin + +!!! recommendation + + ![Simplelogin לוגו](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** הוא שירות חינמי המספק כינויי דוא"ל על מגוון שמות דומיין משותפים, ובאופן אופציונלי מספק תכונות בתשלום כמו כינויים בלתי מוגבלים ודומיינים מותאמים אישית. + + [:octicons-home-16: דף הבית](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin [נרכשה על ידי Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) נכון ל-8 באפריל 2022. אם אתה משתמש ב-Proton Mail עבור תיבת הדואר הראשית שלך, SimpleLogin היא בחירה מצוינת. מכיוון ששני המוצרים נמצאים כעת בבעלות אותה חברה, כעת עליך לסמוך רק על ישות אחת. אנו גם מצפים ש-SimpleLogin תשתלב בצורה הדוקה יותר עם ההיצע של Proton בעתיד. SimpleLogin ממשיכה לתמוך בהעברה לכל ספק דוא"ל שתבחרו. Securitum [ביקרה את SimpleLogin](https://simplelogin.io/blog/security-audit/) בתחילת 2022 וכל הבעיות [טופלו](https://simplelogin.io/audit2022/web.pdf). + +תוכל לקשר את חשבון SimpleLogin שלך בהגדרות עם חשבון Proton שלך. אם יש לך את הפרוטון ללא הגבלה, עסקים, או תוכנית חזון, יהיה לך SimpleLogin פרימיום בחינם. + +תכונות חינמיות בולטות: + +- [x] 10 כינויים משותפים +- [x] תשובות ללא הגבלה +- [x] 1 תיבת דואר נמען + +## אימייל לאירוח עצמי + +מנהלי מערכת מתקדמים עשויים לשקול הגדרת שרת דואר אלקטרוני משלהם. שרתי דואר דורשים תשומת לב ותחזוקה שוטפת על מנת לשמור על דברים מאובטחים ועל משלוח דואר אמין. + +### פתרונות תוכנה משולבים + +!!! recommendation + + ![Mailcow לוגו](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** הוא שרת דואר מתקדם יותר המושלם עבור אלה עם קצת יותר ניסיון בלינוקס. יש לו את כל מה שאתה צריך במיכל Docker: שרת דואר עם תמיכה ב- DKIM, ניטור אנטי וירוס וספאם, דואר אינטרנט ו- ActiveSync עם SOGo, וניהול מבוסס אינטרנט עם תמיכה ב- 2FA. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=לתרומה } + +!!! recommendation + + ![Mail-in-a-Box לוגו](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** הוא סקריפט התקנה אוטומטי לפריסת שרת דואר באובונטו. מטרתו היא להקל על אנשים להגדיר שרת דואר משלהם. + + [:octicons-home-16: דף הבית](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="קוד מקור" } + +לגישה ידנית יותר בחרנו את שני המאמרים הבאים: + +- [הגדרת שרת דואר עם OpenSMTPD, Dovecot ו - Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [כיצד להפעיל שרת דואר משלך](https://www.c0ffee.net/blog/mail-server-guide/) (אוגוסט 2017) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף [לקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה לפני שתבחר ספק דוא"ל, ולערוך מחקר משלך כדי להבטיח שספק הדוא"ל שבחרת הוא הבחירה הנכונה עבורך. + +### טכנולוגיה + +אנו רואים בתכונות אלה חשיבות על מנת לספק שירות בטוח ומיטבי. אתה צריך לשקול אם לספק יש לו את התכונות שאתה צריך. + +**מינימום כדי לעמוד בדרישות:** + +- מצפין נתוני חשבון אימייל במצב מנוחה עם הצפנה ללא גישה. +- יכולת ייצוא כ [Mbox](https://en.wikipedia.org/wiki/Mbox) או .eml בודד עם תקן [RFC5322](https://datatracker.ietf.org/doc/rfc5322/). +- מאפשר למשתמשים להשתמש ב[שם דומיין](https://en.wikipedia.org/wiki/Domain_name) משלהם. שמות דומיין מותאמים אישית חשובים למשתמשים מכיוון שהם מאפשרים להם לתחזק את הסוכנות שלהם מהשירות, אם היא תהפוך לגרועה או תירכש על ידי חברה אחרת שאינה מתעדפת פרטיות. +- פועל על תשתית בבעלות, כלומר לא בנוי על ספקי שירותי דואר אלקטרוני של צד שלישי. + +**המקרה הטוב ביותר:** + +- מצפין את כל נתוני החשבון (אנשי קשר, יומנים וכו') במצב מנוחה עם הצפנה ללא גישה. +- הצפנת דואר אינטרנט משולבת E2EE/PGP מסופקת לנוחיותך. +- תמיכה עבור [WKD](https://wiki.gnupg.org/WKD) כדי לאפשר גילוי משופר של מפתחות OpenPGP ציבוריים באמצעות HTTP. משתמשי GnuPG יכולים לקבל מפתח על ידי הקלדה `gpg --locate-key example_user@example.com` +- תמיכה בתיבת דואר זמנית למשתמשים חיצוניים. פעולה זו שימושית כאשר ברצונך לשלוח דוא"ל מוצפן, מבלי לשלוח עותק בפועל לנמען שלך. למיילים אלה יש בדרך כלל תוחלת חיים מוגבלת ולאחר מכן נמחקות אוטומטית. הם גם לא דורשים מהנמען להגדיר שום קריפטוגרפיה כמו OpenPGP. +- זמינות שירותי ספק הדואר האלקטרוני באמצעות [שירות onion](https://en.wikipedia.org/wiki/.onion). +- [תמיכה בתת - כתובת](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- פונקציונליות של תפוס - הכל או כינוי עבור בעלי דומיינים משלהם. +- שימוש בפרוטוקולי גישה סטנדרטיים למייל כגון IMAP, SMTP או [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). פרוטוקולי גישה סטנדרטיים מבטיחים שלקוחות יכולים להוריד בקלות את כל האימייל שלהם, אם הם רוצים לעבור לספק אחר. + +### פרטיות + +אנו מעדיפים שהספקים המומלצים שלנו יאספו כמה שפחות נתונים. + +**מינימום כדי לעמוד בדרישות:** + +- להגן על כתובת ה - IP של השולח. מסנן אותו כך שלא יוצג בשדה `השולח` header. +- אין צורך במידע המאפשר זיהוי אישי (PII) מלבד שם משתמש וסיסמה. +- מדיניות פרטיות העומדת בדרישות ה - GDPR +- לא מאוחסן בארה"ב עקב [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) שעדיין [ לא עברה רפורמה](https://epic.org/ecpa/). + +**המקרה הטוב ביותר:** + +- מקבל [אפשרויות תשלום אנונימיות](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), מזומן, כרטיסי מתנה וכו') + +### אבטחה + +שרתי דואר אלקטרוני עוסקים בהרבה מאוד נתונים רגישים. אנו מצפים שהספקים יאמצו שיטות עבודה מומלצות בתעשייה כדי להגן על חבריהם. + +**מינימום כדי לעמוד בדרישות:** + +- הגנה על דואר אינטרנט עם 2FA, כגון TOTP. +- הצפנת אפס גישה, מתבססת על הצפנה במנוחה. לספק אין את מפתחות הפענוח של הנתונים שברשותו. פעולה זו מונעת מעובד שסרח להדליף נתונים שיש לו גישה אליהם או מיריב מרחוק לשחרר נתונים שגנב על ידי השגת גישה בלתי מורשית לשרת. +- תמיכה ב [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- אין שגיאות TLS או פגיעות בעת פרופיל על ידי כלים כגון [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), או [Qualys SSL Labs](https://www.ssllabs.com/ssltest); זה כולל שגיאות הקשורות לאישור ופרמטרים חלשים של DH, כגון אלה שהובילו ל - [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- העדפת חבילת שרתים (אופציונלית ב-TLSv1.3) עבור חבילות צופן חזקות התומכות בסודיות קדימה ובהצפנה מאומתת. +- [MTA-STS](https://tools.ietf.org/html/rfc8461) בתוקף וגם מדיניות [TLS-RPT](https://tools.ietf.org/html/rfc8460). +- בתוקף [רשומות DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). +- בתוקף [רשומות SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) ו - [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail). +- שיהיה לך מתאים [DMARC](https://en.wikipedia.org/wiki/DMARC) עבר ומדיניות או שימוש ב [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) לאימות. אם נעשה שימוש באימות DMARC, יש להגדיר את המדיניות ל- `דוחה` או `הסגר`. +- העדפת חבילת שרת של TLS 1.2 ואילך ותוכנית עבור [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [שליחת SMTPS](https://en.wikipedia.org/wiki/SMTPS), בהנחה שנעשה שימוש ב - SMTP. +- תקני אבטחת אתר אינטרנט כגון: + - [אבטחת תעבורה קפדנית של HTTP](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - שלמות [תת - מקור](https://en.wikipedia.org/wiki/Subresource_Integrity) אם מעמיסים דברים מדומיינים חיצוניים. +- חייב לתמוך בהצגה של [כותרות הודעות](https://en.wikipedia.org/wiki/Email#Message_header), מכיוון שזוהי תכונה משפטית חיונית כדי לקבוע אם הודעת דואר אלקטרוני היא ניסיון דיוג. + +**המקרה הטוב ביותר:** + +- תמיכה באימות חומרה, כלומר. U2F ו - [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F ו - WebAuthn מאובטחים יותר כאשר הם משתמשים במפתח פרטי המאוחסן בהתקן חומרה בצד הלקוח כדי לאמת אנשים, בניגוד לסוד משותף המאוחסן בשרת האינטרנט ובצד הלקוח בעת שימוש ב - TOTP. יתר על כן, U2F ו- WebAuthn עמידים יותר בפני דיוג מכיוון שתגובת האימות שלהם מבוססת על האימות [שם הדומיין](https://en.wikipedia.org/wiki/Domain_name). +- [אישור רשות ההסמכה של DNS (CAA) רשומת משאבים](https://tools.ietf.org/html/rfc6844) בנוסף לתמיכת DANE. +- יישום של [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), זה שימושי עבור אנשים שמפרסמים לרשימות דיוור [RFC8617](https://tools.ietf.org/html/rfc8617). +- תוכניות לחיפוש באגים ו/או תהליך גילוי - פגיעות מתואם. +- תקני אבטחת אתר אינטרנט כגון: + - [מדיניות אבטחת תוכן (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### אמון + +לא הייתם סומכים על הכספים שלכם למישהו שיש זהות מזויפת, אז למה לסמוך עליו עם הדוא"ל שלכם? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. + +**מינימום כדי לעמוד בדרישות:** + +- מנהיגות ציבורית או בעלות. + +**המקרה הטוב ביותר:** + +- מנהיגות מול הציבור. +- דוחות שקיפות תכופים. + +### שיווק + +עם ספקי הדוא"ל אנו ממליצים לראות שיווק אחראי. + +**מינימום כדי לעמוד בדרישות:** + +- יש לבצע ניתוח של אחסון עצמי (ללא Google Analytics, Adobe Analytics וכו '). האתר של הספק חייב גם לציית ל [DNT (לא לעקוב)](https://en.wikipedia.org/wiki/Do_Not_Track) למי שרוצה לבטל את הסכמתו. + +אסור שיהיה שיווק שהוא חסר אחריות: + +- טענות של "הצפנה בלתי שבירה " יש להשתמש בהצפנה מתוך כוונה שהיא לא תהיה סודית בעתיד כאשר הטכנולוגיה קיימת כדי לפצח אותה. +- ביצוע ערבויות של הגנה על 100% אנונימיות. כשמישהו טוען שמשהו הוא 100% זה אומר שאין ודאות לכישלון. אנחנו יודעים שאנשים יכולים בקלות להפוך את עצמם לאיאנונימיים במספר דרכים, למשל.: + +- שימוש חוזר במידע אישי, למשל (חשבונות דוא"ל, שמות בדויים ייחודיים וכו ') שאליו ניגשו ללא תוכנה אנונימיות (Tor, VPN וכו ') +- [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**המקרה הטוב ביותר:** + +- ברור וקל לקריאה. זה כולל דברים כמו, הגדרת 2FA, קליינט דוא"ל, OpenPGP וכו '. + +### פונקציונליות נוספת + +אמנם לא דרישות קפדניות, יש כמה גורמי נוחות או פרטיות אחרים שבדקנו בעת קביעת אילו ספקים להמליץ. diff --git a/i18n/he/encryption.md b/i18n/he/encryption.md new file mode 100644 index 00000000..7ddf812d --- /dev/null +++ b/i18n/he/encryption.md @@ -0,0 +1,357 @@ +--- +title: "תוכנת הצפנה" +icon: material/file-lock +description: הצפנה של נתונים היא הדרך היחידה לשלוט מי יכול לגשת אליו. כלים אלה מאפשרים לך להצפין את המיילים שלך וכל קובץ אחר. +--- + +הצפנה של נתונים היא הדרך היחידה לשלוט מי יכול לגשת אליו. אם אינך משתמש כעת בתוכנת הצפנה עבור הדיסק הקשיח, הודעות הדוא"ל או הקבצים שלך, עליך לבחור אפשרות כאן. + +## מרובה-פלטפורמות + +האפשרויות המפורטות כאן הן מרובות פלטפורמות ונהדרות ליצירת גיבויים מוצפנים של הנתונים שלך. + +### Cryptomator (ענן) + +!!! recommendation + + ![Cryptomator לוגו](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** הוא פתרון הצפנה המיועד לשמירה פרטית של קבצים לכל ספק ענן. הוא מאפשר לך ליצור כספות המאוחסנות בכונן וירטואלי, שתוכנן מוצפן ומסונכרן עם ספק אחסון הענן שלך. + + [:octicons-home-16: דף הבית](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator משתמש בהצפנת AES-256 כדי להצפין קבצים ושמות קבצים. Cryptomator אינו יכול להצפין מטא-נתונים כגון חותמות זמן של גישה, שינוי ויצירה, וגם לא את המספר והגודל של קבצים ותיקיות. + +מספר ספריות קריפטוגרפיות של Cryptomator [עברו ביקורת](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) על ידי Cure53. היקף הספריות המבוקרים כולל: [cryptolib](https://github.com/cryptomator/cryptolib), [ cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) ו-[cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). הביקורת לא התרחבה ל[cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), שהיא ספרייה המשמשת את Cryptomator עבור iOS. + +התיעוד של Cryptomator מפרט את [יעד האבטחה](https://docs.cryptomator.org/en/latest/security/security-target/) המיועד, [ארכיטקטורת האבטחה](https://docs.cryptomator.org/en/latest/security/architecture/) ו[שיטות העבודה המומלצות](https://docs.cryptomator.org/en/latest/security/best-practices/) לשימוש ביתר פירוט. + +### Picocrypt (קובץ) + +!!! recommendation + + ![Picocrypt לוגו](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** הוא כלי הצפנה קטן ופשוט המספק הצפנה מודרנית. Picocrypt משתמש בצופן המאובטח XChaCha20 ובפונקציית גזירת מפתח Argon2id כדי לספק רמת אבטחה גבוהה. הוא משתמש במודולי x/crypto הסטנדרטיים של Go עבור תכונות ההצפנה שלו. + + [:octicons-repo-16: מאגר](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (דיסק) + +!!! recommendation + + ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** הוא כלי תוכנה חופשית קוד פתוח המשמש להצפנה תוך כדי תנועה. זה יכול ליצור דיסק מוצפן וירטואלי בתוך קובץ, להצפין מחיצה או להצפין את כל התקן האחסון עם אימות לפני אתחול. + + [:octicons-home-16: דף הבית](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt הוא מזלג של פרויקט TrueCrypt שהופסק. על פי המפתחים שלה, שיפורים באבטחה יושמו וטופלו בעיות שעלו בביקורת הקוד הראשונית של TrueCrypt. + +בעת הצפנה עם VeraCrypt, יש לך אפשרות לבחור מבין [hash פונקציות](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme) שונות. אנו מציעים לך **לבחור** רק [SHA-512](https://en.wikipedia.org/wiki/SHA-512) ולהיצמד ל [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) צופן בלוק. + +Truecrypt [נבדק מספר פעמים](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), וגם VeraCrypt [נבדק בנפרד](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## הצפנת דיסק מלא של מערכת ההפעלה + +מערכות הפעלה מודרניות כוללות [FDE](https://en.wikipedia.org/wiki/Disk_encryption) ויהיה להן [מעבד קריפטו מאובטח](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker לוגו](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** הוא פתרון ההצפנה המלא המצורף ל-Microsoft Windows. הסיבה העיקרית שאנו ממליצים עליה היא בגלל [השימוש ב-TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), היא חברה לזיהוי פלילי, כתבה על כך ב- [הבנת BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=תיעוד} + +BitLocker [ נתמך רק](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) במהדורות Pro, Enterprise ו- Education של Windows. ניתן להפעיל אותו במהדורות ביתיות בתנאי שהן עומדות בדרישות המוקדמות. + +??? example "הפעלת BitLocker ב-Windows Home"" + + כדי להפעיל את BitLocker במהדורות "בית" של Windows, חייבות להיות לך מחיצות מעוצבות עם [טבלת מחיצות GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table) ובעלות TPM ייעודי (v1.2, 2.0+) מודול. + + 1. פתח שורת פקודה ובדוק את תבנית טבלת המחיצות של הכונן באמצעות הפקודה הבאה. אתה אמור לראות את "**GPT**" ברשימה תחת "סגנון מחיצה": + + ``` + powershell Get-Disk + ``` + + 2. הפעל פקודה זו (בשורת פקודה של אדמין) כדי לבדוק את גרסת ה-TPM שלך. אתה אמור לראות את `2.0` או `1.2` לצד `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. גישה ל[אפשרויות הפעלה מתקדמות](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). עליך לאתחל מחדש תוך כדי לחיצה על מקש F8 לפני הפעלת Windows ולהיכנס ל *שורת הפקודה* ב **פתרון בעיות** → **אפשרויות מתקדמות** → **שורת הפקודהPrompt**. + + 4. התחבר עם חשבון הניהול שלך והקלד זאת בשורת הפקודה כדי להתחיל בהצפנה: + + ``` + manage-bde -on c: -used + ``` + + 5. סגור את שורת הפקודה והמשך אתחול ל-Windows רגיל. + + 6. פתח שורת פקודה של מנהל מערכת והפעל את הפקודות הבאות: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip "טיפ" + + גיבוי 'BitLocker-Recovery-Key.txt' בשולחן העבודה שלך להתקן אחסון נפרד. אובדן קוד שחזור זה עלול לגרום לאובדן נתונים. + +### FileVault + +!!! recommendation + + ![FileVault לוגו](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** הוא פתרון הצפנת נפח תוך כדי תנועה המובנה ב-macOS. FileVault מומלץ כי זה [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) יכולות אבטחת חומרה הקיימות בשבב אפל סיליקון SoC או T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=תיעוד} + +אנו ממליצים לאחסן מפתח שחזור מקומי במקום מאובטח, בניגוד לשימוש בחשבון iCloud שלך לשחזור. + +### הגדרת מפתח מאוחדת של לינוקס + +!!! recommendation + + ![LUKS לוגו](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** היא שיטת ברירת המחדל של FDE עבור לינוקס. ניתן להשתמש בו כדי להצפין אמצעי אחסון מלאים, מחיצות או ליצור מיכלים מוצפנים. + + [:octicons-home-16: דף הבית](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="קוד מקור" } + +??? example "יצירה ופתיחה של גורמים מכילים מוצפנים" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### פתיחת קונטיינרים מוצפנים + אנו ממליצים לפתוח מיכלים ואמצעי אחסון עם `udisksctl` כפי שהוא משתמש ב [Polkit](https://en.wikipedia.org/wiki/Polkit). רוב מנהלי הקבצים, כמו אלה הכלולים בסביבות שולחן עבודה פופולריות, יכולים לפתוח קבצים מוצפנים. כלים כמו [udiskie](https://github.com/coldfix/udiskie) יכול לפעול במגש המערכת ולספק ממשק משתמש מועיל. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "זכור לגבות את כותרות עוצמת הקול" + + אנו ממליצים לך תמיד [לגבות את כותרות ה-LUKS שלך](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) במקרה של כשל חלקי בכונן. ניתן לעשות זאת עם: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/קובץ.img + ``` + +## מבוסס-דפדפן + +הצפנה מבוססת דפדפן יכולה להיות שימושית כאשר אתה צריך להצפין קובץ אבל לא יכול להתקין תוכנות או אפליקציות במכשיר שלך. + +### hat.sh + +!!! recommendation + + ![hat.sh לוגו](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh לוגו](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** הוא יישום אינטרנט המספק הצפנת קבצים מאובטחת בצד הלקוח בדפדפן שלך. הוא גם יכול להיות באחסון עצמי והוא שימושי אם אתה צריך להצפין קובץ אבל לא יכול להתקין שום תוכנה במכשיר שלך בגלל מדיניות ארגונית. + + [:octicons-globe-16: אתר](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="קוד מקור" } + :octicons-heart-16:{ .card-link title="ניתן למצוא את שיטות התרומות בתחתית האתר" } + +## שורת הפקודה + +כלים עם ממשקי שורת פקודה שימושיים לשילוב [סקריפטים של מעטפת](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor לוגו](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** הוא כלי הצפנת וחתימה של קבצים חינמי ופתוח העושה שימוש באלגוריתמים קריפטוגרפיים מודרניים ומאובטחים. המטרה היא להיות גרסה טובה יותר של [age](https://github.com/FiloSottile/age) ו [Minisign](https://jedisct1.github.io/minisign/) כדי לספק חלופה פשוטה וקלה יותר ל GPG. + + [:octicons-home-16: דף הבית](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb לוגו](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** הוא מעטפת מעטפת שורת פקודה עבור LUKS. הוא תומך בסטגנוגרפיה באמצעות [כלים של צד שלישי](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: דף הבית](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=לתרומה } + +## OpenPGP + +לעתים יש צורך ב-OpenPGP עבור משימות ספציפיות כמו חתימה דיגיטלית והצפנת דואר אלקטרוני. ל-PGP תכונות רבות והוא [מורכב](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) כפי שהוא קיים זמן רב. עבור משימות כגון חתימה או הצפנה של קבצים, אנו מציעים את האפשרויות לעיל. + +בעת הצפנה באמצעות PGP, יש לך אפשרות להגדיר אפשרויות שונות בקובץ `gpg.conf` שלך. אנו ממליצים להישאר עם האפשרויות הסטנדרטיות המפורטות ב[שאלות הנפוצות של משתמשי GnuPG ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "השתמש בברירות מחדל עתידיות בעת יצירת מפתח" + + כאשר [יוצרים מפתחות](https://www.gnupg.org/gph/en/manual/c14.html) אנו מציעים להשתמש בפקודה `future-default` מכיוון שזו תנחה את GnuPG להשתמש בקריפטוגרפיה מודרנית כגון [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) ו [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard לוגו](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** היא חלופה ברישיון GPL לחבילת PGP של תוכנות הצפנה. GnuPG תואם ל-[RFC 4880](https://tools.ietf.org/html/rfc4880), שהוא מפרט ה-IETF הנוכחי של OpenPGP. פרויקט GnuPG עבד על [טיוטה מעודכנת](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) בניסיון לחדש את OpenPGP. GnuPG הוא חלק מפרויקט התוכנה GNU של קרן התוכנה החופשית וקיבל [מימון] גדול (https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) מממשלת גרמניה. + + [:octicons-home-16: דף הבית](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win לוגו](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** היא חבילה עבור Windows מ-[Intevation ו-g10 Code](https://gpg4win.org/impressum.html). הוא כולל [כלים שונים](https://gpg4win.org/about.html) שיכולים לסייע לך בשימוש ב-GPG ב-Microsoft Windows. הפרויקט יזם ובמקור [מומן על ידי](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) המשרד הפדרלי של גרמניה למידע אבטחה (BSI) בשנת 2005. + + [:octicons-home-16: דף הבית](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note "הערה" + + אנו מציעים [Canary Mail](email-clients.md#canary-mail) לשימוש ב-PGP עם אימייל במכשירי iOS. + +!!! recommendation + + ![GPG Suite לוגו](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** מספקת תמיכה ב-OpenPGP עבור [Apple Mail](email-clients.md#apple-mail) ו-macOS. + + אנו ממליצים להסתכל על [השלבים הראשונים](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup- gpgtools-create-a-new-key-your-first-encrypted-email) ו-[בסיס ידע](https://gpgtools.tenderapp.com/kb) לתמיכה. + + [:octicons-home-16: דף הבית](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain לוגו](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** הוא יישום אנדרואיד של GnuPG. זה נדרש בדרך כלל על ידי לקוחות דואר כגון [K-9 Mail](email-clients.md#k-9-mail) ו- [FairEmail](email-clients.md#fairemail) ואפליקציות Android אחרות כדי לספק תמיכה בהצפנה. Cure53 השלימה [ביקורת אבטחה](https://www.openkeychain.org/openkeychain-3-6) של OpenKeychain 3.6 באוקטובר 2015. פרטים טכניים על הביקורת והפתרונות של OpenKeychain ניתן למצוא [כאן](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: דף הבית](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="קוד מקור" } + :octicons-heart-16:{ .card-link title="ניתן לתרום באפליקציה" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### כישורים מינימליים + +- אפליקציות הצפנה חוצות פלטפורמות חייבות להיות בקוד פתוח. +- אפליקציות להצפנת קבצים חייבות לתמוך בפענוח ב-Linux, macOS ו-Windows. +- אפליקציות להצפנת דיסק חיצוני חייבות לתמוך בפענוח ב-Linux, macOS ו-Windows. +- אפליקציות להצפנת דיסק פנימי (OS) חייבות להיות חוצות פלטפורמות או מובנות במערכת ההפעלה באופן מקורי. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- אפליקציות הצפנה של מערכת הפעלה (FDE) צריכות להשתמש באבטחת חומרה כגון TPM או Secure Enclave. +- אפליקציות להצפנת קבצים צריכות לקבל תמיכה של צד ראשון או שלישי עבור פלטפורמות ניידות. diff --git a/i18n/he/file-sharing.md b/i18n/he/file-sharing.md new file mode 100644 index 00000000..3e669472 --- /dev/null +++ b/i18n/he/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "שיתוף וסנכרון קבצים" +icon: material/share-variant +description: גלה כיצד לשתף את הקבצים שלך באופן פרטי בין המכשירים שלך, עם החברים והמשפחה שלך, או באופן אנונימי באינטרנט. +--- + +גלה כיצד לשתף את הקבצים שלך באופן פרטי בין המכשירים שלך, עם החברים והמשפחה שלך, או באופן אנונימי באינטרנט. + +## שיתוף קבצים + +### Send + +!!! recommendation + + ![Send לוגו](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** היא נגזרת של שירות Firefox Send של Mozilla שהופסקה המאפשר לך לשלוח קבצים לאחרים עם קישור. קבצים מוצפנים במכשיר שלך כך שלא ניתן לקרוא אותם על ידי השרת, והם יכולים להיות מוגנים באמצעות סיסמה. המתחזק של שלח Send מארח [מופע ציבורי](https://send.vis.ee/). אפשר להשתמש במועדים ציבוריים אחרים, או לארח לשלוח את עצמכם. + + [:octicons-home-16: דף הבית](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=לתרומה } + +ניתן להשתמש ב- Send דרך ממשק האינטרנט שלו או דרך [ffsend](https://github.com/timvisee/ffsend) CLI. אם אתה מכיר את שורת הפקודה ושולח קבצים לעתים קרובות, אנו ממליצים להשתמש בלקוח ה-CLI כדי להימנע מהצפנה מבוססת JavaScript. אתה יכול לציין את הדגל `--host` כדי להשתמש בשרת ספציפי: + +```bash +ffsend upload -- host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare לוגו](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** הוא כלי קוד פתוח המאפשר לך לשתף בצורה מאובטחת ואנונימית קובץ בכל גודל. זה עובד על ידי הפעלת שרת אינטרנט נגיש כשירות Tor onion, עם כתובת URL בלתי ניתנת לניחוש שתוכל לשתף עם הנמענים כדי להוריד או לשלוח קבצים. + + [:octicons-home-16: דף הבית](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="שירות בצל" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- אסור לאחסן נתונים מפוענחים בשרת מרוחק. +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות לקוחות עבור Linux, macOS ו-Windows; או בעלי ממשק אינטרנט. + +## FreedomBox + +!!! recommendation + + ![FreedomBox לוגו](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** היא מערכת הפעלה המיועדת להפעלה על [מחשב עם לוח יחיד (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). המטרה היא להקל על הגדרת יישומי שרת שאולי תרצה לארח בעצמך. + + [:octicons-home-16: דף הבית](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=תיעוד} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=לתרומה } + +## סנכרון קבצים + +### Nextcloud (שרת-לקוח) + +!!! recommendation + + ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** היא חבילה של תוכנות שרת-לקוח חינמיות וקוד פתוח ליצירת שירותי אירוח קבצים משלך בשרת פרטי שאתה שולט בו. + + [:octicons-home-16: דף הבית](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "סַכָּנָה" + + אנו לא ממליצים להשתמש ב-[E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) עבור Nextcloud מכיוון שהיא עלולה להוביל לאובדן נתונים; זה מאוד ניסיוני ולא איכות ייצור. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing לוגו](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** הוא כלי עזר רציף לסנכרון קבצים עמית לעמית בקוד פתוח. הוא משמש לסנכרון קבצים בין שני מכשירים או יותר ברשת המקומית או באינטרנט. Syncthing אינו משתמש בשרת מרכזי; הוא משתמש ב-[Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) כדי להעביר נתונים בין מכשירים. כל הנתונים מוצפנים באמצעות TLS. + + [:octicons-home-16: דף הבית](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +#### דרישות מינימליות + +- חייב לא לדרוש שרת מרוחק/ענן של צד שלישי. +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות לקוחות עבור Linux, macOS ו-Windows; או בעלי ממשק אינטרנט. + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- יש לו לקוחות ניידים עבור iOS ואנדרואיד, שלפחות תומכים בתצוגה מקדימה של מסמכים. +- תומך בגיבוי תמונות מ-iOS ואנדרואיד, ותומך באופן אופציונלי בסנכרון קבצים/תיקיות באנדרואיד. diff --git a/i18n/he/financial-services.md b/i18n/he/financial-services.md new file mode 100644 index 00000000..5b35ea27 --- /dev/null +++ b/i18n/he/financial-services.md @@ -0,0 +1,94 @@ +--- +title: שירותים פיננסיים +icon: material/bank +--- + +ביצוע תשלומים אונליין הוא אחד האתגרים הגדולים ביותר לפרטיות. שירותים אלה יכולים לסייע לך בהגנה על פרטיותך מפני סוחרים ועוקבים אחרים, בתנאי שיש לך הבנה טובה כיצד לבצע תשלומים פרטיים ביעילות. אנו ממליצים בחום שתקרא תחילה את מאמר סקירת התשלומים שלנו לפני ביצוע רכישות כלשהן: + +[ביצוע תשלומים פרטיים :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## שירותי מיסוך תשלומים + +ישנם מספר שירותים המספקים "כרטיסי חיוב וירטואליים" שבהם אתה יכול להשתמש עם סוחרים מקוונים מבלי לחשוף את פרטי הבנק או החיוב בפועל שלך ברוב המקרים. חשוב לציין ששירותים פיננסיים אלו הם **אינם** אנונימיים וכפופים לחוקי "הכר את הלקוח שלך" (KYC) ועשויים לדרוש את תעודת הזהות שלך או מידע מזהה אחר. שירותים אלה שימושיים בעיקר להגנה עליך מפני הפרות נתונים של סוחרים, מעקב פחות מתוחכם או מתאם רכישה על ידי סוכנויות שיווק וגניבת נתונים מקוונים; ו**לא** לביצוע רכישה באופן אנונימי לחלוטין. + +!!! tip "בדוק את הבנק הנוכחי שלך" + + בנקים וספקי כרטיסי אשראי רבים מציעים פונקציונליות מקורית של כרטיסים וירטואליים. אם אתה משתמש באחד שכבר מספק את האפשרות הזו, עליך להשתמש בו על פני ההמלצות הבאות ברוב המקרים. כך אינך סומך על מספר צדדים עם המידע האישי שלך. + +### Privacy.com (ארה"ב) + +!!! recommendation + + ![Privacy.com לוגו](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com לוגו](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + התוכנית החינמית של **Privacy.com** מאפשרת לך ליצור עד 12 כרטיסים וירטואליים בחודש, להגדיר מגבלות הוצאות על כרטיסים אלה ולכבות כרטיסים באופן מיידי. התוכנית בתשלום שלהם מאפשרת לך ליצור עד 36 כרטיסים בחודש, לקבל החזר של 1% מזומן על רכישות ולהסתיר מידע של העסקה מהבנק שלך. + + [:octicons-home-16: דף הבית](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=תיעוד} + +Privacy.com מספק מידע על הסוחרים מהם אתה רוכש לבנק שלך כברירת מחדל. תכונת "סוחרים דיסקרטיים" בתשלום שלהם מסתירה מידע סוחר מהבנק שלך, כך שהבנק שלך רואה רק שבוצעה רכישה עם Privacy.com אבל לא איפה הכסף הזה הוצא, אבל זה לא חסין תקלות, וכמובן ש-Privacy.com עדיין יש ידע על הסוחרים שאיתם אתה מוציא כסף. + +### MySudo (ארה"ב, בתשלום) + +!!! recommendation + + ![MySudo לוגו](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo לוגו](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** מספקת עד 9 כרטיסים וירטואליים בהתאם לתוכנית שתרכשו. התוכניות בתשלום שלהם כוללות בנוסף פונקציונליות שעשויה להיות שימושית לביצוע רכישות באופן פרטי, כגון מספרי טלפון וירטואליים וכתובות אימייל, אם כי בדרך כלל אנו ממליצים על [ספקי כינוי אימייל](email.md) אחרים לשימוש נרחב בכינויי אימייל. + + [:octicons-home-16: דף הבית](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=תיעוד} + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- מאפשר יצירת כרטיסים מרובים שמתפקדים כמגן בין הסוחר לבין הכספים האישיים שלך. +- אסור שהכרטיסים ידרשו ממך לספק פרטי כתובת מדויקת לחיוב למוכר. + +## שווקים של כרטיסי מתנה + +שירותים אלו מאפשרים לך לרכוש כרטיסי מתנה עבור מגוון סוחרים באינטרנט באמצעות [מטבע קריפטוגרפי](cryptocurrency.md). חלק מהשירותים הללו מציעים אפשרויות אימות מזהה עבור מגבלות גבוהות יותר, אך הם גם מאפשרים חשבונות עם כתובת אימייל בלבד. מגבלות בסיסיות מתחילות בדרך כלל מ-$5,000-10,000 ליום עבור חשבונות בסיסיים, ומגבלות גבוהות משמעותית עבור חשבונות מאומתים מזהים (אם מוצעים). + +### Cake Pay + +!!! recommendation + + ![CakePay לוגו](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** מאפשרת לכם לרכוש כרטיסי מתנה ומוצרים נלווים עם מונרו. רכישות עבור סוחרים בארה"ב זמינות באפליקציית Cake Wallet לנייד, בעוד שאפליקציית האינטרנט Cake Pay כוללת מבחר רחב של סוחרים גלובליים. + + [:octicons-home-16: דף הבית](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=תיעוד} + +### CoinCards + +!!! recommendation + + ![CakePay לוגו](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (זמין בארה"ב, קנדה ובריטניה) מאפשר לך לרכוש כרטיסי מתנה עבור מגוון גדול של סוחרים. + + [:octicons-home-16: דף הבית](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=תיעוד} + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- מקבל תשלום ב[מטבע קריפטוגרפי מומלץ](cryptocurrency.md). +- אין צורך בתעודת זהות. diff --git a/i18n/he/frontends.md b/i18n/he/frontends.md new file mode 100644 index 00000000..9558c3b3 --- /dev/null +++ b/i18n/he/frontends.md @@ -0,0 +1,267 @@ +--- +title: "חזיתות" +icon: material/flip-to-front +description: ממשקי קוד פתוח אלה לשירותי אינטרנט שונים מאפשרים לך לגשת לתוכן ללא JavaScript או מטרדים אחרים. +--- + +לפעמים שירותים ינסו לאלץ אותך להירשם לחשבון על ידי חסימת גישה לתוכן עם חלונות קופצים מעצבנים. הם יכולים להישבר גם ללא הפעלת JavaScript. חזיתות אלה יכולות לאפשר לך לעקוף את ההגבלות הללו. + +## קליינטים + +### Librarian + +!!! recommendation + + ![Librarian לוגו](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian לוגו](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** היא חזית חינמית וקוד פתוח עבור [Odysee](https://odysee.com/) (LBRY) שגם היא ניתנת לאירוח עצמי. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="קוד מקור" } + +!!! warning "אזהרה" + + Librarian אינו משדר סרטוני פרוקסי כברירת מחדל. סרטונים שנצפו באמצעות Librarian עדיין יבצעו חיבורים ישירים לשרתים של Odysee (למשל `odycdn.com`); עם זאת, מופעים מסוימים עשויים לאפשר שרת proxy אשר יפורט במדיניות הפרטיות של המופע. + +!!! tip "טיפ" + + Librarian שימושי אם אתה רוצה לצפות בתוכן LBRY בנייד ללא טלמטריה חובה ואם אתה רוצה להשבית את JavaScript בדפדפן שלך, כפי שקורה עם [דפדפן Tor](https://www.torproject.org/) באבטחה הבטוחה ביותר רָמָה. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליך להיות זהיר עם היכן וכיצד אתה מארח את Librarian, מכיוון שהשימוש של אנשים אחרים יהיה מקושר לאירוח שלך. + +כאשר אתה משתמש במופע Librarian, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מופעי Librarian יכולים להשתנות על ידי בעליהם ולכן עשויים שלא לשקף את מדיניות ברירת המחדל. מקרים של Librarian כוללים "תווית תזונה פרטית" כדי לספק סקירה כללית של המדיניות שלהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![לוגו של Nitter]( assets/img/frontends/nitter.svg){ align=right } + + **Nitter** הוא ממשק קוד פתוח בחינם עבור [Twitter](https://twitter.com) שגם הוא ניתן לאירוח עצמי. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=לתרומה } + +!!! tip "טיפ" + + Nitter שימושי אם ברצונך לדפדף בתוכן של טוויטר ללא צורך בהתחברות ואם ברצונך להשבית את JavaScript בדפדפן שלך, כפי שקורה עם [Tor Browser](https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. זה גם מאפשר לך [ליצור הזנות RSS עבור טוויטר](news-aggregators.md#twitter). + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. אתה צריך להיות זהיר עם איפה ואיך אתה מארח Nitter, כמו השימוש של אנשים אחרים יהיה מקושר אירוח שלך. + +כאשר אתה משתמש במופע של Nitter, הקפד לקרוא את מדיניות הפרטיות של מופע ספציפי זה. ניתן לשנות מופעים של Nitter על ידי בעליהם ולכן ייתכן שלא ישקפו את מדיניות ברירת המחדל. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok לוגו](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** הוא ממשק קוד פתוח לאתר [TikTok](https://www.tiktok.com) שגם הוא ניתן לאירוח עצמי. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-repo-16: מאגר](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="קוד מקור" } + +!!! tip "טיפ" + + ProxiTok שימושי אם ברצונך להשבית את JavaScript בדפדפן שלך, כגון [Tor Browser](https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. אתה צריך להיות זהיר עם היכן וכיצד אתה מארח את ProxiTok, מכיוון שהשימוש של אנשים אחרים יהיה מקושר לאירוח שלך. + +כאשר אתה משתמש במופע של ProxiTok, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מופעי ProxiTok ניתנים לשינוי על ידי בעליהם ולכן עשויים שלא לשקף את מדיניות הפרטיות הקשורה אליהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## יוטיוב + +### FreeTube + +!!! recommendation + + ![FreeTube לוגו](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** הוא יישום שולחן עבודה חינם וקוד פתוח עבור [יוטיוב](https://youtube.com). בעת שימוש ב- FreeTube, רשימת המנויים ורשימות ההשמעה שלך נשמרות באופן מקומי במכשיר שלך. + + כברירת מחדל, FreeTube חוסמת את כל הפרסומות של יוטיוב. בנוסף, FreeTube משתלבת באופן אופציונלי עם [SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. + + [:octicons-home-16: דף הבית](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning "אזהרה" + + בעת השימוש ב-FreeTube, ייתכן שכתובת ה-IP שלך עדיין ידועה ליוטיוב, [Invidious](https://instances.invidious.io) או [SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +### Yattee + +!!! recommendation + + ![Yattee לוגו](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** הוא נגן וידאו חינמי וקוד פתוח מוכוון פרטיות עבור iOS, tvOS ו-macOS עבור [יוטיוב](https://youtube.com). בעת השימוש ב - Yattee, רשימת המנויים שלך נשמרת באופן מקומי במכשיר שלך. + + תצטרך לבצע כמה [צעדים נוספים](https://gonzoknows.com/posts/Yattee/) לפני שתוכל להשתמש ב-Yattee כדי לצפות ב-YouTube, עקב הגבלות של App Store. + + [:octicons-home-16: דף הבית](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning "אזהרה" + + בעת השימוש ב- Yattee, כתובת ה- IP שלך עשויה עדיין להיות ידועה ליוטיוב, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) או [SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +כברירת מחדל, Yattee חוסם את כל הפרסומות ב - YouTube. בנוסף, Yattee משתלב באופן אופציונלי עם [SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. + +### LibreTube (אנדרואיד) + +!!! recommendation + + ![LibreTube לוגו](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube לוגו](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** היא אפליקציית אנדרואיד בחינם וקוד פתוח עבור [YouTube](https://youtube.com) המשתמשת בממשק ה-API של [Piped](#piped). + + LibreTube מאפשר לך לאחסן את רשימת המנויים והפלייליסטים שלך באופן מקומי במכשיר האנדרואיד שלך, או בחשבון במופע Piped שבחרת, מה שמאפשר לך לגשת אליהם בצורה חלקה גם במכשירים אחרים. + + [:octicons-home-16: דף הבית](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning "אזהרה" + + בעת שימוש ב-LibreTube, כתובת ה-IP שלך תהיה גלויה למופע [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) שתבחר ו/או ל-[SponsorBlock](https://sponsor.ajay.app/) בהתאם לתצורה שלך. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +כברירת מחדל, LibreTube חוסמת את כל פרסומות יוטיוב. בנוסף, Libretube משתמשת ב[SponsorBlock](https://sponsor.ajay.app) כדי לעזור לך לדלג על קטעי וידאו ממומנים. אתה יכול להגדיר באופן מלא את סוגי הפלחים שSponsorBlock ידלג עליהם, או להשבית אותו לחלוטין. יש גם כפתור בנגן הווידאו עצמו כדי להשבית אותו עבור סרטון מסוים אם תרצה בכך. + +### NewPipe (אנדרואיד) + +!!! recommendation annotate + + ![Newpipe לוגו](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** היא אפליקציית אנדרואיד חינמית וקוד פתוח עבור [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), ו-[PeerTube](https://joinpeertube.org/) (1). + + רשימת המנויים והפלייליסטים שלך נשמרים באופן מקומי במכשיר האנדרואיד שלך. + + [:octicons-home-16: דף הבית](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. מופע ברירת המחדל הוא [FramaTube](https://framatube.org/), עם זאת ניתן להוסיף יותר דרך **הגדרות** ← **תוכן** ← **מופעים PeerTube** + +!!! warning "אזהרה" + + בעת שימוש ב-NewPipe, כתובת ה-IP שלך תהיה גלויה לספקי הווידאו שבהם נעשה שימוש. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +### Invidious + +!!! recommendation + + ![Invidious לוגו](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious לוגו](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** הוא ממשק קצה חינמי וקוד פתוח עבור [YouTube](https://youtube.com) שמתארח גם בעצמו. + + ישנם מספר מופעים ציבוריים, כאשר בחלק מהמקרים יש תמיכה בשירותי בצל [Tor](https://www.torproject.org). + + [:octicons-home-16: דף הבית](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=לתרומה } + +!!! warning "אזהרה" + + כברירת מחדל, Invidious לא מזרימה פרוקסי וידאו. סרטונים שנצפו באמצעות Invidious עדיין יבצעו חיבורים ישירים לשרתים של Google (למשל `googlevideo.com`); עם זאת, מופעים מסוימים תומכים ב-proxy של וידאו - פשוט הפעל *סרטוני פרוקסי* בהגדרות של המופעים או הוסף '&local=true' לכתובת האתר. + +!!! tip "טיפ" + + Invidious שימושי אם ברצונך להשבית את JavaScript בדפדפן שלך, כגון [Tor Browser]( https://www.torproject.org/) ברמת האבטחה הבטוחה ביותר. הוא אינו מספק פרטיות בפני עצמו, ואנחנו לא ממליצים להיכנס לחשבונות כלשהם. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליכם להיות זהירים לגבי המיקום והאופן שבו אתם מארחים את Invidious, מכיוון שהשימוש של אנשים אחרים יקושר לאירוח שלכם. + +כאשר אתה משתמש ב - Invidious instance, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. מקרים לא נעימים יכולים להשתנות על ידי בעליהם, ולכן ייתכן שלא ישקפו את מדיניות הפרטיות המשויכת אליהם. במקרים מסוימים יש כתובות .onion Tor אשר עשוי להעניק קצת פרטיות כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +### Piped + +!!! recommendation + + ![Piped לוגו](assets/img/frontends/piped.svg){ align=right } + + **Piped** הוא חזית קוד פתוח בחינם ל-[YouTube](https://youtube.com) שמתארח גם בעצמו. + + Piped דורש JavaScript כדי לתפקד ויש מספר מופעים ציבוריים. + + [:octicons-repo-16: מאגר](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=לתרומה } + +!!! tip "טיפ" + + Piped שימושי אם ברצונך להשתמש ב - [SponsorBlock](https://sponsor.ajay.app) מבלי להתקין תוסף או לגשת לתוכן מוגבל לגיל ללא חשבון. הוא אינו מספק פרטיות בפני עצמו, ואנחנו לא ממליצים להיכנס לחשבונות כלשהם. + +בעת אירוח עצמי, חשוב כי יש לך אנשים אחרים באמצעות המקרה שלך, כמו גם על מנת שתוכל להשתלב. עליכם להיות זהירים לגבי המיקום והאופן שבו אתם מארחים Piped, מכיוון שהשימוש של אנשים אחרים יקושר לאירוח שלכם. + +כאשר אתה משתמש ב - Piped instance, הקפד לקרוא את מדיניות הפרטיות של אותו מופע ספציפי. בעליהם יכולים לשנות מופעים מקוטעים ולכן ייתכן שהם לא ישקפו את מדיניות הפרטיות המשויכת אליהם. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +חזיתות מומלצות... + +- חייבת להיות תוכנת קוד פתוח. +- חייב להיות ניתן לאירוח עצמי. +- חייב לספק את כל הפונקציונליות הבסיסית של האתר הזמינה למשתמשים אנונימיים. + +אנו מתייחסים רק לחזיתות עבור אתרים שהם... + +- לא נגיש בדרך כלל ללא JavaScript. diff --git a/i18n/he/index.md b/i18n/he/index.md new file mode 100644 index 00000000..164d221f --- /dev/null +++ b/i18n/he/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.he.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## למה שיהיה אכפת לי? + +##### “אין לי מה להסתיר. למה שאדאג לפרטיות שלי?" + +בדומה לזכות לנישואים בין-גזעיים, זכות בחירה לאישה, חופש הביטוי ורבים אחרים, זכותנו לפרטיות לא תמיד נשמרה. בכמה דיקטטורות, היא עדיין לא. דורות לפנינו נלחמו על זכותנו לפרטיות. ==פרטיות היא זכות אדם, הטבועה בכולנו,== שמגיעה לנו (ללא אפליה). + +אין לבלבל בין פרטיות לסודיות. אנחנו יודעים מה קורה בשירותים, אבל עדיין סוגרים את הדלת. זה בגלל שאתה רוצה פרטיות, לא סודיות. **לכל** אחד יש על מה להגן. פרטיות היא משהו שהופך אותנו לאנושיים. + +[:material-target-account: איומים נפוצים באינטרנט](basics/common-threats.md ""){.md-button.md-button--primary} + +## מה אני צריך לעשות? + +##### ראשית, עליך להכין תוכנית + +ניסיון להגן על כל הנתונים שלך מפני כולם כל הזמן הוא לא מעשי, יקר ומתיש. אבל אל תדאג! אבטחה היא תהליך, ועל ידי תכנון בריא, אתה יכול להרכיב תוכנית שמתאימה לך. אבטחה אינה עוסקת רק בכלים שבהם אתה משתמש או בתוכנות שאותם אתה מוריד. במקום זאת, היא מתחילה בהבנת האיומים הייחודיים שאתה מתמודד איתם, וכיצד אתה יכול למגר אותם. + +==תהליך זה של זיהוי איומים והגדרת אמצעי נגד נקרא **מידול** (מלשון מודל) ** סיכונים ** ==, והוא מהווה את הבסיס לכל תוכנית אבטחה ופרטיות טובה. + +[:material-book-outline: למד עוד על מידול סיכונים](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## אנחנו זקוקים לך! יש כמה דרכים לעזור לנו: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="הצטרף לפורום שלנו" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="עקבו אחרינו במסטודון" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="תרום לאתר זה" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="עזור לתרגם את האתר הזה" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="שוחח איתנו במטריקס" } +[:material-information-outline:](about/index.md){ title="למד עוד אודותינו" } +[:material-hand-coin-outline:](about/donate.md){ title="תמכו בפרויקט" } + +חשוב שאתר כמו Privacy Guides יישאר תמיד מעודכן. אנחנו צריכים שהקהל שלנו יפקח עין על עדכוני תוכנה עבור היישומים הרשומים באתר שלנו ויעקוב אחר התפתחויות לגבי ספקים שאנחנו ממליצים עליהם. קשה לעמוד בקצב המהיר של האינטרנט, אבל אנחנו מנסים כמיטב יכולתנו. אם אתה מזהה איזו שגיאה, חושב שספק לא צריך להיות רשום, שם לב שחסר ספק מוסמך, מאמין שתוסף דפדפן הוא כבר לא הבחירה הטובה ביותר, או מוצא כל בעיה אחרת, אנא הודיע לנו. diff --git a/i18n/he/kb-archive.md b/i18n/he/kb-archive.md new file mode 100644 index 00000000..3f5f4a8f --- /dev/null +++ b/i18n/he/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: ארכיון KB +icon: material/archive +description: חלק מהדפים שהיו בעבר במאגר הידע שלנו נמצאים כעת בבלוג שלנו. +--- + +# דפים הועברו לבלוג + +כמה דפים שהיו בעבר במאגר הידע שלנו נמצאים כעת בבלוג שלנו: + +- [GrapheneOS לעומת CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal תצורה והקשחה](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [לינוקס - הקשחת המערכת](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [לינוקס - ארגז חול ליישומים](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [מחיקת נתונים מאובטחת](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [הסרה משולבת של מטא נתונים](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [מדריך התצורה של iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/he/meta/brand.md b/i18n/he/meta/brand.md new file mode 100644 index 00000000..a5c7d73e --- /dev/null +++ b/i18n/he/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: הנחיות מיתוג +--- + +שם האתר הוא **Privacy Guides** ואין **לשנותו** ל: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +שם ה-Subreddit הוא **r/PrivacyGuides** או **the Privacy Guides Subreddit**. + +ניתן למצוא הנחיות מיתוג נוספות בכתובת [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## סימן מסחרי + +"Privacy Guides" והלוגו של המגן הם סימנים מסחריים בבעלות Jonah Aragon, שימוש בלתי מוגבל מוענק לפרויקט Privacy Guides. + +מבלי לוותר על אף אחת מזכויותיה, Privacy Guides אינם מייעצים לאחרים לגבי היקף זכויות הקניין הרוחני שלה. Privacy Guides אינם מתירים או מסכימים לכל שימוש בסימנים המסחריים שלו בכל דרך העלולה לגרום לבלבול על ידי רמיזה של קשר או חסות על ידי Privacy Guides. אם אתה מודע לשימוש כזה, אנא צור קשר עם Jonah Aragon בכתובת jonah@privacyguides.org. התייעץ עם היועץ המשפטי שלך אם יש לך שאלות. diff --git a/i18n/he/meta/git-recommendations.md b/i18n/he/meta/git-recommendations.md new file mode 100644 index 00000000..0c406db6 --- /dev/null +++ b/i18n/he/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: המלצות Git +--- + +אם אתה מבצע שינויים באתר זה בעורך האינטרנט של GitHub.com ישירות, אתה לא צריך לדאוג בקשר לזה. אם אתה מפתח מקומי ו/או עורך אתרים לטווח ארוך (שכנראה צריך לפתח מקומי!), שקול את ההמלצות האלה. + +## הפעל חתימת SSH Key Commit + +אתה יכול להשתמש במפתח SSH קיים לחתימה, או [צור אחד חדש](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. הגדר את לקוח Git שלך לחתום על התחייבויות ותגים כברירת מחדל (הסר את `--global` כדי לחתום רק כברירת מחדל עבור repo זה): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. העתק את מפתח ה-SSH הציבורי שלך ללוח שלך, לדוגמה: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. הגדר את מפתח ה-SSH שלך לכניסה ל-Git עם הפקודה הבאה, החלפת המחרוזת האחרונה במרכאות במפתח הציבורי בלוח שלך: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +ודא שאתה [מוסיף את מפתח ה-SSH שלך לחשבון GitHub שלך](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **כמפתח חתימה** (בניגוד ל או בנוסף כמפתח אימות). + +## Rebase על Git pull + +השתמש ב-`git pull --rebase` במקום ב-`git pull` בעת שליפת שינויים מ-GitHub למחשב המקומי שלך. כך השינויים המקומיים שלך תמיד יהיו "על גבי" השינויים האחרונים ב-GitHub, ואתה נמנע מהתחייבויות מיזוג (שאסורות בrepo זה). + +אתה יכול להגדיר זאת כהתנהגות ברירת המחדל: + +``` +git config --global pull.rebase true +``` + +## Rebase מ`הראשי` לפני שליחת יחסי ציבור (PR) + +אם אתה עובד על branch משלך, הפעל את הפקודות הבאות לפני שליחת PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/he/meta/uploading-images.md b/i18n/he/meta/uploading-images.md new file mode 100644 index 00000000..6a91ec55 --- /dev/null +++ b/i18n/he/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: העלאת תמונות +--- + +הנה כמה כללים כלליים לתרומה ל-Privacy Guides: + +## תמונות + +- אנחנו **מעדיפים** תמונות SVG, אבל אם אלה לא קיימות נוכל להשתמש בתמונות PNG + +לסמלי החברה יש גודל קנבס של: + +- 128x128 פיקסלים +- 384x128 פיקסלים + +## אופטימיזציה + +### PNG + +השתמש ב-[OptiPNG](https://sourceforge.net/projects/optipng/) כדי לבצע אופטימיזציה של תמונת PNG: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[סרקו](https://github.com/scour-project/scour) את כל תמונות ה-SVG. + +ב-Inkscape: + +1. File Save As.. +2. הגדר את הסוג ל-SVG אופטימיזציה (*.svg) + +בלשונית **האפשרויות**: + +- **מספר הספרות המשמעותיות עבור קואורדינטות** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] תכבה **הסר את הצהרת ה-XML** +- [x] הפעל **הסר מטא נתונים** +- [x] הפעל **הסר תגובות** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +ניתן להשיג את אותו הדבר עם הפקודה [Scour](https://github.com/scour-project/scour): + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/he/meta/writing-style.md b/i18n/he/meta/writing-style.md new file mode 100644 index 00000000..6ee20e4a --- /dev/null +++ b/i18n/he/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: סגנון כתיבה +--- + +Privacy Guides כתובים באנגלית אמריקאית, וכדאי לעיין ב-[APA הנחיות סגנון](https://apastyle.apa.org/style-grammar-guidelines/grammar) כאשר יש ספק. + +באופן כללי [ההנחיות הפדרליות לשפה פשוטה של ארצות הברית](https://www.plainlanguage.gov/guidelines/) מספקות סקירה כללית טובה של איך לכתוב בצורה ברורה ותמציתית. אנו מדגישים כמה הערות חשובות מהנחיות אלה להלן. + +## כתיבה עבור הקהל שלנו + +[הקהל](https://www.plainlanguage.gov/guidelines/audience/) המיועד של Privacy Guides הוא בעיקר טכנולוגיה ממוצעת שמבוגרים משתמשים בה. אל תאט תוכן כאילו אתה פונה לכיתה בחטיבת הביניים, אבל אל תשתמש יתר על המידה בטרמינולוגיה מסובכת לגבי מושגים שמשתמשי מחשב ממוצעים לא היו מכירים. + +### התייחס רק למה שאנשים רוצים לדעת + +אנשים לא צריכים מאמרים מורכבים מדי עם מעט רלוונטיות עבורם. גלה מה אתה רוצה שאנשים ישיגו בעת כתיבת מאמר, וכלול רק את הפרטים האלה. + +> ספר לקהל שלך מדוע החומר חשוב לו. תגיד, "אם אתה רוצה מענק מחקר, הנה מה שאתה צריך לעשות." או, "אם אתה רוצה לכרות פחם פדרלי, הנה מה שאתה צריך לדעת." או, "אם אתה מתכנן טיול לרואנדה, קרא את זה קודם." + +### פנה ישירות לאנשים + +אנו כותבים *עבור* מגוון רחב של אנשים, אך אנו כותבים *ל*אדם שקורא בפועל את זה. השתמש ב"אתה" כדי לפנות ישירות לקורא. + +> יותר מכל טכניקה בודדת אחרת, השימוש ב"אתה" מושך משתמשים לתוך המידע והופך אותו לרלוונטי עבורם. +> +> כאשר אתה משתמש ב"אתה" כדי לפנות למשתמשים, סביר יותר שהם יבינו מהי האחריות שלהם. + +מקור: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### הימנעו מ"משתמשים " + +הימנע מלקרוא לאנשים "משתמשים", לטובת "אנשים", או תיאור ספציפי יותר של קבוצת האנשים עבורם אתה כותב. + +## ארגון תוכן + +ארגון הוא המפתח. התוכן צריך לזרום מהמידע החשוב ביותר לפחות, ולהשתמש בכותרות ככל שצריך כדי להפריד באופן הגיוני בין רעיונות שונים. + +- הגבל את המסמך לסביבות חמישה או שישה חלקים. מסמכים ארוכים כנראה צריכים להיות מחולקים לדפים נפרדים. +- סמן רעיונות חשובים ב**מודגש** או ב*אותיות מוטות*. + +מקור: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### התחל במשפט נושא + +> אם תספר לקורא שלך על מה הוא הולך לקרוא, סביר להניח שהם יצטרכו לקרוא שוב את הפסקה שלך. כותרות עוזרות, אבל הן לא מספיקות. קבע הקשר לקהל שלך לפני שאתה מספק לו את הפרטים. +> +> לעתים קרובות אנו כותבים את הדרך שבה אנו חושבים, שמים את הנחות היסוד שלנו קודם כל ואחר כך את המסקנה שלנו. זו אולי הדרך הטבעית לפתח מחשבות, אבל אנחנו מסיימים עם משפט הנושא בסוף הפסקה. הזז אותו לפנים ואפשר למשתמשים לדעת לאן אתה הולך. אל תגרמו לקוראים להחזיק הרבה מידע בראש לפני שהם מגיעים לנקודה. + +מקור: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## בחר את המילים שלך בקפידה + +> המילים חשובות. הם אבני הבניין הבסיסיות ביותר של תקשורת כתובה ומדוברת. אל תסבך דברים על ידי שימוש בז'רגון, מונחים טכניים או קיצורים שאנשים לא יבינו. + +כדאי לנסות להימנע מקיצורי מילים במידת האפשר, אבל הטכנולוגיה מלאה בקיצורי מילים. באופן כללי, יש לאיית את הקיצור/ראשי התיבות בפעם הראשונה שבה נעשה בו שימוש בדף, והוסיפו את הקיצור מילים לקובץ מילון המונחים של הקיצור מילים כאשר נעשה בו שימוש חוזר. + +> Kathy McGinty מציעה הוראות שפה אירוניות למשפטים הפשוטים והישירים שלך: +> +> > אין מנוס מהעובדה כי חשוב מאוד לציין כי מספר מחקרים ישימים שונים זיהו בדרך כלל את העובדה כי תעסוקה לילית מתאימה נוספת יכולה בדרך כלל לשמור על מתבגרים צעירים מחוץ לכבישים במהלך שעות הלילה, כולל אך לא מוגבל לזמן שלפני חצות בלילות השבוע ו/או 2 לפנות בוקר. בסופי שבוע. +> +> והמקור, תוך שימוש במילים חזקות ופשוטות יותר: +> +> > עוד עבודות לילה ירחיקו את הצעירים מהרחובות. + +## תהיה תמציתי + +> מילים מיותרות מבזבזות את הזמן של הקהל שלך. כתיבה נהדרת היא כמו שיחה. השמט מידע שהקהל לא צריך לדעת. זה יכול להיות קשה כמומחה לנושא ולכן חשוב שמישהו יסתכל על המידע מנקודת המבט של הקהל. + +מקור: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## שמור על שיחות טקסט + +> פעלים הם הדלק של הכתיבה. הם נותנים למשפטים שלך כוח וכיוון. הם מחדשים את הכתיבה שלך והופכים אותה למעניינת יותר. +> +> הפעלים אומרים לקהל שלך מה לעשות. ודא שברור מי עושה מה. + +### השתמש בקול פעיל + +> קול פעיל מבהיר מי אמור לעשות מה. זה מבטל אי בהירות לגבי אחריות. לא "זה חייב להיעשות", אלא "אתה חייב לעשות את זה." + +מקור: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### השתמש ב"חייב" לדרישות + +> - "חייב" להתחייבות +> - "אסור" לאיסור +> - "רשאי" לפעולה לפי שיקול דעת +> - "צריך" להמלצה diff --git a/i18n/he/mobile-browsers.md b/i18n/he/mobile-browsers.md new file mode 100644 index 00000000..0b902a7f --- /dev/null +++ b/i18n/he/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "דפדפני אינטרנט לנייד" +icon: material/cellphone-information +description: דפדפנים אלו הם מה שאנו ממליצים כיום עבור גלישה רגילה/לא אנונימית באינטרנט בטלפון שלך. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - אנדרואיד + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +אלו הם דפדפני האינטרנט הניידים המומלצים כרגע והתצורות שלנו לגלישה רגילה/לא אנונימית באינטרנט. אם אתה צריך לגלוש באינטרנט באופן אנונימי, אתה צריך להשתמש [Tor](tor.md) במקום. באופן כללי, אנו ממליצים לשמור על הרחבות למינימום; יש להם גישה מוסמכת בתוך הדפדפן שלך, דורשים ממך לסמוך על המפתח, יכולים לגרום לך [להיות בולט](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), [ולהחליש](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) את בידוד האתר. + +## אנדרואיד + +באנדרואיד, פיירפוקס עדיין פחות מאובטח מאלטרנטיבות מבוססות Chromium: המנוע של מוזילה, [GeckoView](https://mozilla.github.io/geckoview/), עדיין לא תמך [בבידוד אתרים](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) או איפשר את [תהליך מבודד](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave לוגו](assets/img/browsers/brave.svg){ align=right } + + **דפדפן Brave** כולל חוסם תוכן מובנה ו [תכונות פרטיות ]( https://brave.com/privacy-features/), רבים מהם מופעלים כברירת מחדל. + + Brave בנוי על פרויקט דפדפן Chromium, כך שהוא אמור להרגיש מוכר ושיהיו לו בעיות תאימות מינימליות לאתר. + + [:octicons-home-16: דף הבית](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="שירות בצל" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="קוד פתוח" } + + ??? downloads annotate "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### תצורה מומלצת + +דפדפן Tor הוא הדרך היחידה לגלוש באמת באינטרנט באופן אנונימי. כאשר אתה משתמש ב-Brave, אנו ממליצים לשנות את ההגדרות הבאות כדי להגן על פרטיותך מפני גורמים מסוימים, אך כל הדפדפנים מלבד [Tor דפדפן](tor.md#tor-browser) יהיו ניתנים למעקב על ידי *מישהו* בהקשר זה או אחר. + +ניתן למצוא אפשרויות אלו ב :material-menu: → **הגדרות** → **Brave Shields & פרטיות** + +##### Shields + +Brave כולל כמה אמצעים נגד טביעת אצבע בתכונת [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) שלו. אנו מציעים להגדיר את האפשרויות האלה [גלובלי](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) בכל הדפים שבהם אתה מבקר. + +##### ברירות מחדל גלובליות של Brave Shield + +ניתן לשדרג לאחור את האפשרויות של Shields על בסיס אתר לפי הצורך, אך כברירת מחדל אנו ממליצים להגדיר את האפשרויות הבאות: + +
+ +- [x] בחר **אגרסיבי** תחת חסימת עוקבים ומודעות + + ??? warning "השתמש ברשימות סינון ברירת מחדל" + Brave מאפשר לך לבחור מסנני תוכן נוספים בדף הפנימי `brave://adblock`. אנו ממליצים לא להשתמש בתכונה זו; במקום זאת, שמור על רשימות הסינון המוגדרות כברירת מחדל. שימוש ברשימות נוספות יגרום לך להתבלט ממשתמשי Brave אחרים ועלול גם להגדיל את שטח ההתקפה אם יש ניצול ב-Brave וכלל זדוני יתווסף לאחת הרשימות שבהן אתה משתמש. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### IPFS + +- [x] בחר **נקה נתונים ביציאה** + +##### חסימת מדיה חברתית + +- [ ] בטל את הסימון של כל רכיבי המדיה החברתית + +##### הגדרות פרטיות אחרות + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### סנכרון Brave + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) מאפשר לנתוני הגלישה שלך (היסטוריה, סימניות וכו ') להיות נגישים בכל המכשירים שלך ללא צורך בחשבון ומגן עליהם באמצעות E2EE. + +## iOS + +ב-iOS, כל אפליקציה שיכולה לגלוש באינטרנט [מוגבלת](https://developer.apple.com/app-store/review/guidelines) לשימוש ב[מסגרת WebKit](https://developer.apple.com/documentation/webkit), כך שאין סיבה קטנה להשתמש בדפדפן אינטרנט של צד שלישי. + +### Safari + +!!! recommendation + + ![Safari לוגו](assets/img/browsers/safari.svg){ align=right } + + **Safari** הוא דפדפן ברירת המחדל ב - iOS. הוא כולל [תכונות פרטיות](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) כגון הגנת מעקב חכמה, דוח פרטיות, כרטיסיות גלישה פרטית מבודדות, iCloud Private Relay ושדרוגי HTTPS אוטומטיים. + + [:octicons-home-16: דף הבית](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=תיעוד} + +#### תצורה מומלצת + +ניתן למצוא אפשרויות אלה ב - :gear: **הגדרות** ← **Safari** ← **פרטיות ואבטחה**. + +##### מניעת מעקב חוצה אתרים + +- [x] אפשר **מנע מעקב בין אתרים** + +זה מאפשר [הגנת מעקב אינטליגנטי](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) של WebKit. התכונה מסייעת בהגנה מפני מעקב לא רצוי על ידי שימוש בלמידת מכונה במכשיר כדי לעצור עוקבים. ITP מגן מפני איומים נפוצים רבים, אך הוא אינו חוסם את כל אפיקי המעקב מכיוון שהוא נועד לא להפריע לשימושיות האתר. + +##### דוח פרטיות + +דוח הפרטיות מספק תמונה של עוקבים חוצי אתרים שכרגע מונעים ממך ליצור פרופיל באתר שבו אתה מבקר. הוא יכול גם להציג דוח שבועי כדי להראות אילו עוקבים נחסמו לאורך זמן. + +ניתן לגשת לדוח הפרטיות דרך התפריט 'הגדרות דף '. + +##### שמירת הפרטיות של מדידת המודעות + +- [ ] השבת **פרטיות שמירה על מדידת מודעות** + +מדידת קליקים על מודעה השתמשה באופן מסורתי בטכנולוגיית מעקב הפוגעת בפרטיות המשתמש. [מדידת קליקים פרטית](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) היא תכונה של WebKit ותקן אינטרנט מוצע שמטרתו לאפשר למפרסמים למדוד האפקטיביות של מסעות פרסום באינטרנט מבלי להתפשר על פרטיות המשתמש. + +לתכונה יש מעט חששות פרטיות בפני עצמה, כך שבעוד שאתה יכול לבחור להשאיר אותה פועלת, אנו רואים בעובדה שהיא מושבתת אוטומטית בגלישה פרטית כאינדיקטור להשבית התכונה. + +##### גלישה פרטית תמיד + +פתח את Safari והקש על כפתור הכרטיסיות, הממוקם בפינה השמאלית התחתונה. לאחר מכן, הרחב את רשימת קבוצות הכרטיסיות. + +- [x] בחר **פרטי** + +מצב הגלישה הפרטית של Safari מציע הגנות פרטיות נוספות. גלישה פרטית משתמשת בהפעלה חדשה [>חולפת](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) עבור כל כרטיסייה, כלומר כרטיסיות מבודדות זו מזו. יש גם יתרונות פרטיות קטנים יותר עם גלישה פרטית, כגון אי שליחת כתובת של דף אינטרנט לאפל בעת שימוש בתכונת התרגום של Safari. + +שימו לב שגלישה פרטית אינה שומרת קובצי עוגיות ונתוני אתר, כך שלא ניתן יהיה להישאר מחובר לאתרים. זה עשוי להיות אי נוחות. + +##### iCloud Sync + +סנכרון של היסטוריית ספארי, קבוצות כרטיסיות, כרטיסיות iCloud וסיסמאות שמורות הם E2EE. עם זאת, כברירת מחדל, סימניות [לא](https://support.apple.com/en-us/HT202303). Apple יכולה לפענח ולגשת אליהם בהתאם ל[מדיניות הפרטיות](https://www.apple.com/legal/privacy/en-ww/) שלהם. + +אתה יכול להפעיל את E2EE עבור הסימניות וההורדות של Safari על ידי הפעלת [הגנה על נתונים מתקדמת](https://support.apple.com/en-us/HT212520). עבור אל **שם Apple ID שלך ← iCloud ← הגנת נתונים מתקדמת**. + +- [x] הפעל **הגנת נתונים מתקדמת** + +אם אתה משתמש ב-iCloud עם הגנת נתונים מתקדמת מושבתת, אנו ממליצים גם לבדוק כדי לוודא שמיקום ההורדה המוגדר כברירת מחדל של Safari מוגדר באופן מקומי במכשיר שלך. ניתן למצוא אפשרות זו ב -:gear: **הגדרות** ← **Safari** ← **כללי** ← **הורדות**. + +### AdGuard + +!!! recommendation + + ![AdGuard לוגו](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** הוא תוסף חסימת תוכן בקוד פתוח בחינם עבור Safari המשתמש ב-[Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + ל-AdGuard for iOS יש כמה תכונות פרימיום; עם זאת, חסימת תוכן ספארי רגילה אינה כרוכה בתשלום. + + [:octicons-home-16: דף הבית](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +רשימות פילטרים נוספות מאטות את הקצב ועשויות להגדיל את משטח ההתקפה שלך, אז יש ליישם רק את מה שאתה צריך. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- חייב לתמוך בעדכונים אוטומטיים. +- חייב לקבל עדכוני מנוע בתוך 0 -1 ימים משחרורו במעלה הזרם. +- כל שינוי שיידרש כדי להפוך את הדפדפן ליותר מכבד פרטיות לא צריך להשפיע לרעה על חוויית המשתמש. +- דפדפני אנדרואיד חייבים להשתמש במנוע ה - Chromium. + - למרבה הצער, Mozilla GeckoView עדיין פחות מאובטחת מ-Chromium באנדרואיד. + - דפדפני iOS מוגבלים ל-WebKit. + +### קריטריונים להרחבה + +- אסור לשכפל דפדפן מובנה או פונקציונליות מערכת הפעלה. +- חייב להשפיע ישירות על פרטיות המשתמש, כלומר לא חייב פשוט לספק מידע. diff --git a/i18n/he/multi-factor-authentication.md b/i18n/he/multi-factor-authentication.md new file mode 100644 index 00000000..80a8760a --- /dev/null +++ b/i18n/he/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "מאמתים מרובי גורמים" +icon: 'material/two-factor-authentication' +description: כלים אלה מסייעים לך באבטחת חשבונות האינטרנט שלך באמצעות אימות רב-גורמי מבלי לשלוח את הסודות שלך לצד שלישי. +--- + +## מפתחות אבטחה של חומרה + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + **YubiKeys** הם בין מפתחות האבטחה הפופולריים ביותר. לחלק מדגמי YubiKey יש מגוון רחב של תכונות כגון: [גורם שני אוניברסלי (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 ו-WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [אימות זהות אישית (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/),[TOTP ו HOTP](https://developers.yubico.com/OATH). + + אחד היתרונות של YubiKey הוא שמפתח אחד יכול לעשות כמעט הכל (YubiKey 5), שאפשר לצפות ממפתח אבטחת חומרה. אנו ממליצים לך לקחת את [חידון](https://www.yubico.com/quiz/) לפני הרכישה כדי לוודא שאתה עושה את הבחירה הנכונה. + + [:octicons-home-16: דף הבית](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=תיעוד} + +[טבלת ההשוואה](https://www.yubico.com/store/compare/) מציגה את התכונות ואת אופן ההשוואה של YubiKeys. אנו ממליצים בחום לבחור במפתחות מסדרת YubiKey 5. + +ניתן לתכנת את [YubiKey מנהל](https://www.yubico.com/support/download/yubikey-manager/) או [YubiKey כלי התאמה אישית](https://www.yubico.com/support/download/yubikey-personalization-tools/). לניהול קודי TOTP, תוכל להשתמש ב - [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). כל הקליינטים של Yubico הם בקוד פתוח. + +עבור דגמים התומכים ב - HOTP וב - TOTP, ישנם 2 חריצים בממשק ה - OTP שניתן להשתמש בהם עבור HOTP ו -32 חריצים לאחסון סודות TOTP. סודות אלה מאוחסנים מוצפנים על המפתח ואף פעם לא לחשוף אותם למכשירים הם מחוברים. ברגע שזרע (סוד משותף) ניתן למאמת Yubico, הוא ייתן רק את הקודים בני שש הספרות, אך לעולם לא את הזרע. מודל אבטחה זה עוזר להגביל את מה שתוקף יכול לעשות אם הוא מסכן את אחד המכשירים המריצים את המאמת של Yubico והופך את ה - YubiKey לעמיד בפני תוקף פיזי. + +!!! warning "אזהרה" + הקושחה של YubiKey אינה קוד פתוח ואינה ניתנת לעדכון. אם אתה רוצה תכונות בגרסאות קושחה חדשות יותר, או אם ישנה פגיעות בגרסת הקושחה שבה אתה משתמש, תצטרך לרכוש מפתח חדש. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **ל - Nitrokey** יש מפתח אבטחה המסוגל ל- [FIDO2 ו- WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) בשם **Nitrokey FIDO2**. לתמיכה ב-PGP, עליך לרכוש אחד מהמפתחות האחרים שלהם כגון **Nitrokey Start**, **Nitrokey Pro 2** או **Nitrokey Storage 2**. + + [:octicons-home-16: דף הבית](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=תיעוד} + +[טבלת ההשוואה](https://www.nitrokey.com/#comparison) מציגה את התכונות ואת ההשוואה בין דגמי Nitrokey. ל**Nitrokey 3** המופיע ברשימה תהיה ערכת תכונות משולבת. + +ניתן להגדיר דגמי Nitrokey באמצעות [Nitrokey app](https://www.nitrokey.com/download). + +עבור הדגמים התומכים ב - HOTP וב - TOTP, ישנם 3 חריצים עבור HOTP ו -15 עבור TOTP. Nitrokeys מסוימים יכולים לשמש כמנהל סיסמאות. הם יכולים לאחסן 16 אישורים שונים ולהצפין אותם באמצעות אותה סיסמה כמו ממשק OpenPGP. + +!!! warning "אזהרה" + + בעוד ש-Nitrokeys אינם משחררים את סודות ה-HOTP/TOTP למכשיר שאליו הם מחוברים, אחסון ה-HOTP וה-TOTP **לא** מוצפן ופגיע להתקפות פיזיות. אם אתם מחפשים לאחסן HOTP או TOTP סודות אלה, אנו ממליצים בחום להשתמש ב- Yubikey במקום זאת. + +!!! warning "אזהרה" + + איפוס ממשק OpenPGP על Nitrokey גם יגרום למסד הנתונים סיסמה [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +ה-Nitrokey Pro 2, Nitrokey Storage 2 וה-Nitrokey 3 הקרובים תומכים באימות שלמות המערכת עבור מחשבים ניידים עם קושחת [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/). + +הקושחה של Nitrokey היא קוד פתוח, שלא כמו YubiKey. הקושחה בדגמי NitroKey המודרניים (למעט ה**NitroKey Pro 2**) ניתנת לעדכון. + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +#### דרישות מינימליות + +- יש להשתמש במודולי אבטחה עמידים לחומרה באיכות גבוהה. +- חייב לתמוך במפרט FIDO2 העדכני ביותר. +- אסור לאפשר חילוץ מפתח פרטי. +- מכשירים שעולים מעל $35 חייבים לתמוך בטיפול ב-OpenPGP וב-S/MIME. + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- אמור להיות זמין בפורמט USB-C. +- אמור להיות זמין עם NFC. +- אמור לתמוך באחסון סודי ב-TOTP. +- אמור לתמוך בעדכוני קושחה מאובטחים. + +## אפליקציות מאמתות + +יישומי אימות מיישמים תקן אבטחה שאומץ על ידי כוח המשימה להנדסת אינטרנט (IETF) הנקרא **סיסמאות חד פעמיות חד פעמיות מבוססות זמן**, או **TOTP**. זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות. + +אנו ממליצים בחום להשתמש באפליקציות TOTP למכשירים ניידים במקום בחלופות לשולחן העבודה, מכיוון שלאנדרואיד ול-iOS יש אבטחה ובידוד אפליקציות טובים יותר מרוב מערכות ההפעלה השולחניות. + +### Aegis Authenticator (אנדרואיד) + +!!! recommendation + + ![Aegis לוגו](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** היא אפליקציה חינמית, מאובטחת וקוד פתוח לניהול אסימוני האימות הדו-שלביים שלך עבור השירותים המקוונים שלך. + + [:octicons-home-16: דף הבית](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP לוגו](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** הוא קליינט סיסמאות מקורי, קל משקל ומאובטח מבוסס זמן (TOTP) & ומבוסס נגד (HOTP) עבור iOS. Raivo OTP מציע אופציונלי גיבוי iCloud & סנכרון. Raivo OTP זמין גם עבור macOS בצורה של יישום שורת מצב, אולם יישום Mac אינו פועל ללא תלות ביישום iOS. + + [:octicons-home-16: דף הבית](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- Source code must be publicly available. +- אסור לדרוש חיבור לאינטרנט. +- אסור לסנכרן לשירות סנכרון/גיבוי בענן של צד שלישי. + - **אופציונלי** תמיכה בסנכרון E2EE עם כלים מקוריים של מערכת ההפעלה מקובלת, למשל. סנכרון מוצפן באמצעות iCloud. diff --git a/i18n/he/news-aggregators.md b/i18n/he/news-aggregators.md new file mode 100644 index 00000000..a7746e47 --- /dev/null +++ b/i18n/he/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "צוברי חדשות" +icon: material/rss +description: לקוחות צוברי חדשות אלה מאפשרים לך להתעדכן בבלוגים ובאתרי החדשות האהובים עליך באמצעות תקני אינטרנט כמו RSS. +--- + +[צובר חדשות](https://en.wikipedia.org/wiki/News_aggregator) הוא דרך להתעדכן בבלוגים ובאתרי החדשות המועדפים עליך. + +## קליינטים צוברי חדשות + +### Akregator + +!!! recommendation + + ![Akregator לוגו](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** הוא קורא ניוז פיד המהווה חלק מפרויקט [KDE](https://kde.org). הוא מגיע עם חיפוש מהיר, פונקציונליות ארכיון מתקדמת ודפדפן פנימי לקריאת חדשות קלה. + + [:octicons-home-16: דף הבית](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=תיעוד} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** הוא קליינט RSS מודרני עבור אנדרואיד שיש לו רבים [features](https://gitlab.com/spacecowboy/Feeder#features) ועובד היטב עם תיקיות של הזנות RSS. הוא תומך ב [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: מאגר](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader לוגו](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** הוא צובר חדשות מאובטח חוצה פלטפורמות הכולל תכונות פרטיות שימושיות כגון מחיקת קובצי Cookie ביציאה, [מדיניות אבטחת תוכן (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) קפדנית ותמיכה בפרוקסי, כלומר אתה יכול להשתמש בו מעל [Tor](tor.md). + + [:octicons-home-16: דף הבית](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds לוגו](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **Feeds GNOME** הם [RSS](https://en.wikipedia.org/wiki/RSS) ו-[Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) קורא חדשות עבור [GNOME](https://www.gnome.org). יש לו ממשק פשוט והוא די מהיר. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads "הורדות" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux לוגו](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux לוגו](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** הוא צובר חדשות מבוסס אינטרנט שתוכלו לארח בעצמכם. הוא תומך ב [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: דף הבית](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=לתרומה } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire לוגו](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** קורא עדכונים חינמי וקוד פתוח עבור macOS ו-iOS עם התמקדות בעיצוב ותכונות מקוריות. הוא תומך בפורמטי הפיד הטיפוסיים לצד תמיכה מובנית בפיד של טוויטר ו-Reddit. + + [:octicons-home-16: דף הבית](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat לוגו](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** הוא קורא הזנת RSS/Atom עבור קונסולת הטקסט. זהו נגזר מתוחזק באופן פעיל של [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). הוא קל מאוד, ואידיאלי לשימוש מעל [Secure Shell]( https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייבת להיות תוכנת קוד פתוח. +- חייב לפעול באופן מקומי, כלומר חייב לא להיות שירות ענן. + +## תמיכה ב- RSS של מדיה חברתית + +חלק משירותי המדיה החברתית תומכים גם ב - RSS, אם כי הוא לא מפורסם לעתים קרובות. + +### Reddit + +Reddit מאפשר לך להירשם ל subreddits באמצעות RSS. + +!!! example "דוגמא" + החלף `subreddit_name` עם subreddit שברצונך להירשם אליו. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +באמצעות כל אחד מ[מופעים](https://github.com/zedeus/nitter/wiki/Instances) של Nitter תוכל להירשם בקלות באמצעות RSS. + +!!! example "דוגמא" + 1. בחר מופע והגדר `nitter_instance`. + 2. החלף את `twitter_account` בשם החשבון. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### יוטיוב + +אתה יכול להירשם לערוצי יוטיוב מבלי להתחבר ולשייך פרטי שימוש לחשבון גוגל שלך. + +!!! example "דוגמא" + + כדי להירשם לערוץ YouTube עם לקוח RSS, חפש תחילה את [קוד הערוץ](https://support.google.com/youtube/answer/6180214), החלף את '[מזהה ערוץ]' למטה: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/he/notebooks.md b/i18n/he/notebooks.md new file mode 100644 index 00000000..5068d519 --- /dev/null +++ b/i18n/he/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "פנקס רשימות" +icon: material/notebook-edit-outline +description: אפליקציות רישום רשימות-מוצפנות אלו מאפשרות לך לעקוב אחר הרשימות שלך מבלי לתת אותן לצד שלישי. +--- + +עקוב אחר ההערות והיומנים שלך מבלי למסור אותם לצד שלישי. + +אם אתה משתמש כעת באפליקציה כמו Evernote, Google Keep או Microsoft OneNote, אנו מציעים שתבחר כאן חלופה שתומכת ב-E2EE. + +## מבוסס ענן + +### Joplin + +!!! recommendation + + ![Joplin לוגו](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** הוא יישום חינמי, קוד פתוח ומלא תכונות לרישום הערות ומשימות שיכול להתמודד עם מספר רב של הערות סימון מאורגנים במחברות ותגים. הוא מציע E2EE ויכול לסנכרן דרך Nextcloud, Dropbox ועוד. הוא מציע גם ייבוא קל מ-Evernote והערות בטקסט רגיל. + + [:octicons-home-16: דף הבית](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin אינו תומך בהגנה על סיסמה/PIN עבור [יישום עצמו או רשימות ומחברות בודדות](https://github.com/laurent22/joplin/issues/289). עם זאת, הנתונים שלך עדיין מוצפנים במעבר ובמיקום הסנכרון באמצעות מפתח הראשי שלך. מאז ינואר 2023, Joplin תומך בנעילת אפליקציות ביומטריה עבור [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) ו-[iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes לוגו](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** היא אפליקציית הערות פשוטה ופרטית שהופכת את ההערות שלך לקלות וזמינות בכל מקום שבו אתה נמצא. הוא כולל E2EE בכל פלטפורמה, וחוויית שולחן עבודה רבת עוצמה עם ערכות עיצוב ואפשריות עריכה מותאמים אישית. הוא גם עבר [ביקורת עצמאית (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee לוגו](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee לוגו](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** הוא קוד פתוח מבוסס אינטרנט E2EE עורך מסמכים ויישום אחסון תמונות. Cryptee הוא PWA, מה שאומר שהוא עובד בצורה חלקה בכל המכשירים המודרניים מבלי לדרוש אפליקציות מקוריות עבור כל פלטפורמה בהתאמה. + + [:octicons-home-16: דף הבית](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee מציע 100MB של אחסון בחינם, עם אפשרויות בתשלום אם אתה צריך יותר. ההרשמה אינה דורשת דואר אלקטרוני או מידע מזהה אישי אחר. + +## מחברות מקומיות + +### מצב ארגון + +!!! recommendation + + ![Org-mode לוגו](assets/img/notebooks/org-mode.svg){ align=right } + + **מצב ארגוני** הוא [מצב ראשי](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) עבור גנו Emacs. מצב ארגוני מיועד לשמירת הערות, שמירה על רשימות TODO, תכנון פרויקטים ועריכת מסמכים באמצעות מערכת טקסט רגיל מהירה ויעילה. סינכרון אפשרי באמצעות הכלי [file synchronization](file-sharing.md#file-sync). + + [:octicons-home-16: דף הבית](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=לתרומה } + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- הלקוחות צריכים להיות בקוד פתוח. +- כל פונקציונליות של סנכרון ענן חייבת להיות E2EE. +- חייב לתמוך בייצוא מסמכים לפורמט סטנדרטי. + +### המקרה הטוב ביותר + +- פונקציונליות גיבוי/סנכרון מקומית אמורה לתמוך בהצפנה. +- פלטפורמות מבוססות ענן צריכות לתמוך בשיתוף מסמכים. diff --git a/i18n/he/os/android-overview.md b/i18n/he/os/android-overview.md new file mode 100644 index 00000000..bb64f1d7 --- /dev/null +++ b/i18n/he/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: סקירה כללית של אנדרואיד +icon: simple/android +description: אנדרואיד היא מערכת הפעלה בקוד פתוח עם הגנות אבטחה חזקות, מה שהופך אותה לבחירה המובילה שלנו עבור טלפונים. +--- + +אנדרואיד היא מערכת הפעלה מאובטחת הכוללת [ארגז חול חזק של אפליקציות](https://source.android.com/security/app-sandbox), [אתחול מאומת](https://source.android.com/security/verifiedboot) (AVB) ומערכת בקרת [הרשאות](https://developer.android.com/guide/topics/permissions/overview) חזקה. + +## בחירת הפצת אנדרואיד + +כאשר אתה קונה טלפון אנדרואיד, מערכת ההפעלה המוגדרת כברירת מחדל של המכשיר מגיעה לרוב עם אינטגרציה פולשנית עם אפליקציות ושירותים שאינם חלק מ[פרויקט הקוד הפתוח של אנדרואיד](https://source.android.com/). דוגמה כזו היא שירותי Google Play, שיש לו הרשאות בלתי חוזרות לגשת לקבצים שלך, אחסון אנשי הקשר, יומני שיחות, הודעות SMS, מיקום, מצלמה, מיקרופון, מזהי חומרה וכו'. אפליקציות ושירותים אלו מגדילים את משטח ההתקפה של המכשיר שלך ומהווים מקור לחששות פרטיות שונים עם אנדרואיד. + +ניתן לפתור בעיה זו באמצעות הפצת אנדרואיד מותאמת אישית שאינה מגיעה עם אינטגרציה פולשנית כזו. לרוע המזל, הפצות רבות של אנדרואיד מותאמות אישית מפרות לעתים קרובות את מודל האבטחה של אנדרואיד בכך שאינן תומכות בתכונות אבטחה קריטיות כגון AVB, הגנה לאחור, עדכוני קושחה וכן הלאה. חלק מההפצות מספקות גם רכיבי [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) אשר חושפים שורש באמצעות [ADB](https://developer.android.com/studio/command-line/adb) ודורשים [מדיניות](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux מתירנית יותר כדי להתאים לתכונות ניפוי באגים, וכתוצאה מכך משטח התקפה מוגדל נוסף ומודל אבטחה מוחלש. + +באופן אידיאלי, בעת בחירת הפצת אנדרואיד מותאמת אישית, עליך לוודא שהיא מקיימת את מודל האבטחה של אנדרואיד. לכל הפחות, להפצה צריכה להיות בניית ייצור, תמיכה ב-AVB, הגנה על חזרה, עדכוני קושחה ומערכת הפעלה בזמן, ו-SELinux ב[מצב אכיפה](https://source.android.com/security/selinux/concepts#enforcement_levels). כל הפצות האנדרואיד המומלצות שלנו עומדות בקריטריונים האלה. + +[המלצות מערכת אנדרואיד שלנו :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## הימנע מהשתרשות + +[השרשת](https://en.wikipedia.org/wiki/Rooting_(Android)) טלפונים אנדרואיד יכולים להפחית את האבטחה באופן משמעותי מכיוון שהוא מחליש את [מודל האבטחה של אנדרואיד](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). זה יכול להפחית את הפרטיות אם יש ניצול הנעזר בירידה באבטחה. שיטות השתרשות נפוצות כוללות התעסקות ישירה במחיצת האתחול, מה שהופך את זה לבלתי אפשרי לבצע אתחול מאומת בהצלחה. אפליקציות הדורשות שורש ישנו גם את מחיצת המערכת, כלומר אתחול מאומת יצטרך להישאר מושבת. חשיפת השורש ישירות בממשק המשתמש גם מגדילה את [משטח ההתקפה](https://en.wikipedia.org/wiki/Attack_surface) של המכשיר שלך ועשויה לסייע ב[הסלמה של הרשאות](https://en.wikipedia.org/wiki/Privilege_escalation) פגיעויות ועקיפות מדיניות SELinux. + +חוסמי פרסומות, המשנים את [קובץ המארחים](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) וחומות אש (AFWall+) הדורשות גישת בסיס מתמשכת הם מסוכנים ו אסור להשתמש. הם גם לא הדרך הנכונה לפתור את מטרותיהם המיועדות. לחסימת מודעות אנו מציעים במקום זאת פתרונות חסימת שרת [DNS](../dns.md) או [VPN](../vpn.md) מוצפנים. RethinkDNS, TrackerControl ו-AdAway במצב ללא-שורש יתפסו את חריץ ה-VPN (על ידי שימוש ב-VPN עם לולאה מקומית) וימנעו ממך להשתמש בשירותים לשיפור הפרטיות כגון Orbot או שרת VPN אמיתי. + +AFWall+ פועל על בסיס גישת [סינון חבילות](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) וייתכן שניתן לעקוף אותו במצבים מסוימים. + +אנחנו לא מאמינים שקורבנות האבטחה שנעשו על ידי השתרשות טלפון שווים את יתרונות הפרטיות המפוקפקים של אפליקציות אלה. + +## אתחול מאומת + +[אתחול מאומת](https://source.android.com/security/verifiedboot) הוא חלק חשוב ממודל האבטחה של אנדרואיד. הוא מספק הגנה מפני התקפות [משרתת רעה](https://en.wikipedia.org/wiki/Evil_maid_attack), התמדה של תוכנות זדוניות, ומבטיח שלא ניתן לשדרג לאחור עדכוני אבטחה עם [הגנה לאחור](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +אנדרואיד 10 ומעלה עברה מהצפנה בדיסק מלא ל[הצפנה מבוססת קבצים](https://source.android.com/security/encryption/file-based) גמישה יותר. הנתונים שלך מוצפנים באמצעות מפתחות הצפנה ייחודיים, וקבצי מערכת ההפעלה נותרים לא מוצפנים. + +אתחול מאומת מבטיח את שלמות קבצי מערכת ההפעלה, ובכך מונע מיריב בעל גישה פיזית לחבל או להתקין תוכנה זדונית במכשיר. במקרה הבלתי סביר שתוכנות זדוניות מסוגלות לנצל חלקים אחרים של המערכת ולהשיג גישה מוסמכת יותר, אתחול מאומת ימנע ותחזיר שינויים במחיצת המערכת עם אתחול המכשיר מחדש. + +למרבה הצער, יצרני ציוד מקורי מחויבים לתמוך באתחול מאומת רק בהפצת אנדרואיד בברירת מחדל שלהם. רק כמה יצרני OEM כגון גוגל תומכים ברישום מפתח AVB מותאם אישית במכשירים שלהם. בנוסף, חלק מנגזרות AOSP כגון LineageOS או /e/ OS אינן תומכות ב-Verified Boot אפילו בחומרה עם תמיכה ב-Verified Boot עבור מערכות הפעלה של צד שלישי. אנו ממליצים לבדוק אם יש תמיכה **לפני** רכישת מכשיר חדש. נגזרות AOSP שאינן תומכות באתחול מאומת **לא** מומלצות. + +יצרני OEM רבים גם עשו יישום שבור של אתחול מאומת שעליך להיות מודע אליו מעבר לשיווק שלהם. לדוגמה, ה-Fairphone 3 ו-4 אינם מאובטחים כברירת מחדל, מכיוון ש[מטען האתחול של הברירת מחדל סומך על מפתח החתימה הציבורי של ](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11)AVB. זה שובר אתחול מאומת במכשיר Fairphone ברירת מחדל, מכיוון שהמערכת תאתחל מערכות הפעלה חלופיות של אנדרואיד כגון (כגון /e/) [ללא כל אזהרה](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) לגבי שימוש מותאם אישית במערכת ההפעלה. + +## עדכוני קושחה + +עדכוני קושחה הם קריטיים לשמירה על האבטחה ובלעדיהם המכשיר שלך לא יכול להיות מאובטח. ליצרני ציוד מקורי יש הסכמי תמיכה עם השותפים שלהם כדי לספק את רכיבי הקוד הסגור לתקופת תמיכה מוגבלת. אלה מפורטים ב[עלוני האבטחה של אנדרואיד](https://source.android.com/security/bulletin) החודשיים. + +מכיוון שרכיבי הטלפון, כגון טכנולוגיות המעבד והרדיו, מסתמכים על רכיבי קוד סגור, העדכונים חייבים להיות מסופקים על ידי היצרנים המתאימים. לכן, חשוב שתרכוש מכשיר בתוך מחזור תמיכה פעיל. [קוואלקום](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) ו[סמסונג](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) תומכות במכשירים שלהן במשך 4 שנים, בעוד שלמוצרים זולים יותר יש לרוב מחזורי תמיכה קצרים יותר. עם ההשקה של [פיקסל 6](https://support.google.com/pixelphone/answer/4457705), גוגל מייצרת כעת את ה-SoC שלהם והם יספקו לפחות 5 שנים של תמיכה. + +מכשירי EOL שאינם נתמכים עוד על ידי יצרן ה-SoC אינם יכולים לקבל עדכוני קושחה מספקי OEM או מפיצי אנדרואיד לאחר השוק. משמעות הדבר היא שבעיות אבטחה במכשירים אלה יישארו ללא תיקון. + +Fairphone, למשל, משווקת את המכשירים שלהם כמקבלים 6 שנות תמיכה. עם זאת, ל-SoC (Qualcomm Snapdragon 750G ב-Fairphone 4) יש תאריך EOL קצר בהרבה. המשמעות היא שעדכוני אבטחת קושחה מ-Qualcomm עבור Fairphone 4 יסתיימו בספטמבר 2023, ללא קשר לשאלה אם Fairphone תמשיך לשחרר עדכוני אבטחה תוכנה. + +## גרסאות אנדרואיד + +חשוב לא להשתמש בגרסת [סוף החיים](https://endoflife.date/android) של אנדרואיד. גרסאות חדשות יותר של אנדרואיד לא רק מקבלות עדכוני אבטחה עבור מערכת ההפעלה אלא גם עדכונים חשובים לשיפור הפרטיות. לדוגמה, [לפני אנדרואיד 10](https://developer.android.com/about/versions/10/privacy/changes), כל אפליקציה עם הרשאת [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) יכלו לגשת למספרים סידוריים רגישים וייחודיים של הטלפון שלך כגון [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), כרטיס ה-SIM שלך [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), בעוד שכעת הם חייבים להיות אפליקציות מערכת כדי לעשות זאת. אפליקציות מערכת מסופקות רק על ידי הפצת OEM או אנדרואיד. + +## הרשאות אנדרואיד + +[הרשאות ב-אנדרואיד](https://developer.android.com/guide/topics/permissions/overview) מעניקות לך שליטה על האפליקציות המורשות לגשת. גוגל מבצעת בקביעות [שיפורים](https://developer.android.com/about/versions/11/privacy/permissions) במערכת ההרשאות בכל גרסה עוקבת. כל האפליקציות שאתה מתקין הן אך ורק [ארגז חול](https://source.android.com/security/app-sandbox), לכן, אין צורך להתקין אפליקציות אנטי וירוס. + +סמארטפון עם הגרסה העדכנית ביותר של אנדרואיד תמיד יהיה מאובטח יותר מסמארטפון ישן עם אנטי וירוס ששילמת עליו. עדיף לא לשלם על תוכנת אנטי וירוס ולחסוך כסף בקניית סמארטפון חדש כמו גוגל פיקסל. + +אנדרואיד 10: + +- [אחסון בהיקף](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) נותן לך שליטה רבה יותר על הקבצים שלך ויכול להגביל את מה שיכול [לגשת לאחסון חיצוני](https://developer.android.com/training/data-storage#permissions). לאפליקציות יכולות להיות ספרייה ספציפית באחסון חיצוני וכן יכולת לאחסן שם סוגים ספציפיים של מדיה. +- גישה הדוקה יותר ב[מיקום המכשיר](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) על ידי הצגת ההרשאה `ACCESS_BACKGROUND_LOCATION `. זה מונע מאפליקציות לגשת למיקום כשהן פועלות ברקע ללא אישור מפורש מהמשתמש. + +אנדרואיד 11: + +- [הרשאות חד פעמיות](https://developer.android.com/about/versions/11/privacy/permissions#one-time) מאפשרות לך להעניק הרשאה לאפליקציה פעם אחת בלבד. +- [הרשאות איפוס אוטומטי](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), המאפס [הרשאות זמן ריצה](https://developer.android.com/guide/topics/permissions/overview#runtime) שניתנו בעת פתיחת האפליקציה. +- הרשאות מפורטות לגישה לתכונות הקשורות ל[מספרי טלפון](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers). + +אנדרואיד 12: + +- הרשאה להעניק רק את ה[מיקום המשוער](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- איפוס אוטומטי של [אפליקציות במצב שינה](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [ביקורת גישה לנתונים](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) שמקלה לקבוע איזה חלק באפליקציה מבצע סוג מסוים של גישה לנתונים. + +אנדרואיד 13: + +- הרשאה ל[גישה לאינטרנט אלחוטי בקרבת מקום](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). כתובות ה-MAC של נקודות גישה אלחוטיות סמוכות היו דרך פופולרית עבור אפליקציות לעקוב אחר מיקומו של משתמש. +- [הרשאות מדיה מפורטות](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions) יותר, כלומר אתה יכול להעניק גישה לתמונות, סרטונים או קבצי אודיו בלבד. +- שימוש ברקע בחיישנים מחייב כעת את הרשאת [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission). + +אפליקציה עשויה לבקש הרשאה עבור תכונה ספציפית שיש לה. לדוגמה, כל אפליקציה שיכולה לסרוק קודי QR תדרוש את אישור המצלמה. אפליקציות מסוימות יכולות לבקש יותר הרשאות ממה שהן צריכות. + +[Exodus](https://exodus-privacy.eu.org/) יכול להיות שימושי כאשר משווים אפליקציות שיש להן מטרות דומות. אם אפליקציה דורשת הרבה הרשאות ויש לה הרבה פרסום וניתוח זה כנראה סימן רע. אנו ממליצים להסתכל על העוקבים הבודדים ולקרוא את התיאורים שלהם במקום פשוט **לספור את הסכום הכולל** ולהנחה שכל הפריטים הרשומים שווים. + +!!! warning "אזהרה" + + אם אפליקציה היא ברובה שירות מבוסס אינטרנט, המעקב עשוי להתרחש בצד השרת. [פייסבוק](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) מציג "ללא עוקבים" אבל בהחלט עוקב אחר תחומי העניין וההתנהגות של המשתמשים ברחבי האתר. אפליקציות עשויות להתחמק מזיהוי על ידי אי שימוש בספריות קוד סטנדרטיות המיוצרות על ידי תעשיית הפרסום, אם כי זה לא סביר. + +!!! note "הערה" + + אפליקציות ידידותיות לפרטיות כגון [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) עשויות להציג עוקבים מסוימים כגון [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). ספרייה זו כוללת את [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) שיכולה לספק [הודעות דחיפה](https://en.wikipedia.org/wiki/Push_technology) באפליקציות. זה [המקרה](https://fosstodon.org/@bitwarden/109636825700482007) עם Bitwarden. זה לא אומר ש-Bitwarden משתמש בכל תכונות הניתוח שמסופקות על ידי Google Firebase Analytics. + +## גישה למדיה + +לא מעט אפליקציות מאפשרות "לחלוק" איתם קובץ להעלאת מדיה. אם אתה רוצה, למשל, לצייץ תמונה לטוויטר, אל תעניק לטוויטר גישה ל"מדיה ותמונות" שלך, כי אז תהיה לה גישה לכל התמונות שלך. במקום זאת, עבור אל מנהל הקבצים שלך (documentsUI), שמור את התמונה ולאחר מכן שתף אותה עם טוויטר. + +## פרופילי משתמשים + +ניתן למצוא פרופילי משתמש מרובים ב**הגדרות** ← **מערכת** ← **משתמש מרובים** והם הדרך הפשוטה ביותר לבודד באנדרואיד. + +עם פרופילי משתמש, אתה יכול להטיל הגבלות על פרופיל ספציפי, כגון: ביצוע שיחות, שימוש ב-SMS או התקנת אפליקציות במכשיר. כל פרופיל מוצפן באמצעות מפתח הצפנה משלו ואינו יכול לגשת לנתונים של אף פרופיל אחר. אפילו בעל המכשיר לא יכול לראות את הנתונים של פרופילים אחרים מבלי לדעת את הסיסמה שלהם. פרופילי משתמשים מרובים הם שיטה בטוחה יותר לבידוד. + +## פרופיל עבודה + +[פרופילי עבודה](https://support.google.com/work/android/answer/6191949) הם דרך נוספת לבודד אפליקציות בודדות ועשויה להיות נוחה יותר מפרופילי משתמשים נפרדים. + +נדרשת אפליקציית **בקר מכשיר** כגון [Shelter](#recommended-apps) כדי ליצור פרופיל עבודה ללא MDM ארגוני, אלא אם אתה משתמש במערכת הפעלה אנדרואיד מותאמת אישית הכוללת אחת. + +פרופיל העבודה תלוי בבקר התקן כדי לתפקד. תכונות כגון *מעבורת קבצים* ו*חסימת חיפוש אנשי קשר* או כל סוג של תכונות בידוד חייבות להיות מיושמות על ידי הבקר. עליך גם לסמוך באופן מלא על אפליקציית בקר המכשיר, מכיוון שיש לה גישה מלאה לנתונים שלך בתוך פרופיל העבודה. + +שיטה זו בדרך כלל פחות מאובטחת מפרופיל משתמש משני; עם זאת, זה כן מאפשר לך את הנוחות של הפעלת אפליקציות בפרופיל העבודה וגם בפרופיל האישי בו-זמנית. + +## מתג הרג VPN + +אנדרואיד 7 ומעלה תומך ב-VPN Killswitch והוא זמין ללא צורך בהתקנת אפליקציות של צד שלישי. תכונה זו יכולה למנוע דליפות אם ה-VPN מנותק. ניתן למצוא אותו ב:gear: **הגדרות** ← **רשת & אינטרנט** ← **VPN** ← :gear: ← **חסום חיבורים ללא VPN**. + +## בוררים גלובליים + +למכשירי אנדרואיד מודרניים יש בוררים גלובליים לביטול Bluetooth ושירותי מיקום. אנדרואיד 12 הציגה מתגים למצלמה ולמיקרופון. כאשר אינו בשימוש, אנו ממליצים להשבית את התכונות הללו. אפליקציות לא יכולות להשתמש בתכונות מושבתות (גם אם ניתנה הרשאה אישית) עד להפעלה מחדש. + +## גוגל + +אם אתה משתמש במכשיר עם שירותי Google, בין אם מערכת ההפעלה ברירת מחדל שלך או מערכת הפעלה המארחת בבטחה את שירותי Google Play כמו GrapheneOS, ישנם מספר שינויים נוספים שתוכל לבצע כדי לשפר את הפרטיות שלך. אנו עדיין ממליצים להימנע לחלוטין משירותי Google, או להגביל את שירותי Google Play לפרופיל משתמש/עבודה ספציפי על ידי שילוב של בקר מכשיר כמו *Shelter* עם Google Play Sandboxed של GrapheneOS. + +### תוכנית הגנה מתקדמת + +אם יש לך חשבון Google, אנו מציעים להירשם ל[תוכנית ההגנה המתקדמת](https://landing.google.com/advancedprotection/). הוא זמין ללא עלות לכל מי שיש לו שני מפתחות אבטחה חומרה או יותר עם תמיכה ב-[FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). + +תוכנית ההגנה המתקדמת מספקת ניטור איומים משופר ומאפשרת: + +- אימות דו-גורמי מחמיר יותר; למשל שחייבים להשתמש ב-[FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **** ואוסר את השימוש ב- [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) ו [OAuth](https://en.wikipedia.org/wiki/OAuth) +- רק גוגל ואפליקציות צד שלישי מאומתות יכולות לגשת לנתוני החשבון +- סריקה של הודעות אימייל נכנסות בחשבונות Gmail עבור ניסיונות [דיוג](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- [סריקת דפדפן בטוחה](https://www.google.com/chrome/privacy/whitepaper.html#malware) מחמירה יותר עם Google Chrome +- תהליך שחזור מחמיר עבור חשבונות עם אישורים שאבדו + + אם אתה משתמש בשירותי Google Play שאינם בארגז חול (נפוצים במערכות הפעלה במלאי), תוכנית ההגנה המתקדמת מגיעה גם עם [הטבות נוספות](https://support.google.com/accounts/answer/9764949?hl=en) כגון: + +- לא מאפשר התקנת אפליקציה מחוץ לחנות Google Play, לחנות האפליקציות של ספק מערכת ההפעלה או דרך [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- סריקת מכשיר אוטומטי חובה עם [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- מזהיר אותך לגבי יישומים לא מאומתים + +### עדכוני מערכת Google Play + +בעבר, עדכוני אבטחה אנדרואיד היו צריכים להישלח על ידי ספק מערכת ההפעלה. אנדרואיד הפכה מודולרית יותר החל מאנדרואיד 10, וגוגל יכולה לדחוף עדכוני אבטחה עבור **חלק** רכיבי מערכת באמצעות שירותי Play המועדפים. + +אם יש לך מכשיר EOL שנשלח עם אנדרואיד 10 ומעלה ואינך יכול להריץ אף אחת ממערכות ההפעלה המומלצות שלנו במכשיר שלך, סביר להניח שעדיף לך להישאר עם התקנת האנדרואיד של היצרן ציוד המקורי (בניגוד למערכת הפעלה שאינה מופיעה ברשימה כאן כגון LineageOS או /e/ OS). זה יאפשר לך לקבל **כמה** תיקוני אבטחה מגוגל, מבלי להפר את מודל האבטחה של אנדרואיד על ידי שימוש בנגזרת אנדרואיד לא מאובטחת והגדלת משטח ההתקפה שלך. אנו עדיין ממליצים לשדרג למכשיר נתמך בהקדם האפשרי. + +### מזהה פרסום + +כל המכשירים עם שירותי Google Play מותקנים באופן אוטומטי מייצרים [מזהה פרסום](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) המשמש לפרסום ממוקד. השבת תכונה זו כדי להגביל את הנתונים שנאספו עליך. + +בהפצות אנדרואיד עם [Google Play בארגז חול](https://grapheneos.org/usage#sandboxed-google-play), עבור אל :gear: **הגדרות** ← **אפליקציות** ← **Google Play בארגז חול** ← **הגדרות גוגל** ← **מודעות**, ותבחר *מחק מזהה פרסום*. + +בהפצות אנדרואיד עם שירותי Google Play מורשים (כגון מערכת הפעלה ברירת מחדל), ההגדרה עשויה להיות באחד מכמה מיקומים. בדיקה + +- :gear: **הגדרות** ← **גוגל** ← **מודעות** +- :gear: **הגדרות** ← **פרטיות** ← **מודעות** + +תינתן לך האפשרות למחוק את מזהה הפרסום שלך או *לבטל את הסכמתך למודעות מבוססות עניין*, זה משתנה בין הפצות OEM של אנדרואיד. אם מוצגת האפשרות למחוק את מזהה הפרסום המועדף. אם לא, הקפד לבטל את הסכמתך ולאפס את מזהה הפרסום שלך. + +### SafetyNet ו-Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) וה[ממשק API של Play Integrity](https://developer.android.com/google/play/integrity) משמשים בדרך כלל עבור [אפליקציות בנקאיות](https://grapheneos.org/usage#banking-apps). אפליקציות בנקאות רבות יעבדו מצוין ב-GrapheneOS עם שירותי Play בארגז חול, אולם לחלק מהאפליקציות הלא פיננסיות יש מנגנוני אנטי-שיבוש גולמיים משלהם שעלולים להיכשל. GrapheneOS עובר את בדיקת `basicIntegrity`, אך לא את בדיקת האישור `ctsProfileMatch`. למכשירים עם אנדרואיד 8 ואילך יש תמיכה באישורי חומרה שלא ניתן לעקוף ללא מפתחות דלופים או פגיעויות חמורות. + +לגבי ארנק Google, אנו לא ממליצים על כך בשל [ מדיניות הפרטיות שלהם](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), הקובעת שעליך לבטל את הסכמתך אם אינך רוצה שדירוג האשראי והמידע האישי שלך ישותפו עם שירותי שיווק שותפים. diff --git a/i18n/he/os/linux-overview.md b/i18n/he/os/linux-overview.md new file mode 100644 index 00000000..e0c1ab9d --- /dev/null +++ b/i18n/he/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: סקירה כללית של לינוקס +icon: simple/linux +description: לינוקס היא חלופה למערכת הפעלה שולחנית ממוקדת פרטיות בקוד פתוח, אך לא כל ההפצות נוצרות שווה. +--- + +לעתים קרובות מאמינים שתוכנת [קוד פתוח](https://en.wikipedia.org/wiki/Open-source_software) מאובטחת מטבעה מכיוון שקוד המקור זמין. קיימת ציפייה שאימות קהילה מתרחש באופן קבוע; עם זאת, זה לא תמיד [המקרה](https://seirdy.one/posts/2022/02/02/floss-security/). זה אכן תלוי במספר גורמים, כגון פעילות הפרויקט, חוויית מפתח, רמת הקפדה על [ביקורות קוד](https://en.wikipedia.org/wiki/Code_review), וכן באיזו תדירות ניתנת תשומת לב לחלקים ספציפיים של [בסיס הקוד](https://en.wikipedia.org/wiki/Codebase) שעלולים להישאר ללא נגיעה במשך שנים. + +נכון לעכשיו, ללינוקס שולחני יש כמה תחומים שניתן לשפר טוב יותר בהשוואה לעמיתיהם הקנייניים, למשל.: + +- שרשרת אתחול מאומתת, כמו [אתחול מאובטח](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) של אפל (עם [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)),של אנדרואיד [אתחול מאומת](https://source.android.com/security/verifiedboot), ChromeOS' [אתחול מאומת](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), או Microsoft Windows’s [תהליך האתחול](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) עם [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). תכונות וטכנולוגיות חומרה אלו יכולות לעזור למנוע התעסקות מתמשכת על ידי תוכנות זדוניות או [התקפות עוזרות מרושעות](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- פתרון ארגזי חול חזק כמו זה שנמצא ב- [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), ו- [אנדרואיד](https://source.android.com/security/app-sandbox). פתרונות ארגז חול נפוצים של לינוקס כגון [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) ו- [Firejail](https://firejail.wordpress.com/) עדיין יש דרך ארוכה לפניו +- חזק [ניצול ההקלות](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +למרות החסרונות הללו, הפצות לינוקס לשולחן העבודה הן נהדרות אם אתה רוצה: + +- הימנע מטלמטריה שמגיעה לרוב עם מערכות הפעלה קנייניות +- לשמור על [חופש תוכנה](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- יש מערכות ממוקדות פרטיות כגון [Whonix](https://www.whonix.org) או [Tails](https://tails.boum.org/) + +האתר שלנו משתמש בדרך כלל במונח "לינוקס" כדי לתאר הפצות לינוקס לשולחן העבודה. מערכות הפעלה אחרות המשתמשות גם בליבת לינוקס כמו ChromeOS, אנדרואיד ו-Qubes OS אינן נדונות כאן. + +[המלצות לינוקס שלנו :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## בחירת ההפצה שלך + +לא כל ההפצות של לינוקס נוצרו שוות. בעוד שדף ההמלצות שלנו ללינוקס לא נועד להיות מקור סמכותי לגבי ההפצה שבה אתה צריך להשתמש, יש כמה דברים שאתה צריך לזכור כאשר אתה בוחר באיזו הפצה להשתמש. + +### מחזור שחרור + +אנו ממליצים בחום לבחור בהפצות שנשארות קרובות למהדורות התוכנה היציבות במעלה הזרם, המכונה לעתים קרובות הפצות מהדורות מתגלגלות. הסיבה לכך היא שהפצות מחזור שחרור קפוא לרוב אינן מעדכנות גרסאות חבילה ונגררות לפי עדכוני אבטחה. + +עבור הפצות קפואות כגון [Debian](https://www.debian.org/security/faq#handling), מתחזקים חבילות צפויים לבצע אחורה תיקונים כדי לתקן נקודות תורפה במקום להקפיץ את התוכנה ל- "הגרסה הבאה" שפורסמה על ידי המפתח במעלה הזרם. חלק מתיקוני האבטחה [אינם](https://arxiv.org/abs/2105.14565) מקבלים [CVE ](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (במיוחד תוכנה פחות פופולרית) בכלל ולכן אל תכנסו להפצה עם מודל התיקון הזה. כתוצאה מכך תיקוני אבטחה קלים מתעכבים לפעמים עד לגרסה הגדולה הבאה. + +אנחנו לא מאמינים שהחזקת חבילות והחלת תיקוני ביניים הם רעיון טוב, מכיוון שהוא שונה מהדרך שבה המפתח התכוון שהתוכנה תעבוד. ל [Richard Brown](https://rootco.de/aboutme/) יש מצגת על נושא זה: + +
+ +
+ +### עדכונים מסורתיים לעומת עדכונים אטומיים + +באופן מסורתי, הפצות לינוקס מתעדכנות על ידי עדכון רציף של החבילות הרצויות. עדכונים מסורתיים כמו אלה המשמשים בהפצות מבוססות פדורה, Arch Linux ודביאן יכולים להיות פחות אמינים אם מתרחשת שגיאה בזמן העדכון. + +הפצות עדכון אטומי מיישמות עדכונים במלואם או לא בכלל. בדרך כלל, מערכות עדכון עסקאות הן גם אטומיות. + +מערכת עדכון עסקה יוצרת תמונת מצב שנעשתה לפני ואחרי החלת עדכון. אם עדכון נכשל בכל עת (אולי בגלל הפסקת חשמל), ניתן להחזיר את העדכון בקלות ל"מצב התקין האחרון הידוע." + +שיטת העדכון Atomic משמשת להפצות בלתי ניתנות לשינוי כמו Silverblue, Tumbleweed ו-NixOS ויכולה להשיג אמינות עם מודל זה. [Adam Šamalík](https://twitter.com/adsamalik) סיפק מצגת על האופן שבו `rpm-ostree` עובד עם Silverblue: + +
+ +
+ +### הפצות "ממוקדות אבטחה" + +לעתים קרובות קיים בלבול מסוים בין הפצות "ממוקדות אבטחה" והפצות "לבדיקת חדירות". חיפוש מהיר של "הפצת לינוקס המאובטחת ביותר" יביא לרוב תוצאות כמו Kali Linux, Black Arch ו- Parrot OS. הפצות אלו הן הפצות בדיקות חדירה פוגעניות המאגדות כלים לבדיקת מערכות אחרות. הם אינם כוללים "אבטחה נוספת" או הקלות הגנתיות המיועדות לשימוש קבוע. + +### הפצות מבוססות Arch + +הפצות מבוססות Arch אינן מומלצות לחדשים ב-Linux, (ללא קשר להפצה) מכיוון שהן דורשות [תחזוקת מערכת](https://wiki.archlinux.org/title/System_maintenance) רגילה. ל- Arch אין מנגנון עדכון הפצה עבור אפשרויות התוכנה הבסיסיות. כתוצאה מכך, עליך להישאר מודע למגמות הנוכחיות ולאמץ טכנולוגיות מכיוון שהן מחליפות שיטות ישנות בעצמך. + +עבור מערכת מאובטחת, מצפים ממך גם שיהיה לך מספיק ידע בלינוקס כדי להגדיר כראוי אבטחה עבור המערכת שלהם, כגון אימוץ מערכת [בקרת כניסה חובה](https://en.wikipedia.org/wiki/Mandatory_access_control), הגדרת רשימות שחורות של [מודול ליבה](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) רשימות שחורות, הקשחת פרמטרי אתחול, מניפולציה של [סיסקטל](https://en.wikipedia.org/wiki/Sysctl) פרמטרים, ולדעת אילו רכיבים הם צריכים כמו [Polkit](https://en.wikipedia.org/wiki/Polkit). + +כל מי שמשתמש ב[Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **חייב** להיות נוח בביקורת PKGBUILDs שהם מתקינים משירות זה. חבילות AUR הן תוכן המיוצר בקהילה ואינן נבדקות בשום צורה, ולכן הן פגיעות להתקפות שרשרת אספקת תוכנה, [מה שקרה למעשה](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). יש להשתמש תמיד במשורה ב-AUR ולעיתים קרובות יש הרבה עצות רעות בדפים שונים שמפנים אנשים להשתמש באופן עיוור ב [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) ללא אזהרה מספקת. אזהרות דומות חלות על שימוש בארכיון חבילות אישיות של צד שלישי (PPA) בהפצות מבוססות דביאן או בפרויקטים קהילתיים (COPR) בפדורה. + +אם אתה מנוסה עם לינוקס וברצונך להשתמש בהפצה מבוססת Arch, אנו ממליצים רק על Arch Linux הראשי, לא על אף אחת מהנגזרות שלו. אנו ממליצים נגד שתי נגזרות Arch אלה באופן ספציפי: + +- **Manjaro**: הפצה זו מעכבת חבילות למשך שבועיים כדי לוודא שהשינויים שלהן לא יישברו, לא כדי לוודא שהמעלה הזרם יציב. כאשר נעשה שימוש בחבילות AUR, הן בנויות לרוב על פי [ספריות](https://en.wikipedia.org/wiki/Library_(computing)) העדכניות ביותר מהמאגרים של Arch. +- **Garuda**: הם משתמשים ב[Chaotic-AUR](https://aur.chaotic.cx/) אשר מרכיב באופן אוטומטי ועיוור חבילות מה- AUR. אין תהליך אימות כדי לוודא שחבילות AUR אינן סובלות מהתקפות שרשרת האספקה. + +### Kicksecure + +למרות שאנו ממליצים בחום לא להשתמש בהפצות מיושנות כמו דביאן, יש מערכת הפעלה מבוססת דביאן שהוקשה להיות בטוחה הרבה יותר מהפצות לינוקס טיפוסיות: [Kicksecure ](https://www.kicksecure.com/). Kicksecure, במונחים פשוטים מדי, היא קבוצה של סקריפטים, תצורות וחבילות שמצמצמות באופן משמעותי את משטח ההתקפה של דביאן. זה מכסה הרבה המלצות לפרטיות והקשחה כברירת מחדל. + +### הפצות ליבה של לינוקס ו-"Libre" + +אנו ממליצים בחום **נגד** להשתמש בליבת Linux-libre, שכן היא [מסירה הגבלות אבטחה](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) ו[מדכא אזהרות ליבה](https://news.ycombinator.com/item?id=29674846) על מיקרוקוד פגיע מסיבות אידיאולוגיות. + +## המלצות כלליות + +### הצפנת כונן + +לרוב ההפצות של לינוקס יש אפשרות בתוך תוכנית ההתקנה שלה להפעלת [LUKS](../encryption.md#linux-unified-key-setup) FDE. אם אפשרות זו לא מוגדרת בזמן ההתקנה, תצטרך לגבות את הנתונים שלך ולהתקין מחדש, מכיוון שההצפנה מוחלת לאחר [חלוקת דיסקים ](https://en.wikipedia.org/wiki/Disk_partitioning), אבל לפני ש[מערכות הקבצים](https://en.wikipedia.org/wiki/File_system) מתעצבות. אנו מציעים גם למחוק בצורה מאובטחת את מכשיר האחסון שלך: + +- [מחיקת נתונים מאובטחת :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### החלף + +שקול להשתמש ב-[ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) או [החלפה מוצפנת](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) במקום החלפה לא מוצפנת כדי למנוע בעיות אבטחה פוטנציאליות עם דחיפה של נתונים רגישים ל[מרחב החלפה](https://en.wikipedia.org/wiki/Memory_paging). הפצות מבוססות פדורה [משתמשות ב-ZRAM כברירת מחדל](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +אנו ממליצים להשתמש בסביבת שולחן עבודה התומכת בפרוטוקול התצוגה [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) כפי שפותח [תוך מחשבה](https://lwn.net/Articles/589147/) על אבטחה. קודמו, [X11](https://en.wikipedia.org/wiki/X_Window_System), אינו תומך בבידוד GUI, מה שמאפשר לכל החלונות [רשום מסך, רישום והכנס קלט בחלונות אחרים](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), מה שהופך כל ניסיון לארגז חול לחסר תועלת. אמנם יש אפשרויות לעשות X11 מקונן כגון [Xpra](https://en.wikipedia.org/wiki/Xpra) או [Xephyr](https://en.wikipedia.org/wiki/Xephyr), לעתים קרובות הם מגיעים עם השלכות ביצועים שליליות ואינם נוחים להגדרה ואינם עדיפים על פני Wayland. + +למרבה המזל, סביבות נפוצות כגון [GNOME](https://www.gnome.org), [KDE](https://kde.org) וה- למנהל החלונות [Sway](https://swaywm.org) יש תמיכה ב-Wayland. חלק מההפצות כמו Fedora ו- Tumbleweed משתמשות בו כברירת מחדל, וחלק אחרות עשויות לעשות זאת בעתיד מכיוון ש-X11 נמצא ב[מצב תחזוקה קשה](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). אם אתה משתמש באחת מהסביבות האלה זה קל כמו לבחור את הפגישה "Wayland" במנהל התצוגה של שולחן העבודה ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +אנו ממליצים **נגד** להשתמש בסביבות שולחן עבודה או במנהלי חלונות שאין להם תמיכה ב-Wayland, כגון Cinnamon (ברירת מחדל ב-Linux Mint), Pantheon (ברירת מחדל במערכת ההפעלה היסודית), MATE, Xfce, ו-i3. + +### קושחה קניינית (עדכוני מיקרוקוד) + +הפצות לינוקס כגון אלו שהן [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) או DIY (Arch Linux) אינן מגיעות עם עדכוני [microcode](https://en.wikipedia.org/wiki/Microcode) שלעתים קרובות מתקנים נקודות תורפה. כמה דוגמאות בולטות לפגיעויות אלה כוללות [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), ועוד [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +אנו **ממליצים בחום** להתקין את עדכוני המיקרוקוד, מכיוון שהמעבד שלך כבר מריץ את המיקרוקוד הקנייני מהמפעל. לפדורה ול-openSUSE יש את עדכוני המיקרוקוד כברירת מחדל. + +### עדכונים + +רוב ההפצות של לינוקס יתקינו עדכונים אוטומטית או יזכירו לך לעשות זאת. חשוב לשמור על מערכת ההפעלה שלך מעודכנת כדי שהתוכנה שלך תתוקן כאשר מתגלה פגיעות. + +חלק מההפצות (במיוחד אלו המיועדות למשתמשים מתקדמים) הן יותר חשופות ומצפות ממך לעשות דברים בעצמך (למשל Arch או Debian). אלה ידרשו להפעיל את "מנהל החבילות" (`apt`, `pacman`, `dnf` וכו') באופן ידני על מנת לקבל עדכוני אבטחה חשובים. + +בנוסף, הפצות מסוימות לא יוריד עדכוני קושחה באופן אוטומטי. לשם כך תצטרך להתקין את [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## תיקוני פרטיות + +### כתובת MAC אקראית + +הפצות רבות של לינוקס לשולחן העבודה (Fedora, openSUSE וכו') יגיעו עם [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), כדי להגדיר הגדרות Ethernet ו-Wi-Fi. + +אפשר [לבצע באקראי](https://fedoramagazine.org/randomize-mac-address-nm/) את [כתובת MAC](https://en.wikipedia.org/wiki/MAC_address) בעת שימוש ב-NetworkManager. זה מספק קצת יותר פרטיות ברשתות Wi-Fi מכיוון שהוא מקשה על מעקב אחר מכשירים ספציפיים ברשת שאליה אתה מחובר. זה [**לא**](https://papers.mathyvanhoef.com/wisec2016.pdf) הופך אותך לאנונימי. + +אנו ממליצים לשנות את ההגדרה ל-**אקראי** במקום** יציב**, כפי שהוצע ב[מאמר](https://fedoramagazine.org/randomize-mac-address-nm/). + +אם אתה משתמש ב [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), יהיה עליך להגדיר [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) אשר יאפשר [RFC 7844 (פרופילי אנונימיות עבור לקוחות DHCP)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +אין הרבה נקודות בביצוע אקראי של כתובת ה-MAC עבור חיבורי Ethernet, שכן מנהל מערכת יכול למצוא אותך על ידי התבוננות ביציאה שבה אתה משתמש ב-[מתג רשת](https://en.wikipedia.org/wiki/Network_switch). הקצאה אקראית של כתובות Wi-Fi MAC תלויה בתמיכה מהקושחה של ה-Wi-Fi. + +### מזהים אחרים + +ישנם מזהי מערכת נוספים שתרצו להיזהר מהם. עליך להקדיש לכך מחשבה כדי לראות אם הוא חל על [מצב האיום ](../basics/threat-modeling.md)שלך: + +- **שמות מארח:** שם המארח של המערכת שלך משותף עם הרשתות שאליהן אתה מתחבר. עליך להימנע מלכלול מונחים מזהים כמו השם או מערכת ההפעלה שלך בשם המארח שלך, במקום להיצמד למונחים גנריים או מחרוזות אקראיות. +- **שמות משתמש:** באופן דומה, שם המשתמש שלך משמש במגוון דרכים במערכת שלך. שקול להשתמש במונחים גנריים כמו "משתמש" ולא בשמך האמיתי. +- **מזהה מכונה:** במהלך ההתקנה נוצר מזהה מכונה ייחודי ומאוחסן במכשיר שלך. שקול [להגדיר אותו למזהה גנרי](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### ספירת מערכת + +פרויקט Fedora [סופר](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) כמה מערכות ייחודיות ניגשים למראות שלו באמצעות [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) משתנה במקום מזהה ייחודי. פדורה עושה זאת כדי לקבוע עומס והספקת שרתים טובים יותר עבור עדכונים במידת הצורך. + +[אפשרות](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) זו כבויה כעת כברירת מחדל. אנו ממליצים להוסיף את `countme=false` ל-`/etc/dnf/dnf.conf` למקרה שהוא יופעל בעתיד. במערכות המשתמשות ב-`rpm-ostree` כגון Silverblue, אפשרות ה-countme מושבתת על ידי מיסוך של [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) טיימר. + +openSUSE משתמשת גם ב[מזהה ייחודי](https://en.opensuse.org/openSUSE:Statistics) כדי לספור מערכות, אותן ניתן להשבית על ידי מחיקת הקובץ `/var/lib/zypp/AnonymousUniqueId`. diff --git a/i18n/he/os/qubes-overview.md b/i18n/he/os/qubes-overview.md new file mode 100644 index 00000000..9b681a6f --- /dev/null +++ b/i18n/he/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "סקירה כללית של Qubes" +icon: simple/qubesos +description: Qubes היא מערכת הפעלה הבנויה סביב בידוד אפליקציות בתוך מכונות וירטואליות לאבטחה מוגברת. +--- + +[**Qubes OS**](../desktop.md#qubes-os) היא מערכת הפעלה המשתמשת ב [Xen](https://en.wikipedia.org/wiki/Xen) היפרוויזר לספק אבטחה חזקה עבור מחשוב שולחני באמצעות מכונות וירטואליות מבודדות. כל VM נקרא *Qube* ואתה יכול להקצות לכל Qube רמת אמון על סמך מטרתו. מכיוון שמערכת ההפעלה Qubes מספקת אבטחה על ידי שימוש בבידוד, ומתירה רק פעולות על בסיס כל מקרה, זה ההפך מ[ספירת רעות](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## איך עובדת מערכת ההפעלה של Qubes? + +Qubes משתמשת ב[מידור](https://www.qubes-os.org/intro/) כדי לשמור על אבטחת המערכת. Qubes נוצרים מתבניות, ברירת המחדל היא עבור Fedora, Debian ו-[Whonix](../desktop.md#whonix). מערכת ההפעלה Qubes מאפשרת לך גם ליצור מכונות וירטואליות לשימוש [חד פעמי](https://www.qubes-os.org/doc/how-to-use-disposables/). + +![ארכיטקטורת Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
ארכיטקטורת Qubes, קרדיט: מהי הקדמה למערכת ההפעלה של Qubes
+ +לכל אפליקציה של Qubes יש [גבול צבעוני](https://www.qubes-os.org/screenshots/) שיכול לעזור לך לעקוב אחר המכונה הוירטואלית שבה היא פועלת. אתה יכול, למשל, להשתמש בצבע ספציפי עבור הדפדפן הבנקאי שלך, תוך שימוש בצבע אחר עבור דפדפן כללי שאינו מהימן. + +![גבול צבוע](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
גבולות החלונות של Qubes, קרדיט: צילומי מסך של Qubes
+ +## מדוע עלי להשתמש ב-Qubes? + +מערכת ההפעלה של Qubes שימושית אם [מודל האיום](../basics/threat-modeling.md) שלך דורש מידור ואבטחה חזקות, כגון אם אתה חושב שתפתח קבצים לא מהימנים ממקורות לא מהימנים. סיבה טיפוסית לשימוש ב-Qubes OS היא פתיחת מסמכים ממקורות לא ידועים. + +מערכת ההפעלה Qubes משתמשת ב-[Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (כלומר, "AdminVM") לשליטה ב-VM אורחים או Qubes אחרים במערכת ההפעלה המארח. VMs אחרים מציגים חלונות יישומים בודדים בתוך סביבת שולחן העבודה של Dom0. זה מאפשר לך לצבוע חלונות על סמך רמות אמון ולהפעיל יישומים שיכולים לקיים אינטראקציה זה עם זה עם שליטה פרטנית מאוד. + +### העתקה והדבקה של טקסט + +אתה יכול [להעתיק ולהדביק טקסט](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) באמצעות `qvm-copy -to-vm` או ההוראות שלהלן: + +1. הקש על **Ctrl+C** כדי לומר ל-VM שאתה נמצא בו שאתה רוצה להעתיק משהו. +2. הקש על **Ctrl+Shift+C** כדי לומר ל-VM להפוך את המאגר הזה לזמין ללוח הגלובלי. +3. הקש על **Ctrl+Shift+V** ב-VM היעד כדי להפוך את הלוח הגלובלי לזמין. +4. הקש על **Ctrl+V** ב-VM היעד כדי להדביק את התוכן במאגר. + +### החלפת קבצים + +כדי להעתיק ולהדביק קבצים וספריות (תיקיות) מ-VM אחד לאחר, אתה יכול להשתמש באפשרות **העתק ל-AppVM אחר...** או **עבור ל-AppVM אחר...**. ההבדל הוא שהאפשרות ה**העבר** תמחק את הקובץ המקורי. כל אחת מהאפשרויות תגן על הלוח שלך מפני דליפה לכל Qubes אחר. זה מאובטח יותר מהעברת קבצים עם רווח אוויר מכיוון שמחשב עם רווח אוויר עדיין ייאלץ לנתח מחיצות או מערכות קבצים. זה לא נדרש עם מערכת ההעתקה inter-qube. + +??? info "ל-AppVMs או qubes אין מערכות קבצים משלהם" + + אתה יכול [להעתיק ולהעביר קבצים](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) בין Qubes. כאשר עושים זאת השינויים לא מתבצעים באופן מיידי וניתן לבטל אותם בקלות במקרה של תאונה. + +### אינטראקציות בין-VM + +[מסגרת qrexec](https://www.qubes-os.org/doc/qrexec/) היא חלק מרכזי ב-Qubes המאפשר תקשורת מכונה וירטואלית בין דומיינים. הוא בנוי על גבי ספריית Xen *vchan*, המאפשרת [בידוד באמצעות מדיניות](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## מקורות נוספים + +למידע נוסף, אנו ממליצים לך לעיין בדפי התיעוד הנרחבים של Qubes OS הממוקמים ב[אתר האינטרנט של Qubes OS](https://www.qubes-os.org/doc/). ניתן להוריד עותקים לא מקוונים מ[מאגר התיעוד](https://github.com/QubesOS/qubes-doc) של Qubes OS. + +- Open Technology Fund: [*ללא ספק מערכת ההפעלה המאובטחת בעולם*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*מידור תוכנה לעומת הפרדה פיזית*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*חלוקת החיים הדיגיטליים שלי לתחומי אבטחה*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*מאמרים קשורים*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/he/passwords.md b/i18n/he/passwords.md new file mode 100644 index 00000000..84b913da --- /dev/null +++ b/i18n/he/passwords.md @@ -0,0 +1,341 @@ +--- +title: "מנהלי סיסמאות" +icon: material/form-textbox-password +description: מנהלי סיסמאות מאפשרים לך לאחסן ולנהל בצורה מאובטחת סיסמאות ואישורים אחרים. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: מנהל הסיסמאות + operatingSystem: + - Windows + - macOS + - לינוקס + - אנדרואיד + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: מנהל הסיסמאות + operatingSystem: + - Windows + - macOS + - לינוקס + - אנדרואיד + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: מנהל הסיסמאות + operatingSystem: + - אנדרואיד + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: מנהל הסיסמאות + operatingSystem: + - Windows + - macOS + - לינוקס + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: מנהל הסיסמאות + operatingSystem: אנדרואיד + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: מנהל הסיסמאות + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: מנהל הסיסמאות + operatingSystem: + - Windows + - macOS + - לינוקס + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +מנהלי סיסמאות מאפשרים לך לאחסן ולנהל בצורה מאובטחת סיסמאות ואישורים אחרים עם שימוש בסיסמת אב. + +[מבוא לסיסמאות :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info "מידע" + + מנהלי סיסמאות מובנים בתוכנות כמו דפדפנים ומערכות הפעלה אינם טובים לפעמים כמו תוכנות ייעודיות למנהל סיסמאות. היתרון של מנהל סיסמאות מובנה הוא אינטגרציה טובה עם התוכנה, אך לרוב זה יכול להיות פשוט מאוד וחסר תכונות פרטיות ואבטחה שיש להצעות עצמאיות. + + לדוגמה, מנהל הסיסמאות ב-Microsoft Edge אינו מציע E2EE כלל. למנהל הסיסמאות של Google יש E2EE [אופציונלי](https://support.google.com/accounts/answer/11350823), ו-[של Apple](https://support.apple.com/en-us/HT202303) מציע E2EE על ידי ברירת מחדל. + +## מבוסס ענן + +מנהלי סיסמאות אלו מסנכרנים את הסיסמאות שלך עם שרת ענן לצורך נגישות קלה מכל המכשירים שלך ובטיחות מפני אובדן מכשירים. + +### Bitwarden + +!!! recommendation + + ![Bitwarden לוגו](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** הוא מנהל סיסמאות חינמי ובקוד פתוח. מטרתו היא לפתור בעיות ניהול סיסמאות עבור יחידים, צוותים וארגונים עסקיים. Bitwarden הוא בין הפתרונות הטובים והבטוחים ביותר לאחסון כל פרטי ההתחברות והסיסמאות שלך תוך שמירה נוחה על סנכרון בין כל המכשירים שלך. + + [:octicons-home-16: דף הבית](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden כולל גם [Bitwarden Send](https://bitwarden.com/products/send/), המאפשר לך לשתף טקסט וקבצים בצורה מאובטחת עם [הצפנה מקצה לקצה](https://bitwarden.com/help/send-encryption). ניתן לדרוש [סיסמה](https://bitwarden.com/help/send-privacy/#send-passwords) יחד עם קישור השליחה. Bitwarden Send כולל גם תכונות [מחיקה אוטומטית](https://bitwarden.com/help/send-lifespan). + +אתה צריך [תוכנית פרימיום](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) כדי להיות מסוגל לשתף קבצים. התוכנית החינמית מאפשרת שיתוף טקסט בלבד. + +הקוד בצד השרת של Bitwarden הוא [קוד-פתוח](https://github.com/bitwarden/server), כך שאם אינכם רוצים להשתמש בענן Bitwarden, תוכלו לארח בקלות שרת סינכרון Bitwarden משלכם. + +**Vaultwarden** הוא יישום חלופי של שרת הסנכרון של Bitwarden שנכתב ב-Rust ותואם ללקוחות רשמיים של Bitwarden, מושלם לפריסה באירוח עצמי שבו הפעלת השירות הרשמי עתיר המשאבים עשויה להיות לא אידיאלית. אם אתם מחפשים לארח את Bitwarden באופן עצמאי בשרת שלכם, קרוב לוודאי שתרצו להשתמש ב-Vaultwarden על פני קוד השרת הרשמי של Bitwarden. + +[:octicons-repo-16: Vaultwarden מאגר](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=תיעוד} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="קוד מקור" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=לתרומה } + +### 1Password + +!!! recommendation + + ![1Password לוגו](assets/img/password-management/1password.svg){ align=right } + + **1Password** הוא מנהל סיסמאות עם דגש חזק על אבטחה וקלות שימוש, המאפשר לך לאחסן סיסמאות, כרטיסי אשראי, רישיונות תוכנה וכל מידע רגיש אחר בכספת דיגיטלית מאובטחת. הכספת שלכם מתארחת בשרתים של 1Password תמורת [תשלום חודשי](https://1password.com/sign-up/). 1Password [מבוקרת](https://support.1password.com/security-assessments/) על בסיס קבוע ומספקת תמיכת לקוחות יוצאת דופן. 1Password הוא מקור סגור; עם זאת, האבטחה של המוצר מתועדת ביסודיות ב[מסמך האבטחה הלבן](https://1passwordstatic.com/files/security/1password-white-paper.pdf) שלהם. + + [:octicons-home-16: דף הבית](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=תיעוד} + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +באופן מסורתי, **1Password** הציעה את חוויית המשתמש הטובה ביותר של מנהל סיסמאות לאנשים המשתמשים ב-macOS ו-iOS; עם זאת, הוא השיג כעת שוויון תכונה בכל הפלטפורמות. הוא מתהדר בתכונות רבות המיועדות למשפחות ולאנשים פחות טכניים, כמו גם בפונקציונליות מתקדמת. + +כספת 1Password שלך מאובטחת גם עם סיסמת האב שלך וגם עם מפתח אבטחה אקראי בן 34 תווים כדי להצפין את הנתונים שלך בשרתים שלהם. מפתח אבטחה זה מוסיף שכבת הגנה לנתונים שלך מכיוון שהנתונים שלך מאובטחים באנטרופיה גבוהה ללא קשר לסיסמת המאסטר שלך. פתרונות רבים אחרים של מנהל סיסמאות תלויים לחלוטין בחוזקה של סיסמת המאסטר שלך כדי לאבטח את הנתונים שלך. + +יתרון אחד שיש ל-1Password על פני Bitwarden הוא התמיכה המדרגה הראשונה שלה עבור לקוחות מקומיים. בעוד Bitwarden מסירה מטלות רבות, במיוחד תכונות ניהול חשבונות, לממשק הכספת האינטרנטית שלה, 1Password הופכת כמעט כל תכונה לזמינה בתוך הלקוחות המקוריים שלה לנייד או למחשב שולחני. ללקוחות של 1Password יש גם ממשק משתמש אינטואיטיבי יותר, מה שמקל עליהם את השימוש והניווט. + +### Psono + +!!! recommendation + + ![Psono לוגו](assets/img/password-management/psono.svg){ align=right } + + **Psono** הוא מנהל סיסמאות חינמי ובקוד פתוח מגרמניה, עם התמקדות בניהול סיסמאות לצוותים. Psono תומכת בשיתוף מאובטח של סיסמאות, קבצים, סימניות ודואר אלקטרוני. כל הסודות מוגנים באמצעות סיסמת מאסטר. + + [:octicons-home-16: דף הבית](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="מדיניות-פרטיות" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono מספקת תיעוד נרחב עבור המוצר שלהם. לקוח האינטרנט של Psono יכול להתארח בעצמו; לחלופין, אתה יכול לבחור את מהדורת הקהילה המלאה או את המהדורה הארגונית עם תכונות נוספות. + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +#### דרישות מינימליות + +- חייב להשתמש ב-E2EE חזק, מבוסס תקנים/מודרני. +- חייב להיות מתועד ביסודיות נוהלי הצפנה ואבטחה. +- חייב להיות ביקורת שפורסמה מצד שלישי מכובד ובלתי תלוי. +- כל טלמטריה לא חיונית חייבת להיות אופציונלית. +- אסור לאסוף יותר PII ממה שנדרש למטרות חיוב. + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- יש להצטרף לטלמטריה (מושבת כברירת מחדל) או לא לאסוף כלל. +- צריך להיות קוד פתוח וניתן לאירוח עצמי סביר. + +## אחסון מקומי + +אפשרויות אלה מאפשרות לך לנהל מסד נתונים של סיסמאות מוצפנות באופן מקומי. + +### KeePassXC + +!!! recommendation + + ![KeePassXC לוגו](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** הוא מזלג קהילתי של KeePassX, יציאה מקורית בין פלטפורמות של KeePass Password Safe, במטרה להרחיב ולשפר אותו עם תכונות חדשות ותיקוני באגים כדי לספק תכונות עשירות בתכונות, מנהל סיסמאות חוצה פלטפורמות ומודרני בקוד פתוח. + + [:octicons-home-16: דף הבית](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC מאחסן את נתוני הייצוא שלו כקובצי [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). המשמעות עשויה להיות אובדן נתונים אם אתה מייבא קובץ זה למנהל סיסמאות אחר. אנו ממליצים לך לבדוק כל רשומה באופן ידני. + +### KeePassDX (אנדרואיד) + +!!! recommendation + + ![KeePassDX לוגו](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** הוא מנהל סיסמאות קל משקל לאנדרואיד, מאפשר עריכת נתונים מוצפנים בקובץ בודד בפורמט KeePass ויכול למלא את הטפסים בצורה מאובטחת. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) מאפשר ביטול נעילה של תוכן קוסמטי ותכונות פרוטוקול לא סטנדרטיות, אך חשוב מכך, זה עוזר ומעודד התפתחות. + + [:octicons-home-16: דף הבית](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="קוד מקור } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![לוגו Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** הוא מנהל סיסמאות מקורי בקוד פתוח עבור iOS ו-macOS. תמיכה בפורמטים של KeePass ו- Password Safe, ניתן להשתמש ב-Strongbox במקביל למנהלי סיסמאות אחרים, כמו KeePassXC, בפלטפורמות שאינן של אפל. על ידי שימוש ב[מודל freemium](https://strongboxsafe.com/pricing/), Strongbox מציעה את רוב התכונות תחת השכבה החינמית שלה עם [תכונות](https://strongboxsafe.com/comparison/) יותר מוכוונות נוחות - כגון כאימות ביומטרי - נעול מאחורי מנוי או רישיון תמידי. + + [:octicons-home-16: דף הבית](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +בנוסף, קיימת גרסה לא מקוונת בלבד המוצעת: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). גרסה זו מופשטת בניסיון לצמצם את שטח התקיפה. + +### שורת הפקודה + +מוצרים אלה הם מנהלי סיסמאות מינימליים שניתן להשתמש בהם בתוך יישומי סקריפטים. + +#### gopass + +!!! recommendation + + ![לוגו gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** הוא מנהל סיסמאות עבור שורת הפקודה הכתובה ב-Go. זה עובד על כל מערכות ההפעלה העיקריות של שולחן העבודה והשרת (Linux, macOS, BSD, Windows). + + [:octicons-home-16: דף הבית](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### קריטריונים + +**שימו לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל[קריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו מערכת ברורה של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב להיות חוצה פלטפורמות. diff --git a/i18n/he/productivity.md b/i18n/he/productivity.md new file mode 100644 index 00000000..99953524 --- /dev/null +++ b/i18n/he/productivity.md @@ -0,0 +1,155 @@ +--- +title: "כלי פרודוקטיביות" +icon: material/file-sign +description: רוב חבילות המשרד המקוונות אינן תומכות ב-E2EE, כלומר לספק הענן יש גישה לכל מה שאתה עושה. +--- + +רוב חבילות המשרד המקוונות אינן תומכות ב-E2EE, כלומר לספק הענן יש גישה לכל מה שאתה עושה. מדיניות הפרטיות עשויה להגן על זכויותיך באופן חוקי, אך היא אינה מספקת אילוצי גישה טכניים. + +## פלטפורמות שיתוף פעולה + +### Nextcloud + +!!! recommendation + + ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** היא חבילה של תוכנות שרת-לקוח חינמיות וקוד פתוח ליצירת שירותי אירוח קבצים משלך בשרת פרטי שאתה שולט בו. + + [:octicons-home-16: דף הבית](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "סַכָּנָה" + + אנו לא ממליצים להשתמש ב-[E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) עבור Nextcloud מכיוון שהיא עלולה להוביל לאובדן נתונים; זה מאוד ניסיוני ולא איכות ייצור. מסיבה זו, איננו ממליצים על ספקי NextCloud של צד שלישי. + +### CryptPad + +!!! recommendation + + ![CryptPad לוגו](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** הוא אלטרנטיבה פרטית-עיצובית לכלי משרד פופולריים. כל התוכן בשירות אינטרנט זה מוצפן מקצה לקצה וניתן לשתף אותו עם משתמשים אחרים בקלות. + + [:octicons-home-16: דף הבית](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=לתרומה } + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +באופן כללי, אנו מגדירים פלטפורמות שיתוף פעולה כחבילות מן המניין שיכולות לשמש באופן סביר כתחליף לפלטפורמות שיתוף פעולה כמו Google Drive. + +- קוד פתוח. +- הופך קבצים לנגישים דרך WebDAV אלא אם זה בלתי אפשרי בגלל E2EE. +- יש לו לקוחות סנכרון עבור לינוקס, macOS ו-Windows. +- תומך בעריכת מסמכים וגיליון אלקטרוני. +- תומך בשיתוף פעולה מסמכים בזמן אמת. +- תומך בייצוא מסמכים לפורמטים סטנדרטיים של מסמכים (למשל ODF). + +#### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך לאחסן קבצים במערכת קבצים קונבנציונלית. +- צריך לתמוך בתמיכה באימות רב-גורמי TOTP או FIDO2, או כניסות מפתח סיסמה. + +## חבילות אופיס + +### LibreOffice + +!!! recommendation + + ![לוגו LibreOffice](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** היא חבילת משרדים חינמית וקוד פתוח עם פונקציונליות נרחבת. + + [:octicons-home-16: דף הבית](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=תיעוד} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![לוגו OnlyOffice](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** היא חבילת משרדים חינמית מבוססת ענן וקוד פתוח עם פונקציונליות נרחבת, כולל אינטגרציה עם Nextcloud. + + [:octicons-home-16: דף הבית](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +באופן כללי, אנו מגדירים חבילות משרדיות כיישומים שיכולים לשמש באופן סביר כתחליף ל-Microsoft Word עבור רוב הצרכים. + +- חייב להיות חוצה פלטפורמות. +- חייבת להיות תוכנת קוד פתוח. +- חייב לתפקד במצב לא מקוון. +- חייב לתמוך בעריכת מסמכים, גיליונות אלקטרוניים ומצגות שקופיות. +- יש לייצא קבצים לפורמטים סטנדרטיים של מסמכים. + +## שירותי הדבקה + +### PrivateBin + +!!! recommendation + + ![לוגו PrivateBin](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** הוא מינימליסטי, קוד פתוח מקוון Pastebin שבו לשרת יש אפס ידע על נתונים מודבקים. הנתונים מוצפנים/מפוענים בדפדפן באמצעות 256 סיביות AES. זוהי הגרסה המשופרת של ZeroBin. יש [רשימת מופעים](https://privatebin.info/directory/). + + [:octicons-home-16: דף הבית](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="מופעים ציבוריים"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="קוד מקור" } diff --git a/i18n/he/real-time-communication.md b/i18n/he/real-time-communication.md new file mode 100644 index 00000000..baabd648 --- /dev/null +++ b/i18n/he/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "תקשורת בזמן אמת" +icon: material/chat-processing +description: מסנג'רים אחרים הופכים את כל השיחות הפרטיות שלך לזמינות לחברה שמנהלת אותן. +--- + +אלו ההמלצות שלנו לתקשורת מוצפנת בזמן אמת. + +[סוגי רשתות תקשורת :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## מסנג'רים מוצפנים + +מסנג'רים אלה נהדרים לאבטחת התקשורת הרגישה שלך. + +### Signal + +!!! recommendation + + ![Signal לוגו](assets/img/messengers/signal.svg){ align=right } + + **Signal** היא אפליקציה לנייד שפותחה על ידי סיגנל מסנג'ר LLC. האפליקציה מספקת הודעות מיידיות, כמו גם שיחות קוליות ושיחות וידאו. + + כל התקשורת היא E2EE. רשימות אנשי קשר מוצפנות באמצעות קוד ה - PIN שלך ולשרת אין גישה אליהן. גם פרופילים אישיים מוצפנים ומשותפים רק עם אנשי קשר שאיתם אתה משוחח בצ'אט. + + [:octicons-home-16: דף הבית](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal תומך ב[קבוצות פרטיות](https://signal.org/blog/signal-private-group-system/). לשרת אין תיעוד של חברות בקבוצה, כותרות קבוצות, אווטרים של קבוצות או תכונות קבוצה. לSignal יש מטא נתונים מינימליים כאשר [שולח חתום](https://signal.org/blog/sealed-sender/) מופעל. כתובת השולח מוצפנת יחד עם גוף ההודעה, ורק כתובת הנמען גלויה לשרת. 'שולח אטום' זמין רק עבור אנשים ברשימת אנשי הקשר שלך, אך ניתן להפוך אותו לזמין עבור כל הנמענים עם סיכון מוגבר לקבלת דואר זבל. סיגנל דורש את מספר הטלפון שלך כמזהה אישי. + +הפרוטוקול היה מבוקר [באופן עצמאי](https://eprint.iacr.org/2016/1013.pdf) בשנת 2016. ניתן למצוא את המפרט של פרוטוקול סיגנל בתיעוד [](https://signal.org/docs/)שלהם. + +יש לנו כמה טיפים נוספים להגדרה והקשחה של התקנת הSignal שלך: + +[תצורת סיגנל והקשחה :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![לוגו Simplex](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat הוא מסנג'ר מיידי מבוזר ואינו תלוי במזהים ייחודיים כגון מספרי טלפון או שמות משתמש. משתמשי SimpleX Chat יכולים לסרוק קוד QR או ללחוץ על קישור הזמנה כדי להשתתף בשיחות קבוצתיות. + + [:octicons-home-16: דף הבית](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [נבדק](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) על ידי Trail of Bits באוקטובר 2022. + +נכון לעכשיו SimpleX Chat מספק לקוח רק עבור אנדרואיד ו-iOS. פונקציונליות בסיסית של צ'אט קבוצתי, הודעות ישירות, עריכת הודעות וסימון נתמכים. שיחות שמע ווידאו E2EE נתמכות גם כן. + +ניתן לייצא את הנתונים שלך ולייבא אותם למכשיר אחר, מכיוון שאין שרתים מרכזיים שבהם הם מגובים. + +### Briar + +!!! recommendation + + ![לוגו של Briar](assets/img/messengers/briar.svg){ align=right } + + **Briar** הוא מסנג'ר מיידי מוצפן ש[מתחבר](https://briarproject.org/how-it-works/) ללקוחות אחרים המשתמשים ברשת Tor. Briar יכול גם להתחבר באמצעות Wi-Fi או Bluetooth כאשר הוא נמצא בקרבה מקומית. מצב הרשת המקומי של Briar יכול להיות שימושי כאשר זמינות האינטרנט היא בעיה. + + [:octicons-home-16: דף הבית](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=תיעוד} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="אפשרויות התרומה מפורטות בתחתית דף הבית" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +כדי להוסיף איש קשר ב Briar, שניכם חייבים להוסיף אחד את השני קודם. באפשרותך להחליף `קישורים ` או לסרוק את קוד ה - QR של איש הקשר אם הוא נמצא בקרבת מקום. + +תוכנת הקליינט נבדקה באופן עצמאי [](https://briarproject.org/news/2017-beta-released-security-audit/), ופרוטוקול הניתוב האנונימי משתמש ברשת Tor שנבדקה אף היא. + +ל Briar יש מפרט ש[פורסם במלואו](https://code.briarproject.org/briar/briar-spec). + +Briar תומך בסודיות קדימה מושלמת על ידי שימוש ב-[Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) ו [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) פרוטוקול. + +## אפשרויות נוספות + +!!! warning "אזהרה" + + למסנג'רים האלה אין [סודיות קדימה](https://en.wikipedia.org/wiki/Forward_secrecy) מושלם (PFS), ולמרות שהם ממלאים צרכים מסוימים שהמלצות קודמות שלנו אולי לא, אנחנו לא ממליצים עליהם לאורך זמן- מונחים או תקשורת רגישה. כל פשרה מרכזית בין מקבלי ההודעות תשפיע על הסודיות של **כל** התקשורת העבר. + +### Element + +!!! recommendation + + ![לוגו אלמנט](assets/img/messengers/element.svg){ align=right } + + **Element** הוא לקוח הייחוס עבור פרוטוקול [Matrix](https://matrix.org/docs/guides/introduction), [תקן פתוח](https://matrix.org/docs/spec) עבור תקשורת מבוזרת מאובטחת בזמן אמת. + + הודעות וקבצים המשותפים בחדרים פרטיים (אלו הדורשים הזמנה) הם כברירת מחדל E2EE וכך גם שיחות קול ווידאו אחד לאחד. + + [:octicons-home-16: דף הבית](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://element.io/help){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +תמונות פרופיל, תגובות וכינויים אינם מוצפנים. + +שיחות קוליות ושיחות וידאו קבוצתיות [אינן](https://github.com/vector-im/element-web/issues/12878) E2EE, ומשתמשות ב- Jitsi, אך זה צפוי להשתנות עם[ איתות VoIP קבוצתי מקורי](https://github.com/matrix-org/matrix-doc/pull/3401). שיחות קבוצתיות כוללות [שיחות ללא אימות](https://github.com/vector-im/element-web/issues/13074) כרגע, כלומר, כל משתתפים יכולים גם להצטרף לשיחות. אנו ממליצים שלא להשתמש בתכונה זו לפגישות פרטיות. + +פרוטוקול Matrix עצמו [תומך תיאורטית ב-PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), עם זאת, זה [לא נתמך כרגע ב-Element](https://github.com/vector-im/element-web/issues/7101) בגלל שהוא שובר היבטים מסוימים של חוויית המשתמש, כגון גיבויי מפתח והיסטוריית הודעות משותפת. + +הפרוטוקול היה מבוקר [באופן עצמאי](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) בשנת 2016. את המפרט לפרוטוקול מטריקס ניתן למצוא [בתיעוד שלהם](https://spec.matrix.org/latest/). מחגר ההצפנה [Olm](https://matrix.org/docs/projects/other/olm) המשמש את Matrix הוא יישום של [אלגוריתם ה-Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) של Signal. + +### Session + +!!! recommendation + + ![לוגו Session](assets/img/messengers/session.svg){ align=right } + + **Session** הוא מסנג'ר מבוזר עם התמקדות בתקשורת פרטית, מאובטחת ואנונימית. Session מציע תמיכה בהודעות ישירות, צ'אטים קבוצתיים ושיחות קוליות. + + Session משתמש ב-[Oxen Service Node Network](https://oxen.io/) המבוזר כדי לאחסן ולנתב הודעות. כל הודעה מוצפנת מנותבת דרך שלושה צמתים ברשת Oxen Service Node Network, מה שהופך את זה למעשה לבלתי אפשרי עבור הצמתים לאסוף מידע משמעותי על המשתמשים ברשת. + + [:octicons-home-16: דף הבית](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="מדיניות-פרטיות" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="קוד מקור } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session מאפשרת E2EE בצ'אטים אחד על אחד או קבוצות סגורות המאפשרות עד 100 חברים. לקבוצות פתוחות אין הגבלה על מספר החברים, אך הן פתוחות על פי עיצוב. + +Session [לא](https://getsession.org/blog/session-protocol-technical-information) תומך ב-PFS, כלומר כאשר מערכת הצפנה משנה באופן אוטומטי ותדיר את המפתחות שבה היא משתמשת להצפנה ולפענח מידע, כך שאם המפתח האחרון נפגע הוא חושף חלק קטן יותר של מידע רגיש. + +Oxen ביקשה ביקורת בלתי תלויה למפגש במרץ 2020. הביקורת [הסתיימה](https://getsession.org/session-code-audit) באפריל 2021, "רמת האבטחה הכללית של האפליקציה הזו טובה והופכת אותה לשמישה לפרטיות אנשים." + +להפעלה יש [נייר לבן](https://arxiv.org/pdf/2002.04609.pdf) המתאר את התכונות הטכניות של האפליקציה והפרוטוקול. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייבים להיות לקוחות קוד פתוח. +- חייב להשתמש ב- E2EE עבור הודעות פרטיות כברירת מחדל. +- חייב לתמוך ב- E2EE עבור כל ההודעות. +- חייב להיות נבדק באופן עצמאי. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך להיות סודיות קדימה מושלמת. +- צריכים להיות שרתי קוד פתוח. +- צריך להיות מבוזר, כלומר מאוחד או P2P. +- אמור להשתמש ב- E2EE עבור כל ההודעות כברירת מחדל. +- צריך לתמוך בלינוקס, macOS, ווינדוס, אנדרואיד ו-iOS. diff --git a/i18n/he/router.md b/i18n/he/router.md new file mode 100644 index 00000000..87c9054a --- /dev/null +++ b/i18n/he/router.md @@ -0,0 +1,50 @@ +--- +title: "קושחת הנתב" +icon: material/router-wireless +description: ניתן להשתמש במערכות הפעלה חלופיות אלה כדי לאבטח את הנתב או נקודת הגישה ל-Wi-Fi. +--- + +להלן מספר מערכות הפעלה חלופיות, שניתן להשתמש בהן בנתבים, נקודות גישה ל-Wi-Fi וכו'. + +## OpenWrt + +!!! recommendation + + ![לוגו OpenWrt](assets/img/router/openwrt.svg#only-light){ align=right } + ![לוגו OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** היא מערכת הפעלה מבוססת לינוקס; הוא משמש בעיקר במכשירים משובצים לניתוב תעבורת רשת. זה כולל util-linux, uClibc ו-BusyBox. כל הרכיבים עברו אופטימיזציה עבור נתבים ביתיים. + + [:octicons-home-16: דף הבית](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=לתרומה } + +אתה יכול לעיין ב[טבלת החומרה](https://openwrt.org/toh/start) של OpenWrt כדי לבדוק אם המכשיר שלך נתמך. + +## OPNsense + +!!! recommendation + + ![OPNsense לוגו](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** היא חומת אש ופלטפורמת ניתוב מבוססת קוד פתוח, מבוססת FreeBSD, המשלבת תכונות מתקדמות רבות כגון עיצוב תעבורה, איזון עומסים ויכולות VPN, עם תכונות רבות נוספות הזמינות בצורה של תוספים. OPNsense נפוץ כחומת אש היקפית, נתב, נקודת גישה אלחוטית, שרת DHCP, שרת DNS ונקודת קצה VPN. + + [:octicons-home-16: דף הבית](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=לתרומה } + +OPNsense פותחה במקור כמזלג של [pfSense](https://en.wikipedia.org/wiki/PfSense), ושני הפרויקטים ידועים לפי הפצות חומת אש חינמיות ואמינות המציעות ציוד דומה נמצא רק בחומות אש מסחריות יקרות. הושק בשנת 2015, מפתחי OPNsense [ציטטו](https://docs.opnsense.org/history/thefork.html) מספר בעיות אבטחה ואיכות ב-pfSense שלדעתם היו נחוצות חלק מהפרויקט, כמו גם חששות לגבי רכישת הרוב של Netgate של pfSense והכיוון העתידי של פרויקט pfSense. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב להיות קוד פתוח. +- חייב לקבל עדכונים שוטפים. +- חייב לתמוך במגוון רחב של חומרה. diff --git a/i18n/he/search-engines.md b/i18n/he/search-engines.md new file mode 100644 index 00000000..1c8bdcfd --- /dev/null +++ b/i18n/he/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "מנועי חיפוש" +icon: material/search-web +description: מנועי החיפוש המכבדים את הפרטיות אינם בונים פרופיל פרסום על סמך החיפושים שלך. +--- + +השתמש במנוע חיפוש שאינו בונה פרופיל פרסום על סמך החיפושים שלך. + +ההמלצות כאן מבוססות על היתרונות של מדיניות הפרטיות של כל שירות. אין **ערובה לכך** שמדיניות פרטיות זו תכובד. + +מומלץ להשתמש ב - [VPN](vpn.md) או [Tor](https://www.torproject.org/) אם מודל האיום דורש הסתרת כתובת ה - IP שלכם מספק החיפוש. + +## חיפוש Brave + +!!! recommendation + + ![Brave Search לוגו](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** פותח על ידי Brave ומגיש תוצאות בעיקר מאינדקס עצמאי משלו. האינדקס מותאם לחיפוש Google ולכן עשוי לספק תוצאות מדויקות יותר מבחינה הקשרית בהשוואה לחלופות אחרות. + + Brave Search כולל תכונות ייחודיות כגון דיונים, המדגישים תוצאות הממוקדות בשיחה - כגון הודעות בפורום. + + אנו ממליצים להשבית את [מדדי שימוש אנונימיים](https://search.brave.com/help/usage-metrics) מכיוון שהוא מופעל כברירת מחדל וניתן להשבית אותו בהגדרות. + + [:octicons-home-16: דף הבית](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=תיעוד} + +Brave Search מבוסס בארצות הברית. [מדיניות הפרטיות](https://search.brave.com/help/privacy-policy) שלהם קובעת שהם אוספים מדדי שימוש מצטברים, הכוללים את מערכת ההפעלה והדפדפן שבשימוש, אולם לא נאסף מידע המאפשר זיהוי אישי. כתובות IP מעובדות באופן זמני, אך אינן נשמרות. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo לוגו](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** היא אחת האפשרויות היותר מיינסטרים במנועי חיפוש פרטיים. תכונות החיפוש הבולטות של DuckDuckGo כוללות [bangs](https://duckduckgo.com/bang) והרבה [תשובות מיידיות](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). מנוע החיפוש מסתמך על Bing API מסחרי כדי להגיש את רוב התוצאות, אך הוא משתמש במספר [מקורות אחרים](https://help.duckduckgo.com/results/sources/) לתשובות מיידיות ולתוצאות אחרות שאינן ראשוניות. + + DuckDuckGo הוא מנוע החיפוש המוגדר כברירת מחדל עבור דפדפן Tor והוא אחת האפשרויות הבודדות הזמינות בדפדפן הספארי של אפל. + + [:octicons-home-16: דף הבית](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=תיעוד} + +DuckDuckGo מבוססת בארצות הברית. [מדיניות הפרטיות](https://duckduckgo.com/privacy) שלהם קובעת **שהם** שומרים את החיפושים שלך למטרות שיפור מוצרים, אך לא את כתובת ה-IP שלך או כל מידע מזהה אישי אחר. + +DuckDuckGo מציעה שתי [גרסאות אחרות](https://help.duckduckgo.com/features/non-javascript/) של מנוע החיפוש שלהם, שתיהן אינן דורשות JavaScript. עם זאת, גרסאות אלו חסרות תכונות. ניתן להשתמש בגרסאות אלה גם יחד עם [Tor כתובת בצל](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) על-ידי צירוף [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) או [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) עבור הגרסה המתאימה. + +## SearXNG + +!!! recommendation + + ![SearXNG לוגו](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** הוא מנוע חיפוש מטה-חיפוש, מתארח בעצמו, קוד-פתוח, אוסף את התוצאות של מנועי חיפוש אחרים מבלי לאחסן מידע בעצמו. זהו מזלג מתוחזק פעיל של [SearX](https://github.com/searx/searx). + + [:octicons-home-16: דף הבית](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="מופעים ציבוריים"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="קוד מקור" } + +SearXNG הוא פרוקסי בינך לבין מנועי החיפוש שמהם הוא צובר. שאילתות החיפוש שלך עדיין יישלחו למנועי החיפוש שמהם SearXNG מקבל את תוצאותיו. + +בעת אירוח עצמי, חשוב שאנשים אחרים ישתמשו במקרה שלך כדי שהשאילתות ישתלבו. עליכם להיזהר היכן וכיצד אתם מארחים את SearXNG, מכיוון שאנשים שמחפשים תוכן לא חוקי בהפצה שלכם עלולים למשוך תשומת לב לא רצויה מהרשויות. + +כאשר אתה משתמש בהפצה של SearXNG, הקפד לקרוא את מדיניות הפרטיות שלהם. מאחר שמופעי SearXNG עשויים להשתנות על ידי בעליהם, הם לא בהכרח משקפים את מדיניות הפרטיות שלהם. חלק מהמקרים מופעלים כשירות Tor מוסתר, אשר עשוי להעניק פרטיות מסוימת כל עוד שאילתות החיפוש שלך אינן מכילות PII. + +## Startpage + +!!! recommendation + + ![Startpage לוגו](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage לוגו](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** הוא מנוע חיפוש פרטי הידוע בכך שהוא משרת את תוצאות החיפוש של גוגל. אחת התכונות הייחודיות של Startpage היא [תצוגה אנונימית](https://www.startpage.com/en/anonymous-view/), שמשקיעה מאמצים בסטנדרטיזציה של פעילות המשתמשים כדי להקשות על זיהוי ייחודי. התכונה יכולה להיות שימושית להסתרת [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) מאפייני הרשת והדפדפן. שלא כמו שהשם מרמז, אין להסתמך על התכונה לאנונימיות. אם אתה מחפש אנונימיות, השתמש במקום זאת ב [Tor Browser]( tor.md#tor - browser). + + [:octicons-home-16: דף הבית](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=תיעוד} + +!!! warning "אזהרה" + + Startpage מגביל באופן קבוע את גישת השירות לכתובות IP מסוימות, כגון כתובות IP שמורות ל-VPN או Tor. [DuckDuckGo](#duckduckgo) ו-[Brave Search](#brave-search) הן אפשרויות ידידותיות יותר אם מודל האיום שלך דורש הסתרת כתובת ה-IP שלך מספק החיפוש. + +Startpage מבוסס בהולנד. לפי [מדיניות הפרטיות](https://www.startpage.com/en/privacy-policy/) שלהם, הם רושמים פרטים כגון: מערכת הפעלה, סוג הדפדפן והשפה. הם לא רושמים את כתובת ה-IP שלך, שאילתות חיפוש או מידע אישי מזהה אחר. + +בעלת המניות הרוב של Startpage היא System1 שהיא חברת adtech. אנחנו לא מאמינים שזו בעיה מכיוון שיש להם [מדיניות פרטיות](https://system1.com/terms/privacy-policy) נפרדת באופן מובהק. צוות Privacy Guides פנה אל Startpage [בשנת 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) כדי לפתור את כל החששות מההשקעה הגדולה של System1 בשירות. היינו מרוצים מהתשובות שקיבלנו. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +### דרישות מינימליות + +- אסור לאסוף מידע המאפשר זיהוי אישי בהתאם למדיניות הפרטיות שלהם. +- אסור לאפשר למשתמשים ליצור חשבון אצלם. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- צריך להיות מבוסס על תוכנת קוד פתוח. +- אין לחסום את כתובות ה - IP של צומת היציאה של Tor. diff --git a/i18n/he/tools.md b/i18n/he/tools.md new file mode 100644 index 00000000..c52ae80c --- /dev/null +++ b/i18n/he/tools.md @@ -0,0 +1,476 @@ +--- +title: "כלי פרטיות" +icon: material/tools +hide: + - toc +description: Privacy Guides הוא האתר השקוף והאמין ביותר למציאת תוכנות, אפליקציות ושירותים המגינים על הנתונים האישיים שלך מפני תוכניות מעקב המוני ואיומי אינטרנט אחרים. +--- + +אם אתם מחפשים פתרון ספציפי למשהו, אלו הם כלי החומרה והתוכנה שאנו ממליצים עליהם במגוון קטגוריות. כלי הפרטיות המומלצים שלנו נבחרים בעיקר על סמך תכונות אבטחה, עם דגש נוסף על כלים מבוזרים וקוד פתוח. הם ישימים למגוון מודלים של איומים, החל מהגנה מפני תוכניות מעקב המוני גלובליות והימנעות מחברות טכנולוגיה גדולות ועד למיתון התקפות, אבל רק אתה יכול לקבוע מה יעבוד הכי טוב עבור הצרכים שלך. + +אם אתה רוצה עזרה בזיהוי כלי הפרטיות והתוכניות החלופיות הטובות ביותר לצרכים שלך, התחל דיון ב[פורום](https://discuss.privacyguides.net/) או בקהילת ה- [Matrix](https://matrix.to/#/#privacyguides:matrix.org) שלנו! + +לפרטים נוספים על כל פרויקט, מדוע הם נבחרו וטיפים או טריקים נוספים שאנו ממליצים עליו, לחץ על הקישור "למד עוד" בכל חלק, או לחץ על ההמלצה עצמה כדי לעבור לאותו חלק ספציפי של העמוד. + +## רשת טור (Tor Network) + +
+ +- ![Tor Browser לוגו](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot לוגו](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake לוגו](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake לוגו](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake אינו מגביר את הפרטיות, אולם הוא מאפשר לך לתרום בקלות לרשת Tor ולעזור לאנשים ברשתות מצונזרות להשיג פרטיות טובה יותר. + +[למד עוד :material-arrow-right-drop-circle:](tor.md) + +## דפדפני אינטרנט שולחניים + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[למד עוד :material-arrow-right-drop-circle:](desktop-browsers.md) + +### מקורות נוספים + +
+ +- ![uBlock Origin לוגו](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[למד עוד :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## דפדפני אינטרנט לנייד + +
+ +- ![Brave לוגו](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari לוגו](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[למד עוד :material-arrow-right-drop-circle:](mobile-browsers.md) + +### מקורות נוספים + +
+ +- ![AdGuard לוגו](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[למד עוד :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## מערכות הפעלה + +### נייד + +
+ +- ![GrapheneOS לוגו](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS לוגו](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS לוגו](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[למד עוד :material-arrow-right-drop-circle:](android.md) + +#### אפליקציות אנדרואיד + +
+ +- ![Aurora Store לוגו](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter לוגו](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor לוגו](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS לוגו](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera לוגו](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera לוגו](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer לוגו](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS לוגו](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[למד עוד :material-arrow-right-drop-circle:](android.md#general-apps) + +### שולחן עבודה/מחשב אישי + +
+ +- ![Qubes OS לוגו](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora לוגו](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed לוגו](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch לוגו](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue לוגו](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS לוגו](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix לוגו](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails לוגו](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[למד עוד :material-arrow-right-drop-circle:](desktop.md) + +### קושחת הנתב + +
+ +- ![OpenWrt לוגו](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense לוגו](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[למד עוד :material-arrow-right-drop-circle:](router.md) + +## ספקי שירות + +### אחסון בענן + +
+ +- ![Proton Drive לוגו](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit לוגו](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[למד עוד :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### ספקי DNS + +אנו ממליצים [](dns.md#recommended-providers) מספר שרתי DNS מוצפנים על בסיס מגוון רחב של קריטריונים, כגון [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) ו [Quad9](https://quad9.net/) בין היתר. אנו ממליצים לך לקרוא את הדפים שלנו על DNS לפני בחירת ספק. במקרים רבים, שימוש בספק DNS חלופי אינו מומלץ. + +[למד עוד :material-arrow-right-drop-circle:](dns.md) + +#### פרוקסי DNS מוצפנים + +
+ +- ![RethinkDNS לוגו](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy לוגו](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[למד עוד :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### פתרונות אירוח עצמי + +
+ +- ![AdGuard Home לוגו](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole לוגו](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[למד עוד :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### אימייל + +
+ +- ![Proton Mail לוגו](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org לוגו](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail לוגו](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota לוגו](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[למד עוד :material-arrow-right-drop-circle:](email.md) + +#### שירותי כינוי דוא"ל + +
+ +- ![AnonAddy לוגו](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy לוגו](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin לוגו](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[למד עוד :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### אימייל לאירוח עצמי + +
+ +- ![mailcow לוגו](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box לוגו](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[למד עוד :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### שירותים פיננסיים + +#### שירותי מיסוך תשלומים + +
+ +- ![Privacy.com לוגו](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com לוגו](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo לוגו](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo לוגו](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[למד עוד :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### שוק כרטיסי מתנה אונליין + +
+ +- ![Cake Pay לוגו](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards לוגו](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[למד עוד :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### מנועי חיפוש + +
+ +- ![Brave Search לוגו](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo לוגו](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG לוגו](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage לוגו](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[למד עוד :material-arrow-right-drop-circle:](search-engines.md) + +### ספקי VPN + +??? danger סכנה "רשתות VPN לא מספקות אנונימיות" + + שימוש ב-VPN **לא** ישמור על הרגלי הגלישה שלך אנונימיים, וגם לא יוסיף אבטחה לתעבורה לא מאובטחת (HTTP). + + אם אתם מחפשים **אנונימיות**, כדאי להשתמש בדפדפן Tor **במקום** ב-VPN. + + אם אתה מחפש **אבטחה** נוספת, עליך תמיד לוודא שאתה מתחבר לאתרים באמצעות HTTPS. VPN אינו תחליף לשיטות אבטחה טובות. + + [למד עוד :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN לוגו](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad לוגו](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN לוגו](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[למד עוד :material-arrow-right-drop-circle:](vpn.md) + +## תוכנה + +### סנכרון לוח שנה + +
+ +- ![Tutanota לוגו של](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar לוגו של](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[למד עוד :material-arrow-right-drop-circle:](calendar.md) + +### מטבעות קריפטוגרפיים + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[למד עוד :material-arrow-right-drop-circle:](cryptocurrency.md) + +### הפחתת נתונים ומטא נתונים + +
+ +- ![MAT2 לוגו](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho לוגו](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur לוגו](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool לוגו](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[למד עוד :material-arrow-right-drop-circle:](data-redaction.md) + +### לקוחות אימייל + +
+ +- ![Thunderbird לוגו](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail לוגו](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail לוגו](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail לוגו](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution לוגו](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail לוגו](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact לוגו](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope לוגו](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt לוגו](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[למד עוד :material-arrow-right-drop-circle:](email-clients.md) + +### תוכנת הצפנה + +??? info מידע "הצפנת דיסק של מערכת הפעלה" + + להצפנת כונן מערכת ההפעלה שלך, אנו ממליצים בדרך כלל להשתמש בכל כלי הצפנה שמערכת ההפעלה שלך מספקת, אם זה **BitLocker** בווינדוס, **FileVault** ב macOS, או **LUKS** בלינוקס. כלים אלה כלולים במערכת ההפעלה ומשתמשים בדרך כלל ברכיבי הצפנת חומרה כגון TPM שתוכנות הצפנה אחרות בדיסק מלא כמו VeraCrypt אינן עושות. VeraCrypt עדיין מתאים לדיסקים שאינם פועלים במערכת כגון כוננים חיצוניים, במיוחד כוננים שניתן לגשת אליהם ממספר מערכות הפעלה. + + [למד עוד :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator לוגו](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt לוגו](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt לוגו](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt לוגו](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh לוגו](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh לוגו](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor לוגו](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb לוגו](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[למד עוד :material-arrow-right-drop-circle:](encryption.md) + +#### לקוחות OpenPGP + +
+ +- ![GnuPG לוגו](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win לוגו](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite לוגו](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain לוגו](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[למד עוד :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### שיתוף וסנכרון קבצים + +
+ +- ![Send לוגו](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare לוגו](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox לוגו](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing לוגו](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[למד עוד :material-arrow-right-drop-circle:](file-sharing.md) + +### חזיתות + +
+ +- ![Librarian לוגו](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter לוגו](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube לוגו](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee לוגו](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![NewPipe לוגו](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious לוגו](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped לוגו](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[למד עוד :material-arrow-right-drop-circle:](frontends.md) + +### כלי אימות רב-גורמי + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis לוגו](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP לוגו](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[למד עוד :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### צוברי חדשות + +
+ +- ![Akregator לוגו](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder לוגו](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader לוגו](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds לוגו](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux לוגו](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire לוגו](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat לוגו](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[למד עוד :material-arrow-right-drop-circle:](news-aggregators.md) + +### פנקס רשימות + +
+ +- ![Joplin לוגו](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes לוגו](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee לוגו](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode לוגו](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[למד עוד :material-arrow-right-drop-circle:](notebooks.md) + +### מנהלי סיסמאות + +
+ +- ![Bitwarden לוגו](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password לוגו](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono לוגו](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC לוגו](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX לוגו](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox לוגו](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass לוגו](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[למד עוד :material-arrow-right-drop-circle:](passwords.md) + +### כלי פרודוקטיביות + +
+ +- ![Nextcloud לוגו](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice לוגו](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice לוגו](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad לוגו](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin לוגו](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[למד עוד :material-arrow-right-drop-circle:](productivity.md) + +### תקשורת בזמן אמת + +
+ +- ![Signal לוגו](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar לוגו](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat לוגו](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element לוגו](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session לוגו](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[למד עוד :material-arrow-right-drop-circle:](real-time-communication.md) + +### לקוחות הזרמת וידאו + +
+ +- ![LBRY לוגו](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[למד עוד :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/he/tor.md b/i18n/he/tor.md new file mode 100644 index 00000000..81971c91 --- /dev/null +++ b/i18n/he/tor.md @@ -0,0 +1,119 @@ +--- +title: "רשת טור (Tor Network)" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +הרשת **Tor** היא קבוצה של שרתים המופעלים בהתנדבות המאפשרת לך להתחבר בחינם ולשפר את הפרטיות והאבטחה שלך באינטרנט. אנשים וארגונים יכולים גם לשתף מידע על גבי רשת Tor עם ".onion hidden services" מבלי לפגוע בפרטיותם. מכיוון שקשה לחסום ולעקוב אחר תעבורת Tor, Tor הוא כלי יעיל לעקוף צנזורה. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=דף הבית } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="שירות בצל" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=תיעוד} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="קוד מקור" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + +Tor פועלת על ידי ניתוב תעבורת האינטרנט שלך דרך אותם שרתים המופעלים על ידי מתנדבים, במקום ליצור חיבור ישיר לאתר שבו אתה מנסה לבקר. זה מטשטש מהיכן מגיעה התעבורה, ואף שרת בנתיב החיבור לא מסוגל לראות את הנתיב המלא של המקום ממנו מגיעה התנועה והולכת, כלומר אפילו השרתים שבהם אתה משתמש כדי להתחבר לא יכולים לשבור את האנונימיות שלך. + +[סקירת Tor מפורטת :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## התחברות ל - Tor + +ישנן מגוון דרכים שלך להתחבר לרשת Tor מהמכשיר, הנפוץ ביותר הוא דפדפן **Tor**, נגזרת של Firefox המיועד לגלישה אנונימית למחשבים שולחניים ואנדרואיד. בנוסף לאפליקציות המפורטות למטה, יש גם מערכות הפעלה שתוכננו במיוחד להתחבר לרשת Tor כגון [Whonix](desktop.md#whonix) ב-[Qubes OS](desktop.md#qubes-os), המספקות אבטחה והגנות גבוהות עוד יותר מאשר דפדפן Tor הרגיל. + +### דפדפן Tor + +!!! recommendation + + ![Tor Browser לוגו](assets/img/browsers/tor.svg){ align=right } + + **דפדפן Tor** הוא הבחירה אם אתה זקוק לאנונימיות, מכיוון שהוא מספק לך גישה לרשת Tor ולגשרים, והוא כולל הגדרות ברירת מחדל והרחבות המוגדרות אוטומטית לפי רמות האבטחה המוגדרות כברירת מחדל: *סטנדרטי*, *בטוח יותר * ו*הבטוח ביותר*. + + [:octicons-home-16: דף הבית](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="שירות בצל" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=תיעוד } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "סַכָּנָה" + + אתה צריך **לעולם לא** להתקין הרחבות נוספות בדפדפן Tor או לערוך את הגדרות `about:config`, כולל אלו שאנו מציעים עבור Firefox. הרחבות דפדפן והגדרות לא סטנדרטיות גורמים לך להתבלט על פני אחרים ברשת Tor, ובכך להקל על [טביעת אצבע](https://support.torproject.org/glossary/browser-fingerprinting) של הדפדפן שלך. + +דפדפן Tor נועד למנוע טביעת אצבע, או לזהות אותך על סמך תצורת הדפדפן שלך. לכן, זה הכרחי כי אתה עושה **לא** לשנות את הדפדפן מעבר ברירת המחדל [רמות אבטחה](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot לוגו](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** הוא Tor VPN בחינם לסמארטפונים שמנתב תעבורה מכל אפליקציה במכשיר שלך דרך רשת Tor. + + [:octicons-home-16: דף הבית](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! טיפ "טיפים עבור אנדרואיד" + + Orbot יכול לבצע שרת proxy של אפליקציות בודדות אם הם תומכים ב-SOCKS או HTTP proxy. זה יכול גם לספק את כל חיבורי הרשת שלך באמצעות [VpnService](https://developer.android.com/reference/android/net/VpnService) וניתן להשתמש בו עם מתג ה-VPN ב-:gear: **הגדרות** → * *רשת & אינטרנט** → **VPN** → :gear: → **חסום חיבורים ללא VPN**. + + Orbot מיושן לעתים קרובות ב[מאגר F-Droid](https://guardianproject.info/fdroid) ו- [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), אז שקול להוריד ישירות מ[מאגר GitHub](https://github.com/guardianproject/orbot/releases) במקום זאת. + + כל הגרסאות חתומות באמצעות אותה חתימה ולכן הן צריכות להיות תואמות זו לזו. + +## ממסרים וגשרים + +### Snowflake + +!!! recommendation + + ![Snowflake לוגו](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake לוגו](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** מאפשר לך לתרום רוחב פס לפרויקט Tor על ידי הפעלת "Snowflake proxy" בתוך הדפדפן שלך. + + אנשים שמצונזרים יכולים להשתמש בפרוקסי של Snowflake כדי להתחבר לרשת Tor. Snowflake היא דרך מצוינת לתרום לרשת גם אם אין לך את הידע הטכני להפעיל ממסר Tor או גשר. + + [:octicons-home-16: דף הבית](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=תיעוד} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="קוד מקור" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=לתרומה } + + ??? downloads "הורדות" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "מוטבע Snowflake" + + אתה יכול להפעיל את Snowflake בדפדפן שלך על ידי לחיצה על המתג למטה ו== השארת דף זה פתוח==. אתה יכול גם להתקין את Snowflake כתוסף לדפדפן כדי להפעיל אותו תמיד כשהדפדפן שלך פתוח, אולם הוספת הרחבות של צד שלישי יכולה להגדיל את משטח ההתקפה שלך. + +
+ אם ההטמעה לא מופיעה עבורך, ודא שאינך חוסם את המסגרת של צד שלישי מ- `torproject.org`. לחלופין, בקר ב[דף זה](https://snowflake.torproject.org/embed.html). + +Snowflake אינו מגדיל את פרטיותך בשום צורה, ואינו משמש לחיבור לרשת Tor בתוך הדפדפן האישי שלך. עם זאת, אם חיבור האינטרנט שלך אינו מצונזר, עליך לשקול להפעיל אותו כדי לעזור לאנשים ברשתות מצונזרות להשיג פרטיות טובה יותר בעצמם. אין צורך לדאוג לאילו אתרים אנשים ניגשים דרך ה-proxy שלך - כתובת ה-IP הגלויה של הגלישה שלהם תתאים לצומת היציאה של Tor, לא שלך. + +הפעלת פרוקסי של Snowflake היא בסיכון נמוך, אפילו יותר מהפעלת ממסר Tor או גשר שהם כבר מאמצים לא מסוכנים במיוחד. עם זאת, היא עדיין עושה תעבורת פרוקסי דרך הרשת שלך, מה שיכול להשפיע במובנים מסוימים, במיוחד אם הרשת שלך מוגבלת ברוחב הפס. ודא שאתה מבין [איך Snowflake עובד](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) לפני שתחליט אם להפעיל פרוקסי. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/he/video-streaming.md b/i18n/he/video-streaming.md new file mode 100644 index 00000000..ae18817e --- /dev/null +++ b/i18n/he/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "הזרמת וידאו" +icon: material/video-wireless +description: רשתות אלו מאפשרות לך להזרים תוכן אינטרנט מבלי לבנות פרופיל פרסומי המבוסס על תחומי העניין שלך. +--- + +האיום העיקרי בעת שימוש בפלטפורמת הזרמת וידאו הוא שהרגלי הסטרימינג ורשימות המנויים שלך יוכלו לשמש אותך כדי ליצור פרופיל. עליך לשלב את הכלים האלה עם [VPN](vpn.md) או [Tor](https://www.torproject.org/) כדי להקשות על פרופיל השימוש שלך. + +## קליינטים + +!!! recommendation + + ![LBRY לוגו](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** היא רשת שיתוף וידאו מבוזרת. הוא משתמש ברשת דמוית [BitTorrent](https://wikipedia.org/wiki/BitTorrent) כדי לאחסן את תוכן הווידאו, וב-[blockchain](https://wikipedia.org/wiki/Blockchain) כדי לאחסן את האינדקסים עבור הסרטונים האלה. היתרון העיקרי של עיצוב זה הוא התנגדות לצנזורה. + + **לקוח שולחן העבודה של LBRY** עוזר לך להזרים סרטונים מרשת LBRY ומאחסן את רשימת המנויים שלך בארנק LBRY משלך. + + [:octicons-home-16: דף הבית](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note "הערה" + + מומלץ רק **לקוח שולחני LBRY**, שכן לאתר [Odysee](https://odysee.com) וללקוחות LBRY ב-F-Droid, ב-Play Store וב-App Store יש סנכרון וטלמטריה חובה. + +!!! warning "אזהרה" + + בזמן צפייה ואירוח בסרטונים, כתובת ה-IP שלך גלויה לרשת LBRY. שקול להשתמש ב-[VPN](vpn.md) או [Tor](https://www.torproject.org) אם [מודל האיום](basics/threat-modeling.md) שלך דורש הסתרת כתובת ה-IP שלך. + +אנו ממליצים **נגד** סנכרון הארנק שלך עם LBRY Inc., מכיוון שסנכרון ארנקים מוצפנים עדיין אינו נתמך. אם אתה מסנכרן את הארנק שלך עם LBRY Inc., אתה צריך לסמוך עליהם שלא יסתכלו ברשימת המנויים שלך, קרנות [LBC](https://lbry.com/faq/earn-credits), או להשתלט על הערוץ שלך. + +ניתן להשבית *שמירת נתוני אירוח כדי לעזור לרשת LBRY* באפשרות :gear: **הגדרות** ← **הגדרות מתקדמות**, כדי להימנע מחשיפת כתובת ה-IP והסרטונים שצפיתם בעת השימוש ב-LBRY למשך תקופה ממושכת. + +## קריטריונים + +**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +!!! example "חלק זה הוא חדש" + + אנו עובדים על קביעת קריטריונים מוגדרים לכל קטע באתר שלנו, והדבר עשוי להשתנות. אם יש לך שאלות כלשהן לגבי הקריטריונים שלנו, אנא [שאל בפורום שלנו](https://discuss.privacyguides.net/latest) ואל תניח שלא שקלנו משהו כשהצענו את ההמלצות שלנו אם הוא לא רשום כאן. ישנם גורמים רבים שנחשבים ונדונים כאשר אנו ממליצים על פרויקט, ותיעוד כל אחד מהם הוא עבודה בתהליך. + +- חייב לא לדרוש חשבון מרוכז כדי לצפות בסרטונים. + - אימות מבוזר, כגון באמצעות מפתח פרטי של ארנק נייד מקובל. diff --git a/i18n/he/vpn.md b/i18n/he/vpn.md new file mode 100644 index 00000000..7877b8f1 --- /dev/null +++ b/i18n/he/vpn.md @@ -0,0 +1,327 @@ +--- +title: "שירותי VPN" +icon: material/vpn +description: אלו הם שירותי ה-VPN הטובים ביותר להגנה על הפרטיות והאבטחה שלך באינטרנט. מצא כאן ספק שאינו מעוניין לרגל אחריך. +--- + +אם אתה מחפש **פרטיות** נוספת מ-ISP שלך, ברשת Wi-Fi ציבורית, או תוך כדי טורנט קבצים, VPN עשוי להיות הפתרון עבורך כל עוד אתה מבין את הסיכונים הכרוכים בכך. אנו חושבים שהספקים האלה הם חתך מעל השאר: + +
+ +- ![IVPN לוגו](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad לוגו](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN לוגו](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger סכנה "רשתות VPN לא מספקות אנונימיות" + + שימוש ב-VPN **לא** ישמור על הרגלי הגלישה שלך אנונימיים, וגם לא יוסיף אבטחה לתעבורה לא מאובטחת (HTTP). + + אם אתם מחפשים **אנונימיות**, כדאי להשתמש בדפדפן Tor **במקום** ב-VPN. + + אם אתה מחפש **אבטחה** נוספת, עליך תמיד לוודא שאתה מתחבר לאתרים באמצעות HTTPS. VPN אינו תחליף לשיטות אבטחה טובות. + + [הורד את Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & שאלות נפוצות](advanced/tor-overview.md){ .md-button } + +[סקירת VPN מפורטת :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## ספקים מומלצים + +הספקים המומלצים שלנו משתמשים בהצפנה, מקבלים Monero, תומכים ב-WireGuard & OpenVPN, ויש להם מדיניות ללא רישום. קרא את [רשימת הקריטריונים המלאה](#criteria) שלנו למידע נוסף. + +### IVPN + +!!! recommendation + + ![לוגו IVPN](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** הוא עוד ספק VPN פרימיום, והם פועלים מאז 2009. IVPN מבוסס בגיברלטר. + + [:octicons-home-16: דף הבית](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 מדינות + +ל-IVPN יש [שרתים ב-35 מדינות](https://www.ivpn.net/server-locations).(1) בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. +{ .annotate } + +1. נבדק אחרון: 2022-09-16 + +אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כמו [שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } נבדק באופן עצמאי + +IVPN [עבר ביקורת ללא רישום מ-](https://cure53.de/audit-report_ivpn.pdf)Cure53 שהסתיים בהסכמה עם טענת VPN ללא רישום. IVPN השלימה גם [דוח בדיקה מקיף ](https://cure53.de/summary-report_ivpn_2019.pdf)Cure53 בינואר 2020. IVPN גם אמר שהם מתכננים לקבל [דוחות שנתיים](https://www.ivpn.net/blog/independent-security-audit-concluded) בעתיד. סקירה נוספת נערכה [באפריל ](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/)2022 והופקה על ידי Cure53 [באתר האינטרנט שלהם](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } לקוחות קוד פתוח + +החל מפברואר 2020 [יישומי IVPN הם כעת בקוד פתוח](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). קוד המקור ניתן לקבל מ[ארגון GitHub שלהם](https://github.com/ivpn). + +#### :material-check:{ .pg-green } מקבל מזומן ומונרו + +בנוסף לקבלת כרטיסי אשראי/חיוב ופייפאל, IVPN מקבל ביטקוין, **מונרו** ו**מזומן/מטבע מקומי** (בתוכניות שנתיות) כאמצעי תשלום אנונימיים. + +#### :material-check:{ .pg-green } תמיכה ב-WireGuard + +IVPN תומך בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר המשתמש ב[קריפטוגרפיה](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + +IVPN [ממליצה](https://www.ivpn.net/wireguard/) להשתמש ב-WireGuard עם השירות שלהם, וככזה, הפרוטוקול הוא ברירת המחדל בכל האפליקציות של IVPN. IVPN מציע גם מחולל תצורה של WireGuard לשימוש עם [אפליקציות](https://www.wireguard.com/install/) WireGuard הרשמיות. + +#### :material-check:{ .pg-green } העברת פורטים מרחוק + +[העברת פורטים](https://en.wikipedia.org/wiki/Port_forwarding) מרחוק אפשרית עם תוכנית Pro. [ניתן להפעיל](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) פורטים מרחוק דרך אזור הלקוח. העברת פורטים זמינה רק ב-IVPN בעת שימוש בפרוטוקולי WireGuard או OpenVPN [ומושבתת בשרתים בארה"ב](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } לקוחות ניידים + +בנוסף לאספקת קובצי תצורה סטנדרטיים של OpenVPN, ל-IVPN יש לקוחות ניידים עבור [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), ו- [GitHub](https://github.com/ivpn/android-app/releases) המאפשרים חיבורים קלים לשרתים שלהם. + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +תוכונת IVPN תומכים באימות דו - שלבי (הלקוחות של Mullvad לא תומכים). IVPN מספקת גם פונקציונליות של "[AntiTracker](https://www.ivpn.net/antitracker)", החוסמת רשתות פרסום ועוקבים מרמת הרשת. + +### Mullvad + +!!! recommendation + + ![לוגו Mullvad](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** הוא VPN מהיר וזול עם התמקדות רצינית בשקיפות ואבטחה. הם פועלים מאז **2009**. Mullvad מבוסס בשוודיה ואין לו ניסיון חינם. + + [:octicons-home-16: דף הבית](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="שירותי בצל" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 מדינות + +ל-Mullvad יש [שרתים ב-41 מדינות](https://mullvad.net/servers/).(1) בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. +{ .annotate } + +1. נבדק לאחרונה: 2022 -09 -16 + +אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כמו [שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } נבדק באופן עצמאי + +לקוחות ה-VPN של Mullvad נבדקו על ידי Cure53 ו-Assured AB בדו"ח חדיש [שפורסם ב-](https://cure53.de/pentest-report_mullvad_v2.pdf)cure53.de. חוקרי האבטחה הגיעו למסקנה: + +> Cure53 ו-Assured AB מרוצים מתוצאות הביקורת והתוכנה משאירה רושם חיובי כללי. עם מסירות אבטחה של הצוות הפנימי במתחם ה-VPN של Mullvad, לבודקים אין ספק לגבי הפרויקט בדרך הנכונה מבחינה אבטחה. + +בשנת 2020 [הוכרזה](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) ביקורת שנייה ו[דוח הביקורת הסופי](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) הפך לזמין באתר האינטרנט של Cure53: + +> התוצאות של פרויקט מאי-יוני 2020 המתמקד במתחם Mullvad הן חיוביות למדי. [...] המערכת האקולוגית הכוללת של היישום המשמשת את Mullvad משאירה רושם קול ומובנה. המבנה הכללי של היישום מקל על גלגול תיקונים ותיקונים באופן מובנה. יותר מכל, הממצאים שנצפו על ידי Cure53 מדגימים את החשיבות של ביקורת מתמדת והערכה מחדש של וקטורי הדליפה הנוכחיים, על מנת להבטיח תמיד את פרטיותם של משתמשי הקצה. עם זאת, Mullvad עושה עבודה נהדרת בהגנה על משתמש הקצה מפני דליפות PII נפוצות וסיכונים הקשורים לפרטיות. + +בשנת 2021 [הוכרזה](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) ביקורת תשתית ו[דוח הביקורת הסופי](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) הפך לזמין באתר האינטרנט של Cure53. דוח נוסף הוזמן [ביוני 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) והוא זמין [ באתר של Assured's](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } לקוחות קוד פתוח + +Mullvad מספק את קוד המקור עבור לקוחות שולחן העבודה והנייד שלהם ב[ארגון GitHub שלהם](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } מקבל מזומן ומונרו + +Mullvad, בנוסף לקבל כרטיסי אשראי/חיוב ופייפאל, מקבל ביטקוין, ביטקוין מזומן, **מונרו** ו**מזומן/מטבע מקומי** כאמצעי תשלום אנונימיים. הם גם מקבלים סוויש והעברות בנקאיות. + +#### :material-check:{ .pg-green } תמיכה ב-WireGuard + +Mullvad תומך בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר המשתמש ב[קריפטוגרפיה](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + +Mullvad [ממליץ](https://mullvad.net/en/help/why-wireguard/) על השימוש ב-WireGuard עם השירות שלהם. זהו פרוטוקול ברירת המחדל או היחיד באפליקציות אנדרואיד, iOS, macOS ו-Linux של Mullvad, אך ב-Windows אתה צריך להפעיל את WireGuard [באופן ידני](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/). Mullvad מציע גם מחולל תצורה של WireGuard לשימוש עם [אפליקציות](https://www.wireguard.com/install/) הרשמיות של WireGuard. + +#### :material-check:{ .pg-green } תמיכה ב-IPv6 + +Mullvad תומך בעתיד של רשת [IPv6](https://en.wikipedia.org/wiki/IPv6). הרשת שלהם מאפשרת לך [לגשת לשירותים המתארחים ב-IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) בניגוד לספקים אחרים שחוסמים חיבורי IPv6. + +#### :material-check:{ .pg-green } העברת פורטים מרחוק + +[העברת פורטים](https://en.wikipedia.org/wiki/Port_forwarding) מרחוק מותרת לאנשים המבצעים תשלומים חד פעמיים, אך אסורה עבור חשבונות עם אמצעי תשלום חוזר/מבוסס מנוי. זאת כדי למנוע מ-Mullvad להיות מסוגל לזהות אותך על סמך השימוש שלך בנמל ופרטי המנוי המאוחסנים. ראה [העברת פורטים עם Mullvad VPN ](https://mullvad.net/help/port-forwarding-and-mullvad/) למידע נוסף. + +#### :material-check:{ .pg-green } לקוחות ניידים + +Mullvad פרסמה לקוחות [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) ו- [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), שניהם תומכים בממשק קל לשימוש, בניגוד לדרישה ממך להגדיר באופן ידני את חיבור ה-WireGuard שלך. לקוח אנדרואיד זמין גם ב-[GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +Mullvad מאוד שקוף לגבי אילו צמתים הם [בעלים או שוכרים](https://mullvad.net/en/servers/). הם משתמשים ב-[ShadowSocks](https://shadowsocks.org/) בתצורת ShadowSocks + OpenVPN שלהם, מה שהופך אותם לעמידות יותר בפני חומות אש עם [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) שמנסה לחסום VPNs. לכאורה, [סין צריכה להשתמש בשיטה אחרת כדי לחסום שרתי ShadowSocks ](https://github.com/net4people/bbs/issues/22). האתר של Mullvad נגיש גם דרך Tor בכתובת [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN לוגו](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** הוא מתחרה חזק בתחום ה-VPN, והם פועלים מאז 2016. Proton AG מבוססת בשוויץ ומציעה רמה מוגבלת בחינם, כמו גם אפשרות פרימיום מומלצת יותר. + + [:octicons-home-16: דף הבית](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="מדיניות פרטיות" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=תיעוד} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="קוד מקור" } + + ??? downloads "הורדות" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 מדינות + +ל-Proton VPN יש [שרתים ב-67 מדינות](https://protonvpn.com/vpn-servers).(1) בחירת ספק VPN עם שרת הקרוב אליך תפחית את זמן האחזור של תעבורת הרשת שאתה שולח. הסיבה לכך היא מסלול קצר יותר (פחות דילוגים) ליעד. +{ .annotate } + +1. נבדק אחרון: 2022-09-16 + +אנחנו גם חושבים שעדיף לאבטחת המפתחות הפרטיים של ספק ה-VPN אם הם משתמשים ב[שרתים ייעודיים](https://en.wikipedia.org/wiki/Dedicated_hosting_service), במקום פתרונות משותפים זולים יותר (עם לקוחות אחרים) כמו [שרתים פרטיים וירטואליים](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } נבדק באופן עצמאי + +החל מינואר 2020, Proton VPN עבר ביקורת בלתי תלויה על ידי SEC Consult. SEC Consult מצא כמה נקודות תורפה בסיכון בינוני ונמוך ביישומי Windows, Android ו-iOS של Proton VPN, שכולן תוקנו כראוי על ידי Proton VPN לפני פרסום הדוחות. אף אחת מהבעיות שזוהו לא הייתה מספקת לתוקף גישה מרחוק למכשיר או לתעבורה שלך. אתה יכול להציג דוחות בודדים עבור כל פלטפורמה בכתובת [protonvpn.com](https://protonvpn.com/blog/open-source/). באפריל 2022 Proton VPN עבר [ביקורת נוספת](https://protonvpn.com/blog/no-logs-audit/) והדוח [הופק על ידי Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). [מכתב אישור](https://proton.me/blog/security-audit-all-proton-apps) סופק עבור האפליקציות של Proton VPN ב-9 בנובמבר 2021 על ידי [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } לקוחות קוד פתוח + +Proton VPN מספק את קוד המקור עבור לקוחות שולחן העבודה והנייד שלהם ב[ארגון GitHub](https://github.com/ProtonVPN) שלהם. + +#### :material-check:{ .pg-green } מקבל מזומן + +Proton VPN, בנוסף לקבלת כרטיסי אשראי/חיוב, פייפאל ו-[ביטקוין](advanced/payments.md#other-coins-bitcoin-ethereum-etc), מקבל גם **מזומן/מטבע מקומי** כאמצעי תשלום אנונימי. + +#### :material-check:{ .pg-green } תמיכה ב-WireGuard + +Proton VPN תומך בעיקר בפרוטוקול WireGuard®. [WireGuard](https://www.wireguard.com) הוא פרוטוקול חדש יותר המשתמש ב[קריפטוגרפיה](https://www.wireguard.com/protocol/) חדישה. בנוסף, WireGuard שואפת להיות פשוטה וביצועית יותר. + +Proton VPN [ממליץ](https://protonvpn.com/blog/wireguard/) על השימוש ב-WireGuard עם השירות שלהם. באפליקציות Windows, macOS, iOS, Android, ChromeOS ו-Android TV של Proton VPN, פרוטוקול WireGuard הוא ברירת המחדל; עם זאת, [תמיכה](https://protonvpn.com/support/how-to-change-vpn-protocols/) בפרוטוקול אינה קיימת באפליקציית הלינוקס שלהם. + +#### :material-alert-outline:{ .pg-orange } העברת פורטים מרחוק + +Proton VPN תומך כרגע רק ב[העברת פורטים](https://protonvpn.com/support/port-forwarding/) מרחוק ב-Windows, מה שעשוי להשפיע על יישומים מסוימים. במיוחד יישומי Peer - to - peer כמו לקוחות Torrent. + +#### :material-check:{ .pg-green } לקוחות ניידים + +בנוסף לאספקת קובצי תצורה סטנדרטיים של OpenVPN, ל-Proton VPN יש לקוחות ניידים עבור [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), ו- [GitHub](https://github.com/ProtonVPN/android-app/releases) המאפשרים חיבורים קלים לשרתים שלהם. + +#### :material-information-outline:{ .pg-blue } פונקציונליות נוספת + +תוכנות Proton VPN תומכים באימות דו-שלבי בכל הפלטפורמות מלבד לינוקס כרגע. ל - Proton VPN יש שרתים ומרכזי נתונים משלו בשוויץ, איסלנד ושוודיה. הם מציעים חסימת מודעות ודומיינים ידועים של תוכנות זדוניות שחוסמים באמצעות שירות ה - DNS שלהם. בנוסף, Proton VPN מציע גם שרתי "Tor" המאפשרים לך להתחבר בקלות לאתרי בצל, אך אנו עדיין ממליצים בחום להשתמש ב[דפדפן Tor הרשמי](https://www.torproject.org/) למטרה זו. + +#### :material-alert-outline:{ .pg-orange } תכונת Killswitch שבורה במחשבי Mac מבוססי אינטל + +קריסות מערכת [עשויות להתרחש](https://protonvpn.com/support/macos-t2-chip-kill-switch/) במחשבי Mac מבוססי אינטל בעת שימוש במתג ההרוג של VPN. אם אתם זקוקים לתכונה זו, ואתם משתמשים ב - Mac עם ערכת שבבים של Intel, כדאי לכם לשקול להשתמש בשירות VPN אחר. + +## קריטריונים + +!!! danger "סַכָּנָה" + + חשוב לציין ששימוש בספק VPN לא יהפוך אתכם לאנונימיים, אבל הוא ייתן לכם פרטיות טובה יותר במצבים מסוימים. VPN הוא לא כלי לפעילויות בלתי חוקיות. אל תסמכו על מדיניות "ללא תיעוד ". + +**לידיעתך, איננו קשורים לאף אחד מהספקים שאנו ממליצים עליהם. זה מאפשר לנו לספק המלצות אובייקטיביות לחלוטין.** בנוסף ל[הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו מערכת ברורה של דרישות עבור כל ספק VPN שרוצה מומלץ, כולל הצפנה חזקה, ביקורות אבטחה עצמאיות, טכנולוגיה מודרנית ועוד. מומלץ להכיר את הרשימה לפני שבוחרים ספק אימייל, ולבצע מחקר משלך כדי לוודא שספק האימייל שבחרתם הוא הבחירה הנכונה עבורכם. + +### טכנולוגיה + +אנו דורשים מכל ספקי ה - VPN המומלצים שלנו לספק קבצי תצורה של OpenVPN לשימוש בכל לקוח. **אם** VPN מספק קליינט מותאם אישית משלו, אנו זקוקים ל-killswitch כדי לחסום דליפות נתוני רשת כאשר הוא מנותק. + +**מינימום כדי לעמוד בדרישות:** + +- תמיכה בפרוטוקולים חזקים כגון WireGuard & OpenVPN. +- Killswitch מובנה בקליינטים. +- תמיכה Multihop. Multihopping חשוב לשמור על נתונים פרטיים במקרה של פשרה צומת אחת. +- אם לקוחות VPN מסופקים, הם צריכים להיות [קוד פתוח](https://en.wikipedia.org/wiki/Open_source), כמו תוכנת ה - VPN שהם בדרך כלל בנו לתוכם. אנחנו מאמינים שזמינות של [קוד מקור](https://en.wikipedia.org/wiki/Source_code) מספקת שקיפות רבה יותר לגבי מה שהמכשיר שלך עושה בפועל. + +**המקרה הטוב ביותר:** + +- תמיכה ב - WireGuard וב - OpenVPN. +- Killswitch עם אפשרויות להגדרה גבוהה (הפעלה/השבתה ברשתות מסוימות, על אתחול, וכו ') +- קליינטים VPN קלים לשימוש +- תומך [IPv6](https://en.wikipedia.org/wiki/IPv6). אנו מצפים כי שרתים יאפשרו חיבורים נכנסים באמצעות IPv6 ויאפשרו לך לגשת לשירותים המתארחים בכתובות IPv6. +- היכולת של [העברת יציאות מרחוק](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) מסייעת ביצירת חיבורים בעת שימוש בתוכנת שיתוף קבצים P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer))או בעת אירוח שרת (לדוגמה, Mumble). + +### פרטיות + +אנו מעדיפים שהספקים המומלצים שלנו יאספו כמה שפחות נתונים. לא לאסוף מידע אישי על רישום, וקבלת צורות אנונימיות של תשלום נדרשים. + +**מינימום כדי לעמוד בדרישות:** + +- [מטבע קריפטוגרפי אנונימי](cryptocurrency.md) **או** אפשרות תשלום במזומן. +- אין צורך במידע אישי כדי להירשם: רק שם משתמש, סיסמה ודוא"ל לכל היותר. + +**המקרה הטוב ביותר:** + +- מקבל [אפשרויות תשלום אנונימיות מרובות](advanced/payments.md). +- לא מתקבל מידע אישי (שם משתמש שנוצר אוטומטית, אין צורך באימייל וכו'). + +### אבטחה + +VPN הוא חסר טעם אם הוא אפילו לא יכול לספק אבטחה מספקת. אנו דורשים מכל הספקים המומלצים שלנו לציית לתקני האבטחה הנוכחיים לחיבורי OpenVPN שלהם. באופן אידיאלי, הם ישתמשו ביותר תוכניות הצפנה עתידיות כברירת מחדל. כמו כן, אנו דורשים מצד שלישי עצמאי לבדוק את האבטחה של הספק, באופן אידיאלי באופן מקיף מאוד ועל בסיס חוזר ונשנה (שנתי). + +**מינימום כדי לעמוד בדרישות:** + +- ערכות הצפנה חזקות: OpenVPN עם אימות SHA -256; RSA -2048 או לחיצת יד טובה יותר; AES -256 - GCM או הצפנת נתונים AES -256 - CBC. +- סודיות קדימה מושלמת (PFS). +- פירסם ביקורות אבטחה מחברת צד שלישי מכובדת. + +**המקרה הטוב ביותר:** + +- הצפנה חזקה ביותר: RSA -4096. +- סודיות קדימה מושלמת (PFS). +- ביקורות אבטחה מקיפות שפורסמו מחברת צד שלישי בעלת מוניטין. +- תוכניות לחיפוש באגים ו/או תהליך גילוי - פגיעות מתואם. + +### אמון + +לא היית סומך על הכספים שלך למישהו עם זהות מזויפת, אז למה לסמוך עליהם עם נתוני האינטרנט שלך? אנו דורשים מהספקים המומלצים שלנו להיות פומביים לגבי הבעלות או המנהיגות שלהם. כמו כן, היינו רוצים לראות דיווחי שקיפות תכופים, במיוחד בכל הנוגע לאופן הטיפול בבקשות ממשלתיות. + +**מינימום כדי לעמוד בדרישות:** + +- מנהיגות ציבורית או בעלות. + +**המקרה הטוב ביותר:** + +- מנהיגות מול הציבור. +- דוחות שקיפות תכופים. + +### שיווק + +עם ספקי ה - VPN אנו ממליצים לראות שיווק אחראי. + +**מינימום כדי לעמוד בדרישות:** + +- חייבים לבצע ניתוח מידע באיחסון עצמי (כלומר, ללא Google Analytics). האתר של הספק חייב גם לציית ל [DNT (לא לעקוב)](https://en.wikipedia.org/wiki/Do_Not_Track) למי שרוצה לבטל את הסכמתו. + +אסור שיהיה שיווק שהוא חסר אחריות: + +- ביצוע ערבויות של הגנה על 100% אנונימיות. כשמישהו טוען שמשהו הוא 100% זה אומר שאין ודאות לכישלון. אנחנו יודעים שאנשים יכולים בקלות להפוך את עצמם לאיאנונימיים במספר דרכים, למשל.: + - שימוש חוזר במידע אישי, למשל (חשבונות דוא"ל, שמות בדויים ייחודיים וכו ') שאליו ניגשו ללא תוכנה אנונימיות (Tor, VPN וכו ') + - [טביעת אצבע של דפדפן](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- טוענים ש - VPN במעגל אחד הוא "אנונימי יותר" מאשר Tor, שהוא מעגל של שלושה כשות או יותר שמשתנה באופן קבוע. +- השתמשו בשפה אחראית: כלומר, זה בסדר לומר ש-VPN "מנותק" או "לא מחובר", אולם לטעון שמישהו "חשוף", "פגיע" או "נפרץ" הוא שימוש מיותר בשפה מדאיגה שעשויה להיות שגויה. לדוגמה, ייתכן שהאדם הזה פשוט משתמש בשירות של ספק VPN אחר או משתמש ב - Tor. + +**המקרה הטוב ביותר:** + +שיווק אחראי כי הוא גם חינוכי ושימושי לצרכן יכול לכלול: + +- השוואה מדויקת למועד שבו יש להשתמש ב-[Tor](tor.md) במקום זאת. +- זמינות אתר האינטרנט של ספק ה - VPN מעל [Onion Service](https://en.wikipedia.org/wiki/.onion) + +### פונקציונליות נוספת + +אמנם לא דרישות קפדניות, אך ישנם כמה גורמים שבדקנו בעת קביעה על אילו ספקים להמליץ. אלה כוללים פונקציונליות של חסימת מודעות/חסימת מעקב, כנריות, חיבורי מולטי-הופ, תמיכת לקוחות מצוינת, מספר החיבורים המותרים בו זמנית וכו'. diff --git a/i18n/hi/404.md b/i18n/hi/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/hi/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/hi/CODE_OF_CONDUCT.md b/i18n/hi/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/hi/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/hi/about/criteria.md b/i18n/hi/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/hi/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/hi/about/donate.md b/i18n/hi/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/hi/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/hi/about/index.md b/i18n/hi/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/hi/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/hi/about/notices.md b/i18n/hi/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/hi/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/hi/about/privacy-policy.md b/i18n/hi/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/hi/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/hi/about/privacytools.md b/i18n/hi/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/hi/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/hi/about/services.md b/i18n/hi/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/hi/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/hi/about/statistics.md b/i18n/hi/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/hi/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/hi/advanced/communication-network-types.md b/i18n/hi/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/hi/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/hi/advanced/dns-overview.md b/i18n/hi/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/hi/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/hi/advanced/payments.md b/i18n/hi/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/hi/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/hi/advanced/tor-overview.md b/i18n/hi/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/hi/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/hi/android.md b/i18n/hi/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/hi/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/hi/assets/img/account-deletion/exposed_passwords.png b/i18n/hi/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/hi/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/hi/assets/img/android/rss-apk-dark.png b/i18n/hi/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/hi/assets/img/android/rss-apk-light.png b/i18n/hi/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-apk-light.png differ diff --git a/i18n/hi/assets/img/android/rss-changes-dark.png b/i18n/hi/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/hi/assets/img/android/rss-changes-light.png b/i18n/hi/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/hi/assets/img/android/rss-changes-light.png differ diff --git a/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-encryption.svg b/i18n/hi/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg b/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/how-tor-works/tor-path.svg b/i18n/hi/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/hi/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hi/assets/img/multi-factor-authentication/fido.png b/i18n/hi/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/hi/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/hi/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/hi/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/hi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/hi/basics/account-creation.md b/i18n/hi/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/hi/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/hi/basics/account-deletion.md b/i18n/hi/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/hi/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/hi/basics/common-misconceptions.md b/i18n/hi/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/hi/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/hi/basics/common-threats.md b/i18n/hi/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/hi/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/hi/basics/email-security.md b/i18n/hi/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/hi/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/hi/basics/multi-factor-authentication.md b/i18n/hi/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/hi/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/hi/basics/passwords-overview.md b/i18n/hi/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/hi/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/hi/basics/threat-modeling.md b/i18n/hi/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/hi/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/hi/basics/vpn-overview.md b/i18n/hi/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/hi/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/hi/calendar.md b/i18n/hi/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/hi/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/hi/cloud.md b/i18n/hi/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/hi/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/hi/cryptocurrency.md b/i18n/hi/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/hi/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/hi/data-redaction.md b/i18n/hi/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/hi/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/hi/desktop-browsers.md b/i18n/hi/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/hi/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/hi/desktop.md b/i18n/hi/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/hi/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/hi/dns.md b/i18n/hi/dns.md new file mode 100644 index 00000000..a8cc21da --- /dev/null +++ b/i18n/hi/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/hi/email-clients.md b/i18n/hi/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/hi/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/hi/email.md b/i18n/hi/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/hi/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/hi/encryption.md b/i18n/hi/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/hi/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/hi/file-sharing.md b/i18n/hi/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/hi/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/hi/financial-services.md b/i18n/hi/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/hi/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/hi/frontends.md b/i18n/hi/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/hi/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/hi/index.md b/i18n/hi/index.md new file mode 100644 index 00000000..1b650cc5 --- /dev/null +++ b/i18n/hi/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.hi.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/hi/kb-archive.md b/i18n/hi/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/hi/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/hi/meta/brand.md b/i18n/hi/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/hi/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/hi/meta/git-recommendations.md b/i18n/hi/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/hi/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/hi/meta/uploading-images.md b/i18n/hi/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/hi/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/hi/meta/writing-style.md b/i18n/hi/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/hi/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/hi/mobile-browsers.md b/i18n/hi/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/hi/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/hi/multi-factor-authentication.md b/i18n/hi/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/hi/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/hi/news-aggregators.md b/i18n/hi/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/hi/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/hi/notebooks.md b/i18n/hi/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/hi/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/hi/os/android-overview.md b/i18n/hi/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/hi/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/hi/os/linux-overview.md b/i18n/hi/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/hi/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/hi/os/qubes-overview.md b/i18n/hi/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/hi/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/hi/passwords.md b/i18n/hi/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/hi/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/hi/productivity.md b/i18n/hi/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/hi/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/hi/real-time-communication.md b/i18n/hi/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/hi/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/hi/router.md b/i18n/hi/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/hi/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/hi/search-engines.md b/i18n/hi/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/hi/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/hi/tools.md b/i18n/hi/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/hi/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/hi/tor.md b/i18n/hi/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/hi/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/hi/video-streaming.md b/i18n/hi/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/hi/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/hi/vpn.md b/i18n/hi/vpn.md new file mode 100644 index 00000000..6bba2546 --- /dev/null +++ b/i18n/hi/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/hu/404.md b/i18n/hu/404.md new file mode 100644 index 00000000..5aa957fc --- /dev/null +++ b/i18n/hu/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Nem Található + +Nem található az oldal, amit kerestél! Lehet, hogy ezek közül kerested valamelyiket? + +- [Bevezető a Védelmi Modellezésbe](basics/threat-modeling.md) +- [Ajánlott DNS Szolgáltatók](dns.md) +- [Legjobb Asztali Böngészők](desktop-browsers.md) +- [Legjobb VPN Szolgáltatók](vpn.md) +- [Privacy Guides Fórum](https://discuss.privacyguides.net) +- [Blogunk](https://blog.privacyguides.org) diff --git a/i18n/hu/CODE_OF_CONDUCT.md b/i18n/hu/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/hu/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/hu/about/criteria.md b/i18n/hu/about/criteria.md new file mode 100644 index 00000000..5697f9e3 --- /dev/null +++ b/i18n/hu/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Általános Követelmények +--- + +!!! example "Folyamatban lévő munka" + + Az alábbi oldal egy folyamatban lévő munka, és jelenleg nem tükrözi az ajánlásaink teljes körű követelményeit. Korábbi beszélgetés erről a témáról: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Pénzügyi Nyilatkozat + +Nem keresünk pénzt bizonyos termékek ajánlásával, nem használunk affiliate linkeket, és nem nyújtunk különleges bánásmódot a projekt adományozóinak. + +## Általános Irányelvek + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/hu/about/donate.md b/i18n/hu/about/donate.md new file mode 100644 index 00000000..d96f624f --- /dev/null +++ b/i18n/hu/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Támogass Minket +--- + + +Nagyon sok [emberre](https://github.com/privacyguides/privacyguides.org/graphs/contributors) és [munkára](https://github.com/privacyguides/privacyguides.org/pulse/monthly) van szükség ahhoz, hogy a Privacy Guides-t frissen tartsuk és hogy terjesszük a szót az adatvédelemről és tömeges megfigyelésről. Ha tetszik, amit csinálunk, fontold meg, hogy részt veszel az [oldal szerkesztésében](https://github.com/privacyguides/privacyguides.org), vagy [hozzájárulsz fordításokkal](https://crowdin.com/project/privacyguides). + +Ha anyagilag szeretnél támogatni minket, a számunkra legkényelmesebb módszer az Open Collective-en keresztül történő hozzájárulás, amelyet a pénzügyi házigazdánk működtet. Az Open Collective elfogadja a hitelkártyával/betéti kártyával, PayPal és banki átutalással történő fizetéseket. + +[Adományozás az OpenCollective.com-on](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +A közvetlenül nekünk adott adományok Open Collective-en általában adólevonásra jogosultak az Egyesült Államokban, mivel a pénzügyi házigazdánk (az Open Collective Foundation) egy bejegyzett 501(c)3 szervezet. Az adományozás után egy számlát fogsz kapni az Open Collective Fundation-től. A Privacy Guides nem nyújt pénzügyi tanácsadást, ezzel kapcsolatban fordulj adótanácsadódhoz, hogy megtudd, ez vonatkozik-e rád. + +Ha már használod a GitHub szponzorálási lehetőséget, akkor ott is támogathatod szervezetünket. + +[Szponzorálj minket GitHub-on](https://github.com/sponsors/privacyguides ""){.md-button} + +## Támogatók + +Egy különleges köszönet mindazoknak akik támogatják a küldetésünket! :heart: + +*Megjegyzés: Ez a rész közvetlenül az Open Collective-ról tölt be egy widgetet. Ez a rész nem tükrözi a Open Collective-en kívüli adományokat, és nincs befolyásunk az ebben a részben szereplő konkrét adományozókra.* + + + +## Hogyan Használjuk Fel az Adományokat + +A Privacy Guides egy **non-profit** szervezet. Az adományokat különböző célokra használjuk fel, többek között: + +**Domain Regisztrációk** +: + +Van néhány domain nevünk, mint például `privacyguides.org`, amelyek regisztrációjának fenntartása évente körülbelül 10 dollárba kerül. + +**Web Üzemeltetés** +: + +A weboldalra érkező forgalom több száz gigabájtnyi adatot használ havonta, és számos szolgáltatót használunk, hogy lépést tartsunk ezzel a forgalommal. + +**Online Szolgáltatások** +: + +[Internetes szolgáltatásokat](https://privacyguides.net) üzemeltetünk a különböző adatvédelmi termékek teszteléséhez és bemutatásához amiket kedvelünk és [ajánlunk](../tools.md). Ezek közül néhányat nyilvánosan elérhetővé teszünk a közösségünk számára (SearXNG, Tor, stb.), néhányat pedig a csapatunk tagjai számára biztosítunk (email, stb.). + +**Termékvásárlások** +: + +Alkalmanként vásárolunk termékeket és szolgáltatásokat az [ajánlott eszközeink](../tools.md) tesztelése céljából. + +Még mindig dolgozunk a pénzügyi házigazdánkkal (az Open Collective Foundation-nel), hogy fogadni tudjunk kriptovaluta adományokat, jelenleg a könyvelés sok kisebb tranzakció esetében kivitelezhetetlen, de ez a jövőben valószínűleg változni fog. Addig is, ha szeretnél egy nagyobb összegű (> $100) kriptovaluta adományt tenni, kérjük, írj a [jonah@privacyguides.org](mailto:jonah@privacyguides.org) címre. diff --git a/i18n/hu/about/index.md b/i18n/hu/about/index.md new file mode 100644 index 00000000..f18eafe4 --- /dev/null +++ b/i18n/hu/about/index.md @@ -0,0 +1,102 @@ +--- +title: "A Privacy Guides-ról" +description: A Privacy Guides egy szociálisan motivált weboldal, amely információkat nyújt az adatbiztonság és a magánélet védelméről. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +A **Privacy Guides** egy szociálisan motivált weboldal, amely [információkat nyújt](/kb) az adatbiztonság és a magánélet védelméről. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. Mi egy non-profit csoport vagyunk, ameit teljes egészében önkéntes [csapattagok](https://discuss.privacyguides.net/g/team) és közreműködők működtetnek. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Honlap } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Forráskód" } +[:octicons-heart-16:](donate.md){ .card-link title=Közreműködés } + +> Hogy [adatvédelemre összpontosító alternatív] alkalmazásokat találj, tekints meg olyan oldalakat, mint a Good Reports és a **Privacy Guides**, amelyek adatvédelemre összpontosító alkalmazásokat sorolnak fel különböző kategóriákban, beleértve az olyan (általában fizetős) e-mail szolgáltatókat is, amelyeket nem big tech vállalatok üzemeltetnek. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> Ha egy új VPN-t keresel, akkor szinte bármelyik podcastban találsz egy kedvezménykódot. Ha egy **jó** VPN-t keresel, akkor profi segítségre van szükséged. Ugyanez vonatkozik e-mail kliensekre, böngészőkre, operációs rendszerekre és jelszókezelőkre. Honnan tudhatod, hogy melyik a legjobb, legbiztonságosabb, a magánéletet legjobban tisztelő választás? Ehhez van itt a **Privacy Guides**, egy olyan platform, amelyen számos önkéntes nap mint nap keresi a legjobb adatvédelmi eszközöket az interneten. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## Történet + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Csapatunk + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Honlap](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Honlap](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Honlap](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Webhelylicenc + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Eltérő megjegyzés hiányában a weboldal eredeti tartalma a [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) alatt érhető el. Ez azt jelenti, hogy te szabadon másolhatod és terjesztheted az anyagot bármilyen médiumban vagy formátumban, bármilyen célból, akár kereskedelmi céllal is; feltéve, hogy megfelelően hivatkozol a `Privacy Guides (www.privacyguides.org)` címre, és biztosítasz egy linket a licenchez. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. Ha a weboldal tartalmát remixeled, átalakítod, vagy arra építesz, a módosított anyagot nem terjesztheted. + +Ez a licenc azért van érvényben, hogy megakadályozzuk, a munkánk megfelelő elismerés nélküli megosztását és félrevezetésre használt módosítását. Ha úgy találod, hogy a licenc feltételei túlságosan korlátozóak a projekthez, amelyen dolgozol, kérjük, fordulj hozzánk a `jonah@privacyguides.org` címen. Örömmel biztosítunk alternatív licencelési lehetőségeket jó szándékú projektek számára adatvédelmi térben! diff --git a/i18n/hu/about/notices.md b/i18n/hu/about/notices.md new file mode 100644 index 00000000..3cb34084 --- /dev/null +++ b/i18n/hu/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Jogi Nyilatkozat + +A Privacy Guides nem jogi iroda. Mint ilyen, a Privacy Guides weboldal és közreműködői nem nyújtanak jogi tanácsadást. A weboldalunkon és az útmutatóinkban található anyagok és ajánlások nem minősülnek jogi tanácsadásnak, és a weboldalhoz való hozzájárulás, valamint a Privacy Guides, vagy más közreműködőkkel való kommunikáció a weboldalunkról sem hoz létre ügyvéd-ügyfél kapcsolatot. + +A weboldal működtetése, mint minden emberi vállalkozás, bizonytalansággal és kompromisszumokkal jár. Reméljük, hogy ez a weboldal segít, de hibákat tartalmazhat, és nem tud minden helyzetet figyelembe venni. Ha bármilyen kérdésed van a szituációddal kapcsolatban, bátorítunk, hogy végezz saját kutatásokat, keress fel más szakértőket, és vegyél részt a Privacy Guides közösségével folytatott beszélgetésekben. Ha bármilyen jogi kérdésed van, konzultálj saját jogi tanácsadóddal, mielőtt továbblépnél. + +A Privacy Guides egy nyílt forráskódú projekt, amelyhez olyan licencek alapján lehet hozzá járulni, amelyek a weboldal és a közreműködők védelme érdekében egyértelművé teszik, hogy a Privacy Guides projekt és a weboldal garancia nélkül és úgy van kínálva "ahogy van", és kizárják a felelősséget a weboldal vagy a benne található ajánlások használatából eredő károkért. A Privacy Guides nem garantálja és nem vállal semmilyen felelősséget a weboldalon található anyagok pontosságát, valószínűsíthető eredményét vagy megbízhatóságát illetően, vagy egyéb módon a weboldalon található ilyen anyagokkal kapcsolatban, illetve az ezen a weboldalon hivatkozott bármely harmadik fél weboldalán. + +A Privacy Guides továbbá nem garantálja, hogy ez a weboldal folyamatosan vagy egyáltalán elérhető lesz. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Ez nem vonatkozik az ebbe az adattárba beágyazott, harmadik féltől származó kódra, illetve azokra a kódokra, amelyeknél a helyettesítő licenc másként van feltüntetve. Az alábbi példák figyelemre méltóak, de ez a lista nem feltétlenül teljes: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Ez azt jelenti, hogy az ebben a adattárban található, ember által olvasható tartalmat felhasználhatod saját projektedhez, a Creative Commons Attribution-NoDerivatives 4.0 International Public License szövegben foglalt feltételei szerint. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. Te **nem** használhatod a Privacy Guides márkajelzéseit saját projektedben ennek a projektnek a kifejezett jóváhagyása nélkül. A Privacy Guides márkavédjegyei közé tartozik a "Privacy Guides" szóvédjegy és a pajzs logó. + +Úgy véljük, hogy az `assets`-ekben található logók és egyéb, harmadik féltől származó képek vagy közkincsek, vagy **fair use** alatt állnak. Dióhéjban, a jogi [fair use elmélet](https://www.copyright.gov/fair-use/more-info.html) lehetővé teszi a szerzői joggal védett képek felhasználását a téma azonosítása érdekében nyilvános komment céljából. Ezek a logók és egyéb képek azonban egy vagy több joghatóságban továbbra is védjegyekre vonatkozó törvények hatálya alá tartozhatnak. Mielőtt felhasználnád ezt a tartalmat, kérjük, győződj meg arról, hogy a védjegyet a védjegyegy tulajdonló entitás, vagy szervezet azonosítására használatos, illetve hogy az általad tervezett felhasználás körülményei között alkalmazandó törvények értelmében jogosult vagy-e annak használatára. *A weboldal tartalmának másolásakor kizárólag te vagy felelős azért, hogy ne sértsd meg más védjegyét vagy szerzői jogát.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Elfogadható Használat + +Nem használhatod ezt a weboldalt semmilyen módon, amely kárt okoz vagy okozhat a weboldalban, vagy a Privacy Guides elérhetőségének vagy hozzáférhetőségének károsodását okozhatja, vagy bármilyen módon, amely jogellenes, illegális, csalárd, káros, vagy bármilyen jogellenes, illegális, csalárd vagy káros céllal vagy tevékenységgel összefüggésben. + +Kifejezett írásbeli hozzájárulás nélkül nem végezhetsz semmilyen szisztematikus vagy automatizált adatgyűjtési tevékenységet ezen a weboldalon vagy azzal kapcsolatban, beleértve: + +* Túlzott autómatikus szkennek +* Denial of Service támadások +* Scrapelés +* Adatbányászat +* 'Framelés' (IFramek) + +--- + +*A közlemény egyes részei a GitHub-on található [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) dokumentumból lettek átvéve. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/hu/about/privacy-policy.md b/i18n/hu/about/privacy-policy.md new file mode 100644 index 00000000..ea536d3c --- /dev/null +++ b/i18n/hu/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Adatvédelmi Tájékoztató" +--- + +A Privacy Guides egy közösségi projekt, amelyet számos aktív önkéntes közreműködő működtet. A csapattagok nyilvános listája [megtalálható a GitHub-on](https://github.com/orgs/privacyguides/people). + +## Látogatókról Gyűjtött Adatok + +Fontos számunkra weboldalunk látogatóinak magánélete, ezért nem követünk egyetlen önálló személyt sem. Weboldalunk látogatójaként: + +- Semmilyen személyes információt nem gyűjtünk +- Semmilyen sütihez hasonló információ nincs tárolva a böngészőben +- Semmilyen információt nem osztunk meg, küldünk el, vagy adunk el harmadik feleknek +- Semmilyen információt nem osztunk meg hirdetőcégekkel +- Semmilyen információt nem bányászunk és gyűjtünk be személyes és viselkedési trendek megállapításához +- Semmilyen információt nem értékesítünk + +Az általunk gyűjtött adatokat a [statisztikák](statistics.md) oldalon tekintheted meg. + +A [Plausible Analytics](https://plausible.io) egy saját üzemeltetésű telepítését futtatjuk, hogy statisztikai célokra egyes anonim használati adatokat gyűjtsünk. A cél a weboldalunk forgalmának általános trendjeinek nyomon követése, nem pedig egyéni látogatók nyomon követése. Minden adat kizárólag csak összesített. Semmilyen személyes adatot nem gyűjtünk. + +Az összegyűjtött adatok közé tartoznak a hivatkozási források, a legnépszerűbb oldalak, a látogatás időtartama, a látogatás során használt eszközökről származó információk (eszköztípus, operációs rendszer, ország és böngésző) és még sok más. Itt tudhatsz meg többet arról, hogyan működik a Plausible, és hogyan gyűjt információkat az magánélet tiszteletben tartásával [](https://plausible.io/data-policy). + +## Fióktulajdonosokról Gyűjtött Adatok + +Egyes általunk kínált weboldalon és szolgáltatáson számos funkcióhoz fiókra lehet szükség. Egy fórumplatformon például a témákhoz való posztoláshoz és hozzászóláshoz fiókra lehet szükség. + +A legtöbb fiókhoz való regisztrációhoz egy nevet, felhasználónevet, email címet és jelszót kell megadnod. Amennyiben egy weboldal az említett adatoknál több információt igényel, az egyértelműen jelezve lesz, és külön adatvédelmi tájékoztatóban lesz feltüntetve. + +A fiókadataidat arra használjuk, hogy azonosítsunk a weboldalon, és hogy jellemző oldalakat, például a profiloldaladat létrehozzuk. A fiókadataidat arra is felhasználjuk, hogy nyilvános profilt tegyünk közzé számodra a szolgáltatásainkban. + +Az email címedet a következőkre használjuk: + +- Értesítünk a weboldalakon vagy szolgáltatásokban megjelenő bejegyzésekről és egyéb tevékenységekről. +- Visszaállítjuk a jelszavadat, és segítünk megőrizni fiókod biztonságát. +- Felvesszük veled a kapcsolatot a fiókoddal összefüggő különleges körülményekkel kapcsolatban. +- Felvesszük veled a kapcsolatot jogi kérésekkel, például DMCA tiltási kérelmekkel kapcsolatban. + +Egyes weboldalakon és szolgáltatásokon további információt adhatsz meg fiókodhoz, például egy rövid életrajzot, avatart, a tartózkodási helyedet vagy a születésnapodat. Ezeket az információkat mindenki számára elérhetővé tesszük, aki hozzáférhet az adott weboldalhoz vagy szolgáltatáshoz. Ezek az információk nem szükségesek egyik szolgáltatásaink igénybevételéhez sem, és bármikor törölhetők. + +Fiókadataidat mindaddig tárolni fogjuk, amíg fiókod nyitva van. A fiók bezárása után a fiókadatok egy részét vagy egészét biztonsági mentések vagy archívumok formájában legfeljebb 90 napig megőrizhetjük. + +## Kapcsolatfelvétel + +A Privacy Guides csapata általában nem fér hozzá személyes adatokhoz, kivéve a moderációs panelek által biztosított korlátozott hozzáférést. A személyes adataiddal kapcsolatos kérdéseket a következő címre kell küldeni: + +```text +Jonah Aragon +Szolgáltatás Adminisztrátor +jonah@privacyguides.org +``` + +Minden más megkereséssel kapcsolatban csapatunk bármelyik tagjával kapcsolatba léphetsz. + +GDPR alá eső általános panaszok esetében a helyi adatvédelmi felügyeleti szervhez nyújthatsz be panaszt. Franciaországban ez a Commission Nationale de l'Informatique et des Libertés (Nemzeti Informatikai és Szabadságügyi Bizottság) ami foglalkozik és kezeli a panaszokat. Ők egy [panaszlevél sablont](https://www.cnil.fr/en/plaintes) is biztosítanak felhasználásra. + +## A Jelen Szabályzatról + +A tájékoztató bármely új verzióját [itt fogjuk közzétenni](privacy-policy.md). Előfordulhat, hogy a dokumentum jövőbeli verzióinál megváltoztatjuk a változások bejelentésének módját. Időközben bármikor frissíthetjük elérhetőségeinket anélkül, hogy a változást bejelentenénk. A legfrissebb elérhetőségekért kérjük, hivatkozz bármikor az [Adatvédelmi Tájékoztatóra](privacy-policy.md). + +Az oldal teljes [előzménye](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) a GitHub-on található meg. diff --git a/i18n/hu/about/privacytools.md b/i18n/hu/about/privacytools.md new file mode 100644 index 00000000..f54fe722 --- /dev/null +++ b/i18n/hu/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools GYIK" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/hu/about/services.md b/i18n/hu/about/services.md new file mode 100644 index 00000000..3d8eb6b0 --- /dev/null +++ b/i18n/hu/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Szolgáltatások + +Számos webes szolgáltatást futtatunk, hogy teszteljünk funkciókat és népszerűsítsünk menő decentralizált, föderált és/vagy nyílt forráskódú projekteket. E szolgáltatások közül számos elérhető a nyilvánosság számára, és az alábbiakban részletesen ismertetjük őket. + +[:material-comment-alert: Probléma bejelentése](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Elérhetőség: Nyilvános +- Forrás: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Elérhetőség: Csak Meghívóval + A *Privacy Guides*-hoz kapcsolódó fejlesztéseken vagy tartalmakon dolgozó bármely csapat számára kérésre engedélyezhető a hozzáférés. +- Forrás: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Elérhetőség: Csak Meghívóval + A hozzáférés kérésre megadható a Privacy Guides csapatának tagjainak, Mátrix-moderátoroknak, harmadik feles Matrix közösség adminisztrátoroknak, Matrix-botok üzemeltetőinek és más olyan személyeknek, akiknek megbízható Matrix-jelenlétre van szükségük. +- Forrás: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Elérhetőség: Nyilvános +- Forrás: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Elérhetőség: Félig Nyilvános + Az Invidioust elsősorban beágyazott YouTube-videók szolgáltatásához üzemeltetjük a webhelyünkön, ez az instance általános célú használatra nem szolgál, és bármikor korlátozható. +- Forrás: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/hu/about/statistics.md b/i18n/hu/about/statistics.md new file mode 100644 index 00000000..4285a5af --- /dev/null +++ b/i18n/hu/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Forgalom Statisztikák +--- + +## Weboldal Statisztikák + + +
Plausible Analytics által működtetett statisztikák
+ + + + +## Blog Statisztikák + + +
Plausible Analytics által működtetett statisztikák
+ + + diff --git a/i18n/hu/advanced/communication-network-types.md b/i18n/hu/advanced/communication-network-types.md new file mode 100644 index 00000000..755a7903 --- /dev/null +++ b/i18n/hu/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Kommunikációs Hálózatok Típusai" +icon: 'material/transit-connection-variant' +description: Azonnali üzenetküldő alkalmazások által gyakran használt különböző hálózati architektúrák áttekintése. +--- + +Személyek közötti üzenetek továbbítására többféle hálózati architektúra használható. Ezek a hálózatok különböző magánéleti garanciákat nyújthatnak, ezért érdemes figyelembe venned a [védelmk modelledet](../basics/threat-modeling.md), amikor eldöntöd, hogy melyik alkalmazást fogod használni. + +[Ajánlott Azonnali Üzenetküldők](../real-time-communication.md ""){.md-button} + +## Központosított Hálózatok + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +A központosított üzenetküldők azok, ahol minden résztvevő ugyanazon a szerveren vagy szerverhálózaton tartózkodik, amelyet ugyanaz a szervezet irányít. + +Néhány saját működtetésű üzenetküldő lehetővé teszi, hogy saját szervert hozz létre. Az üzemeltetés saját magad álltal további adatvédelmi garanciákat nyújthat, például használati naplók hiánya, vagy korlátozott hozzáférés metaadatokhoz (arra vonatkozó adatok, hogy ki kivel beszél). A saját üzemeltetésű, központosított üzenetküldők el vannak különítve, és a kommunikációhoz mindenkinek ugyanazon a szerveren kell lennie. + +**Előnyök:** + +- Új funkciók és módosítások gyorsabban megvalósíthatók. +- Könnyebb elkzedeni a használatot és megtalálni a kapcsolatokat. +- A környezetek a legérettebb és legstabilabb funkciókkal rendelkeznek, mivel ezeket könnyebb egy központi szoftverben programozni. +- Az adatvédelmi problémák csökkenhetnek, ha egy olyan szerverben kell megbíznod, amit te magad üzemeltetsz. + +**Hátrányok:** + +- Tartalmazhat [korlátozott ellenőrzést vagy hozzáférést](https://drewdevault.com/2018/08/08/Signal.html). Ez olyan dolgokat foglalhat magában, mint: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Gyakran a Felhasználási Feltételekben van meghatározva. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Föderált Hálózatok + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Előnyök:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Hátrányok:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Hálózatok + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Előnyök:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Hátrányok:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonim Forgalomirányítás + +![Anoním forgalomirányítási diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Előnyök:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Hátrányok:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/hu/advanced/dns-overview.md b/i18n/hu/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/hu/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/hu/advanced/payments.md b/i18n/hu/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/hu/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/hu/advanced/tor-overview.md b/i18n/hu/advanced/tor-overview.md new file mode 100644 index 00000000..f3e390b8 --- /dev/null +++ b/i18n/hu/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Áttekintés" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Android + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/hu/android.md b/i18n/hu/android.md new file mode 100644 index 00000000..bc4f2c88 --- /dev/null +++ b/i18n/hu/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Operációs Rendszerek + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/hu/assets/img/account-deletion/exposed_passwords.png b/i18n/hu/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/hu/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/hu/assets/img/android/rss-apk-dark.png b/i18n/hu/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/hu/assets/img/android/rss-apk-light.png b/i18n/hu/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-apk-light.png differ diff --git a/i18n/hu/assets/img/android/rss-changes-dark.png b/i18n/hu/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/hu/assets/img/android/rss-changes-light.png b/i18n/hu/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/hu/assets/img/android/rss-changes-light.png differ diff --git a/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..3fd9b575 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Az + + Eszközöd + + + + Adatok küldése egy webhelynek + + + + + Adatok fogadása egy webhelyről + + + + + Az + + Eszközöd + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-encryption.svg b/i18n/hu/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..0d42a82d --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Az + + Eszközöd + + + + Adatok küldése egy webhelynek + + + + + Adatok fogadása egy webhelyről + + + + + Az + + Eszközöd + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg b/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..af62c99f --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Az + Eszközöd + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..e7ce0c2a --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A te + + + Eszközöd + + + + + + Őr + + + Elosztó + + + Elosztó + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Találkozó + + + Elosztó + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..7543a89d --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A te + + + Eszközöd + + + + + + Őr + + + Elosztó + + + Elosztó + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Találkozó + + + Elosztó + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/how-tor-works/tor-path.svg b/i18n/hu/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..9df7ac98 --- /dev/null +++ b/i18n/hu/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Az + Eszközöd + + + + Belépő + + + + + Közép + + + + + Kilépő + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/hu/assets/img/multi-factor-authentication/fido.png b/i18n/hu/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/hu/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/hu/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/hu/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/hu/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/hu/basics/account-creation.md b/i18n/hu/basics/account-creation.md new file mode 100644 index 00000000..19433a61 --- /dev/null +++ b/i18n/hu/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on - Egyszeri Bejelentkezés + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/hu/basics/account-deletion.md b/i18n/hu/basics/account-deletion.md new file mode 100644 index 00000000..c8033019 --- /dev/null +++ b/i18n/hu/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Fiókok törlése" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/hu/basics/common-misconceptions.md b/i18n/hu/basics/common-misconceptions.md new file mode 100644 index 00000000..bae4435b --- /dev/null +++ b/i18n/hu/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Gyakori Tévhitek" +icon: 'material/robot-confused' +description: Az adatvédelem nem egy egyszerű téma, és könnyű belekeveredni marketinges állításokba és egyéb dezinformációkba. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + Sokat beszélünk a "bizalom áthelyezéséről", amikor olyan megoldásokról beszélünk, mint a VPN-ek (amelyek az internetszolgáltatódba vetett bizalmat a VPN-szolgáltatóra helyezik át). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Ha kizárólag egy eszköz vagy szolgáltató adatvédelmi szabályzatára és marketingjére koncentrálsz, az elvakíthat annak gyengeségeivel szemben. Ha privát megoldást keresel, meg kell határozni, hogy mi az az mögött megbúvó probléma, és műszaki megoldásokat kell találni erre a problémára. Érdemes például elkerülni a Google Drive-ot, amely a Google számára hozzáférést biztosít az összes adatodhoz. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Azzal, hogy egy "adatvédelemre összpontosító" szolgáltatóra váltasz (amely nem alkalmaz End-to-End titkoítást), nem oldja meg a problémádat: csak a bizalmat helyezi át a Google-tól az adott szolgáltatóra. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + Gyakran látjuk, hogy az emberek túlságosan összetett adatvédelmi védelmi modelleket írnak le. Ezek a megoldások gyakran olyan problémákat tartalmaznak, mint sok különböző email fiók vagy bonyolult felállások sok mozgó alkatrésszel és feltétellel. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "A nyílt forráskódú szoftverek mindig biztonságosak" vagy "A jogvédett szoftverek biztonságosabbak" + +Ezek a mítoszok számos előítéletből fakadnak, de az, hogy a forráskód elérhető-e, és hogy a szoftverek licencelése hogyan történik, nem befolyásolja annak biztonságát semmilyen módon. ==A nyílt forráskódú szoftverek potenciálisan ** biztonságosabbak, mint a jogvédett szoftverek, de egyáltalán nem garantálható, hogy ez így is van.== Egy szoftver elbírálásánál az egyes eszközök hírnevét és biztonságát egyénileg kell megvizsgálni. + +Nyílt forráskódú szoftverek felülvizsgál*hatók* harmadik felek által, és gyakran átláthatóbbak lehetséges sebezhetőségek esetében, mint a jogvédett szoftverek. Azt is lehetővé teszi, hogy felülvizsgáld a kódot, és letiltsd a gyanús funkciókat, amiket találsz. Azonban, *ha nem így teszel*, nincs garancia arra, hogy a kód valaha is el lett bírálva, különösen a kisebb szoftverprojektek esetében. A nyílt fejlesztési folyamat is ki lett használva arra, hogy új sebezhetőségeket építsenek be még nagyobb projektekbe is.[^1] + +A másik oldalon a jogvédett szoftverek kevésbé átláthatóak, de ez nem jelenti azt, hogy nem biztonságosak. A nagyobb jogvédett szoftverprojektek belső és harmadik fél által is felülvizsgálhatók, és független biztonsági kutatók továbbra is találhatnak sebezhetőségeket olyan technikákkal, mint a reverse engineering. + +Az elfogult döntések elkerülése érdekében *létfontosságú*, hogy elbíráld az általad használt szoftverek adatvédelmi és biztonsági szabványait. + +## "A bizalom áthelyezése növelheti a magánélet védelmét" + +Sokat beszélünk a "bizalom áthelyezéséről", amikor olyan megoldásokról beszélünk, mint a VPN-ek (amelyek az internetszolgáltatódba vetett bizalmat a VPN-szolgáltatóra helyezik át). Míg ez megvédi a böngészési adataid az internetszolgáltatódtól *konkrétan*, a választott VPN szolgáltató továbbra is hozzáfér a böngészési adatokhoz: Az adataid nincsenek teljesen védve minden féltől. Ez azt jelenti, hogy: + +1. Óvatosan kell eljárnod, amikor kiválasztasz egy szolgáltatót, akire áthelyezed a bizalmat. +2. Az adatok teljes védelme érdekében továbbra is egyéb technikákat kell alkalmaznod, például End-to-End titkosítást. Ha csak azért nem bízol egy szolgáltatóban, hogy egy másikban bíz, az nem jelenti az adataid védelmét. + +## "Az adatvédelemre összpontosító megoldások eredendően megbízhatóak" + +Ha kizárólag egy eszköz vagy szolgáltató adatvédelmi szabályzatára és marketingjére koncentrálsz, az elvakíthat annak gyengeségeivel szemben. Ha privát megoldást keresel, meg kell határozni, hogy mi az az mögött megbúvó probléma, és műszaki megoldásokat kell találni erre a problémára. Érdemes például elkerülni a Google Drive-ot, amely a Google számára hozzáférést biztosít az összes adatodhoz. A probléma ebben az esetben az End-to-End titkosítás hiánya, ezért meg kell győződnöd arról, hogy a szolgáltató, amelyre váltasz, valóban megvalósítja az End-to-End titkosítást, vagy olyan eszközt használsz (mint például a [Cryptomator](../encryption.md#cryptomator-cloud)), amely bármely felhőszolgáltatónál biztosítja az End-to-End titkosítást. Azzal, hogy egy "adatvédelemre összpontosító" szolgáltatóra váltasz (amely nem alkalmaz End-to-End titkoítást), nem oldja meg a problémádat: csak a bizalmat helyezi át a Google-tól az adott szolgáltatóra. + +Az általad választott szolgáltatók adatvédelmi irányelvei és üzleti gyakorlatai nagyon fontosak, de másodlagosnak kell tekinteni az adatvédelmed technikai garanciáihoz képest: Ne helyezd át a bizalmat egy másik szolgáltatóra, ha a szolgáltatóban való bizalom egyáltalán nem is szükséges. + +## "A bonyolult jobb" + +Gyakran látjuk, hogy az emberek túlságosan összetett adatvédelmi védelmi modelleket írnak le. Ezek a megoldások gyakran olyan problémákat tartalmaznak, mint sok különböző email fiók vagy bonyolult felállások sok mozgó alkatrésszel és feltétellel. A válaszok általában a "Mi a legjobb módja, hogy *X*-t csinálj?" kérdésre adnak választ. + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/hu/basics/common-threats.md b/i18n/hu/basics/common-threats.md new file mode 100644 index 00000000..6f9a3cac --- /dev/null +++ b/i18n/hu/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Gyakori veszélyek" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/hu/basics/email-security.md b/i18n/hu/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/hu/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/hu/basics/multi-factor-authentication.md b/i18n/hu/basics/multi-factor-authentication.md new file mode 100644 index 00000000..e2b40a9b --- /dev/null +++ b/i18n/hu/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication - Többlépcsős Hitelesítés" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/hu/basics/passwords-overview.md b/i18n/hu/basics/passwords-overview.md new file mode 100644 index 00000000..06010013 --- /dev/null +++ b/i18n/hu/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Jelszókezelők + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/hu/basics/threat-modeling.md b/i18n/hu/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/hu/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/hu/basics/vpn-overview.md b/i18n/hu/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/hu/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/hu/calendar.md b/i18n/hu/calendar.md new file mode 100644 index 00000000..6683d53e --- /dev/null +++ b/i18n/hu/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Naptár Szinkronizálás" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +A naptárak a legérzékenyebb adataidat tartalmazzák; használj at rest End-to-End titkosítást megvalósító termékeket, hogy megakadályozd, hogy a szolgáltató elolvassa ezeket. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **A **Tutanota** ingyenes és titkosított naptárat kínál a támogatott platformjain keresztül. A funkciók közé tartoznak: az összes adat automatikus End-to-End titkosítása, megosztási funkciók, import/export funkciók, többlépcsős hitelesítés és még [sok más](https://tutanota.com/calendar-app-comparison/). + + A több naptár és kiterjesztett megosztási funkciók csak a fizetett előfizetőknek elérhető. + + [:octicons-home-16: Honlap](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentáció} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + A **Proton Calendar** egy titkosított naptárszolgáltatás, amely a Proton-tagok számára webes vagy mobilklienseken keresztül érhető el. A funkciók közé tartoznak: az összes adat automatikus End-to-End titkosítása, megosztási funkciók, import/export funkciók és még [sok más](https://proton.me/support/proton-calendar-guide). Az ingyenes előfizetéssel rendelkezők egyetlen naptárhoz kapnak hozzáférést, míg a fizetett előfizetők akár 20 naptárat is létrehozhatnak. Kiterjesztett megosztási funkciók szintén csak a fizetett előfizetőknek elérhető. + + [:octicons-home-16: Honlap](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimális Fenttartások + +- Szinkronizálnia és tárolnia kell információkat End-to-End titkosítással, hogy biztosítva legyen az, hogy az adatok nem láthatóak a szolgáltató számára. + +### Legjobb Esetben + +A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy tökéletes projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. + +- Adott esetben integrálódnia kell az operációs rendszer natív naptár- és névjegykezelő alkalmazásaival. diff --git a/i18n/hu/cloud.md b/i18n/hu/cloud.md new file mode 100644 index 00000000..684c57c5 --- /dev/null +++ b/i18n/hu/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Felhőtárhely" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Sok felhőalapú tárhelyszolgáltatónak elvárása a teljes bizalmad abban, hogy nem fogják megnézni a fájljaidat. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "A Nextcloud-ot keresed?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Honlap](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimális Követelmények + +- Végponttól végpontig terjedő titkosítást kell érvényesítenie. +- Ingyenes csomagot vagy próbaidőszakot kell kínálnia a teszteléshez. +- Támogatnia kell TOTP vagy FIDO2 többlépcsős hitelesítés használatát, vagy Passkey bejelentkezéseket. +- Olyan webes felületet kell kínálnia, amely támogat alapvető fájlkezelési funkciókat. +- Lehetővé kell tennie az összes fájl/dokumentum egyszerű exportálását. +- Szabványos, felülvizsgált titkosítást kell használnia. + +### Legjobb Esetben + +A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy tökéletes projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. + +- A klienseknek nyílt forráskódúaknak kell lenniük. +- A klienseket teljes egészükben független harmadik félnek kell felülvizsgálnia. +- Natív klienseket kell kínálnia Linux, Android, Windows, macOS és iOS rendszerekre. + - Ezeknek a klienseknek integrálódniuk kell natív operációs rendszer eszközökkel, amik felhőtárhely szolgáltatóknak lettek létrehozva, például a Files alkalmazás integrációjával iOS-en, vagy a DocumentsProvider funkcióval Androidon. +- Támogatnia kell az egyszerű fájlmegosztást más felhasználókkal. +- Legalább alapvető fájlelőnézeti és szerkesztési funkciókat kell kínálnia a webes felületen. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/hu/cryptocurrency.md b/i18n/hu/cryptocurrency.md new file mode 100644 index 00000000..06d7e760 --- /dev/null +++ b/i18n/hu/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/hu/data-redaction.md b/i18n/hu/data-redaction.md new file mode 100644 index 00000000..67c2afa7 --- /dev/null +++ b/i18n/hu/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Adat és Metaadat Eltávolítás" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +Fájlok megosztásakor ügyelj a kapcsolódó metaadatok eltávolítsára. A képfájlok gyakran tartalmaznak [Exif](https://en.wikipedia.org/wiki/Exif) adatokat. A fényképek időnként még GPS-koordinátákat is tartalmaznak a fájl metaadataiban. + +## Asztal + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + A **MAT2** szabad szoftver, amely lehetővé teszi a metaadatok eltávolítását kép, hang, torrent és dokumentum fájltípusokból. Egy parancssor eszközt és egy grafilus felhasználói felületet is biztosít egy [Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus) és [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin) bővítményen keresztül, amik közül az előbbi a [GNOME](https://www.gnome.org), az utóbbi a [KDE](https://kde.org) alapértelmezett fájlkezelője. + + Linuxon létezik egy harmadik féltől származó grafikus eszköz, a [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner), amely alapját a MAT2 adja, és ez [el is érhető a Flathubon](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Adattár](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobil + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + Az **ExifEraser** egy modern, engedély nélküli képmetaadat-törlő alkalmazás Androidra. + + Jelenleg támogatja a JPEG, PNG és WebP fájlokat. + + [:octicons-repo-16: Adattár](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +A törlésre kerülő metaadat a kép fájltípusától függ: + +* **JPEG**: ICC Profil, Exif, Photoshop Image Resources és XMP/ExtendedXMP metaadatok fognak törlődni, ha vannak. +* **PNG**: ICC Profil, Exif és XMP metaadatok fognak törlődni, ha vannak. +* **WebP**: ICC Profil, Exif és XMP metaadatok fognak törlődni, ha vannak. + +A képek feldolgozása után ExifEraser teljes jelentést ad arról, hogy pontosan mit távolított el egyes képekről. + +Az alkalmazás többféle módszert nyújt metaadatokat törléséhez a képekről. Név szerint: + +* Az megoszthat egy képet egy másik alkalmazásból az ExifEraser-nek. +* Magán az alkalmazáson keresztül egyetlen képet, egyszerre több képet vagy akár egy egész könyvtárat is kiválaszthatsz. +* Rendelkezik egy "Kamera" opcióval, amely az operációs rendszer kameraalkalmazását használja egy fénykép készítéséhez, majd eltávolítja arról a metaadatokat. +* Lehetővé teszi, hogy fényképeket húzz át egy másik alkalmazásból az ExifEraser-be, ha mindkét app osztott képernyős módban van megnyitva. +* Végül, lehetővé teszi egy kép beillesztését a vágólapról. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + A **Metapho** egy egyszerű és letisztult megjelenítője fényképek metaadatainak, mint például dátum, fájlnév, méret, fényképező modell, zársebesség és helyszín. + + [:octicons-home-16: Honlap](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Adatvédelmi Nyilatkozat" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + A **PrivacyBlur** egy ingyenes alkalmazás, amely képes elmosni képek érzékeny részeit, mielőtt online megosztanád azokat. + + [:octicons-home-16: Honlap](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + **Soha** ne használd a homályosítást [képekben lévő szöveg](https://bishopfox.com/blog/unredacter-tool-never-pixelation) szerkesztésére. Ha egy képen lévő szöveget szeretnél eltávolítani, rajzolj egy négyzetet a szöveg fölé. Ehhez olyan alkalmazásokat ajánlunk, mint a [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Parancssor + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + Az **ExifTool** az eredeti perl könyvtár és parancssor alkalmazás a metainformációk (Exif, IPTC, XMP stb.) olvasására, írására és szerkesztésére a legkülönbözőbb fájlformátumok (JPEG, TIFF, PNG, PDF, RAW stb.) esetében. + + Gyakran más Exif eltávolító alkalmazások része, és megtalálható a legtöbb Linux disztribúció addattáraiban. + + [:octicons-home-16: Honlap](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Adatok törlése egy fájlkönyvtárból" + + ```bash + exiftool -all= *.fájl_kiterjesztés + ``` + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Nyílt forráskódú operációs rendszerekre fejlesztett alkalmazásoknak nyílt forráskódúnak kell lenniük. +- Az alkalmazásoknak ingyenesnek kell lenniük, és nem tartalmazhatnak reklámokat vagy egyéb korlátozásokat. diff --git a/i18n/hu/desktop-browsers.md b/i18n/hu/desktop-browsers.md new file mode 100644 index 00000000..40302e6e --- /dev/null +++ b/i18n/hu/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Android + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Bővítmény Követelmények + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/hu/desktop.md b/i18n/hu/desktop.md new file mode 100644 index 00000000..79662918 --- /dev/null +++ b/i18n/hu/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Asztal/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + A **Qubes OS** egy nyílt forráskódú operációs rendszer, amelyet úgy terveztek, hogy erős biztonságot nyújtson asztali számítógépek számára. Qubes a Xen-en, az X Window System-en és a Linuxon alapul, képes a legtöbb Linux alkalmazás futtatására és a legtöbb Linux illesztőprogram használatára. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/hu/dns.md b/i18n/hu/dns.md new file mode 100644 index 00000000..5dce3850 --- /dev/null +++ b/i18n/hu/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolverek" +icon: material/dns +description: Ezekre a titkosított DNS-szolgáltatókra való átállást javasoljuk, hogy lecseréld az internetszolgáltatód alapértelmezett konfigurációját. +--- + +Titkosított DNS-t harmadik féltől származó szerverekkel csak alapvető [DNS-blokkolás](https://en.wikipedia.org/wiki/DNS_blocking) megkerülésére kellene használni, ha biztos vagy benne, hogy annak nem lesz semmilyen következménye. A titkosított DNS nem fog segíteni elrejteni a böngészési tevékenységedet. + +[További információ a DNS-ről :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Ajánlott Szolgáltatók + +| DNS Szolgáltatók | Adatvédelmi Tájékoztató | Protokollok | Naplózás | ECS | Szűrés | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | --------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Nyílt szöveg
DoH/3
DoT
DNSCrypt | Némi[^1] | Nem | Választott szerver alapján. A használt szűrőlista itt található. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Nyílt szöveg
DoH/3
DoT | Némi[^2] | Nem | Választott szerver alapján. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Nyílt szöveg
DoH/3
DoT
DoQ | Választható[^3] | Nem | Választott szerver alapján. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Nem[^4] | Nem | Választott szerver alapján. A használt szűrőlista itt található. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Nyílt szöveg
DoH/3
DoT | Választható[^5] | Választható | Választott szerver alapján. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Nyílt szöveg
DoH
DoT
DNSCrypt | Némi[^6] | Választható | Választott szerver alapján, Kártékony szoftver blokkolás alapértelmezetten. | + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Támogatnia kell a [DNSSEC](advanced/dns-overview.md#what-is-dnssec)-et. +- [QNAME Minimalizáció](advanced/dns-overview.md#what-is-qname-minimization). +- Lehetővé teszi az [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) letiltását. +- Előnyben részesíti az [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods), vagy a geo-steering támogatását. + +## Natív Operációs Rendszer Támogatás + +### Android + +Az Android 9 és újabb verziói támogatják a DNS-t TLS-en keresztül. A beállítások megtalálhatók itt: **Beállítások** → **Hálózat és Internet** → **Privát DNS**. + +### Apple Eszközök + +Az iOS, iPadOS, tvOS és macOS legújabb verziói támogatják a DoT és a DoH funkciót is. Mindkét protokoll alapból támogatva van a [konfigurációs profilok](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) vagy a [DNS-beállítás API](https://developer.apple.com/documentation/networkextension/dns_settings)-n keresztül. + +Egy konfigurációs profilt vagy egy DNS-beállítások API-t használó alkalmazás telepítése után kiválasztható a DNS-konfiguráció. Ha egy VPN aktív, a VPN-alagúton belüli elosztás a VPN DNS-beállításait fogja használni, nem pedig a rendszerbeállításokat. + +#### Aláírt Profilok + +Az Apple nem biztosít natív felületet titkosított DNS-profilok létrehozásához. A [Secure DNS profile creator](https://dns.notjakob.com/tool.html) egy nem hivatalos eszköz saját titkosított DNS-profilok létrehozására, azonban ezek a profilok nem lesznek aláírva. Az aláírt profilok előnyben részesítendők; az aláírás igazolja a profil eredetét, és segít biztosítani a profilok integritását. Az aláírt konfigurációs profilok zöld "Ellenőrzött" címkét kapnak. A kódaláírással kapcsolatos további információkért lásd: [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **** Aláírt profilokat az [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), a [NextDNS](https://apple.nextdns.io) és a [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/) nyújt. + +!!! info + + A `systemd-resolved`, amelyet sok Linux disztribúció használ a DNS-lekérdezéseikhez, még nem [támogatja a DoH-t](https://github.com/systemd/systemd/issues/8639). Ha a DoH-t szeretnéd használni, telepítened kell egy proxyt, mint például a [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) és [konfigurálnod kell azt](https://wiki.archlinux.org/title/Dnscrypt-proxy), hogy az átvegye az összes DNS-lekérdezést a rendszer resolverjétől, és azokat HTTPS-en keresztül továbbítsa. + +## Titkosított DNS proxyk + +Egy titkosított DNS proxy szoftver helyi proxy-t biztosít a [titkosítatlan DNS](advanced/dns-overview.md#unencrypted-dns) resolver számára, amelyhez majd továbbít. Általában olyan platformokon használatos, amelyek nem támogatják natívan a [titkosított DNS-t](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + A **RethinkDNS** egy nyílt forráskódú Android kliens, amely támogatja a [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) és DNS Proxy funkciókat, valamint a DNS-válaszok gyorsítótárazását, a DNS-lekérdezések helyi naplózását, de használható tűzfalként is. + + [:octicons-home-16: Honlap](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dns/dnscrypt-proxy.svg){ align=right } + + A **dnscrypt-proxy** egy DNS-proxy, amely támogatja a [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) és [Anonymizált DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS) funkciókat. + + !!! warning "Az anonimizált DNS funkció [**nem**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonimizál más hálózati forgalmat." + + [:octicons-repo-16: Adattár](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Saját Üzemeltetésű Megoldások + +Egy saját üzemeltetésű DNS-megoldás hasznos ellenőrzött platformokon, például Smart TV-ken és más IoT-eszközökön történő szűrés biztosításához, mivel nincs szükség kliensoldali szoftverre. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + Az **AdGuard Home** egy nyílt forráskódú [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole), amely [DNS-szűrést](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) alkalmaz nem kívánatos webes tartalmak, például hirdetések blokkolására. + + Az AdGuard Home egy kifinomult webes felületet kínál az betekintések megtekintéséhez és blokkolt tartalmak kezeléséhez. + + [:octicons-home-16: Honlap](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Forráskód" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + A **Pi-hole** egy nyílt forráskódú [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole), amely [DNS-szűrést](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) alkalmaz nem kívánatos webes tartalmak, például reklámok blokkolására. + + A Pi-hole-t úgy tervezték, hogy egy Raspberry Pi-n lehessen üzemeltetni, de az nem korlátozott erre a hardverre. Az szoftver egy kifinomult webes felületet kínál az betekintések megtekintéséhez és blokkolt tartalmak kezeléséhez. + + [:octicons-home-16: Honlap](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Közreműködés } + +[^1]: Az AdGuard tárolja a DNS szervereik összesített teljesítményméréseit, nevezetesen az adott szerverhez érkező teljes kérések számát, a blokkolt kérések számát és a kérések feldolgozásának sebességét. Az elmúlt 24 órában igényelt domainek adatbázisát is eltárolják. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/hu/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: A Cloudflare csak azokat a korlátozott DNS-lekérdezési adatokat gyűjti és tárolja ami az 1.1.1.1 resolverhez érkezik. Az 1.1.1.1 resolver szolgáltatás nem naplóz személyes adatokat, és a korlátozott, személyazonosításra nem alkalmas lekérdezési adatok nagy részét csak 25 órán keresztül tárolja. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: A Control D csak az egyedi DNS-profilokkal rendelkező Premium resolverek esetében naplóz. Az ingyenes resolverek nem naplóznak adatokat. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: A Mullvad DNS szolgáltatása a Mullvad VPN előfizetői és nem előfizetői számára egyaránt elérhető. Az adatvédelmi irányelvük kifejezetten azt állítja, hogy semmilyen módon nem naplóznak DNS-kéréseket. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: A NextDNS beleegyezési alapon betekintési és naplózási funkciókat biztosíthat. A kiválasztott naplók megőrzési idejét és tárolási helyét is kiválaszthatod. Ha erre nincs külön kérés, akkor nem kerül naplózásra semmilyen adat. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: A Quad9 bizonyos adatokat a fenyegetések megfigyelése és elhárítása céljából gyűjt. Ezek az adatok ezután összekeverhetők és megoszthatók, például biztonsági kutatások céljából. A Quad9 nem gyűjt vagy rögzít IP-címeket vagy más, személyazonosításra alkalmasnak ítélt adatokat. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/hu/email-clients.md b/i18n/hu/email-clients.md new file mode 100644 index 00000000..420600a1 --- /dev/null +++ b/i18n/hu/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email kliensek" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimális Fenttartások + +- Nyílt forráskódú operációs rendszerekre fejlesztett alkalmazásoknak nyílt forráskódúnak kell lenniük. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/hu/email.md b/i18n/hu/email.md new file mode 100644 index 00000000..00b54b22 --- /dev/null +++ b/i18n/hu/email.md @@ -0,0 +1,503 @@ +--- +title: "Email szolgáltatások" +icon: material/email +description: Ezek az e-mail szolgáltatók nagyszerű helyet kínálnak az e-mailek biztonságos tárolására, és sokan kínálnak más szolgáltatókkal együttműködő OpenPGP titkosítást. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Szolgáltatások + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Saját Üzemeltetésű Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Követelmények + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technológia + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimális Elvárások:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Adatvédelem + +Jobban szeretjük, ha az általunk ajánlott szolgáltatók a lehető legkevesebb adatot gyűjtik. + +**Minimális Elvárások:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Adatbiztonság + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimális Elvárások:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programok és/vagy összehangolt sebezhetőség-közzétételi folyamat. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Bizalom + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Az általunk ajánlott szolgáltatóktól elvárjuk, hogy nyilvánosak legyenek a tulajdonlásukról vagy vezetésükről. Szeretnénk továbbá gyakori átláthatósági jelentéseket látni, különösen a kormányzati kérelmek kezelésének módját illetően. + +**Minimális Elvárások:** + +- Nyilvános vezetés vagy tulajdonlás. + +**Best Case:** + +- Nyilvános vezetés. +- Gyakori átláthatósági jelentések. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimális Elvárások:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Nem használhat felelőtlen marketinget: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Az anonimitás 100%-os védelmének garantálása. Ha valaki azt állítja, hogy valami 100%-os, az azt jelenti, hogy nincs bizonyosság meghibásodásra. Tudjuk, hogy személyek elég könnyen és számos módon deanonimizálni tudják magukat, pl.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Böngésző fingerprintelés](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### További Funkciók + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/hu/encryption.md b/i18n/hu/encryption.md new file mode 100644 index 00000000..31d78074 --- /dev/null +++ b/i18n/hu/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Titkosító Szoftverek" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Parancssor + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimális Fenttartások + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/hu/file-sharing.md b/i18n/hu/file-sharing.md new file mode 100644 index 00000000..1bc1eb61 --- /dev/null +++ b/i18n/hu/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "Fájlmegosztás és Szinkronizálás" +icon: material/share-variant +description: Fedezd fel, hogyan oszthatod meg fájljaid privát módon készülékek között, barátaiddal és családtagjaiddal vagy névtelenül online. +--- + +Fedezd fel, hogyan oszthatod meg fájljaid privát módon készülékek között, barátaiddal és családtagjaiddal vagy névtelenül online. + +## Fájlmegosztás + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + A **Send** a Mozilla megszűnt Firefox Send szolgáltatásának egy forkja, amely lehetővé teszi, hogy fájlokat küldj másoknak egy link segítségével. A fájlok az eszközön kerülnek titkosításra, így a szerver nem tudja azokat elolvasni, és választhatóan jelszóval is védhetők. A Send karbantartója egy [publikus instance-et](https://send.vis.ee/) üzemeltet. Használhatsz más nyilvános instanceket, vagy magad is üzemeltetheted a Send-et. + + [:octicons-home-16: Honlap](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Publikus Instancek"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Közreműködés } + +A Send a webes felületén vagy az [ffsend](https://github.com/timvisee/ffsend) CLI segítségével használható. Ha jól ismered a parancssort, és gyakran küldesz fájlokat, a JavaScript-alapú titkosítás elkerülése érdekében a CLI-kliens használatát javasoljuk. Megadhatod a `--host` flaget, ha egy adott szervert szeretnél használni: + +```bash +ffsend upload --host https://send.vis.ee/ FÁJL +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + Az **OnionShare** egy nyílt forráskódú eszköz, amellyel biztonságosan és névtelenül oszthatsz meg bármilyen méretű fájlt. Úgy működik, hogy egy Tor onion szolgáltatásként elérhető webszervert indít el, egy kitalálhatatlan URL-címmel együtt, amit megoszthatsz a címzettekkel fájlok letöltéséhez vagy küldéséhez. + + [:octicons-home-16: Honlap](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Szolgáltatás" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Nem tárolhat visszafejtett adatokat távoli szerveren. +- Nyílt forráskódú szoftvernek kell lennie. +- Linux, macOS és Windows kliensekkel, vagy webes felülettel kell rendelkeznie. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + A **FreedomBox** egy operációs rendszer, amelyet [single-board számítógépen (SBC)](https://en.wikipedia.org/wiki/Single-board_computer) történő futtatásra terveztek. Célja az, hogy megkönnyítse szerveralkalmazások beállítását, amelyeket esetleg magad szeretnél üzemeltetni. + + [:octicons-home-16: Honlap](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Közreműködés } + +## Fájl Szinkronizálás + +### Nextcloud (Kliens-Szerver) + +!!! recommendation + + ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ align=right } + + A **Nextcloud** egy ingyenes és nyílt forráskódú kliens-szerver szoftvercsomag, amellyel saját fájltárhely-szolgáltatásokat hozhatsz létre egy privát általad ellenőrzött szerveren. + + [:octicons-home-16: Honlap](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + Nem javasoljuk az [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) használatát a Nextcloudhoz, mivel adatvesztéshez vezethet; ez erősen kísérleti jellegű és nem gyártási minőségű. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + A **Syncthing** egy nyílt forráskódú peer-to-peer folyamatos fájlszinkronizáló segédprogram. Két vagy több eszköz közötti fájl szinkronizálásra szolgál helyi hálózaton vagy az interneten keresztül. A Syncthing nem használ központi szervert; a [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1)-t használja az eszközök közötti adatátvitelre. Minden adat TLS-sel van titkosítva. + + [:octicons-home-16: Honlap](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Kontribúció } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +#### Minimális Követelmények + +- Nem igényelhet harmadik féltől származó távoli/felhőalapú szervert. +- Nyílt forráskódú szoftvernek kell lennie. +- Linux, macOS és Windows kliensekkel, vagy webes felülettel kell rendelkeznie. + +#### Legjobb Esetben + +A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy tökéletes projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. + +- Van mobil kliense iOS és Android rendszerekre, amelyek legalább dokumentum előnézeteket támogatnak. +- Támogatja fényképek biztonsági mentését iOS-ről és Androidról, és opcionálisan támogatja a fájl/mappa szinkronizálást Androidon. diff --git a/i18n/hu/financial-services.md b/i18n/hu/financial-services.md new file mode 100644 index 00000000..739fb474 --- /dev/null +++ b/i18n/hu/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Pénzügyi Szolgáltatások +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/hu/frontends.md b/i18n/hu/frontends.md new file mode 100644 index 00000000..c884f61b --- /dev/null +++ b/i18n/hu/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontendek" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/hu/index.md b/i18n/hu/index.md new file mode 100644 index 00000000..adb1ca77 --- /dev/null +++ b/i18n/hu/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.hu.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Miért érdekelne a dolog? + +##### “Nincs semmi rejtegetnivalóm. Miért kellene törődnöm a magánéletemmel?” + +A kultúrák közötti házassághoz, a női választójoghoz, a szólásszabadsághoz és sok minden máshoz hasonlóan a magánélethez való jogunk sem volt mindig biztosított. Számos diktatúrában még mindig nem az. Generációink előtt nemzedékek harcoltak a mi jogunkért a magánélethez. ==A magánélet mindannyiunk emberi joga==, amelyhez (megkülönböztetés nélkül) jogunk van. + +Nem szabad összekeverni a magánéletet a titoktartással. Tudjuk, hogy mi történik a mosdóban, de az ajtó mégis becsukjuk. Ez azért van, mert magánéletet akarsz, nem titoktartást. **Mindenkinek** van valami, amit meg akar védeni. A magánélet olyasmi, ami emberré tesz minket. + +[:material-target-account: Gyakori Internetes Fenyegetések](basics/common-threats.md ""){.md-button.md-button--primary} + +## Mihez kezdjek? + +##### Először is, tervet kell készítened + +Megpróbálni az összes adatodat mindenkitől és mindig megvédeni nem praktikus, költséges és fárasztó. De ne aggódj! Az adatbiztonság egy folyamat, és ha előre gondolkodsz, akkor összeállíthatsz egy neked megfelelő tervet. A biztonság nem csak a használt eszközökről vagy a letöltött szoftverekről szól. Inkább annak megértésével kezdődik, hogy milyen egyedi fenyegetésekkel kell szembenézned, és hogyan tudsz ellenük védekezni. + +==A fenyegetések azonosításának és az ellenintézkedések meghatározásának ezt a folyamatát **védelmi modellezésnek**== nevezzük, és ez képezi minden jó biztonsági és adatvédelmi terv alapját. + +[:material-book-outline: További Információk a Védelmi Modellezésről](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Szükségünk van rád! Így kapcsolódhatsz be: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Csatlakozz a Fórumunkhoz" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Kövess minket a Mastodonon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Járulj hozzá a weboldalhoz" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Segíts lefordítani a weboldalt" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Csevegj velünk a Matrixon" } +[:material-information-outline:](about/index.md){ title="Tudjon meg többet rólunk" } +[:material-hand-coin-outline:](about/donate.md){ title="Támogasd a projektet" } + +Fontos, hogy egy olyan weboldal, mint a Privacy Guides, mindig naprakész maradjon. Szükségünk van arra, hogy a közönségünk figyelemmel kísérje az oldalunkon felsorolt alkalmazások frissítéseit, és kövesse az általunk ajánlott szolgáltatókkal kapcsolatos legújabb híreket. Nehéz lépést tartani az internet gyors tempójával, de mi megteszünk minden tőlünk telhetőt. Ha hibát észlelsz, úgy gondolod, hogy egy szolgáltatónak nem kellene szerepelnie a listán, észreveszed, hogy egy alkalmas szolgáltató hiányzik, úgy véled, hogy egy böngésző bővítmény már nem a legjobb választás, vagy ha bármilyen más problémát észlelsz, kérjük, jelezd nekünk. diff --git a/i18n/hu/kb-archive.md b/i18n/hu/kb-archive.md new file mode 100644 index 00000000..9faacbd9 --- /dev/null +++ b/i18n/hu/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: TB Archívum +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Az Oldalak Át Lettek Helyezve a Blogokhoz + +Néhány oldal, amely korábban a tudásbázisunkban volt, most a blogunkon található: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Konfiguráció Hardenelés](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Rendszer Hardenelés](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Alkalmazás Sandboxolás](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Biztonságos Adattörlés](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Metaadatok Eltávolításának Integrálása](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Konfigurációs Útmutató](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/hu/meta/brand.md b/i18n/hu/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/hu/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/hu/meta/git-recommendations.md b/i18n/hu/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/hu/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/hu/meta/uploading-images.md b/i18n/hu/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/hu/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/hu/meta/writing-style.md b/i18n/hu/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/hu/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/hu/mobile-browsers.md b/i18n/hu/mobile-browsers.md new file mode 100644 index 00000000..40827135 --- /dev/null +++ b/i18n/hu/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Bővítmény Követelmények + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/hu/multi-factor-authentication.md b/i18n/hu/multi-factor-authentication.md new file mode 100644 index 00000000..cfc5708f --- /dev/null +++ b/i18n/hu/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- A forráskódnak nyilvánosan elérhetőnek kell lennie. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/hu/news-aggregators.md b/i18n/hu/news-aggregators.md new file mode 100644 index 00000000..2fff413c --- /dev/null +++ b/i18n/hu/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "Híraggregátorok" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/hu/notebooks.md b/i18n/hu/notebooks.md new file mode 100644 index 00000000..1b7210b0 --- /dev/null +++ b/i18n/hu/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Jegyzetfüzetek" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Kövesd nyomon jegyzeteid és naplóid anélkül, hogy harmadik félnek adnád át azokat. + +Ha jelenleg olyan alkalmazást használsz, mint az Evernote, a Google Keep vagy a Microsoft OneNote, javasoljuk, hogy válassz egy olyan alternatívát, amely támogatja az End-to-End titksoítást. + +## Felhő-alapú + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + A **Joplin** egy ingyenes, nyílt forráskódú, teljesen felszerelt jegyzetkezelő és teendő vezető alkalmazás, amely nagyszámú, jegyzetfüzetekbe és címkékbe rendezett markdown jegyzeteket képes kezelni. End-to-End titkosítást kínál, és képes szinkronizálni a Nextcloudon, a Dropboxon és sok máson keresztül is. Evernote és nyílt szöveges jegyzetek egyszerű importálását is lehetővé teszi. + + [:octicons-home-16: Honlap](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +A Joplin nem támogatja a jelszavas/PIN-kódos védelmet magához az [alkalmazáshoz vagy egyes jegyzetekhez és jegyzetfüzetekhez](https://github.com/laurent22/joplin/issues/289). Ettől függetlenül az adatok szállítás közben és a szinkronizáció helyén is titkosítva lesznek a főkulcs segítségével. 2023 januárjától a Joplin támogatja a biometrikus alkalmazászárat az [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) és a [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z) rendszerekhez. + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + A **Standard Notes** egy egyszerű és privát jegyzetkezelő alkalmazás, amely megkönnyíti és elérhetővé teszi a feljegyzéseid kezelését bárhol is legyél. Minden platformon End-to-End titkosítást, valamint erőteljes asztali élményt kínál témákkal és egyedi szerkesztőkkel. Emellett [felül is lett vizsgálva egy független fél által (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Honlap](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + A **Cryptee** egy nyílt forráskódú, webalapú End-to-End titkosított dokumentumszerkesztő és fotótároló alkalmazás. A Cryptee egy PWA, ami azt jelenti, hogy minden modern eszközön zökkenőmentesen működik anélkül, hogy minden egyes platformra natív alkalmazás igényelne. + + [:octicons-home-16: Honlap](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Forráskód" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +A Cryptee 100MB tárhelyet kínál ingyenesen, fizetős lehetőséggel, ha többre lenne szükség. A regisztrációhoz nincs szükség e-mailre vagy más személyazonosításra alkalmas információra. + +## Helyi Jegyzetfüzetek + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + Az **Org-mode** egy [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) a GNU Emacs számára. Az Org-mode jegyzetek vezetésére, teendő listák fenttartására, projektek tervezésére és dokumentumok írására szolgál egy gyors és hatékony nyílt szöveges rendszerrel. Szinkronizálás a [fájlszinkronizációs](file-sharing.md#file-sync) eszközökkel lehetséges. + + [:octicons-home-16: Honlap](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Közreműködés } + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- A klienseknek nyílt forráskódúaknak kell lenniük. +- Minden felhőszinkronizálás funkciónak End-to-End titkosítottnak kell lennie. +- Támogatnia kell dokumentumok szabványos formátumba történő exportálását. + +### Legjobb Esetben + +- A helyi mentési/szinkronizálási funkcióknak támogatniuk kell a titkosítást. +- A felhőalapú platformoknak támogatniuk kell a dokumentumok megosztását. diff --git a/i18n/hu/os/android-overview.md b/i18n/hu/os/android-overview.md new file mode 100644 index 00000000..e0a5a474 --- /dev/null +++ b/i18n/hu/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Áttekintés +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Az Android egy biztonságos operációs rendszer, amely erős [app sandboxoló](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB) és egy robusztus [engedély](https://developer.android.com/guide/topics/permissions/overview) ellenőrző rendszerrel rendelkezik. + +## Egy Android Disztribúció Kiválasztása + +Egy Android telefon vásárlásakor a készülék alapértelmezett operációs rendszere gyakran olyan alkalmazások és szolgáltatások invazív integrációját tartalmazza, amelyek nem részei az [Android Open-Source Project](https://source.android.com/)-nek. Ilyen például a Google Play Szolgáltatások, amely visszavonhatatlan jogosultságokkal rendelkezik a fájljaidhoz, névjegy tárolódhoz, hívásnaplóidhoz, SMS-üzeneteidhez, tartózkodási helyedhez, kamerádhoz, mikrofonodhoz, hardverazonosítóidhoz stb. való hozzáférésre. Ezek az alkalmazások és szolgáltatások növelik a készüléked támadási felületét, és számos adatvédelmi aggály forrását jelentik az Androiddal kapcsolatban. + +Ez a probléma megoldható lehet egy olyan egyedi Android-disztribúció használatával, amely nem tartalmaz ilyen invazív integrációkat. Sajnos sok egyedi Android disztribúció gyakran megsérti az Android biztonsági modellt azzal, hogy nem támogat olyan kritikus biztonsági funkciókat, mint az AVB, a rollback védelem, firmware-frissítések stb. Egyes disztribúciók [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) buildeket nyújtanak, amelyek védtelenné teszik a root-ot az [ADB](https://developer.android.com/studio/command-line/adb)-n keresztül és [több engedélyt biztosító](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policy-kat igényelnek a hibakeresési funkciókhoz, ami tovább növeli a támadási felületet és gyengébb biztonsági modellt eredményez. + +Ideális esetben, amikor egyedi Android disztribúciót választasz, győződj meg arról, hogy az, az Android biztonsági modellt követi. A disztribúciónak minimum rendelkeznie kell gyártási buildekkel, AVB támogatással, rollback védelemmel, időszerű firmware és operációs rendszer frissítésekkel, valamint SELinux-xal [enforcing módban](https://source.android.com/security/selinux/concepts#enforcement_levels). Az általunk ajánlott összes Android disztribúció megfelel ezeknek a követelményeknek. + +[Android Rendszer Ajánlásaink :hero-arrow-circle-right-fill:](../android.md ""){.md-button} + +## Kerüld a Rootolást + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/hu/os/linux-overview.md b/i18n/hu/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/hu/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/hu/os/qubes-overview.md b/i18n/hu/os/qubes-overview.md new file mode 100644 index 00000000..2b667a1f --- /dev/null +++ b/i18n/hu/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Android + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/hu/passwords.md b/i18n/hu/passwords.md new file mode 100644 index 00000000..9e932ce3 --- /dev/null +++ b/i18n/hu/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Jelszókezelők" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Felhő-alapú + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Parancssor + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Cross-platformnak kell lennie. diff --git a/i18n/hu/productivity.md b/i18n/hu/productivity.md new file mode 100644 index 00000000..c517cbb4 --- /dev/null +++ b/i18n/hu/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Produktivitás Eszközök" +icon: material/file-sign +description: A legtöbb online irodai programcsomag nem támogatja az End-to-End titkosítást, ami azt jelenti, hogy a felhőszolgáltató hozzáfér mindenhez, amit csinálsz. +--- + +A legtöbb online irodai programcsomag nem támogatja az End-to-End titkosítást, ami azt jelenti, hogy a felhőszolgáltató hozzáfér mindenhez, amit csinálsz. Az adatvédelmi tájékoztató törvényileg védheti a jogaidat, de nem biztosít technikai hozzáférési korlátokat. + +## Kollaborációs Platformok + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ align=right } + + A **Nextcloud** egy ingyenes és nyílt forráskódú kliens-szerver szoftvercsomag, amellyel saját fájltárhely-szolgáltatásokat hozhatsz létre egy privát általad ellenőrzött szerveren. + + [:octicons-home-16: Honlap](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + Nem javasoljuk az [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) használatát a Nextcloudhoz, mivel adatvesztéshez vezethet; ez erősen kísérleti jellegű és nem gyártási minőségű. Emiatt nem ajánljuk a Nextcloud harmadik féltől származó szolgáltatóit. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + A **CryptPad** egy a népszerű irodai eszközök privátra tervezett alternatívája. A webes szolgáltatás minden tartalma végponttól végpontig titkosított, és könnyen megosztható más felhasználókkal. + + [:octicons-home-16: Honlap](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Közremőködés } + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +Általános esetben az kollaborációs platformokat olyan teljes értékű csomagokként határozzuk meg, amelyek ésszerűen helyettesíthetik az olyan kollaborációs platformokat, mint a Google Drive. + +- Nyílt forráskódú. +- WebDAV-on keresztül elérhetővé tesz fájlokat, kivéve, ha az End-to-End titkosítás miatt nem lehetséges. +- Szinkronizáló kliensekkel rendelkezik Linux, macOS és Windows rendszerekre. +- Támogat dokumentum- és táblázatkezelést. +- Támogat valós idejű dokumentum-kollaborációt. +- Támogatja a dokumentumok szabványos dokumentumformátumba (pl. ODF) történő exportálását. + +#### Legjobb Esetben + +A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy tökéletes projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. + +- Fájlokat egy hagyományos fájlrendszerben kell tárolnia. +- Támogatnia kell TOTP vagy FIDO2 többlépcsős hitelesítés használatát, vagy Passkey bejelentkezéseket. + +## Irodai Programcsomagok + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **A **LibreOffice** egy ingyenes és nyílt forráskódú irodai programcsomag széleskörű funkcionalitással. + + [:octicons-home-16: Honlap](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + Az **OnlyOffice** egy felhőalapú, ingyenes és nyílt forráskódú irodai programcsomag, amely széleskörű funkciókkal rendelkezik, beleértve a Nextclouddal való integrációt is. + + [:octicons-home-16: Honlap](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +Általános esetben az irodai programcsomagokat úgy határozzuk meg, mint olyan alkalmazásokat, amelyek a legtöbb igényt kielégítően helyettesíthetik a Microsoft Wordöt. + +- Cross-platformnak kell lennie. +- Nyílt forráskódú szoftvernek kell lennie. +- Működnie kell offline. +- Támogatnia kell a dokumentumok, táblázatok és diavetítések szerkesztését. +- Fájlokat szabványos dokumentumformátumba kell exportálnia. + +## Paste szolgáltatások + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **A **PrivateBin** egy minimalista, nyílt forráskódú online pastebin, ahol a szerver nem ismeri a pastelt adatokat. Az adatok titkosítása/dekódolása a böngészőben történik 256 bites AES használatával. Ez a ZeroBin továbbfejlesztett változata. Van egy [lista a példányokról](https://privatebin.info/directory/). + + [:octicons-home-16: Honlap](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Publikus Példányok"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Forráskód" } diff --git a/i18n/hu/real-time-communication.md b/i18n/hu/real-time-communication.md new file mode 100644 index 00000000..2f5e3ce5 --- /dev/null +++ b/i18n/hu/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Videó streamelő kliensek" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/hu/router.md b/i18n/hu/router.md new file mode 100644 index 00000000..e35d840a --- /dev/null +++ b/i18n/hu/router.md @@ -0,0 +1,47 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Lejjebb bemutatunk néhány alternatív operációs rendszert, amelyek használhatók routereken, Wi-Fi hozzáférési pontokon stb. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + Az **OpenWrt** egy Linux alapú operációs rendszer; elsősorban beágyazott eszközökön használatos, hálózati forgalom irányítására. Tartalmazza az util-linux, uClibc és BusyBox programokat. Az összes komponens otthoni routerekhez lett optimalizálva. + + [:octicons-home-16: Honlap](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Közreműködés } + +Az OpenWrt [hardvertáblázatában](https://openwrt.org/toh/start) ellenőrizheted, hogy az eszközöd támogatott-e. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + Az **OPNsense** egy nyílt forráskódú, FreeBSD-alapú tűzfal és forgalom irányító platform, amely számos fejlett funkciót tartalmaz, mint például forgalom alakítás, terheléselosztás és VPN-lehetőségek, és számos további funkcióval érhető el bővítmények formájában. Az OPNsense-t általában peremtűzfalként, routerként, vezeték nélküli hozzáférési pontként, DHCP-szerverként, DNS-szerverként és VPN végpontként vetik be. + + A pfSense-t általában perem tűzfalként, routerként, vezeték nélküli hozzáférési pontként, DHCP szerverként, DNS szerverként és VPN végpontként telepítik. + +Az OPNsense eredetileg a [pfSense](https://en.wikipedia.org/wiki/PfSense) forkjaként lett kifejlesztve, és mindkét projekt arról ismert, hogy ingyenes és megbízható tűzfal disztribúciók, amelyek gyakran csak drága kereskedelmi tűzfalakban található funkciókat kínálnak. A 2015-ben indított OPNsense fejlesztői számos biztonsági és kódminőségi problémára, a Netgate általi többségi pfSense felvásárlásra, valamint a pfSense projekt jövőbeli irányára [hivatkozva](https://docs.opnsense.org/history/thefork.html) a pfSense-el kapcsolatban úgy érezték, hogy ezek miatt az aggályok miatt szükségessé vált egy projekt fork létrehozása. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Nyílt forráskódúnak kell lennie. +- Rendszeres frissítéseket kell kapnia. +- Sokféle hardvert kell támogatnia. diff --git a/i18n/hu/search-engines.md b/i18n/hu/search-engines.md new file mode 100644 index 00000000..aaf0a3d3 --- /dev/null +++ b/i18n/hu/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Keresőmotorok" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/hu/tools.md b/i18n/hu/tools.md new file mode 100644 index 00000000..fa3885d0 --- /dev/null +++ b/i18n/hu/tools.md @@ -0,0 +1,477 @@ +--- +title: "Adatvédelmi Eszközök" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +Ha valamilyen konkrét megoldást keresel, ezek a hardver- és szoftvereszközök amiket ajánlunk, különböző kategóriákban. Az általunk ajánlott adatvédelmi eszközöket elsősorban biztonsági funkciók alapján választottuk ki, további hangsúlyt fektetve a decentralizált és nyílt forráskódú eszközökre. Ezek számos védelmi modellre alkalmazhatók, globális tömeges megfigyelési programok elleni védelemtől kezdve, big tech cégek elkerüléstől, támadások enyhítéséig, de csak te tudod meghatározni, hogy a te igényeidek mi felel meg a legjobban. + +Ha segítségre kérnél a legjobb adatvédelmi eszközök és alternatív programok kiválasztásához a munkaterhelésedhez/felhasználási módodhoz illően, indíts el egy beszélgetést a [fórumon](https://discuss.privacyguides.net/), vagy a [Matrix](https://matrix.to/#/#privacyguides:matrix.org) közösségünkben! + +Ha további információt szeretnél megtudni az egyes projektekről, hogy miért választottuk őket, és további tippekről vagy trükkökről amiket ajánlunk, kattints az egyes szakaszokban található "További információ" linkre, vagy kattints magára az ajánlásra, hogy az oldal ahhoz az adott szakaszához lépj. + +## Tor Hálózat + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Böngésző](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Okostelefon Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake nem növeli az adatvédelmet, azonban lehetővé teszi, hogy könnyedén hozzájárulj a Tor-hálózathoz, és segíts a cenzúrázott hálózatokon lévő személyeknek jobb magánéletet elérni. + +[További információ :material-arrow-right-drop-circle:](tor.md) + +## Asztali Web Böngészők + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[További információ :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Android + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[További információ :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobil Web Böngészők + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[További információ :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Android + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard iOS-hez](mobile-browsers.md#adguard) + +
+ +[További információ :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operációs Rendszerek + +### Mobil + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[További információ :material-arrow-right-drop-circle:](android.md) + +#### Android Alkalmazások + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Kliens)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Munka Profilok)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Támogatott Eszközök)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[További információ :material-arrow-right-drop-circle:](android.md#general-apps) + +### Asztal/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Disztribúció)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Élő Boot)](desktop.md#tails) + +
+ +[További információ :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[További információ :material-arrow-right-drop-circle:](router.md) + +## Szolgáltatók + +### Felhőtárhely + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[További információ :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Szolgáltatók + +Számos követelmény alapján [ajánlunk](dns.md#recommended-providers) több titkosított DNS szervert, mint [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) és [Quad9](https://quad9.net/) többek között. Javasoljuk, hogy egy szolgáltató kiválasztása előtt olvasd el a DNS-ről szóló oldalainkat. Sok esetben nem ajánlott alternatív DNS-szolgáltató használata. + +[További információ :material-arrow-right-drop-circle:](dns.md) + +#### Titkosított DNS proxyk + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[További információ :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Saját Üzemeltetésű Megoldások + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[További információ :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[További információ :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Szolgáltatások + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[További információ :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Saját Üzemeltetésű Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[További információ :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Pénzügyi Szolgáltatások + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[További információ :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[További információ :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Keresőmotorok + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[További információ :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Szolgáltatók + +??? danger "A VPN-ek nem nyújtanak anonimitást" + + Egy VPN használata **nem** fogja anonimizálni a böngészési szokásaidat, és nem biztosít további védelmet nem biztonságos (HTTP) forgalomnak. + + Ha **anonimitást** keresel, akkor a Tor böngészőt érdemes használnod egy VPN **helyett**. + + Ha több **biztonságot** keresel, mindig győződj meg arról, hogy a weboldalakhoz HTTPS használatával csatlakozol. Egy VPN nem helyettesít helyes biztonsági gyakorlatokat. + + [További információ :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[További információ :material-arrow-right-drop-circle:](vpn.md) + +## Szoftver + +### Naptár Szinkronizálás + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[További információ :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[További információ :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Adat és Metaadat Eltávolítás + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[További információ :material-arrow-right-drop-circle:](data-redaction.md) + +### Email kliensek + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP hagyományos webmailben)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[További információ :material-arrow-right-drop-circle:](email-clients.md) + +### Titkosító Szoftverek + +??? info "Operációs Rendszer Lemez Titkosítás" + + Az operációs rendszer meghajtódnak a titkosításához általában az operációs rendszer által biztosított titkosítási eszközt javasoljuk, legyen az **BitLocker** Windowson, **FileVault** macOS-en, vagy **LUKS** Linuxon. Ezek az eszközök az operációs rendszer részét képezik, és általában olyan hardveres titkosítási elemeket használnak, mint például a TPM, amit más teljes lemez titkosító szoftverek, például a VeraCrypt nem. A VeraCrypt továbbra is alkalmas nem operációs rendszer lemezek, például külső meghajtók számára, különösen olyan meghajtók esetében, amelyekhez több operációs rendszerből is hozzáférhetnek. + + [További információ :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (TLT)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Böngésző alapú)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[További információ :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Kliensek + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[További információ :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Fájlmegosztás és Szinkronizálás + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Sajár Üzemeltetésű)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[További információ :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontendek + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Asztal)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[További információ :material-arrow-right-drop-circle:](frontends.md) + +### Többlépcsős Hitelesítési Eszközök + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[További információ :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Híraggregátorok + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[További információ :material-arrow-right-drop-circle:](news-aggregators.md) + +### Jegyzetfüzetek + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[További információ :material-arrow-right-drop-circle:](notebooks.md) + +### Jelszókezelők + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS és macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[További információ :material-arrow-right-drop-circle:](passwords.md) + +### Produktivitás Eszközök + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Saját Üzemeltetésű)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[További információ :material-arrow-right-drop-circle:](productivity.md) + +### Videó streamelő kliensek + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar-android) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[További információ :material-arrow-right-drop-circle:](real-time-communication.md) + +### Videó Streamelő Kliensek + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[További információ :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/hu/tor.md b/i18n/hu/tor.md new file mode 100644 index 00000000..ce63debd --- /dev/null +++ b/i18n/hu/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Hálózat" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +A **Tor** hálózat egy önkéntesek által üzemeltetett szerverekből álló csoport, amely lehetővé teszi, hogy ingyenesen csatlakozhass, és javíts a magánéleteden, valamint a biztonságodon az Interneten. Személyek és szervezetek a Tor-hálózaton keresztül ".onion rejtett szolgáltatásokkal" is megoszthatnak információkat anélkül, hogy veszélyeztetnék a magánéletüket. Mivel a Tor forgalmat nehéz blokkolni és nyomon követni, a Tor egy hatékony cenzúra megkerülő eszköz. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Honlap } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Szolgáltatás" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Dokumentáció} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Forráskód" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Közreműküdés } + +A Tor úgy működik, hogy az internetes forgalmadat ezeken az önkéntesek által üzemeltetett szervereken keresztül irányítja át, ahelyett, hogy közvetlen kapcsolatot létesítene a meglátogatni kívánt oldallal. Ez elrejti, hogy honnan érkezik a forgalom, és a kapcsolat útvonalában egyetlen szerver sem látja a teljes útvonalat, ahonnan a forgalom érkezik és ahová tart, ami azt jelenti, hogy még az általad csatlakozásra használt szerverek sem tudják megtörni az anonimitásodat. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Csatlakozás a Torhoz + +A Tor-hálózathoz többféleképpen is csatlakozni lehet a készülékedről, a leggyakrabban használt módszer a **Tor Böngésző**, a Firefox egy asztali számítógépekre és Androidra tervezett forkja, ami alkalmas anonim böngészésre. Az alább felsorolt alkalmazásokon kívül léteznek olyan operációs rendszerek is, amelyeket kifejezetten a Tor-hálózathoz való csatlakozásra terveztek, mint például a [Whonix](desktop.md#whonix) [Qubes OS](desktop.md#qubes-os)-en, melyek még nagyobb biztonságot és védelmet nyújtanak, mint a hagyományos Tor böngésző. + +### Tor Böngésző + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + A **Tor Böngésző** a legjobb választás, ha anonimitásra van szükséged, mivel hozzáférést biztosít a Tor-hálózathoz és a Tor-hidakhoz, valamint alapértelmezett beállításokat és bővítményeket tartalmaz, amelyek automatikusan előre beállított biztonsági szintek alapján vannak konfigurálva: *Normál*, *Biztonságosabb* és *Legbiztonságosabb*. + + [:octicons-home-16: Honlap](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Szolgáltatás" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Dokumentáció } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + **Soha** nem telepíts semmilyen további bővítményt a Tor Böngészőre vagy szerkeszd az `about:config` beállításokat, beleértve azokat is, amelyeket a Firefoxhoz javasolunk. A böngésző bővítmények és a nem alap beállítások miatt kitűnsz a Tor-hálózat többi felhasználója közül, így téve a böngésződ könnyebben [fingerprintelhetővé](https://support.torproject.org/glossary/browser-fingerprinting). + +A Tor böngészőt úgy tervezték, hogy megakadályozza az fingerprintelést, vagyis a beazonosításodat a böngésző konfigurációja alapján. Ezért elengedhetetlen, hogy **ne** módosítsd a böngészőt az alapértelmezett [biztonsági szinteken](https://tb-manual.torproject.org/security-settings/) túl. + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + Az **Orbot** egy ingyenes Tor VPN okostelefonokhoz, amely a Tor hálózaton keresztül irányítja az eszközödön lévő bármely alkalmazás forgalmát. + + [:octicons-home-16: Honlap](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Adatvédelmi Nyilatkozat" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tippek Androidhoz" + + Az Orbot képes egyes alkalmazások forgalmát átküldeni egy proxyn, ha azok támogatják a SOCKS vagy a HTTP proxyt. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Az Orbot gyakran elavult szokott lenni a Guardian Project [F-Droid adattárjában](https://guardianproject.info/fdroid) és a [Google Playen](https://play.google.com/store/apps/details?id=org.torproject.android), ezért érdemes inkább közvetlenül a [GitHub adattárból](https://github.com/guardianproject/orbot/releases) letölteni. + + Minden verzió ugyanazzal az aláírással van tanusítva, így kompatibilisnek kéne egymással lenniük. + +## Elosztók and Hidak + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + A **Snowflake** lehetővé teszi, hogy sávszélességet adományozz a Tor projektnek azáltal, hogy egy "Snowflake proxy"-t működtetsz a böngésződben. + + Azok, akik cenzúra alatt állnak, Snowflake proxykat tudnak használni a Tor-hálózathoz való csatlakozáshoz. A Snowflake egy nagyszerű módja annak, hogy hozzájárulj a hálózathoz, még akkor is, ha nincs meg a technikai tudásod egy Tor elosztó vagy híd üzemeltetéséhez. + + [:octicons-home-16: Honlap](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Forráskód" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Közreműködés } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Beágyazott Snowflake" + + A Snowflake-et engedélyezheted a böngésződben, ha a lenti kapcsolóra kattintasz és ==megnyitva hagyod ezt az oldalt==. A Snowflake-et bővítményként is telepítheted, hogy az mindig fusson, amikor a böngésződ nyitva van, azonban a harmadik féltől származó bővítmények hozzáadása növelheti a támadási felületedet. + +
+ Ha a beágyazás nem jelenik meg nálad, győződj meg róla, hogy nem blokkolod a harmadik féltől származó keretet a `torproject.org`-ról. Alternatív megoldásként látogasson el [erre az oldalra](https://snowflake.torproject.org/embed.html). + +A Snowflake semmilyen módon nem növeli az magánéletedet, és a személyes böngésződön keresztül a Tor-hálózathoz kapcsolódni sem használatos. Ha azonban az internetkapcsolatod nincs cenzúrázva, érdemes megfontolni a futtatását, hogy segíts cenzúrázott hálózatokon lévő személyeknek jobb magánéletet elérni. Nem kell aggódnod amiatt, hogy személyek milyen weboldalakhoz férnek hozzá a proxydon keresztül - a látható böngészési IP-címük majd megegyezik a Tor kilépő csomópontjukkal nem pedig tieddel. + +Egy Snowflake proxy futtatása alacsony kockázatú, még inkább, mint egy Tor elosztó vagy híd futtatása, amelyek már eleve sem különösebben kockázatos vállalkozások. Ettől függetlenül még mindig forgalom kerül átküldésre a hálózatodon ami bizonyos szempontból hatással lehet arra, különösen, ha a hálózatod sávszélessége korlátozott. Győződj meg róla, hogy érted [hogyan működik a Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) mielőtt eldöntöd, hogy futtatsz-e proxyt. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/hu/video-streaming.md b/i18n/hu/video-streaming.md new file mode 100644 index 00000000..060092f6 --- /dev/null +++ b/i18n/hu/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Videó Streamelés" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +A videó streamelő platformok használatakor az az elsődleges veszély, hogy a streaming-szokásaid és feliratkozás listáid felhasználhatók profilalkotásra rólad. Ezeket az eszközöket érdemes keverned egy [VPN](vpn.md)-nel vagy [Tor](https://www.torproject.org/)-ra, hogy megnehezítsd a felhasználás szokásaidról készített profilalkotást. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **A LBRY hálózat** egy decentralizált videómegosztó hálózat. Egy [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-szerű hálózatot használ a videotartalom tárolására, és egy [blockchain](https://wikipedia.org/wiki/Blockchain) hálózatot a videók indexeinek tárolására. Ennek a kialakításnak a fő előnye a cenzúrával szembeni ellenállás. + + **A LBRY asztali kliens** segít videókat streamelni a LBRY hálózatról, és a feliratkozás listádat a saját LBRY tárcádban tárolni. + + [:octicons-home-16: Honlap](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Csak az **LBRY asztali kliens** használata ajánlott, mivel a [Odysee](https://odysee.com) weboldal és az F-Droid, a Play Store, valamint az App Store LBRY kliensei kötelező szinkronizcióval és telemetriával rendelkeznek. + +!!! warning + + Videók megtekintése és kiszolgálása közben az IP-címed látható a LBRY-hálózat számára. Fontold meg egy [VPN](vpn.md) vagy a [Tor](https://www.torproject.org) használatát, ha a [védelmi modelled](basics/threat-modeling.md) igényli az IP-címed elrejtését. + +A tárcád szinkronizálását a LBRY Inc.-kel **nem ajánljuk**, mivel titkosított pénztárcák szinkronizálása még nem támogatott. Ha szinkronizálod a tárcád a LBRY Inc.-kel, meg kell bennük bíznod, hogy nem nézik meg az feliratkozás listádat, [LBC](https://lbry.com/faq/earn-credits) pénzösszegeidet, vagy nem veszik át az irányítást a csatornád felett. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Követelmények + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +!!! example "Ez a szakasz új" + + Azon dolgozunk, hogy meghatározott követelményeket állapítsunk meg az oldalunk minden egyes szakaszára vonatkozóan, és ez még változhat. Ha bármilyen kérdésed van a követelményinkkel kapcsolatban, kérjük, [kérdezz a fórumon](https://discuss.privacyguides.net/latest), és ne feltételezd, hogy valamit nem vettünk figyelembe az ajánlásaink elkészítésekor, ha az nem szerepel itt. Számos tényezőt veszünk figyelembe és vitatunk meg, amikor egy projektet ajánlunk, és minden egyes tényező dokumentálása folyamatban lévő munka. + +- Nem igényelhet egy központi fiókot videók megtekintéséhez. + - Elfogadható a decentralizált hitelesítés, mint például a mobiltárca privát kulcsán keresztül. diff --git a/i18n/hu/vpn.md b/i18n/hu/vpn.md new file mode 100644 index 00000000..5ed45e63 --- /dev/null +++ b/i18n/hu/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Szolgáltatások" +icon: material/vpn +description: Ezek a legjobb VPN-szolgáltatások az online magánéleted és biztonságod megvédéséhez. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "A VPN-ek nem nyújtanak anonimitást" + + Egy VPN használata **nem** fogja anonimizálni a böngészési szokásaidat, és nem biztosít további védelmet nem biztonságos (HTTP) forgalomnak. + + Ha **anonimitást** keresel, akkor a Tor böngészőt érdemes használnod egy VPN **helyett**. + + Ha több **biztonságot** keresel, mindig győződj meg arról, hogy a weboldalakhoz HTTPS használatával csatlakozol. Egy VPN nem helyettesít helyes biztonsági gyakorlatokat. + + [A Tor Letöltése(https://www.torproject.org/){ .md-button .md-button--primary } [Tor Tévhitek és GYIK](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Ajánlott Szolgáltatók + +Az általunk ajánlott szolgáltatók titkosítást használnak, elfogadják a Monero-t, támogatják a WireGuard-ot és OpenVPN-t, valamint naplózásmentes irányelvekkel rendelkeznek. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + Az **IVPN** egy másik prémium VPN szolgáltató, és 2009 óta vannak működésben. Az IVPN székhelye Gibraltáron található. + + [:octicons-home-16: Honlap](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Ennek oka a célállomáshoz vezető rövidebb útvonal (kevesebb ugrás). +{ .annotate } + +1. Utoljára ellenőrizve: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Az IVPN támogatja a WireGuard® protokollt. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Emellett a WireGuard célja, hogy egyszerűbb és hatékonyabb legyen. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Az IVPN kliensei támogatják a kétfaktoros hitelesítést (a Mullvad kliensei nem). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + A **Mullvad** egy gyors és olcsó VPN, amely komoly hangsúlyt fektet az átláthatóságra és a biztonságra. **2009** óta vannak működésben. A Mullvad székhelye Svédországban van, és nem rendelkezik ingyenes próbaverzióval. + + [:octicons-home-16: Honlap](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Szolgáltatás" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Ennek oka a célállomáshoz vezető rövidebb útvonal (kevesebb ugrás). +{ .annotate } + +1. Utoljára ellenőrizve: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Emellett a WireGuard célja, hogy egyszerűbb és hatékonyabb legyen. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + A **Proton VPN** egy erős pályázó a VPN-térben, és 2016 óta vannak működésben. A svájci székhelyű Proton AG egy korlátozott ingyenes előfizetést, valamint egy jobban felszerelt prémium opciót is kínál. + + [:octicons-home-16: Honlap](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Adatvédelmi Tájékoztató" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Dokumentáció} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Forráskód" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Ennek oka a célállomáshoz vezető rövidebb útvonal (kevesebb ugrás). +{ .annotate } + +1. Utoljára ellenőrizve: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +A Proton VPN átesett a SEC Consult független felülvizsálatán 2020 januárjában. A SEC Consult közepes és alacsony kockázatú sebezhetőségeket talált a Proton VPN Windows, Android és iOS alkalmazásaiban, amelyeket a Proton VPN a jelentések közzététele előtt "megfelelően kijavított". Az azonosított problémák egyike sem biztosított volna egy támadó számára távoli hozzáférést az eszközödhöz vagy forgalmadhoz. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Elfogad Készpénzt + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +A Proton VPN többnyire támogatja a WireGuard® protokollt. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Emellett a WireGuard célja, hogy egyszerűbb és hatékonyabb legyen. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Különösen Peer-to-Peer alkalmazások, mint Torrent-kliensek. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +A Proton VPN kliensek jelenleg a Linux kivételével minden platformon támogatják a kétlépcsős hitelesítést. A Proton VPN saját szerverekkel és adatközpontokkal rendelkezik Svájcban, Izlandon és Svédországban. A DNS-szolgáltatásukkal együtt reklámblokkolást és ismert kártékony szoftverek domainjeinek blokkolását is kínálják. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. Ha szükséged van erre a funkcióra, és Intel chipsettel rendelkező Mac-et használsz, akkor fontold meg egy másik VPN szolgáltatás használatát. + +## Követelmények + +!!! danger + + Fontos megjegyezni, hogy egy VPN szolgáltató használata nem teszi téged anonimmá, de bizonyos helyzetekben jobb magánéletet biztosít. Egy VPN nem illegális tevékenységek eszköze. Ne hagyatkozz "no log" irányelvekre. + +**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem. Ez lehetővé teszi számunkra, hogy teljesen objektív ajánlásokat tegyünk.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki minden olyan VPN-szolgáltató számára, amelyet ajánlani kívánunk, beleértve az erős titkosítást, független biztonsági felülvizsgálatokat, modern technológiát és még sok mást. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy VPN-szolgáltatót, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy az általad választott VPN-szolgáltató a lehető legmegbízhatóbb. + +### Technológia + +Minden általunk ajánlott VPN-szolgáltatótól elvárjuk, hogy biztosítson OpenVPN konfigurációs fájlokat, amelyeket bármilyen kliensben használni lehet. **Ha** egy VPN saját egyedi klienst biztosít, akkor hálózati kapcsolat megszakadásakor az adatszivárgások megakadályozása miatt egy killswitch beépítését várjuk el. + +**Minimális Elvárások:** + +- Olyan erős protokollok támogatása, mint a WireGuard és az OpenVPN. +- Kliensekbe beépített killswitch. +- Multihop támogatás. Multihopping is important to keep data private in case of a single node compromise. +- Ha biztosítva vannak VPN-kliensek, akkor azoknak [nyílt forráskódúaknak](https://en.wikipedia.org/wiki/Open_source) kell lenniük, épp mint a VPN-szoftver, ami általában beléjük van építve. Úgy véljük, hogy a [forráskód](https://en.wikipedia.org/wiki/Source_code) elérhetősége nagyobb átláthatóságot biztosít arról, hogy az eszközöd valójában mit csinál. + +**Legjobb Esetben:** + +- WireGuard és OpenVPN támogatás. +- Killswitch jól konfigurálható beállításokkal (engedélyezés/tiltás bizonyos hálózatokon, indításkor stb.) +- Könnyen használható VPN kliensek +- [IPv6](https://en.wikipedia.org/wiki/IPv6) támogatása. Elvárjuk, hogy szerverek engedélyezzék az IPv6-on keresztül érkező kapcsolatokat, és lehetővé tegyék IPv6-címeken üzemeltetett szolgáltatások elérését. +- A [távoli port forwardolás](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) képessége segíti a P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) fájlmegosztó szoftverek használatát vagy egy szerver (pl. Mumble) üzemeltetése esetén a kapcsolatok létrehozását. + +### Adatvédelem + +Jobban szeretjük, ha az általunk ajánlott szolgáltatók a lehető legkevesebb adatot gyűjtik. Sszemélyes adatok nem gyűjtése a regisztráció során, és anonim fizetési formák elfogadása elvárás. + +**Minimális Elvárások:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- A regisztrációhoz nincs szükség személyes adatokra: Csak felhasználónév, jelszó és legfeljebb email cím. + +**Legjobb Esetben:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Adatbiztonság + +Egy VPN értelmetlen, ha még megfelelő biztonságot sem tud nyújtani. Minden általunk ajánlott szolgáltatótól elvárjuk, hogy betartsa az OpenVPN kapcsolataikra vonatkozó jelenlegi biztonsági szabványokat. Ideális esetben alapértelmezés szerint jövőbelátóbb titkosítási sémákat használnának. Azt is elvárjuk, hogy egy független harmadik fél vizsgálja felül a szolgáltató biztonságát, ideális esetben nagyon átfogó módon és ismételten (évente). + +**Minimális Elvárások:** + +- Erős Titkosítási Rendszerek: OpenVPN SHA-256 hitelesítssel; RSA-2048 vagy jobb handshake; AES-256-GCM vagy AES-256-CBC adattitkosítás. +- Perfect Forward Secrecy (PFS). +- Közzétett biztonsági felülvizsgálatok egy megbízható harmadik feles cégtől. + +**Best Case:** + +- Legerősebb Titkosítás: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Széleskürű és közzétett biztonsági felülvizsgálatok egy megbízható harmadik feles cégtől. +- Bug-bounty programok és/vagy összehangolt sebezhetőség-közzétételi folyamat. + +### Bizalom + +A pénzügyeidet sem bíznád egy hamis személyazonosságú valakire, miért bíznád rá az internetes adataidat? Az általunk ajánlott szolgáltatóktól elvárjuk, hogy nyilvánosak legyenek a tulajdonlásukról vagy vezetésükről. Szeretnénk továbbá gyakori átláthatósági jelentéseket látni, különösen a kormányzati kérelmek kezelésének módját illetően. + +**Minimális Elvárások:** + +- Nyilvános vezetés vagy tulajdonlás. + +**Legjobb Esetben:** + +- Nyilvános vezetés. +- Gyakori átláthatósági jelentések. + +### Marketing + +Az általunk ajánlott VPN-szolgáltatóknál felelős marketinget szeretünk látni. + +**Minimális Elvárások:** + +- Saját üzemeltetésű analitikai rendszerrel kell rendelkeznie (azaz nem Google Analytics). A szolgáltató webhelyének szintén be kell tartania a [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) kéréseket is, a követést elutasítani kívánó személyek számára. + +Nem használhat felelőtlen marketinget: + +- Az anonimitás 100%-os védelmének garantálása. Ha valaki azt állítja, hogy valami 100%-os, az azt jelenti, hogy nincs bizonyosság meghibásodásra. Tudjuk, hogy személyek elég könnyen és számos módon deanonimizálni tudják magukat, pl.: + - Olyan személyes adatok (pl. email fiókok, egyedi álnevek stb.) újrafelhasználása, amelyeket anonimitás szoftver (Tor, VPN stb.) nélkül értek el + - [Böngésző fingerprintelés](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Azt állítja, hogy egy egyáramkörös VPN "anonimabb", mint a Tor, amely egy három vagy több ugrásból álló, rendszeresen változó áramkör. +- Használjon felelősségteljes nyelvezetet: pl. nyugodtan mondhatja, hogy egy VPN "lecsatlakozott" vagy "nincs csatlakoztatva", azonban azt állítani, hogy valaki "védtelen", "sebezhető" vagy "veszélyeztetett", az riasztó nyelvezet felesleges használata, ami lehet, hogy helytelen is. Lehet, hogy az illető egyszerűen csak egy másik VPN-szolgáltató szolgáltatását, vagy a Tor-t használja. + +**Legjobb Esetben:** + +A felelős marketing, amely egyszerre oktató és hasznos a fogyasztó számára, a következőket foglalhatja magában: + +- Pontos összehasonlítás, hogy mikor használandó a [Tor](tor.md) egy VPN helyett. +- A VPN szolgáltató weboldalának elérhetősége egy [.onion szolgáltatáson](https://en.wikipedia.org/wiki/.onion) keresztül + +### További Funkciók + +Bár nem szigorúan követelmények, van néhány tényező, amelyet figyelembe vettünk, amikor eldöntöttük, hogy mely szolgáltatókat ajánljuk. Ezek közé tartozik a reklámblokkoló/tracker-blokkoló funkció, warrant canary-k, multihop kapcsolatok, kiváló ügyfélszolgálat, engedélyezett egyidejű kapcsolatok száma stb. diff --git a/i18n/id/404.md b/i18n/id/404.md new file mode 100644 index 00000000..e2432c79 --- /dev/null +++ b/i18n/id/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Tidak Ditemukan + +Kami tidak dapat menemukan laman yang Anda cari! Mungkin Anda sedang mencari salah satu dari ini? + +- [Pengantar Pemodelan Ancaman](basics/threat-modeling.md) +- [Penyedia DNS yang Direkomendasikan](dns.md) +- [Peramban Web Desktop Terbaik](desktop-browsers.md) +- [Penyedia VPN Terbaik](vpn.md) +- [Forum Privacy Guides](https://discuss.privacyguides.net) +- [Blog Kami](https://blog.privacyguides.org) diff --git a/i18n/id/CODE_OF_CONDUCT.md b/i18n/id/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..760e78cf --- /dev/null +++ b/i18n/id/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Kode Etik Komunitas + +**Kami berjanji** untuk membuat komunitas kami menjadi pengalaman yang bebas dari pelecehan bagi semua orang. + +**Kami berusaha** untuk menciptakan lingkungan yang positif, menggunakan bahasa yang ramah dan inklusif, dan menghormati sudut pandang orang lain. + +**Kami tidak memperbolehkan** perilaku yang tidak pantas atau tidak dapat diterima, seperti bahasa yang mengandung unsur seksual, komentar yang bersifat menjatuhkan dan menghina, atau mempromosikan intoleransi atau pelecehan. + +## Standar Komunitas + +Apa yang kami harapkan dari para anggota komunitas kami: + +1. **Jangan menyebarkan informasi yang salah** + + Kami menciptakan komunitas edukasi berbasis bukti seputar privasi dan keamanan informasi, bukan rumah bagi teori konspirasi. Misalnya, ketika membuat klaim bahwa perangkat lunak tertentu berbahaya atau data telemetri tertentu melanggar privasi, jelaskan secara rinci apa yang dikumpulkan dan bagaimana cara pengumpulannya. Klaim semacam ini harus didukung oleh bukti teknis. + +1. **Jangan menyalahgunakan kesediaan kita untuk membantu** + + Anggota komunitas kami bukanlah dukungan teknis gratis bagi Anda. Kami dengan senang hati membantu Anda dengan langkah-langkah spesifik dalam perjalanan privasi Anda jika Anda bersedia untuk berusaha. Kami tidak bersedia menjawab pertanyaan yang berulang-ulang tentang masalah komputer umum yang dapat Anda jawab sendiri dengan pencarian internet selama 30 detik. Jangan menjadi [vampir bantuan](https://slash7.com/2006/12/22/vampires/). + +1. **Berperilaku dengan cara yang positif dan konstruktif** + + Contoh perilaku yang berkontribusi pada lingkungan positif bagi komunitas kita meliputi: + + - Menunjukkan kepedulian dan kebaikan terhadap orang lain + - Menghormati opini, pandangan, dan pengalaman yang berbeda + - Memberikan dan menerima umpan balik yang konstruktif secara sopan + - Menerima tanggung jawab dan meminta maaf kepada yang terdampak dari kesalahan kita, dan belajar dari pengalaman + - Berfokus pada apa yang terbaik, bukan hanya untuk kita sebagai individu, tetapi juga untuk komunitas secara keseluruhan + +### Perilaku yang Tidak Dapat Diterima + +Perilaku berikut ini dianggap sebagai pelecehan dan tidak dapat diterima dalam komunitas kami: + +- Penggunaan bahasa atau gambar yang berbau seksual, dan perhatian atau rayuan seksual dalam bentuk apa pun +- Komentar yang bersifat mengganggu, menghina atau merendahkan, dan serangan pribadi atau politik +- Pelecehan publik atau pribadi +- Mempublikasikan informasi pribadi orang lain, seperti alamat fisik atau surel, tanpa izin eksplisit dari mereka +- Perilaku lain yang secara wajar dapat dianggap tidak pantas dalam lingkungan profesional + +## Jangkauan + +Kode Etik kami berlaku di semua ruang proyek, serta ketika seseorang mewakili proyek Privacy Guides di komunitas lain. + +Kami bertanggung jawab untuk mengklarifikasi standar komunitas kami, dan memiliki hak untuk menghapus atau mengubah komentar mereka yang berpartisipasi dalam komunitas kami, jika diperlukan dan atas kebijakan kami. + +### Kontak + +Jika Anda menemukan masalah di platform seperti Matrix atau Reddit, silakan hubungi moderator kami di platform tersebut dalam obrolan, melalui pesan langsung, atau melalui sistem "Modmail" yang telah ditentukan. + +Jika Anda memiliki masalah di tempat lain, atau masalah yang tidak dapat diselesaikan oleh moderator komunitas kami, hubungi `jonah@privacyguides.org` dan/atau `dngray@privacyguides.org`. + +Semua tokoh masyarakat berkewajiban untuk menghormati privasi dan keamanan pelapor insiden apa pun. diff --git a/i18n/id/about/criteria.md b/i18n/id/about/criteria.md new file mode 100644 index 00000000..f9151c1f --- /dev/null +++ b/i18n/id/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Kriteria Umum +--- + +!!! contoh "Pekerjaan yang Sedang Berlangsung" + + Halaman berikut ini masih dalam tahap pengembangan, dan tidak mencerminkan kriteria lengkap untuk rekomendasi kami saat ini. Diskusi sebelumnya tentang topik ini: [#24] (https://github.com/privacyguides/privacyguides.org/discussions/24) + +Di bawah ini adalah beberapa hal yang harus diterapkan pada semua pengajuan ke Privacy Guides. Setiap kategori akan memiliki persyaratan tambahan untuk dimasukkan. + +## Pengungkapan Keuangan + +Kami tidak menghasilkan uang dari merekomendasikan produk tertentu, kami tidak menggunakan tautan afiliasi, dan kami tidak memberikan pertimbangan khusus kepada para donatur proyek. + +## Pedoman Umum + +Kami menerapkan prioritas ini ketika mempertimbangkan rekomendasi baru: + +- **Aman**: Alat harus mengikuti praktik terbaik keamanan di mana pun berlaku. +- **Ketersediaan Sumber**: Proyek sumber terbuka umumnya lebih disukai daripada alternatif bersumber tertutup yang setara. +- **Lintas Platform**: Kami biasanya lebih memilih rekomendasi yang bersifat lintas platform, untuk menghindari penguncian penyedia. +- **Pengembangan Aktif**: Alat yang kami rekomendasikan harus dikembangkan secara aktif, proyek yang tidak terpelihara akan dihapus dalam banyak kasus. +- **Kegunaan**: Alat bantu harus dapat diakses oleh sebagian besar pengguna komputer, latar belakang yang terlalu teknis tidak diperlukan. +- **Terdokumentasi**: Alat harus memiliki dokumentasi yang jelas dan ekstensif untuk digunakan. + +## Pengajuan Diri Pengembang + +Kami memiliki persyaratan ini terkait dengan pengembang yang ingin mengajukan proyek atau perangkat lunak mereka untuk dipertimbangkan. + +- Harus mengungkapkan afiliasi, yaitu posisi Anda dalam proyek yang diajukan. + +- Harus memiliki whitepaper keamanan jika itu adalah proyek yang melibatkan penanganan informasi sensitif seperti messenger, pengelola kata sandi, penyimpanan cloud terenkripsi, dll. + - Status audit pihak ketiga. Kami ingin tahu apakah Anda memilikinya, atau sedang merencanakannya. Jika memungkinkan, sebutkan siapa yang akan melakukan audit. + +- Harus menjelaskan apa yang dibawa oleh proyek terkait privasi. + - Apakah ini memecahkan masalah baru? + - Mengapa orang harus menggunakannya daripada alternatif lain? + +- Harus menyatakan apa model ancaman yang tepat dengan proyek mereka. + - Harus jelas bagi calon pengguna apa yang dapat disediakan oleh proyek, dan apa yang tidak dapat disediakan. diff --git a/i18n/id/about/donate.md b/i18n/id/about/donate.md new file mode 100644 index 00000000..0c7d796e --- /dev/null +++ b/i18n/id/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Dukung Kami +--- + + +Dibutuhkan banyak [orang](https://github.com/privacyguides/privacyguides.org/graphs/contributors) dan [pekerjaan](https://github.com/privacyguides/privacyguides.org/pulse/monthly) untuk terus memperbarui Privacy Guides dan menyebarkan berita tentang privasi dan pengawasan massal. Jika Anda menyukai apa yang kami lakukan, pertimbangkan untuk terlibat dengan [menyunting situs](https://github.com/privacyguides/privacyguides.org) atau [berkontribusi terjemahan](https://crowdin.com/project/privacyguides). + +Jika Anda ingin mendukung kami secara finansial, metode yang paling mudah bagi kami adalah berkontribusi melalui Open Collective, sebuah situs web yang dioperasikan oleh host fiskal kami. Open Collective menerima pembayaran melalui kartu kredit/debit, PayPal, dan transfer bank. + +[Donasi di OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donasi yang diberikan secara langsung kepada kami di Open Collective umumnya dapat dikurangkan dari pajak di Amerika Serikat, karena tuan rumah fiskal kami (Open Collective Foundation) adalah organisasi 501(c)3 yang terdaftar. Anda akan menerima tanda terima dari Open Collective Foundation setelah berdonasi. Privacy Guides tidak memberikan saran keuangan, dan Anda harus menghubungi penasihat pajak Anda untuk mengetahui apakah ini berlaku untuk Anda. + +Jika Anda sudah menggunakan sponsor GitHub, Anda juga dapat mensponsori organisasi kami di sana. + +[Sponsori kami di GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Pendukung + +Terima kasih secara khusus kepada semua pihak yang mendukung misi kami! :heart: + +*Harap diperhatikan: Bagian ini memuat widget langsung dari Open Collective. Bagian ini tidak mencerminkan donasi yang dibuat di luar Open Collective, dan kami tidak memiliki kendali atas donatur tertentu yang ditampilkan di bagian ini.* + + + +## Bagaimana Kami Menggunakan Donasi + +Privacy Guides adalah organisasi **nirlaba**. Kami menggunakan donasi untuk berbagai tujuan, termasuk: + +**Pendaftaran Domain** +: + +Kami memiliki beberapa nama domain seperti `privacyguides.org` yang menghabiskan biaya sekitar $10 per tahun untuk mempertahankan registrasinya. + +**Hosting Web** +: + +Lalu lintas ke situs web ini menggunakan ratusan gigabyte data per bulan, kami menggunakan berbagai penyedia layanan untuk mengimbangi lalu lintas ini. + +**Layanan Daring** +: + +Kami menghost [layanan internet](https://privacyguides.net) untuk menguji dan menampilkan berbagai produk privasi yang kami sukai dan [rekomendasikan](../tools.md). Beberapa di antaranya tersedia untuk umum untuk digunakan oleh komunitas kami (SearXNG, Tor, dll.), dan beberapa disediakan untuk anggota tim kami (email, dll.). + +**Pembelian Produk** +: + +Kami terkadang membeli produk dan layanan untuk tujuan menguji [alat yang kami rekomendasikan](../tools.md). + +Kami masih bekerja sama dengan tuan rumah fiskal kami (Open Collective Foundation) untuk menerima donasi mata uang kripto, saat ini penghitungannya tidak memungkinkan untuk banyak transaksi yang lebih kecil, tetapi hal ini akan berubah di masa depan. Sementara itu, jika Anda ingin memberikan donasi mata uang kripto dalam jumlah yang cukup besar (> $100), silakan hubungi [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/id/about/index.md b/i18n/id/about/index.md new file mode 100644 index 00000000..a1403a69 --- /dev/null +++ b/i18n/id/about/index.md @@ -0,0 +1,102 @@ +--- +title: "Tentang Privacy Guides" +description: Privacy Guides adalah situs web bermotif sosial yang menyediakan informasi untuk melindungi keamanan dan privasi data Anda. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Logo Privacy Guides](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** adalah situs web bermotif sosial yang menyediakan [informasi](/kb) untuk melindungi keamanan dan privasi data Anda. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. Kami adalah kolektif nirlaba yang dioperasikan sepenuhnya oleh [anggota tim](https://discuss.privacyguides.net/g/team) dan kontributor sukarelawan. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title="Laman Beranda" } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Kode Sumber" } +[:octicons-heart-16:](donate.md){ .card-link title=Berkontribusi } + +> Untuk menemukan aplikasi [alternatif yang berfokus pada privasi], lihat situs-situs seperti Good Reports dan **Privacy Guides**, yang mencantumkan daftar aplikasi yang berfokus pada privasi dalam berbagai kategori, terutama termasuk penyedia email (biasanya dengan paket berbayar) yang tidak dijalankan oleh perusahaan-perusahaan teknologi besar. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> Jika Anda mencari VPN baru, Anda bisa membuka kode diskon dari hampir semua podcast. Jika Anda mencari **VPN** yang bagus, Anda memerlukan bantuan profesional. Hal yang sama berlaku untuk klien email, browser, sistem operasi, dan pengelola kata sandi. Bagaimana Anda tahu mana yang terbaik, opsi yang paling ramah privasi? Untuk itu ada **Privacy Guides**, sebuah platform di mana sejumlah sukarelawan mencari hari demi hari untuk alat ramah privasi terbaik untuk digunakan di internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## Sejarah + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Tim Kami + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Laman Beranda](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Surel](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Surel](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Laman Beranda](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Laman Beranda](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Lisensi Situs + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Kecuali dinyatakan lain, konten asli di situs web ini tersedia di bawah lisensi [Creative Commons Atribusi-TanpaTurunan 4.0 Internasional](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). Ini berarti Anda bebas menyalin dan mendistribusikan ulang materi dalam media atau format apa pun untuk tujuan apa pun, bahkan untuk tujuan komersial; selama Anda memberikan kredit yang sesuai kepada `Privacy Guides (www.privacyguides.org)` dan memberikan tautan ke lisensi. Anda dapat melakukannya dengan cara yang wajar, tetapi tidak dengan cara apa pun yang menyarankan Privacy Guides mendukung Anda atau penggunaan Anda. Jika Anda menggubah, mengubah, atau mengembangkan konten situs web ini, Anda tidak boleh mendistribusikan materi yang telah dimodifikasi. + +Lisensi ini diterapkan untuk mencegah orang membagikan karya kami tanpa memberikan kredit yang tepat, dan untuk mencegah orang memodifikasi karya kami dengan cara yang dapat digunakan untuk menyesatkan orang lain. Jika Anda merasa persyaratan lisensi ini terlalu membatasi proyek yang sedang Anda kerjakan, silakan hubungi kami di `jonah@privacyguides.org`. Kami dengan senang hati menyediakan opsi lisensi alternatif untuk proyek-proyek yang bermaksud baik di ruang privasi! diff --git a/i18n/id/about/notices.md b/i18n/id/about/notices.md new file mode 100644 index 00000000..6af95198 --- /dev/null +++ b/i18n/id/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Penafian Hukum + +Privacy Guides bukanlah firma hukum. Dengan demikian, situs web dan kontributor Privacy Guides tidak memberikan nasihat hukum. Materi dan rekomendasi di situs web dan panduan kami bukan merupakan nasihat hukum dan juga tidak berkontribusi pada situs web atau berkomunikasi dengan Privacy Guides atau kontributor lain tentang situs web kami menciptakan hubungan antara pengacara dan klien. + +Menjalankan situs web ini, seperti hal usaha manusia lainnya, melibatkan ketidakpastian dan kerugian. Kami harap situs web ini membantu, tetapi mungkin termasuk kesalahan dan tidak dapat mengatasi setiap situasi. Jika Anda memiliki pertanyaan tentang situasi Anda, kami mendorong Anda untuk melakukan penelitian Anda sendiri, mencari ahli lain, dan terlibat dalam diskusi dengan komunitas Privacy Guides. Jika Anda memiliki pertanyaan hukum, Anda harus berkonsultasi dengan penasihat hukum Anda sendiri sebelum melangkah lebih jauh. + +Privacy Guides adalah proyek sumber terbuka yang dikontribusikan di bawah lisensi yang mencakup persyaratan yang, demi perlindungan situs web dan kontributornya, menjelaskan bahwa proyek dan situs web Panduan Privasi ditawarkan "apa adanya", tanpa jaminan, dan melepaskan tanggung jawab atas kerugian yang diakibatkan oleh penggunaan situs web atau rekomendasi apa pun yang terkandung di dalamnya. Privacy Guides tidak menjamin atau membuat pernyataan apa pun mengenai keakuratan, kemungkinan hasil, atau keandalan penggunaan materi di situs web atau yang terkait dengan materi tersebut di situs web atau di situs pihak ketiga mana pun yang ditautkan di situs ini. + +Privacy Guides juga tidak menjamin bahwa situs web ini akan selalu tersedia, atau tersedia sama sekali. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Ini tidak termasuk kode pihak ketiga yang tertanam dalam repositori ini, atau kode di mana lisensi pengganti dinyatakan. Berikut ini adalah contoh penting, tetapi daftar ini mungkin tidak mencakup semuanya: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Ini berarti bahwa Anda dapat menggunakan konten yang dapat dibaca manusia dalam repositori ini untuk proyek Anda sendiri, sesuai dengan persyaratan yang diuraikan dalam teks Creative Commons Atribusi-TanpaTurunan 4.0 Internasional. Anda dapat melakukannya dengan cara yang wajar, tetapi tidak dengan cara apa pun yang menyarankan Privacy Guides mendukung Anda atau penggunaan Anda. Anda **tidak boleh** menggunakan merek Privacy Guides dalam proyek Anda sendiri tanpa persetujuan tertulis dari proyek ini. Merek dagang merek Privacy Guides mencakup tanda kata "Privacy Guides" dan logo perisai. + +Kami percaya bahwa logo dan gambar lain dalam `aset` yang diperoleh dari penyedia pihak ketiga berada dalam domain publik atau **penggunaan wajar**. Secara singkat, hukum [doktrin penggunaan wajar](https://www.copyright.gov/fair-use/more-info.html) memungkinkan penggunaan gambar berhak cipta untuk mengidentifikasi materi pelajaran untuk tujuan komentar publik. Namun, logo ini dan gambar lainnya mungkin masih tunduk pada undang-undang merek dagang di satu atau lebih yurisdiksi. Sebelum menggunakan konten ini, pastikan bahwa konten tersebut digunakan untuk mengidentifikasi entitas atau organisasi yang memiliki merek dagang dan bahwa Anda memiliki hak untuk menggunakannya berdasarkan hukum yang berlaku dalam situasi yang Anda inginkan. *Ketika menyalin konten dari situs web ini, Anda bertanggung jawab penuh untuk memastikan bahwa Anda tidak melanggar merek dagang atau hak cipta orang lain.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Penggunaan yang Dapat Diterima + +Anda tidak boleh menggunakan situs web ini dengan cara apa pun yang menyebabkan atau dapat menyebabkan kerusakan pada situs web atau gangguan ketersediaan atau aksesibilitas Privacy Guides, atau dengan cara apa pun yang melanggar hukum, ilegal, curang, berbahaya, atau sehubungan dengan tujuan atau aktivitas yang melanggar hukum, ilegal, curang, atau berbahaya. + +Anda tidak boleh melakukan aktivitas pengumpulan data secara sistematis atau otomatis pada atau sehubungan dengan situs web ini tanpa persetujuan tertulis, termasuk: + +* Pemindaian Otomatis yang Berlebihan +* Serangan Penolakan Layanan +* Mengikis +* Penambangan Data +* 'Pembingkaian' (IFrame) + +--- + +*Bagian dari pemberitahuan ini sendiri diadopsi dari [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) di GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/id/about/privacy-policy.md b/i18n/id/about/privacy-policy.md new file mode 100644 index 00000000..bb0992d2 --- /dev/null +++ b/i18n/id/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Kebijakan Privasi" +--- + +Privacy Guides adalah proyek komunitas yang dioperasikan oleh sejumlah kontributor sukarelawan yang aktif. Daftar publik anggota tim [dapat ditemukan di GitHub](https://github.com/orgs/privacyguides/people). + +## Data yang Kami Kumpulkan dari Pengunjung + +Privasi pengunjung situs web kami sangat penting bagi kami, jadi kami tidak melacak setiap orang. Sebagai pengunjung situs web kami: + +- Tidak ada informasi pribadi yang dikumpulkan +- Tidak ada informasi seperti kuki yang disimpan di peramban +- Tidak ada informasi yang dibagikan, dikirim atau dijual kepada pihak ketiga +- Tidak ada informasi yang dibagikan dengan perusahaan periklanan +- Tidak ada informasi yang ditambang dan dipanen untuk tren pribadi dan perilaku +- Tidak ada informasi yang dimonetisasi + +Anda dapat melihat data yang kami kumpulkan di halaman [statistik](statistics.md) kami. + +Kami menjalankan instalasi [Plausible Analytics](https://plausible.io) yang dihosting sendiri untuk mengumpulkan beberapa data penggunaan anonim untuk tujuan statistik. Tujuannya adalah untuk melacak tren keseluruhan dalam lalu lintas situs web kami, bukan untuk melacak pengunjung individu. Semua data hanya dalam agregat. Tidak ada data pribadi yang dikumpulkan. + +Data yang dikumpulkan termasuk sumber rujukan, halaman teratas, durasi kunjungan, informasi dari perangkat (jenis perangkat, sistem operasi, negara dan browser) yang digunakan selama kunjungan dan banyak lagi. Anda dapat mempelajari lebih lanjut tentang bagaimana Plausible bekerja dan mengumpulkan informasi dengan cara yang menghormati privasi [di sini](https://plausible.io/data-policy). + +## Data yang Kami Kumpulkan Dari Pemegang Akun + +Pada beberapa situs web dan layanan yang kami sediakan, banyak fitur yang mungkin memerlukan akun. Sebagai contoh, sebuah akun mungkin diperlukan untuk mengirim dan membalas topik pada platform forum. + +Untuk mendaftar ke sebagian besar akun, kami akan mengumpulkan nama, nama pengguna, surel, dan kata sandi. Jika sebuah situs web memerlukan lebih banyak informasi daripada data tersebut, hal itu akan ditandai dengan jelas dan dicatat dalam pernyataan privasi terpisah per situs. + +Kami menggunakan data akun Anda untuk mengidentifikasi Anda di situs web dan membuat halaman khusus untuk Anda, seperti halaman profil. Kami juga akan menggunakan data akun Anda untuk mempublikasikan profil publik untuk Anda di layanan kami. + +Kami menggunakan surel Anda untuk: + +- Memberi tahu Anda tentang kiriman dan aktivitas lain di situs web atau layanan. +- Mengatur ulang kata sandi Anda dan jaga keamanan akun Anda. +- Menghubungi Anda dalam keadaan khusus yang berkaitan dengan akun Anda. +- Menghubungi Anda tentang permintaan hukum, seperti permintaan penghapusan DMCA. + +Pada beberapa situs web dan layanan, Anda dapat memberikan informasi tambahan untuk akun Anda, seperti biografi singkat, avatar, lokasi Anda, atau hari ulang tahun Anda. Kami membuat informasi yang tersedia untuk semua orang yang dapat mengakses situs web atau layanan yang bersangkutan. Informasi ini tidak diperlukan untuk menggunakan layanan kami dan dapat dihapus kapan saja. + +Kami akan menyimpan data akun Anda selama akun Anda masih terbuka. Setelah menutup akun, kami dapat menyimpan sebagian atau seluruh data akun Anda dalam bentuk cadangan atau arsip hingga 90 hari. + +## Menghubungi Kami + +Tim Privacy Guides umumnya tidak memiliki akses ke data pribadi di luar akses terbatas yang diberikan melalui beberapa panel moderasi. Pertanyaan mengenai informasi pribadi Anda harus dikirim langsung ke: + +```text +Jonah Aragon +Administrator Layanan +jonah@privacyguides.org +``` + +Untuk semua pertanyaan lainnya, Anda dapat menghubungi anggota tim kami. + +Untuk keluhan berdasarkan GDPR secara umum, Anda dapat mengajukan keluhan kepada otoritas pengawas perlindungan data setempat. Di Prancis, Komisi Nasional Informasi dan Kebebasan yang mengurus dan menangani keluhan tersebut. Mereka menyediakan templat [surat keluhan](https://www.cnil.fr/en/plaintes) untuk digunakan. + +## Tentang Kebijakan Ini + +Kami akan mengirim versi baru dari pernyataan ini [di sini](privacy-policy.md). Kami dapat mengubah cara kami mengumumkan perubahan dalam versi mendatang dari dokumen ini. Sementara itu, kami dapat memperbarui informasi kontak kami kapan saja tanpa mengumumkan perubahan. Silakan merujuk ke [Kebijakan Privasi](privacy-policy.md) untuk informasi kontak terbaru setiap saat. + +Sebuah [riwayat](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) revisi lengkap dari halaman ini dapat ditemukan di GitHub. diff --git a/i18n/id/about/privacytools.md b/i18n/id/about/privacytools.md new file mode 100644 index 00000000..fbbe41f7 --- /dev/null +++ b/i18n/id/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "Pertanyaan Umum PrivacyTools" +--- + +# Mengapa kami pindah dari PrivacyTools + +Pada bulan September 2021, setiap kontributor aktif dengan suara bulat setuju untuk berpindah dari PrivacyTools untuk bekerja di situs ini: Privacy Guides. Keputusan ini diambil karena pendiri dan pengendali nama domain PrivacyTools telah menghilang dalam jangka waktu yang lama dan tidak dapat dihubungi. + +Setelah membangun situs dan serangkaian layanan yang memiliki reputasi baik di PrivacyTools.io, hal ini menimbulkan kekhawatiran besar bagi masa depan PrivacyTools, karena gangguan apa pun di masa depan dapat menghapus seluruh organisasi tanpa metode pemulihan. Transisi ini dikomunikasikan kepada komunitas PrivacyTools beberapa bulan sebelumnya melalui berbagai saluran termasuk blog, Twitter, Reddit, dan Mastodon untuk memastikan seluruh proses berjalan semulus mungkin. Kami melakukan ini untuk memastikan tidak ada siapa pun yang berada di dalam kegelapan, yang telah menjadi modus operandi kami sejak tim kami diciptakan, dan untuk memastikan Privacy Guides diakui sebagai organisasi terpercaya yang sama dengan PrivacyTools sebelum transisi. + +Setelah perpindahan organisasi selesai, pendiri PrivacyTools kembali dan mulai menyebarkan informasi yang salah tentang proyek Privacy Guides. Mereka terus menyebarkan informasi yang salah selain mengoperasikan peternakan tautan berbayar pada domain PrivacyTools. Kami membuat halaman ini untuk membereskan kesalahpahaman apa pun. + +## Apa itu PrivacyTools? + +PrivacyTools dibuat pada tahun 2015 oleh "BurungHantu," yang ingin membuat alat yang berguna untuk sumber daya informasi privasi setelah pengungkapan Snowden. Situs ini tumbuh menjadi proyek sumber terbuka yang berkembang dengan [banyak kontributor](https://github.com/privacytools/privacytools.io/graphs/contributors), beberapa akhirnya diberi berbagai tanggung jawab organisasi, seperti mengoperasikan layanan daring seperti Matrix dan Mastodon, mengelola dan meninjau perubahan pada situs di GitHub, mencari sponsor untuk proyek tersebut, menulis kiriman blog dan mengoperasikan platform penjangkauan media sosial seperti Twitter, dll. + +Mulai dari tahun 2019, BurungHantu semakin menjauh dari pengembangan aktif situs web dan komunitas, dan mulai menunda pembayaran yang menjadi tanggung jawabnya terkait dengan server yang kami operasikan. Untuk menghindari administrator sistem kami membayar biaya server menggunakan uang mereka sendiri, kami mengubah metode donasi yang tercantum di situs dari akun PayPal dan kripto pribadi BurungHantu ke halaman OpenCollective baru pada tanggal [31 Oktober 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Hal ini memiliki manfaat tambahan yaitu membuat keuangan kami benar-benar transparan, nilai yang sangat kami yakini, dan dapat dikurangkan dari pajak di Amerika Serikat, karena dipegang oleh Open Collective Foundation 501(c)3. Perubahan ini disetujui dengan suara bulat oleh tim dan tidak dapat diganggu gugat. + +## Mengapa Kami Pindah + +Pada tahun 2020, ketidakhadiran BurungHantu semakin terlihat. Pada suatu ketika, kami meminta supaya server nama domain diubah ke server nama yang dikendalikan oleh administrator sistem kami untuk menghindari gangguan di masa mendatang, dan perubahan ini belum selesai hingga lebih dari satu bulan setelah permintaan awal. Dia akan menghilang dari obrolan publik dan ruang obrolan tim pribadi di Matrix selama berbulan-bulan, sesekali muncul untuk memberikan sedikit umpan balik atau berjanji untuk lebih aktif sebelum menghilang lagi. + +Pada bulan Oktober 2020, administrator sistem PrivacyTools (Jonah) [meninggalkan](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) proyek karena kesulitan ini, menyerahkan kendali kepada kontributor lama lainnya. Jonah telah mengoperasikan hampir semua layanan PrivacyTools dan bertindak sebagai *de facto* pimpinan proyek untuk pengembangan situs web selama ketidakhadiran BurungHantu, sehingga kepergiannya merupakan perubahan yang signifikan bagi organisasi. Pada saat itu, karena perubahan organisasi yang signifikan ini, BurungHantu berjanji kepada tim yang tersisa bahwa ia akan kembali untuk mengambil alih kendali proyek ke depannya. ==Tim PrivacyTools menghubungi melalui beberapa metode komunikasi selama beberapa bulan berikutnya, tetapi tidak menerima tanggapan apa pun.== + +## Ketergantungan Nama Domain + +Pada awal tahun 2021, tim PrivacyTools semakin khawatir tentang masa depan proyek, karena nama domain akan kedaluwarsa pada tanggal 1 Maret 2021. Domain ini akhirnya diperbarui oleh BurungHantu tanpa komentar. + +Kekhawatiran tim tidak ditanggapi, dan kami menyadari bahwa hal ini akan menjadi masalah setiap tahun: Jika domain tersebut kedaluwarsa, maka domain tersebut dapat dicuri oleh penghuni liar atau pengirim spam, sehingga merusak reputasi organisasi. Kami juga akan kesulitan menghubungi komunitas untuk memberi tahu mereka tentang apa yang terjadi. + +Tanpa melakukan kontak dengan BurungHantu, kami memutuskan tindakan terbaik adalah pindah ke nama domain baru selagi kami masih memiliki jaminan kontrol atas nama domain lama, sebelum Maret 2022. Dengan cara ini, kami akan dapat mengarahkan semua sumber daya PrivacyTools dengan bersih ke situs baru tanpa gangguan dalam layanan. Keputusan ini dibuat berbulan-bulan sebelumnya dan dikomunikasikan kepada seluruh tim dengan harapan bahwa BurungHantu akan menjangkau dan memastikan dukungannya yang berkelanjutan untuk proyek ini, karena dengan nama merek yang sudah dikenal dan komunitas daring yang besar, berpindah dari "PrivacyTools" adalah hasil yang paling tidak diinginkan. + +Pada pertengahan 2021, tim PrivacyTools menghubungi Jonah, yang setuju untuk bergabung kembali dengan tim untuk membantu transisi. + +## Ajakan Komunitas untuk Bertindak + +Pada akhir Juli 2021, kami [memberi tahu](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) komunitas PrivacyTools tentang niat kami untuk memilih nama baru dan melanjutkan proyek di domain baru, yang akan [dipilih](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) pada tanggal 2 Agustus 2022. Pada akhirnya, "Privacy Guides" dipilih, dengan domain `privacyguides.org` yang telah dimiliki oleh Jonah untuk proyek sampingan dari tahun 2020 yang tidak berkembang. + +## Kontrol dari r/privacytoolsIO + +Bersamaan dengan masalah situs web yang sedang berlangsung di privacytools.io, tim moderasi r/privacytoolsIO menghadapi tantangan dalam mengelola subreddit. Subreddit selalu dioperasikan secara independen dari pengembangan situs web, tetapi BurungHantu adalah moderator utama dari subreddit tersebut, dan dia adalah satu-satunya moderator yang diberikan hak istimewa "Kendali Penuh". u/trai_dep adalah satu-satunya moderator aktif pada saat itu, dan [mengirim](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) permintaan kepada administrator Reddit pada tanggal 28 Juni 2021, meminta untuk diberikan posisi moderator utama dan hak kontrol penuh, untuk membuat perubahan yang diperlukan pada Subreddit. + +Reddit mengharuskan subreddit memiliki moderator yang aktif. Jika moderator utama tidak aktif dalam jangka waktu yang lama (seperti satu tahun), posisi moderator utama dapat ditunjuk kembali ke moderator berikutnya. Agar permintaan ini dikabulkan, BurungHantu harus benar-benar absen dari semua aktivitas Reddit untuk jangka waktu yang lama, yang konsisten dengan perilakunya di platform lain. + +> Jika Anda dihapus sebagai moderator dari subreddit melalui permintaan Reddit, itu karena kurangnya tanggapan dan kurangnya aktivitas Anda memenuhi syarat subreddit untuk transfer r/redditrequest. +> +> r/redditrequest adalah cara Reddit untuk memastikan komunitas memiliki moderator yang aktif dan merupakan bagian dari [Kode Etik Moderator](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Memulai Transisi + +Pada 14 September 2021, kami [mengumumkan](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) awal migrasi kami ke domain baru ini: + +> [...] kami merasa perlu untuk melakukan peralihan ini lebih cepat daripada nanti untuk memastikan orang akan mengetahui tentang transisi ini sesegera mungkin. Hal ini memberikan kami waktu yang cukup untuk melakukan transisi nama domain, yang saat ini dialihkan ke www.privacyguides.org, dan diharapkan dapat memberikan waktu yang cukup bagi semua orang untuk mengetahui perubahan tersebut, memperbarui markah dan situs web, dll. + +Perubahan ini [mensyaratkan:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Mengalihkan www.privacytools.io ke [www.privacyguides.org](https://www.privacyguides.org). +- Mengarsipkan kode sumber di GitHub untuk melestarikan pekerjaan masa lalu dan pelacak masalah kami, yang terus kami gunakan selama berbulan-bulan pengembangan dari situs ini di masa depan. +- Mengirim pengumuman ke subreddit kami dan berbagai komunitas lain yang menginformasikan orang-orang tentang perubahan resmi. +- Secara resmi menutup layanan privacytools.io, seperti Matrix dan Mastodon, dan mendorong pengguna lama untuk bermigrasi sesegera mungkin. + +Segala sesuatunya tampak berjalan dengan lancar, dan sebagian besar komunitas aktif kami beralih ke proyek baru kami persis seperti yang kami harapkan. + +## Peristiwa yang Diikuti + +Kira-kira seminggu setelah transisi, BurungHantu kembali daring untuk pertama kalinya dalam hampir satu tahun, namun tidak ada seorang pun dari tim kami yang ingin kembali ke PrivacyTools karena sejarahnya yang tidak dapat diandalkan. Daripada meminta maaf atas ketidakhadirannya yang berkepanjangan, ia segera melakukan serangan dan memposisikan transisi ke Privacy Guides sebagai serangan terhadapnya dan proyeknya. Dia kemudian [menghapus](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) banyak kiriman tersebut ketika ditunjukkan oleh komunitas bahwa dia tidak hadir dan meninggalkan proyek tersebut. + +Pada titik ini, BurungHantu menyatakan bahwa ia ingin melanjutkan pengerjaan privacytools.io secara mandiri dan meminta kami untuk menghapus pengalihan dari www.privacytools.io ke [www.privacyguides.org](https://www.privacyguides.org). Kami mewajibkan dan meminta supaya subdomain untuk Matrix, Mastodon, dan PeerTube tetap aktif agar kami dapat menjalankan layanan publik kepada komunitas kami setidaknya selama beberapa bulan, agar pengguna di platform tersebut dapat dengan mudah bermigrasi ke akun lain. Karena sifat federasi dari layanan yang kami sediakan, layanan ini terikat pada nama domain tertentu sehingga sangat sulit untuk dimigrasikan (dan dalam beberapa kasus tidak mungkin). + +Sayangnya, karena kontrol subreddit r/privacytoolsIO tidak dikembalikan ke BurungHantu atas permintaannya (informasi lebih lanjut di bawah), subdomain tersebut [terputus](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) pada awal Oktober, mengakhiri kemungkinan migrasi ke pengguna yang masih menggunakan layanan tersebut. + +Setelah itu, BurungHantu membuat tuduhan palsu tentang Jonah mencuri sumbangan dari proyek tersebut. BurungHantu memiliki waktu lebih dari setahun sejak insiden yang dituduhkan terjadi, namun dia tidak pernah membuat siapa pun menyadarinya sampai setelah migrasi Privacy Guides. BurungHantu telah berulang kali diminta untuk memberikan bukti dan memberikan komentar mengenai alasan kebungkamannya oleh tim [dan komunitas](https://twitter.com/TommyTran732/status/1526153536962281474), namun belum memberikannya. + +BurungHantu juga membuat [kiriman Twitter](https://twitter.com/privacytoolsIO/status/1510560676967710728) yang menuduh bahwa seorang "pengacara" telah menghubunginya di Twitter dan memberikan nasihat, dalam upaya lain untuk menggertak kami agar memberikannya kendali atas subreddit kami, dan sebagai bagian dari kampanye kotornya untuk mengotori air di sekitar peluncuran Privacy Guides sambil berpura-pura menjadi korban. + +## PrivacyTools.io Sekarang + +Pada tanggal 25 September 2022, kami melihat keseluruhan rencana BurungHantu terwujud di privacytools.io, dan ini adalah alasan utama kami memutuskan untuk membuat halaman penjelasan ini hari ini. Situs web yang dia operasikan tampaknya merupakan versi situs yang sangat dioptimalkan untuk SEO yang merekomendasikan alat dengan imbalan kompensasi finansial. Baru-baru ini, IVPN dan Mullvad, dua penyedia VPN yang hampir secara universal [direkomendasikan](../vpn.md) oleh komunitas privasi dan terkenal karena sikap mereka yang menentang program afiliasi telah dihapus dari PrivacyTools. Di tempat mereka? NordVPN, Surfshark, ExpressVPN, dan hide.me; Perusahaan VPN raksasa dengan platform dan praktik bisnis yang tidak dapat dipercaya, terkenal karena program pemasaran dan afiliasi mereka yang agresif. + +==**PrivacyTools telah menjadi jenis situs yang kami [peringatkan untuk dihindari](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) di blog PrivacyTools pada tahun 2019.**== Kami telah mencoba untuk menjaga jarak dari PrivacyTools sejak transisi, tetapi pelecehan mereka yang terus berlanjut terhadap proyek kami dan sekarang penyalahgunaan mereka yang tidak masuk akal terhadap kredibilitas merek mereka yang diperoleh selama 6 tahun kontribusi sumber terbuka sangat mengganggu kami. Kami yang benar-benar memperjuangkan privasi tidak bertengkar satu sama lain, dan tidak mendapatkan saran dari penawar tertinggi. + +## r/privacytoolsIO Sekarang + +Setelah peluncuran [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), tidak praktis bagi u/trai_dep untuk terus memoderasi kedua subreddit tersebut, dan dengan adanya komunitas yang ikut serta dalam transisi ini, r/privacytoolsIO [dijadikan](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) sebagai sub yang dibatasi dalam sebuah postingan pada tanggal 1 November 2021: + +> [...] Pertumbuhan Sub ini adalah hasil dari upaya besar, selama beberapa tahun, oleh tim PrivacyGuides.org. Dan oleh Anda semua. +> +> Subreddit adalah pekerjaan yang sangat banyak untuk dikelola dan dimoderasi. Seperti halnya sebuah taman, taman ini membutuhkan perawatan yang sabar dan perawatan harian. Ini bukanlah tugas untuk orang yang tidak suka bekerja keras atau orang yang sulit berkomitmen. Tanaman ini tidak dapat tumbuh subur di bawah seorang tukang kebun yang meninggalkannya selama beberapa tahun, lalu muncul dan menuntut hasil panen tahun ini sebagai penghargaan. Ini tidak adil bagi tim yang dibentuk beberapa tahun yang lalu. Ini tidak adil bagi Anda. [...] + +Subreddit bukan milik siapa pun, dan terutama bukan milik pemegang merek. Mereka adalah bagian dari komunitas mereka, dan komunitas serta para moderatornya membuat keputusan untuk mendukung perpindahan ke r/PrivacyGuides. + +Beberapa bulan setelahnya, BurungHantu telah mengancam dan memohon untuk mengembalikan kontrol subreddit ke akunnya dalam [pelanggaran](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) aturan Reddit: + +> Pembalasan dari moderator mana pun sehubungan dengan permintaan penghapusan tidak diperbolehkan. + +Untuk sebuah komunitas dengan ribuan pelanggan yang tersisa, kami merasa bahwa akan sangat tidak sopan untuk mengembalikan kendali platform besar tersebut kepada orang yang meninggalkannya selama lebih dari satu tahun, dan yang sekarang mengoperasikan situs web yang menurut kami memberikan informasi yang sangat berkualitas rendah. Melestarikan diskusi-diskusi masa lalu di komunitas tersebut lebih penting bagi kami, dan oleh karena itu u/trai_dep dan tim moderator subreddit lainnya telah membuat keputusan untuk mempertahankan r/privacytoolsIO apa adanya. + +## OpenCollective Sekarang + +Platform penggalangan dana kami, OpenCollective, adalah sumber perdebatan lainnya. Posisi kami adalah bahwa OpenCollective diberlakukan oleh tim kami dan dikelola oleh tim kami untuk mendanai layanan yang saat ini kami operasikan dan yang tidak lagi dilakukan PrivacyTools. Kami [menghubungi](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) kepada semua donatur kami mengenai perpindahan kami ke Privacy Guides, dan kami dengan suara bulat didukung oleh para sponsor dan komunitas kami. + +Dengan demikian, dana yang ada di OpenCollective adalah milik Privacy Guides, dana tersebut diberikan kepada proyek kami, dan bukan kepada pemilik nama domain terkenal. Dalam pengumuman yang disampaikan kepada para donatur pada tanggal 17 September 2021, kami menawarkan pengembalian dana kepada setiap donatur yang tidak setuju dengan sikap yang kami ambil, tetapi tidak ada yang menerima tawaran ini: + +> Jika ada sponsor atau pendukung yang tidak setuju atau merasa disesatkan oleh peristiwa baru ini dan ingin meminta pengembalian dana karena keadaan yang sangat tidak biasa ini, silakan hubungi admin proyek kami melalui surel ke jonah@triplebit.net. + +## Bacaan Lebih Lanjut + +Topik ini telah dibahas secara luas dalam komunitas kami di berbagai tempat, dan sepertinya sebagian besar orang yang membaca halaman ini sudah mengetahui tentang peristiwa yang terjadi sebelum perpindahan ke Privacy Guides. Beberapa tulisan kami sebelumnya mengenai masalah ini mungkin memiliki detail tambahan yang kami hilangkan di sini untuk mempersingkatnya. Mereka telah ditautkan di bawah ini demi kelengkapan. + +- [28 Juni 2021 permintaan untuk mengontrol r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 Juli 2021 pengumuman tentang niat kami untuk memindahkan blog PrivacyTools, yang ditulis oleh tim](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 September 2021 pengumuman awal transisi kami ke Privacy Guides di r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [17 September 2021 pengemuman di OpenCollective dari Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 September 2021 utas Twitter yang merinci sebagian besar peristiwa yang sekarang dijelaskan di halaman ini](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1 Oktober 2021 dikirim oleh u/dng99 yang mencatat kegagalan subdomain](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 April 2022 tanggapan oleh u/dng99 untuk kiriman blog yang menuduh dari PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 Mei 2022 tanggapan oleh @TommyTran732 di Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [3 Sep 2022 kiriman di forum Techlore oleh @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/id/about/services.md b/i18n/id/about/services.md new file mode 100644 index 00000000..b056fdf4 --- /dev/null +++ b/i18n/id/about/services.md @@ -0,0 +1,38 @@ +# Layanan Privacy Guides + +Kami menjalankan sejumlah layanan web untuk menguji fitur dan mempromosikan proyek desentralisasi, federasi, dan/atau sumber terbuka yang keren. Banyak dari layanan ini tersedia untuk umum dan dirinci di bawah ini. + +[:material-comment-alert: Laporkan masalah](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Ketersediaan: Publik +- Sumber: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Ketersediaan: Khusus Undangan + Akses dapat diberikan berdasarkan permintaan kepada tim mana pun yang bekerja pada pengembangan atau konten yang berkaitan dengan *Privacy Guides*. +- Sumber: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Ketersediaan: Khusus Undangan + Akses dapat diberikan berdasarkan permintaan kepada anggota tim Privacy Guides, moderator Matrix, administrator komunitas Matrix pihak ketiga, operator bot Matrix, dan individu lain yang membutuhkan kehadiran di Matrix yang andal. +- Sumber: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Ketersediaan: Publik +- Sumber: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Ketersediaan: Semi-Publik + Kami melayani Invidious terutama untuk menyajikan video YouTube yang disematkan di situs web kami, layanan ini tidak dimaksudkan untuk penggunaan tujuan umum dan dapat dibatasi sewaktu-waktu. +- Sumber: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/id/about/statistics.md b/i18n/id/about/statistics.md new file mode 100644 index 00000000..57eab3dd --- /dev/null +++ b/i18n/id/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Statistik Lalu Lintas +--- + +## Statistik Situs Web + + +
Statistik didukung oleh Plausible Analytics
+ + + + +## Statistik Blog + + +
Statistik didukung oleh Plausible Analytics
+ + + diff --git a/i18n/id/advanced/communication-network-types.md b/i18n/id/advanced/communication-network-types.md new file mode 100644 index 00000000..480a8035 --- /dev/null +++ b/i18n/id/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Jenis Jaringan Komunikasi" +icon: 'material/transit-connection-variant' +description: Ikhtisar tentang beberapa arsitektur jaringan yang biasa digunakan oleh aplikasi perpesanan instan. +--- + +Ada beberapa arsitektur jaringan yang biasa digunakan untuk menyampaikan pesan antar orang. Jaringan ini dapat memberikan jaminan privasi yang berbeda, itulah sebabnya mengapa perlu mempertimbangkan [model ancaman](../basics/threat-modeling.md) Anda ketika memutuskan aplikasi mana yang akan digunakan. + +[Perpesanan Instan yang Direkomendasikan](../real-time-communication.md ""){.md-button} + +## Jaringan Terpusat + +![Diagram jaringan terpusat](../assets/img/layout/network-centralized.svg){ align=left } + +Perpesanan terpusat adalah di mana semua peserta berada di server yang sama atau jaringan server yang dikendalikan oleh organisasi yang sama. + +Beberapa perpesanan yang dihosting sendiri memungkinkan Anda untuk mengatur server Anda sendiri. Hosting sendiri dapat memberikan jaminan privasi tambahan, seperti tidak ada catatan penggunaan atau akses terbatas ke metadata (data tentang siapa yang berbicara dengan siapa). Perpesanan terpusat yang dihosting sendiri terisolasi dan semua orang harus berada di server yang sama untuk berkomunikasi. + +**Keuntungan:** + +- Fitur dan perubahan baru dapat diterapkan dengan lebih cepat. +- Lebih mudah untuk memulai dan menemukan kontak. +- Kebanyakan yang matang dan stabil memfiturkan ekosistem, karena lebih mudah diprogram dalam perangkat lunak terpusat. +- Masalah privasi dapat dikurangi ketika Anda mempercayai server yang Anda hosting sendiri. + +**Kekurangan:** + +- Dapat menyertakan [kontrol atau akses terbatas](https://drewdevault.com/2018/08/08/Signal.html). Ini dapat mencakup hal-hal seperti: +- Dilarang [menghubungkan klien pihak ketiga](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) ke jaringan terpusat yang mungkin memberikan penyesuaian yang lebih besar atau pengalaman yang lebih baik. Sering kali didefinisikan dalam Syarat dan Ketentuan penggunaan. +- Dokumentasi yang buruk atau tidak ada sama sekali untuk pengembang pihak ketiga. +- [Kepemilikan](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), kebijakan privasi, dan operasi layanan dapat berubah dengan mudah ketika satu entitas mengendalikannya, yang berpotensi membahayakan layanan di kemudian hari. +- Hosting mandiri membutuhkan upaya dan pengetahuan tentang cara menyiapkan layanan. + +## Jaringan Federasi + +![Diagram jaringan federasi](../assets/img/layout/network-decentralized.svg){ align=left } + +Perpesanan federasi menggunakan beberapa server yang independen dan terdesentralisasi yang dapat berbicara satu sama lain (surel adalah salah satu contoh layanan federasi). Federasi memungkinkan administrator sistem untuk mengontrol server mereka sendiri dan tetap menjadi bagian dari jaringan komunikasi yang lebih besar. + +Ketika dihosting sendiri, anggota server federasi dapat menemukan dan berkomunikasi dengan anggota server lain, meskipun beberapa server dapat memilih untuk tetap pribadi dengan menjadi nonfederasi (misalnya, server tim kerja). + +**Keuntungan:** + +- Memungkinkan kontrol yang lebih besar atas data Anda saat menjalankan server Anda sendiri. +- Memungkinkan Anda untuk memilih kepada siapa Anda akan memercayakan data Anda dengan memilih di antara beberapa server "publik". +- Sering kali memungkinkan klien pihak ketiga yang dapat memberikan pengalaman yang lebih asli, disesuaikan, atau dapat diakses. +- Perangkat lunak server dapat diverifikasi bahwa itu cocok dengan kode sumber publik, dengan asumsi Anda memiliki akses ke server atau Anda mempercayai orang yang memilikinya (misalnya, anggota keluarga). + +**Kekurangan:** + +- Menambahkan fitur baru lebih kompleks karena fitur ini perlu distandarisasi dan diuji untuk memastikan fitur tersebut bekerja dengan semua server di jaringan. +- Karena alasan sebelumnya, fiturnya mungkin kurang, atau tidak lengkap atau bekerja dengan cara yang tidak terduga dibandingkan dengan platform terpusat, seperti pengarah pesan saat luring atau penghapusan pesan. +- Beberapa metadata mungkin tersedia (misalnya, informasi seperti "siapa yang berbicara dengan siapa," tetapi bukan konten pesan yang sebenarnya jika E2EE digunakan). +- Server federasi umumnya membutuhkan kepercayaan dari administrator server Anda. Mereka mungkin hanya seorang penghobi atau bukan "profesional keamanan", dan mungkin tidak menyajikan dokumen standar seperti kebijakan privasi atau persyaratan layanan yang merinci bagaimana data Anda digunakan. +- Administrator server terkadang memilih untuk memblokir server lain, yang merupakan sumber penyalahgunaan yang tidak dimoderasi atau melanggar aturan umum perilaku yang dapat diterima. Hal ini akan menghalangi kemampuan Anda untuk berkomunikasi dengan anggota server tersebut. + +## Jaringan Peer-to-Peer + +![Diagram P2P](../assets/img/layout/network-distributed.svg){ align=left } + +Perpesanan P2P terhubung ke [jaringan node yang terdistribusi](https://en.wikipedia.org/wiki/Distributed_networking) untuk menyampaikan pesan ke penerima tanpa server pihak ketiga. + +Klien (peer) biasanya menemukan satu sama lain melalui penggunaan jaringan [komputasi terdistribusi](https://id.wikipedia.org/wiki/Komputasi_terdistribusi). Contohnya antara lain [Tabel Hash Terdistribusi](https://id.wikipedia.org/wiki/Tabel_Hash_Terdistribusi) (DHT), yang digunakan oleh [torrent](https://id.wikipedia.org/wiki/BitTorrent) dan [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) sebagai contoh. Pendekatan lain adalah jaringan berbasis kedekatan, di mana koneksi dibuat melalui WiFi atau Bluetooth (misalnya, Briar atau protokol jaringan sosial [Scuttlebutt](https://www.scuttlebutt.nz)). + +Setelah peer menemukan rute ke kontaknya melalui salah satu metode ini, koneksi langsung di antara mereka dibuat. Meskipun pesan biasanya dienkripsi, seorang pengamat masih dapat menyimpulkan lokasi dan identitas pengirim dan penerima. + +Jaringan P2P tidak menggunakan server, karena rekan-rekan berkomunikasi secara langsung antara satu sama lain dan karenanya tidak dapat dihosting sendiri. Namun, beberapa layanan tambahan mungkin bergantung pada server terpusat, seperti penemuan pengguna atau menyampaikan pesan luring, yang bisa mendapatkan keuntungan dari hosting mandiri. + +**Keuntungan:** + +- Informasi minimal diekspos ke pihak ketiga. +- Platform P2P modern menerapkan E2EE secara bawaan. Tidak ada server yang berpotensi mencegat dan mendekripsi transmisi Anda, tidak seperti model terpusat dan federasi. + +**Kekurangan:** + +- Set fitur yang dikurangi: +- Pesan hanya dapat dikirim ketika kedua rekan daring, namun, klien Anda dapat menyimpan pesan secara lokal untuk menunggu kontak kembali daring. +- Umumnya meningkatkan penggunaan baterai di ponsel, karena klien harus tetap terhubung ke jaringan terdistribusi untuk mengetahui siapa saja yang sedang daring. +- Beberapa fitur perpesanan yang umum mungkin tidak diimplementasikan atau tidak lengkap, seperti penghapusan pesan. +- Alamat IP Anda dan alamat IP kontak yang berkomunikasi dengan Anda dapat terekspos jika Anda tidak menggunakan perangkat lunak ini bersama dengan [VPN](../vpn.md) atau [Tor](../tor.md). Banyak negara memiliki beberapa bentuk pengawasan massal dan/atau penyimpanan metadata. + +## Perutean Anonim + +![Diagram perutean anonim](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +Pengirim pesan yang menggunakan [perutean anonim](https://doi.org/10.1007/978-1-4419-5906-5_628) menyembunyikan identitas pengirim, penerima, atau bukti bahwa mereka telah berkomunikasi. Secara ideal, sebuah perpesanan seharusnya menyembunyikan ketiganya. + +Ada [banyak](https://doi.org/10.1145/3182658) cara yang berbeda untuk menerapkan perutean anonim. Salah satu yang paling terkenal adalah [perutean bawang](https://en.wikipedia.org/wiki/Onion_routing) (yaitu [Tor](tor-overview.md)), yang mengkomunikasikan pesan terenkripsi melalui jaringan hamparan [virtual](https://en.wikipedia.org/wiki/Overlay_network) yang menyembunyikan lokasi setiap node serta penerima dan pengirim setiap pesan. Pengirim dan penerima tidak pernah berinteraksi secara langsung dan hanya bertemu melalui simpul pertemuan rahasia sehingga tidak ada kebocoran alamat IP atau lokasi fisik. Node tidak dapat mendekripsi pesan, atau tujuan akhir; hanya penerima yang dapat melakukannya. Setiap node perantara hanya dapat mendekripsi bagian yang menunjukkan ke mana harus mengirim pesan yang masih terenkripsi berikutnya, sampai pesan tersebut tiba di penerima yang dapat mendekripsi sepenuhnya, oleh karena itu disebut sebagai "lapisan bawang." + +Melayani sebuah node secara sendiri dalam jaringan perutean anonim tidak memberikan manfaat privasi tambahan kepada penyedia, tetapi berkontribusi pada ketahanan seluruh jaringan terhadap serangan identifikasi untuk keuntungan semua orang. + +**Keuntungan:** + +- Tidak ada informasi atau informasi minimal yang diekspos ke pihak lain. +- Pesan dapat disampaikan secara terdesentralisasi meskipun salah satu pihak sedang luring. + +**Kekurangan:** + +- Penyebaran pesan lambat. +- Sering kali terbatas pada jenis media yang lebih sedikit, sebagian besar teks, karena jaringannya lambat. +- Kurang diandalkan jika node dipilih dengan perutean acak, beberapa node mungkin sangat jauh dari pengirim dan penerima, menambah latensi atau bahkan gagal mengirimkan pesan jika salah satu node luring. +- Lebih rumit untuk memulai, karena diperlukan pembuatan dan cadangan kunci kriptografi privat yang aman. +- Sama seperti platform terdesentralisasi lainnya, menambahkan fitur lebih kompleks bagi pengembang daripada platform terpusat. Oleh karena itu, fitur mungkin kurang atau tidak diterapkan secara lengkap, seperti pengiriman pesan secara luring atau penghapusan pesan. diff --git a/i18n/id/advanced/dns-overview.md b/i18n/id/advanced/dns-overview.md new file mode 100644 index 00000000..f5c1c138 --- /dev/null +++ b/i18n/id/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Ikhtisar DNS" +icon: material/dns +description: Sistem Nama Domain adalah "buku telepon internet," yang membantu peramban Anda menemukan situs web yang dicari. +--- + +[Sistem Penamaan Domain (DNS)](https://id.wikipedia.org/wiki/Sistem_Penamaan_Domain) adalah 'buku telepon internet'. DNS menerjemahkan nama domain ke alamat IP sehingga peramban dan layanan lain dapat memuat sumber daya internet, melalui jaringan server yang terdesentralisasi. + +## Apa itu DNS? + +Ketika Anda mengunjungi situs web, alamat numerik akan dikembalikan. Misalnya, ketika Anda mengunjungi `privacyguides.org`, alamat `192.98.54.105` dikembalikan. + +DNS sudah ada sejak [masa-masa awal](https://id.wikipedia.org/wiki/Sistem_Penamaan_Domain#Sejarah) internet. Permintaan DNS yang dibuat ke dan dari server DNS **tidak** secara umum dienkripsi. Dalam lingkungan perumahan, pelanggan diberikan server oleh ISP melalui [DHCP](https://id.wikipedia.org/wiki/Protokol_Konfigurasi_Hos_Dinamik). + +Permintaan DNS yang tidak terenkripsi dapat dengan mudah **diawasi** dan **diubah** dalam transit. Di beberapa bagian dunia, kebanyakan ISP diperintahkan untuk melakukan [penyaringan DNS](https://en.wikipedia.org/wiki/DNS_blocking) primitif. Saat Anda meminta alamat IP domain yang diblokir, server mungkin tidak merespons atau mungkin merespons dengan alamat IP yang berbeda. Karena protokol DNS tidak dienkripsi, ISP (atau operator jaringan apa pun) dapat menggunakan [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) untuk memantau permintaan. ISP juga dapat memblokir permintaan berdasarkan karakteristik umum, terlepas dari server DNS yang digunakan. DNS yang tidak terenkripsi selalu menggunakan [porta](https://id.wikipedia.org/wiki/Porta_(jaringan_komputer)) 53 dan selalu menggunakan UDP. + +Di bawah ini, kami mendiskusikan dan menyediakan tutorial untuk membuktikan apa yang mungkin dilihat oleh pengamat luar dengan menggunakan DNS biasa yang tidak terenkripsi dan [DNS terenkripsi](#apa-itu-dns-terenkripsi). + +### DNS yang tidak terenkripsi + +1. Dengan menggunakan [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (bagian dari proyek [Wireshark](https://id.wikipedia.org/wiki/Wireshark)) kita bisa memantau dan merekam aliran paket internet. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## Apa itu "DNS terenkripsi"? + +DNS terenkripsi dapat merujuk pada salah satu dari sejumlah protokol, yang paling umum adalah: + +### DNSCrypt + +[**DNSCrypt**](https://id.wikipedia.org/wiki/DNSCrypt) adalah salah satu metode pertama untuk mengenkripsi permintaan DNS. DNSCrypt beroperasi pada porta 443 dan bekerja dengan protokol transportasi TCP atau UDP. DNSCrypt belum pernah diajukan ke [Internet Engineering Task Force (IETF)](https://id.wikipedia.org/wiki/Internet_Engineering_Task_Force) dan juga tidak melalui proses [Request for Comments (RFC)](https://id.wikipedia.org/wiki/Request_for_Comments), sehingga belum digunakan secara luas di luar beberapa [penerapan](https://dnscrypt.info/implementations). Sebagai hasilnya, sebagian besar telah digantikan oleh [DNS melalui HTTPS](#dns-melalui-https-doh) yang lebih populer. + +### DNS melalui TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS melalui HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Haruskah saya menggunakan DNS terenkripsi? + +Kami membuat diagram aliran ini untuk menjelaskan kapan Anda *harus* menggunakan DNS terenkripsi: + +``` mermaid +grafik TB + Mulai[Start] --> anonim{Mencoba menjadi
anonim?} + anonim --> | Ya | tor(Gunakan Tor) + anonim --> | Tidak | sensor{Menghindari
sensor?} + sensor --> | Ya | vpnOrTor(Gunakan
VPN atau Tor) + sensor --> | Tidak | privasi{Ingin privasi
dari ISP?} + privasi --> | Ya | vpnOrTor + privasi --> | Tidak | obnoxious{ISP melakukan
pengarahan
yang menjengkelkan?} + obnoxious --> | Ya | encryptedDNS(Gunakan
DNS terenkripsi
dengan pihak ketiga) + obnoxious --> | Tidak | ispDNS{Apakah ISP mendukung
DNS terenkripsi?} + ispDNS --> | Ya | useISP(Gunakan
DNS terenkripsi
dengan ISP) + ispDNS --> | Tidak | tidakAda(Tidak lakukan apa pun) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/id/advanced/payments.md b/i18n/id/advanced/payments.md new file mode 100644 index 00000000..b876244e --- /dev/null +++ b/i18n/id/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Pembayaran Pribadi +icon: material/hand-coin +--- + +Ada alasan mengapa data tentang kebiasaan membeli Anda dianggap sebagai cawan suci penargetan iklan: pembelian Anda dapat membocorkan harta karun data tentang Anda. Sayangnya, sistem keuangan saat ini dirancang antiprivasi, sehingga memungkinkan bank, perusahaan lain, dan pemerintah untuk melacak transaksi dengan mudah. Namun demikian, Anda memiliki banyak pilihan untuk melakukan pembayaran secara pribadi. + +## Uang Tunai + +Selama berabad-abad, **uang tunai** telah berfungsi sebagai bentuk utama pembayaran pribadi. Uang tunai memiliki sifat privasi yang sangat baik dalam banyak kasus, diterima secara luas di sebagian besar negara, dan **dapat dipertukarkan**, artinya tidak unik dan sepenuhnya dapat dipertukarkan. + +Undang-undang pembayaran tunai bervariasi menurut negara. Di Amerika Serikat, pengungkapan khusus diperlukan untuk pembayaran tunai lebih dari $10.000 kepada IRS di [Formulir 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). Bisnis penerima wajib memverifikasi nama, alamat, pekerjaan, tanggal lahir, dan Nomor Jaminan Sosial atau NPWP penerima (dengan beberapa pengecualian). Batas bawah tanpa ID seperti $3.000 atau kurang dari itu ada untuk pertukaran dan pengiriman uang. Uang tunai juga memiliki nomor seri. Ini hampir tidak pernah dilacak oleh pedagang, tetapi dapat digunakan oleh penegak hukum dalam penyelidikan yang ditargetkan. + +Meskipun demikian, ini biasanya merupakan pilihan terbaik. + +## Kartu Prabayar & Kartu Hadiah + +Membeli kartu hadiah dan kartu prabayar di sebagian besar toko kelontong dan minimarket dengan uang tunai relatif mudah. Kartu hadiah biasanya tidak dikenakan biaya, meskipun kartu prabayar sering kali dikenakan biaya, jadi perhatikan baik-baik biaya dan tanggal kedaluwarsanya. Beberapa toko mungkin akan meminta kartu identitas Anda pada saat pembayaran untuk mengurangi penipuan. + +Kartu hadiah biasanya memiliki batas hingga $200 per kartu, tetapi ada juga yang menawarkan batas hingga $2.000 per kartu. Kartu prabayar (misalnya: dari Visa atau Mastercard) biasanya memiliki batas hingga $1.000 per kartu. + +Kartu hadiah memiliki sisi negatif karena tunduk pada kebijakan merchant, yang dapat memiliki persyaratan dan batasan yang buruk. Misalnya, beberapa penjual tidak menerima pembayaran dengan kartu hadiah secara eksklusif, atau mereka mungkin membatalkan nilai kartu jika mereka menganggap Anda sebagai pengguna berisiko tinggi. Setelah Anda memiliki kredit penjual, penjual memiliki tingkat kontrol yang kuat atas kredit ini. + +Kartu prabayar tidak mengizinkan penarikan tunai dari ATM atau pembayaran "peer-to-peer" di Venmo dan aplikasi serupa. + +Uang tunai tetap menjadi pilihan terbaik untuk pembelian secara langsung bagi kebanyakan orang. Kartu hadiah dapat berguna untuk penghematan yang mereka bawa. Kartu prabayar dapat berguna untuk tempat-tempat yang tidak menerima uang tunai. Kartu hadiah dan kartu prabayar lebih mudah digunakan secara daring daripada uang tunai, dan lebih mudah diperoleh dengan mata uang kripto daripada uang tunai. + +### Pasar Daring + +Jika Anda memiliki [mata uang kripto](../cryptocurrency.md), Anda dapat membeli kartu hadiah dengan pasar kartu hadiah daring. Beberapa layanan ini menawarkan opsi verifikasi ID untuk batas yang lebih tinggi, tetapi mereka juga mengizinkan akun hanya dengan alamat surel. Batas dasar mulai dari $5.000-10.000 per hari untuk akun dasar, dan limit yang jauh lebih tinggi untuk akun terverifikasi ID (jika ditawarkan). + +Saat membeli kartu hadiah secara daring, biasanya ada sedikit diskon. Kartu prabayar biasanya dijual secara daring dengan harga nominal atau dengan biaya. Jika Anda membeli kartu prabayar dan kartu hadiah dengan mata uang kripto, Anda sebaiknya memilih untuk membayar dengan Monero yang memberikan privasi yang kuat, lebih lanjut tentang hal ini di bawah ini. Membayar kartu hadiah dengan metode pembayaran yang dapat dilacak meniadakan manfaat yang dapat diberikan oleh kartu hadiah ketika dibeli dengan uang tunai atau Monero. + +- [Pasar Kartu Hadiah Daring :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Kartu Virtual + +Cara lain untuk melindungi informasi Anda dari penjual daring adalah dengan menggunakan kartu virtual sekali pakai yang menyembunyikan informasi perbankan atau penagihan Anda yang sebenarnya. Hal ini terutama berguna untuk melindungi Anda dari pelanggaran data penjual, pelacakan yang kurang canggih atau korelasi pembelian oleh agen pemasaran, dan pencurian data daring. Mereka **tidak** membantu Anda dalam melakukan pembelian sepenuhnya secara anonim, dan mereka juga tidak menyembunyikan informasi apa pun dari lembaga perbankan itu sendiri. Lembaga keuangan biasa yang menawarkan kartu virtual tunduk pada undang-undang "Kenali Nasabah Anda" (KYC), yang berarti mereka mungkin memerlukan ID Anda atau informasi identifikasi lainnya. + +- [Layanan Penyamaran Pembayaran yang Direkomendasikan :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +Ini cenderung menjadi pilihan yang baik untuk pembayaran berulang/langganan secara daring, sementara kartu hadiah prabayar lebih disukai untuk transaksi satu kali. + +## Mata Uang Kripto + +Mata uang kripto adalah bentuk mata uang digital yang dirancang untuk bekerja tanpa otoritas pusat seperti pemerintah atau bank. Meskipun *beberapa* proyek mata uang kripto memungkinkan Anda untuk melakukan transaksi pribadi secara daring, banyak yang menggunakan blockchain publik yang tidak memberikan privasi transaksi. Mata uang kripto juga cenderung merupakan aset yang sangat fluktuatif, artinya nilainya dapat berubah dengan cepat dan signifikan kapan saja. Oleh karena itu, kami umumnya tidak menyarankan penggunaan mata uang kripto sebagai penyimpan nilai jangka panjang. Jika Anda memutuskan untuk menggunakan mata uang kripto secara daring, pastikan Anda memiliki pemahaman penuh mengenai aspek privasinya terlebih dahulu, dan hanya menginvestasikan jumlah yang tidak akan menyebabkan kerugian besar. + +!!! danger + + Sebagian besar mata uang kripto beroperasi pada blockchain **publik**, yang berarti bahwa setiap transaksi diketahui oleh publik. Ini termasuk mata uang kripto yang paling terkenal seperti Bitcoin dan Ethereum. Transaksi dengan mata uang kripto ini tidak dapat dianggap sebagai transaksi pribadi dan tidak akan melindungi anonimitas Anda. + + Selain itu, banyak atau bahkan sebagian besar mata uang kripto adalah penipuan. Lakukan transaksi dengan hati-hati hanya dengan proyek yang Anda percayai. + +### Koin Privasi + +Ada sejumlah proyek mata uang kripto yang bertujuan untuk memberikan privasi dengan membuat transaksi menjadi anonim. Kami menyarankan untuk menggunakan salah satu yang menyediakan anonimitas transaksi **secara bawaan** untuk menghindari kesalahan operasional. + +- [Mata Uang Kripto yang Direkomendasikan :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Koin privasi telah menjadi sasaran pengawasan yang semakin meningkat oleh badan-badan pemerintah. Pada tahun 2020, [IRS menerbitkan bounty $625,000](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) untuk alat yang dapat memecahkan Jaringan Lightning Bitcoin dan/atau privasi transaksi Monero. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/id/advanced/tor-overview.md b/i18n/id/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/id/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/id/android.md b/i18n/id/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/id/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/id/assets/img/account-deletion/exposed_passwords.png b/i18n/id/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/id/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/id/assets/img/android/rss-apk-dark.png b/i18n/id/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/id/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/id/assets/img/android/rss-apk-light.png b/i18n/id/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/id/assets/img/android/rss-apk-light.png differ diff --git a/i18n/id/assets/img/android/rss-changes-dark.png b/i18n/id/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/id/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/id/assets/img/android/rss-changes-light.png b/i18n/id/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/id/assets/img/android/rss-changes-light.png differ diff --git a/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..303b8074 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Perangkat + + Anda + + + + Mengirim data ke situs web + + + + + Menerima data dari situs web + + + + + Perangkat + + Anda + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-encryption.svg b/i18n/id/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..9f924584 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Perangkat + + Anda + + + + Mengirim data ke situs web + + + + + Menerima data dari situs web + + + + + Perangkat + + Anda + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-path-dark.svg b/i18n/id/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..136f24d3 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Perangkat + Anda + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/id/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/id/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/how-tor-works/tor-path.svg b/i18n/id/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..9c1f0b99 --- /dev/null +++ b/i18n/id/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Perangkat + Anda + + + + Entri + + + + + Tengah + + + + + Keluar + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/id/assets/img/multi-factor-authentication/fido.png b/i18n/id/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/id/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/id/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/id/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/id/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/id/basics/account-creation.md b/i18n/id/basics/account-creation.md new file mode 100644 index 00000000..a303f86d --- /dev/null +++ b/i18n/id/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Pembuatan Akun" +icon: 'material/account-plus' +description: Membuat akun online bisa dibilang merupakan kebutuhan internet, lakukan langkah-langkah ini untuk memastikan Anda tetap privat. +--- + +Seringkali orang mendaftar untuk layanan tanpa berpikir. Mungkin itu adalah layanan streaming sehingga Anda dapat menonton acara baru yang dibicarakan semua orang, atau akun yang memberi Anda diskon untuk tempat makanan cepat saji favorit Anda. Apa pun masalahnya, Anda harus mempertimbangkan implikasi untuk data Anda sekarang dan di kemudian hari. + +Ada risiko yang terkait dengan setiap layanan baru yang Anda gunakan. Pelanggaran data; pengungkapan informasi pelanggan kepada pihak ketiga; karyawan nakal yang mengakses data; semuanya adalah kemungkinan yang harus dipertimbangkan ketika memberikan informasi Anda. Anda harus yakin bahwa Anda bisa mempercayai layanan ini, itulah sebabnya kami tidak menyarankan untuk menyimpan data berharga pada apa pun kecuali pada produk yang paling matang dan telah teruji. Hal ini biasanya berarti layanan yang menyediakan E2EE dan telah menjalani audit kriptografi. Audit meningkatkan jaminan bahwa produk dirancang tanpa masalah keamanan mencolok yang disebabkan oleh pengembang yang tidak berpengalaman. + +Mungkin juga sulit untuk menghapus akun pada beberapa layanan. Terkadang [menimpa data](account-deletion.md#overwriting-account-information) yang terkait dengan akun dapat dilakukan, tetapi dalam kasus lain layanan akan menyimpan seluruh riwayat perubahan pada akun. + +## Ketentuan Layanan & Kebijakan Privasi + +ToS adalah peraturan yang Anda setujui untuk diikuti saat menggunakan layanan. Pada layanan yang lebih besar aturan-aturan ini sering kali ditegakkan oleh sistem otomatis. Terkadang sistem otomatis ini bisa membuat kesalahan. Sebagai contoh, Anda mungkin diblokir atau dikunci dari akun Anda pada beberapa layanan karena menggunakan nomor VPN atau VOIP. Mengajukan banding atas larangan semacam itu sering kali sulit, dan melibatkan proses otomatis juga, yang tidak selalu berhasil. Ini akan menjadi salah satu alasan mengapa kami tidak menyarankan menggunakan Gmail untuk email sebagai contoh. Email sangat penting untuk akses ke layanan lain yang mungkin telah Anda daftarkan. + +Kebijakan Privasi adalah bagaimana layanan mengatakan bahwa mereka akan menggunakan data Anda dan perlu dibaca agar Anda memahami bagaimana data Anda akan digunakan. Perusahaan atau organisasi mungkin tidak diwajibkan secara hukum untuk mengikuti semua yang tercantum dalam kebijakan (tergantung pada yurisdiksi). Kami sarankan Anda mengetahui undang-undang setempat dan apa yang diizinkan oleh penyedia layanan untuk dikumpulkan. + +Sebaiknya cari istilah-istilah tertentu seperti "pengumpulan data", "analisis data", "cookie", "iklan", atau layanan "pihak ketiga". Kadang-kadang Anda dapat memilih untuk tidak ikut serta dalam pengumpulan data atau membagikan data Anda, tetapi yang terbaik adalah memilih layanan yang menghormati privasi Anda sejak awal. + +Ingatlah bahwa Anda juga menaruh kepercayaan pada perusahaan atau organisasi tersebut dan bahwa mereka akan mematuhi kebijakan privasi mereka sendiri. + +## Metode autentikasi + +Biasanya ada beberapa cara untuk mendaftar akun, masing-masing dengan kelebihan dan kekurangannya sendiri. + +### Email dan kata sandi + +Cara paling umum untuk membuat akun baru adalah dengan alamat email dan kata sandi. Saat menggunakan metode ini, Anda harus menggunakan pengelola kata sandi dan mengikuti [praktik terbaik](passwords-overview.md) mengenai kata sandi. + +!!! tip + + Anda juga dapat menggunakan pengelola kata sandi untuk mengatur metode autentikasi lainnya! Cukup tambahkan entri baru dan isi kolom yang sesuai, Anda bisa menambahkan catatan untuk hal-hal seperti pertanyaan keamanan atau kunci cadangan. + +Anda akan bertanggung jawab untuk mengelola kredensial login Anda. Untuk keamanan tambahan, Anda dapat mengatur [MFA](multi-factor-authentication.md) pada akun Anda. + +[Pengelola kata sandi yang direkomendasikan](../passwords.md ""){.md-button} + +#### Alias surel + +Jika Anda tidak ingin memberikan alamat surel asli Anda ke layanan, Anda memiliki opsi untuk menggunakan alias. Kami menjelaskannya secara lebih rinci di halaman rekomendasi layanan surel kami. Pada dasarnya, layanan alias memungkinkan Anda untuk membuat alamat surel baru yang meneruskan semua surel ke alamat utama Anda. Hal ini dapat membantu mencegah pelacakan di seluruh layanan dan membantu Anda mengelola surel pemasaran yang terkadang menyertai proses pendaftaran. Semua itu dapat disaring secara otomatis berdasarkan alias yang dikirim. + +Jika layanan diretas, Anda mungkin akan mulai menerima surel phishing atau spam ke alamat yang Anda gunakan untuk mendaftar. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Sistem masuk tunggal + +!!! catatan + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Kata sandi Anda tidak akan dibagikan tetapi beberapa informasi dasar akan (Anda dapat memeriksanya selama permintaan login). Proses ini diperlukan setiap kali Anda ingin masuk ke akun yang sama. + +Keuntungan utama adalah: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +Tetapi ada kelemahan: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Nomor telepon + +Kami sarankan untuk menghindari layanan yang memerlukan nomor telepon untuk mendaftar. Nomor telepon dapat menjadi identitas Anda di berbagai layanan dan tergantung pada perjanjian berbagi data, hal ini akan membuat penggunaan Anda lebih mudah dilacak, terutama jika salah satu layanan tersebut dibobol karena nomor telepon sering kali **tidak** dienkripsi. + +Anda harus menghindari memberikan nomor telepon asli Anda jika Anda bisa. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +Dalam banyak kasus, Anda perlu memberikan nomor yang dapat digunakan untuk menerima SMS atau telepon, terutama saat berbelanja internasional, untuk berjaga-jaga jika terjadi masalah dengan pesanan Anda saat pemeriksaan di perbatasan. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Nama pengguna dan kata sandi + +Beberapa layanan memungkinkan Anda untuk mendaftar tanpa menggunakan alamat email dan hanya mengharuskan Anda untuk mengatur nama pengguna dan kata sandi. Layanan ini dapat memberikan peningkatan anonimitas bila dikombinasikan dengan VPN atau Tor. Perlu diingat bahwa untuk akun-akun ini kemungkinan besar tidak akan ada **cara untuk memulihkan akun Anda** jika Anda lupa nama pengguna atau kata sandi Anda. diff --git a/i18n/id/basics/account-deletion.md b/i18n/id/basics/account-deletion.md new file mode 100644 index 00000000..ed8497e7 --- /dev/null +++ b/i18n/id/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Penghapusan Akun" +icon: 'material/account-remove' +description: Sangat mudah untuk mengumpulkan sejumlah besar akun internet, berikut ini beberapa tips tentang cara memangkas koleksi Anda. +--- + +Seiring waktu, mudah sekali untuk menumpuk sejumlah akun online, yang banyak di antaranya mungkin sudah tidak Anda gunakan lagi. Menghapus akun-akun yang tidak terpakai ini merupakan langkah penting untuk mendapatkan kembali privasi Anda, karena akun-akun yang tidak aktif rentan terhadap pelanggaran data. Pelanggaran data adalah ketika keamanan layanan terganggu dan informasi yang dilindungi dilihat, dikirim, atau dicuri oleh pihak yang tidak berwenang. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Menemukan Akun Lama + +### Pengelola Kata Sandi + +Jika Anda memiliki pengelola kata sandi yang telah Anda gunakan untuk seluruh kehidupan digital Anda, bagian ini akan sangat mudah. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Platform desktop juga sering kali memiliki pengelola kata sandi yang dapat membantu Anda memulihkan kata sandi yang Anda lupakan: + +- Windows [Manajer Kredensial](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Kata Sandi](https://support.apple.com/en-us/HT211145) +- iOS [Kata Sandi](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, yang dapat diakses melalui [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) atau [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +Jika Anda tidak menggunakan pengelola kata sandi di masa lalu atau Anda merasa memiliki akun yang tidak pernah ditambahkan ke pengelola kata sandi Anda, opsi lainnya adalah mencari akun email yang Anda yakini telah Anda daftarkan. Pada klien email Anda, cari kata kunci seperti "verifikasi" atau "selamat datang". Hampir setiap kali Anda membuat akun daring, layanan akan mengirim tautan verifikasi atau pesan pengantar ke email Anda. This can be a good way to find old, forgotten accounts. + +## Menghapus Akun Lama + +### Masuk + +Untuk menghapus akun lama Anda, Anda harus terlebih dahulu memastikan bahwa Anda dapat masuk ke akun tersebut. Sekali lagi, jika akun tersebut ada di dalam pengelola kata sandi Anda, langkah ini mudah dilakukan. Jika tidak, Anda dapat mencoba menebak kata sandi Anda. Jika gagal, biasanya ada opsi untuk mendapatkan kembali akses ke akun Anda, biasanya tersedia melalui tautan "lupa kata sandi" pada halaman login. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +Ketika mencoba untuk mendapatkan kembali akses, jika situs mengembalikan pesan kesalahan yang mengatakan bahwa email tidak terkait dengan akun, atau Anda tidak pernah menerima tautan reset setelah beberapa kali mencoba, maka Anda tidak memiliki akun di bawah alamat email itu dan harus mencoba yang lain. Jika Anda tidak dapat menemukan alamat email yang Anda gunakan, atau Anda tidak lagi memiliki akses ke email tersebut, Anda dapat mencoba menghubungi dukungan pelanggan layanan ini. Sayangnya, tidak ada jaminan bahwa Anda akan dapat memperoleh kembali akses ke akun Anda. + +### GDPR (hanya untuk penduduk EEA) + +Penduduk EEA memiliki hak tambahan terkait penghapusan data yang ditentukan dalam [Pasal 17](https://www.gdpr.org/regulation/article-17.html) GDPR. Jika itu berlaku untuk Anda, baca kebijakan privasi untuk setiap layanan yang diberikan untuk menemukan informasi tentang cara menggunakan hak Anda untuk menghapus. Membaca kebijakan privasi terbukti penting, karena beberapa layanan memiliki opsi "Hapus Akun" yang hanya menonaktifkan akun Anda dan untuk penghapusan yang sebenarnya Anda harus mengambil tindakan tambahan. Terkadang penghapusan yang sebenarnya mungkin melibatkan pengisian survei, mengirim email ke petugas perlindungan data layanan atau bahkan membuktikan tempat tinggal Anda di EEA. Jika Anda berencana untuk menggunakan cara ini,**jangan** menimpa informasi akun - identitas Anda sebagai penduduk EEA mungkin diperlukan. Perhatikan bahwa lokasi layanan tidak masalah; GDPR berlaku untuk siapa pun yang melayani pengguna Eropa. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +Dalam beberapa situasi di mana Anda berencana untuk meninggalkan sebuah akun, mungkin masuk akal untuk menimpa informasi akun dengan data palsu. Setelah Anda memastikan bahwa Anda dapat masuk, ubah semua informasi di akun Anda menjadi informasi yang dipalsukan. Alasannya adalah karena banyak situs akan menyimpan informasi yang sebelumnya Anda miliki bahkan setelah penghapusan akun. Harapannya adalah mereka akan menimpa informasi sebelumnya dengan data terbaru yang Anda masukkan. Namun, tidak ada jaminan bahwa tidak akan ada backup dengan informasi sebelumnya. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). Anda kemudian dapat menghapus alamat email alternatif Anda setelah Anda selesai. Kami menyarankan agar tidak menggunakan penyedia email sementara, karena seringkali dimungkinkan untuk mengaktifkan kembali email sementara. + +### Delete + +Anda dapat memeriksa [JustDeleteMe](https://justdeleteme.xyz) untuk petunjuk tentang cara menghapus akun untuk layanan tertentu. Beberapa situs akan dengan ramah memiliki opsi "Hapus Akun ", sementara yang lain akan memaksa Anda untuk berbicara dengan agen dukungan. Proses penghapusan dapat bervariasi dari satu situs ke situs lainnya, dan penghapusan akun tidak dapat dilakukan di beberapa situs. + +Untuk layanan yang tidak mengizinkan penghapusan akun, hal terbaik yang harus dilakukan adalah memalsukan semua informasi Anda seperti yang telah disebutkan sebelumnya dan memperkuat keamanan akun. Untuk melakukannya, aktifkan [MFA](multi-factor-authentication.md) dan fitur keamanan tambahan yang ditawarkan. Selain itu, ubah kata sandi menjadi kata sandi yang dibuat secara acak dengan ukuran maksimum yang diizinkan ([pengelola kata sandi](../passwords.md) dapat berguna untuk ini). + +Jika Anda merasa puas bahwa semua informasi yang Anda pedulikan telah dihapus, Anda dapat melupakan akun ini dengan aman. Jika tidak, sebaiknya simpan kredensial dengan kata sandi Anda yang lain dan sesekali login ulang untuk mengatur ulang kata sandi. + +Bahkan ketika Anda dapat menghapus akun, tidak ada jaminan bahwa semua informasi Anda akan dihapus. Bahkan, beberapa perusahaan diwajibkan oleh hukum untuk menyimpan informasi tertentu, terutama yang terkait dengan transaksi keuangan. Sebagian besar di luar kendali Anda atas apa yang terjadi pada data Anda ketika menyangkut situs web dan layanan cloud. + +## Hindari Akun Baru + +Seperti kata pepatah lama, "satu ons pencegahan sebanding dengan satu pon pengobatan." Kapan pun Anda merasa tergoda untuk mendaftar akun baru, tanyakan pada diri sendiri, "Apakah saya benar-benar membutuhkan ini? Dapatkah saya menyelesaikan apa yang saya butuhkan tanpa akun?" Menghapus akun sering kali lebih sulit daripada membuat akun. Dan bahkan setelah menghapus atau mengubah informasi di akun Anda, mungkin ada versi cache dari pihak ketiga-seperti [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/id/basics/common-misconceptions.md b/i18n/id/basics/common-misconceptions.md new file mode 100644 index 00000000..f94fcb33 --- /dev/null +++ b/i18n/id/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Kesalahpahaman Umum" +icon: 'material/robot-confused' +description: Privasi bukanlah topik yang mudah, dan mudah sekali terjebak dalam klaim pemasaran dan disinformasi lainnya. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + Kami banyak membicarakan tentang "pergeseran kepercayaan" saat membahas solusi seperti VPN (yang menggeser kepercayaan yang Anda tempatkan pada ISP Anda ke penyedia VPN). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Berfokus hanya pada kebijakan privasi dan pemasaran sebuah alat atau penyedia layanan bisa membutakan Anda terhadap kelemahannya. Ketika Anda mencari solusi yang lebih pribadi, Anda harus menentukan apa masalah yang mendasarinya dan menemukan solusi teknis untuk masalah tersebut. Sebagai contoh, Anda mungkin ingin menghindari Google Drive, yang memberikan akses ke semua data Anda kepada Google. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Beralih ke penyedia yang "berfokus pada privasi" (yang tidak menerapkan E2EE) tidak akan menyelesaikan masalah Anda: ini hanya mengalihkan kepercayaan dari Google ke penyedia tersebut. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + Kami sering melihat orang menggambarkan model ancaman privasi yang terlalu rumit. Sering kali, solusi ini mencakup masalah seperti banyak akun email yang berbeda atau pengaturan yang rumit dengan banyak bagian dan kondisi yang bergerak. The replies are usually answers to "What is the best way to do X?" + Menemukan solusi "terbaik" untuk diri Anda sendiri tidak selalu berarti Anda mencari solusi yang sempurna dengan lusinan kondisi—solusi ini sering kali sulit untuk diterapkan secara realistis. Seperti yang telah kami bahas sebelumnya, keamanan sering kali mengorbankan kenyamanan. +--- + +## "Perangkat lunak sumber terbuka selalu aman" atau "Perangkat lunak sumber tertutup lebih aman" + +Mitos-mitos ini berasal dari sejumlah prasangka, tetapi apakah kode sumber tersedia dan bagaimana perangkat lunak dilisensikan tidak secara inheren memengaruhi keamanannya dengan cara apa pun. ==Perangkat lunak sumber terbuka memiliki *potensi* untuk lebih aman daripada perangkat lunak sumber tertutup, tetapi sama sekali tidak ada jaminan bahwa hal ini benar adanya.== Ketika Anda mengevaluasi perangkat lunak, Anda harus melihat reputasi dan keamanan setiap alat secara individu. + +Perangkat lunak sumber terbuka *dapat* diaudit oleh pihak ketiga, dan sering kali lebih transparan mengenai potensi kerentanan daripada perangkat lunak sumber tertutup. Ini juga memungkinkan Anda untuk meninjau kode dan menonaktifkan fungsionalitas yang mencurigakan yang Anda temukan. Namun, *kecuali jika Anda melakukannya*, tidak ada jaminan bahwa kode pernah dievaluasi, terutama dengan proyek perangkat lunak yang lebih kecil. Proses pengembangan terbuka juga terkadang dieksploitasi untuk memperkenalkan kerentanan baru ke dalam proyek-proyek besar sekalipun.[^1] + +Di sisi lain, perangkat lunak sumber tertutup itu kurang transparan, tetapi bukan berarti tidak aman. Proyek-proyek perangkat lunak sumber tertutup utama dapat diaudit secara internal dan oleh lembaga pihak ketiga, dan para peneliti keamanan independen masih bisa menemukan kerentanan dengan teknik seperti rekayasa balik. + +Untuk menghindari keputusan yang memiliki bias, ini sangat *penting* bagi Anda untuk mengevaluasi standar privasi dan keamanan perangkat lunak yang Anda gunakan. + +## "Menggeser kepercayaan dapat meningkatkan privasi" + +Kami banyak membicarakan tentang "pergeseran kepercayaan" saat membahas solusi seperti VPN (yang menggeser kepercayaan yang Anda tempatkan pada ISP Anda ke penyedia VPN). Meskipun ini melindungi data penjelajahan Anda dari ISP Anda *secara khusus*, penyedia VPN yang Anda pilih masih memiliki akses ke data penjelajahan Anda: Data Anda tidak sepenuhnya aman dari semua pihak. Ini berarti bahwa: + +1. Anda harus berhati-hati saat memilih penyedia untuk mengalihkan kepercayaan. +2. Anda tetap harus menggunakan teknik lain, seperti E2EE, untuk melindungi data Anda sepenuhnya. Hanya dengan tidak mempercayai satu penyedia layanan untuk mempercayai penyedia layanan lainnya tidak akan mengamankan data Anda. + +## "Solusi yang berfokus pada privasi pada dasarnya dapat dipercaya" + +Berfokus hanya pada kebijakan privasi dan pemasaran sebuah alat atau penyedia layanan bisa membutakan Anda terhadap kelemahannya. Ketika Anda mencari solusi yang lebih pribadi, Anda harus menentukan apa masalah yang mendasarinya dan menemukan solusi teknis untuk masalah tersebut. Sebagai contoh, Anda mungkin ingin menghindari Google Drive, yang memberikan akses ke semua data Anda kepada Google. Masalah yang mendasari dalam kasus ini adalah kurangnya E2EE, jadi Anda harus memastikan bahwa penyedia yang Anda pilih benar-benar mengimplementasikan E2EE, atau menggunakan alat bantu (seperti [Cryptomator](../encryption.md#cryptomator-cloud)) yang menyediakan E2EE pada penyedia cloud mana pun. Beralih ke penyedia yang "berfokus pada privasi" (yang tidak menerapkan E2EE) tidak akan menyelesaikan masalah Anda: ini hanya mengalihkan kepercayaan dari Google ke penyedia tersebut. + +Kebijakan privasi dan praktik bisnis penyedia yang Anda pilih sangat penting, tetapi harus dianggap nomor dua setelah jaminan teknis privasi Anda: Anda seharusnya tidak boleh mengalihkan kepercayaan ke penyedia lain ketika mempercayai penyedia sama sekali tidak menjadi persyaratan. + +## "Rumit itu lebih baik" + +Kami sering melihat orang menggambarkan model ancaman privasi yang terlalu rumit. Sering kali, solusi ini mencakup masalah seperti banyak akun email yang berbeda atau pengaturan yang rumit dengan banyak bagian dan kondisi yang bergerak. Balasan biasanya berupa jawaban atas pertanyaan "Apa cara terbaik untuk melakukan *X*?" + +Menemukan solusi "terbaik" untuk diri Anda sendiri tidak selalu berarti Anda mencari solusi yang sempurna dengan lusinan kondisi—solusi ini sering kali sulit untuk diterapkan secara realistis. Seperti yang telah kami bahas sebelumnya, keamanan sering kali mengorbankan kenyamanan. Di bawah ini, kami memberikan beberapa kiat: + +1. ==Tindakan harus memiliki tujuan tertentu:== Pikirkan tentang cara melakukan apa yang Anda inginkan dengan tindakan yang paling sedikit. +2. ==Menghilangkan titik-titik kegagalan manusia:== Kita gagal, lelah, dan melupakan hal-hal. Untuk menjaga keamanan, hindari mengandalkan kondisi dan proses manual yang harus Anda ingat. +3. ==Gunakan tingkat perlindungan yang tepat untuk apa yang Anda inginkan.== Kami sering melihat rekomendasi yang disebut sebagai solusi penegakan hukum atau solusi antisomasi. Hal ini sering kali membutuhkan pengetahuan khusus dan umumnya tidak sesuai dengan keinginan banyak orang. Tidak ada gunanya membangun model ancaman yang rumit untuk anonimitas jika Anda dapat dengan mudah dibocorkan identitasnya hanya karena sebuah kesalahan. + +Jadi, bagaimana ini terlihat? + +Salah satu model ancaman yang paling jelas adalah model di mana orang *tahu siapa Anda* dan model di mana mereka tidak tahu. Di situ akan selalu ada situasi di mana Anda harus menyatakan nama resmi Anda dan ada situasi lain di mana Anda tidak perlu melakukannya. + +1. **Identitas yang diketahui** - Identitas yang diketahui digunakan untuk hal-hal yang mengharuskan Anda untuk menyatakan nama Anda. Ada banyak dokumen hukum dan kontrak yang memerlukan identitas hukum. Hal ini dapat berkisar dari membuka rekening bank, menandatangani sewa properti, mendapatkan paspor, deklarasi bea cukai saat mengimpor barang, atau berurusan dengan pemerintah Anda. Hal-hal ini biasanya akan mengarah pada kredensial seperti kartu kredit, pemeriksaan peringkat kredit, nomor rekening, dan mungkin alamat fisik. + + Kami tidak menyarankan menggunakan VPN atau Tor untuk hal-hal ini, karena identitas Anda sudah diketahui melalui cara lain. + + !!! tip + + Saat berbelanja secara daring, penggunaan [loker paket] (https://en.wikipedia.org/wiki/Parcel_locker) dapat membantu menjaga kerahasiaan alamat fisik Anda. + +2. **Identitas tidak dikenal** - Identitas yang tidak dikenal dapat berupa nama samaran yang stabil yang sering Anda gunakan. Ini tidak anonim karena tidak berubah. Jika Anda adalah bagian dari komunitas daring, Anda mungkin ingin mempertahankan persona yang dikenal orang lain. Nama samaran ini tidak anonim karena—jika dipantau cukup lama—rincian tentang pemiliknya dapat mengungkapkan informasi lebih lanjut, seperti cara mereka menulis, pengetahuan umum mereka tentang topik yang diminati, dll. + + Anda mungkin ingin menggunakan VPN untuk hal ini, untuk menyembunyikan alamat IP Anda. Transaksi keuangan lebih sulit untuk disamarkan: Anda dapat mempertimbangkan untuk menggunakan mata uang kripto anonim, seperti [Monero](https://www.getmonero.org/). Menggunakan pengalihan altcoin juga dapat membantu menyamarkan dari mana mata uang Anda berasal. Biasanya, bursa memerlukan KYC (kenali pelanggan Anda) untuk diselesaikan sebelum mereka mengizinkan Anda menukar mata uang fiat ke mata uang kripto apa pun. Opsi pertemuan lokal juga dapat menjadi solusi; namun, biasanya lebih mahal dan terkadang juga memerlukan KYC. + +3. **Identitas anonim** - Bahkan dengan pengalaman, identitas anonim sulit untuk dipertahankan dalam jangka waktu yang lama. Identitas tersebut haruslah identitas jangka pendek dan berumur pendek yang dirotasi secara teratur. + + Menggunakan Tor dapat membantu dalam hal ini. Perlu juga dicatat bahwa anonimitas yang lebih baik dimungkinkan melalui komunikasi asinkron: Komunikasi waktu nyata rentan terhadap analisis pola pengetikan (misalnya lebih dari satu paragraf teks, didistribusikan di forum, melalui surel, dll.) + +[^1]: Salah satu contoh penting dari hal ini adalah [insiden pada 2021 di mana para peneliti Universitas Minnesota memperkenalkan tiga kerentanan ke dalam proyek pengembangan kernel Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/id/basics/common-threats.md b/i18n/id/basics/common-threats.md new file mode 100644 index 00000000..da762a09 --- /dev/null +++ b/i18n/id/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Ancaman Umum" +icon: 'material/eye-outline' +description: Model ancaman Anda bersifat pribadi bagi Anda, tetapi ini adalah beberapa hal yang dipedulikan oleh banyak pengunjung situs ini. +--- + +Secara garis besar, kami mengkategorikan rekomendasi kami ke dalam [ancaman](threat-modeling.md) atau tujuan yang berlaku untuk kebanyakan orang. ==Anda mungkin tidak peduli dengan tidak ada, satu, beberapa, atau semua kemungkinan ini==, dan alat dan layanan yang Anda gunakan tergantung pada tujuan Anda. Anda mungkin juga memiliki ancaman khusus di luar kategori ini, dan itu tidak masalah! Bagian yang penting adalah mengembangkan pemahaman tentang manfaat dan kekurangan alat yang Anda pilih untuk digunakan, karena hampir tidak ada satu pun yang akan melindungi Anda dari setiap ancaman. + +- :material-incognito: Anonimitas - Melindungi aktivitas daring Anda dari identitas asli Anda, melindungi Anda dari orang-orang yang mencoba mengungkap identitas *Anda* secara khusus. +- :material-target-account: Serangan yang Ditargetkan - Terlindungi dari peretas atau aktor jahat lainnya yang mencoba untuk mendapatkan akses ke data atau perangkat *Anda* secara khusus. +- :material-bug-outline: Serangan Pasif - Terlindungi dari hal-hal seperti malware, pembobolan data, dan serangan lain yang dilakukan terhadap banyak orang sekaligus. +- :material-server-network: Penyedia Layanan - Melindungi data Anda dari penyedia layanan (misalnya dengan E2EE, yang membuat data Anda tidak dapat dibaca oleh server). +- :material-eye-outline: Pengawasan Massal - Perlindungan dari lembaga, organisasi, situs web, dan layanan pemerintah yang bekerja sama untuk melacak aktivitas Anda. +- :material-account-cash: Kapitalisme Pengawasan - Melindungi diri Anda dari jaringan periklanan besar, seperti Google dan Facebook, serta segudang pengumpul data pihak ketiga lainnya. +- :material-account-search: Paparan Publik - Membatasi informasi tentang Anda yang dapat diakses secara daring—pada mesin pencari atau masyarakat umum. +- :material-close-outline: Penyensoran - Menghindari akses yang disensor terhadap informasi atau disensor ketika berbicara secara daring. + +Beberapa ancaman ini mungkin lebih penting bagi Anda daripada yang lain, tergantung pada kekhawatiran Anda. Sebagai contoh, seorang pengembang perangkat lunak yang memiliki akses ke data yang berharga atau penting mungkin sangat peduli dengan :material-target-account: Serangan Bertarget, tetapi mereka mungkin masih ingin melindungi data pribadi mereka agar tidak terseret ke dalam program :material-eye-outline: Pengawasan Massal. Demikian pula, banyak orang mungkin lebih peduli dengan :material-account-search: Paparan Publik pada data pribadi mereka, tetapi mereka tetap harus waspada terhadap masalah yang berfokus pada keamanan, seperti :material-bug-outline: Serangan Pasif—seperti perangkat lunak jahat yang memengaruhi perangkat mereka. + +## Anonimitas vs. Privasi + +:material-incognito: Anonimitas + +Anonimitas sering disalahartikan sebagai privasi, tetapi keduanya merupakan konsep yang berbeda. Sementara privasi adalah serangkaian pilihan yang Anda buat tentang bagaimana data Anda digunakan dan dibagikan, anonimitas adalah pemisahan aktivitas daring Anda dari identitas asli Anda. + +Pelapor dan jurnalis, misalnya, dapat memiliki model ancaman yang jauh lebih ekstrem yang membutuhkan anonimitas total. Hal itu tidak hanya menyembunyikan apa yang mereka lakukan, data apa yang mereka miliki, dan tidak diretas oleh pihak-pihak jahat atau pemerintah, tetapi juga menyembunyikan siapa mereka sepenuhnya. Mereka sering kali akan mengorbankan segala jenis kenyamanan jika itu berarti melindungi anonimitas, privasi, atau keamanan mereka, karena hidup mereka dapat bergantung pada hal tersebut. Kebanyakan orang tidak perlu melangkah terlalu jauh. + +## Keamanan dan Privasi + +:material-bug-outline: Serangan Pasif + +Keamanan dan privasi juga sering tertukar, karena Anda membutuhkan keamanan untuk mendapatkan kemiripan dengan privasi: Menggunakan alat—bahkan jika alat itu dirancang untuk—tidak ada gunanya jika alat itu dapat dengan mudah dieksploitasi oleh penyerang yang kemudian merilis data Anda. Namun, kebalikannya belum tentu benar: Layanan yang paling aman di dunia *belum tentu* pribadi. Contoh terbaik dari hal ini adalah mempercayakan data kepada Google yang, mengingat skalanya, hanya mengalami sedikit insiden keamanan dengan mempekerjakan pakar keamanan terkemuka di industri untuk mengamankan infrastruktur mereka. Meskipun Google menyediakan layanan yang sangat aman, hanya sedikit orang yang menganggap data mereka pribadi di produk konsumen gratis Google (Gmail, YouTube, dll.) + +Dalam hal keamanan aplikasi, umumnya kami tidak (dan terkadang tidak bisa) mengetahui apakah perangkat lunak yang kita gunakan berbahaya, atau suatu hari nanti bisa menjadi berbahaya. Bahkan pada pengembang yang paling tepercaya sekalipun, pada umumnya tidak ada jaminan bahwa perangkat lunak mereka tidak memiliki kerentanan serius yang nantinya dapat dieksploitasi. + +Untuk meminimalkan kerusakan *yang dapat* dilakukan oleh perangkat lunak berbahaya, Anda harus menggunakan keamanan dengan kompartementalisasi. Sebagai contoh, hal ini dapat berupa penggunaan komputer yang berbeda untuk pekerjaan yang berbeda, menggunakan mesin virtual untuk memisahkan berbagai kelompok aplikasi yang terkait, atau menggunakan sistem operasi yang aman dengan fokus yang kuat pada kotak pasir aplikasi dan kontrol akses yang wajib. + +!!! tip + + Sistem operasi seluler umumnya memiliki kotak pasir aplikasi yang lebih baik daripada sistem operasi desktop: Aplikasi tidak dapat memperoleh akses akar, dan memerlukan izin untuk mengakses sumber daya sistem. + + Sistem operasi desktop umumnya tertinggal dalam hal kotak pasir yang tepat. ChromeOS memiliki kemampuan kotak pasir yang mirip dengan Android, dan macOS memiliki kontrol izin sistem penuh (dan pengembang dapat memilih untuk ikut serta dalam kotak pasir untuk aplikasi). Namun demikian, sistem operasi ini mengirimkan informasi identifikasi ke OEM masing-masing. Linux cenderung tidak menyerahkan informasi kepada vendor sistem, tetapi memiliki perlindungan yang buruk terhadap eksploitasi dan aplikasi jahat. Hal ini dapat dikurangi dengan distribusi khusus yang memanfaatkan mesin virtual atau kontainer secara signifikan, seperti [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Serangan Bertarget + +Serangan yang ditargetkan terhadap orang tertentu akan lebih sulit ditangani. Serangan yang umum terjadi termasuk mengirim dokumen berbahaya melalui surel, mengeksploitasi kerentanan (misalnya pada peramban dan sistem operasi), dan serangan fisik. Jika hal ini menjadi perhatian Anda, Anda harus menggunakan strategi mitigasi ancaman yang lebih canggih. + +!!! tip + + Secara rancangan, **peramban web**, **klien surel**, dan **aplikasi perkantoran** biasanya menjalankan kode yang tidak dipercaya, yang dikirimkan kepada Anda dari pihak ketiga. Menjalankan beberapa mesin virtual—untuk memisahkan aplikasi seperti ini dari sistem hos Anda, dan juga satu sama lain—adalah salah satu teknik yang bisa Anda gunakan untuk mengurangi kemungkinan eksploitasi pada aplikasi-aplikasi ini yang mengorbankan sistem Anda yang lain. Sebagai contoh, teknologi seperti Qubes OS atau Microsoft Defender Application Guard pada Windows menyediakan metode yang nyaman untuk melakukan hal ini. + +Jika Anda khawatir tentang **serangan fisik** Anda harus menggunakan sistem operasi dengan implementasi boot terverifikasi yang aman, seperti Android, iOS, macOS, atau [Windows (dengan TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). Anda juga harus memastikan bahwa penyimpanan Anda dienkripsi, dan bahwa sistem operasi menggunakan TPM atau Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) atau [Element](https://developers.google.com/android/security/android-ready-se) untuk menilai batas upaya memasukkan frasa sandi enkripsi. Anda sebaiknya menghindari berbagi komputer dengan orang yang tidak Anda percayai, karena sebagian besar sistem operasi desktop tidak mengenkripsi data secara terpisah per pengguna. + +## Privasi Dari Penyedia Layanan + +:material-server-network: Penyedia Layanan + +Kita hidup di dunia di mana hampir semua hal terhubung ke internet. Pesan, surel, dan interaksi sosial "pribadi" kita biasanya disimpan di sebuah server, di suatu tempat. Umumnya, ketika Anda mengirim pesan kepada seseorang, pesan tersebut disimpan di server, dan ketika teman Anda ingin membaca pesan tersebut, server akan menampilkannya kepada mereka. + +Masalah yang jelas dengan hal ini adalah penyedia layanan (atau peretas yang telah membobol server) dapat mengakses percakapan Anda kapan pun dan bagaimanapun mereka inginkan, tanpa Anda ketahui. Hal ini berlaku untuk banyak layanan umum, seperti pesan SMS, Telegram, dan Discord. + +Untungnya, E2EE dapat mengatasi masalah ini dengan mengenkripsi komunikasi antara Anda dan penerima yang Anda inginkan bahkan sebelum dikirim ke server. Kerahasiaan pesan Anda dijamin, dengan asumsi penyedia layanan tidak memiliki akses ke kunci pribadi salah satu pihak. + +!!! note "Catatan Tentang Enkripsi Berbasis Web" + + Dalam praktiknya, efektivitas implementasi E2EE yang berbeda bervariasi. Aplikasi, seperti [Signal](../real-time-communication.md#signal), berjalan secara asli pada perangkat Anda, dan setiap salinan aplikasi sama pada instalasi yang berbeda. Jika penyedia layanan memperkenalkan sebuah [pintu belakang](https://id.wikipedia.org/wiki/Pintu_belakang_(komputer)) dalam aplikasi mereka—dalam upaya untuk mencuri kunci pribadi Anda—nantinya dapat dideteksi dengan [rekayasa balik] (https://id.wikipedia.org/wiki/Rekayasa_balik). + + Di sisi lain, implementasi E2EE berbasis web, seperti surel web Proton Mail atau *Web Vault* dari Bitwarden, bergantung pada server yang secara dinamis menyajikan kode JavaScript ke peramban untuk menangani kriptografi. Sebuah server jahat dapat menargetkan Anda dan mengirimkan kode JavaScript berbahaya untuk mencuri kunci enkripsi Anda (dan akan sangat sulit untuk diketahui). Karena server dapat memilih untuk melayani klien web yang berbeda untuk orang yang berbeda—bahkan jika Anda menyadari serangan itu—akan sangat sulit untuk membuktikan kesalahan penyedia. + + Oleh karena itu, Anda seharusnya menggunakan aplikasi asli daripada klien web bila memungkinkan. + +Bahkan dengan E2EE, penyedia layanan masih bisa membuat profil Anda berdasarkan **metadata**, yang biasanya tidak dilindungi. Meskipun penyedia layanan tidak dapat membaca pesan Anda, mereka masih dapat mengamati hal-hal penting, seperti siapa yang Anda ajak bicara, seberapa sering Anda mengirim pesan kepada mereka, dan kapan Anda biasanya aktif. Perlindungan metadata cukup jarang dilakukan, dan—jika ada dalam [model ancaman](threat-modeling.md)—Anda harus memperhatikan dengan seksama dokumentasi teknis perangkat lunak yang Anda gunakan untuk mengetahui apakah ada minimalisasi atau perlindungan metadata sama sekali. + +## Program Pengawasan Massal + +:material-eye-outline: Pengawasan Massal + +Pengawasan massal adalah upaya yang rumit untuk memantau "perilaku, berbagai aktivitas, atau informasi" dari seluruh (atau sebagian besar) populasi.[^1] Hal ini sering merujuk pada program pemerintah, seperti yang [diungkapkan oleh Edward Snowden pada tahun 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). Namun, hal ini juga dapat dilakukan oleh perusahaan, baik atas nama lembaga pemerintah maupun atas inisiatif sendiri. + +!!! abstract "Atlas Pengawasan" + + Jika Anda ingin mempelajari lebih lanjut tentang metode pengawasan dan bagaimana metode tersebut diterapkan di kota Anda, Anda juga dapat melihat [Atlas Pengawasan (Atlas of Surveillance)](https://atlasofsurveillance.org/) oleh [Electronic Frontier Foundation](https://www.eff.org/). + + Di Prancis, Anda dapat melihat [situs web Technolopolice] (https://technopolice.fr/villes/) yang dikelola oleh asosiasi nirlaba La Quadrature du Net. + +Pemerintah sering kali membenarkan program pengawasan massal sebagai cara yang diperlukan untuk memerangi terorisme dan mencegah kejahatan. Namun, melanggar hak asasi manusia, hal ini paling sering digunakan untuk menargetkan kelompok minoritas dan pembangkang politik secara tidak proporsional. + +!!! quote "ACLU: [*Pelajaran Privasi dari Peristiwa 9/11: Pengawasan Massal Bukanlah Jalan ke Depan*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Dalam menghadapi [pengungkapan Edward Snowden tentang program-program pemerintah seperti [PRISM](https://en.wikipedia.org/wiki/PRISM) dan [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], para pejabat intelijen juga mengakui bahwa NSA selama bertahun-tahun secara diam-diam telah mengumpulkan catatan tentang hampir semua panggilan telepon setiap orang Amerika—siapa yang menelepon siapa, kapan panggilan itu dilakukan, dan berapa lama panggilan itu berlangsung. Informasi semacam ini, ketika dikumpulkan oleh NSA dari hari ke hari, dapat mengungkapkan detail yang sangat sensitif tentang kehidupan dan pergaulan seseorang, seperti apakah mereka pernah menelepon pendeta, penyedia layanan aborsi, konselor kecanduan, atau bantuan pencegahan bunuh diri. + +Meskipun pengawasan massal semakin meningkat di Amerika Serikat, pemerintah telah menemukan bahwa program pengawasan massal seperti Bagian 215 hanya memiliki "sedikit nilai unik" dalam hal menghentikan kejahatan aktual atau plot teroris, dengan upaya-upaya yang sebagian besar menduplikasi program pengawasan yang ditargetkan oleh FBI.[^2] + +Secara daring, Anda dapat dilacak melalui berbagai metode: + +- Alamat IP Anda +- Kuki peramban +- Data yang Anda kirimkan ke situs web +- Sidik jari peramban atau perangkat Anda +- Korelasi metode pembayaran + +\[Daftar ini tidak lengkap]. + +Jika Anda khawatir dengan program pengawasan massal, Anda bisa menggunakan strategi seperti membagi identitas daring Anda, berbaur dengan pengguna lain, atau, jika memungkinkan, hindari memberikan informasi identitas. + +:material-account-cash: Kapitalisme Pengawasan + +> Kapitalisme pengawasan adalah sistem ekonomi yang berpusat di sekitar penangkapan dan komodifikasi data pribadi untuk tujuan utama mencari keuntungan.[^3] + +Bagi banyak orang, pelacakan dan pengawasan oleh perusahaan swasta merupakan masalah yang terus meningkat. Jaringan iklan yang tersebar luas, seperti yang dioperasikan oleh Google dan Facebook, menjangkau internet jauh lebih dari sekadar situs yang mereka kendalikan, melacak tindakan Anda di sepanjang jalan. Menggunakan alat seperti pemblokir konten untuk membatasi permintaan jaringan ke server mereka, dan membaca kebijakan privasi layanan yang Anda gunakan bisa membantu Anda menghindari banyak musuh dasar (meskipun tidak bisa sepenuhnya mencegah pelacakan).[^4] + +Selain itu, bahkan perusahaan di luar *AdTech* atau industri pelacakan dapat membagikan informasi Anda dengan [pialang data](https://en.wikipedia.org/wiki/Information_broker) (seperti Cambridge Analytica, Experian, atau Datalogix) atau pihak lain. Anda tidak bisa secara otomatis berasumsi bahwa data Anda aman hanya karena layanan yang Anda gunakan tidak termasuk dalam model bisnis AdTech atau pelacakan pada umumnya. Perlindungan terkuat terhadap pengumpulan data perusahaan adalah dengan mengenkripsi atau mengaburkan data Anda jika memungkinkan, sehingga menyulitkan penyedia layanan yang berbeda untuk menghubungkan data satu sama lain dan membuat profil Anda. + +## Membatasi Informasi Publik + +:material-account-search: Paparan Publik + +Cara terbaik untuk menjaga data Anda tetap pribadi adalah dengan tidak mempublikasikannya sejak awal. Menghapus informasi yang tidak diinginkan yang Anda temukan tentang diri Anda secara daring adalah salah satu langkah pertama terbaik yang dapat Anda lakukan untuk mendapatkan kembali privasi Anda. + +- [Lihat panduan kami tentang penghapusan akun :material-arrow-right-drop-circle:](account-deletion.md) + +Di situs-situs di mana Anda berbagi informasi, memeriksa pengaturan privasi akun Anda untuk membatasi seberapa luas data tersebut disebarkan sangatlah penting. Misalnya, aktifkan "mode pribadi" pada akun Anda jika diberi opsi: Hal ini akan memastikan bahwa akun Anda tidak diindeks oleh mesin pencari, dan tidak dapat dilihat tanpa izin Anda. + +Jika Anda telah mengirimkan informasi asli Anda ke situs-situs yang seharusnya tidak memilikinya, pertimbangkan untuk menggunakan taktik disinformasi, seperti mengirimkan informasi fiktif yang terkait dengan identitas daring tersebut. Hal ini membuat informasi asli Anda tidak dapat dibedakan dari informasi palsu. + +## Menghindari Penyensoran + +:material-close-outline: Penyensoran + +Penyensoran secara daring bisa dilakukan (dalam berbagai tingkatan) oleh berbagai pihak, termasuk pemerintah totaliter, administrator jaringan, dan penyedia layanan. Upaya-upaya untuk mengendalikan komunikasi dan membatasi akses terhadap informasi akan selalu tidak sesuai dengan hak asasi manusia atas Kebebasan Berekspresi.[^5] + +Penyensoran pada platform perusahaan semakin umum terjadi, karena platform seperti Twitter dan Facebook menyerah pada permintaan publik, tekanan pasar, dan tekanan dari lembaga pemerintah. Tekanan pemerintah dapat berupa permintaan terselubung kepada bisnis, seperti Gedung Putih [yang meminta penghapusan](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) video YouTube yang provokatif, atau secara terang-terangan, seperti pemerintah Cina yang mewajibkan perusahaan untuk mematuhi rezim sensor yang ketat. + +Orang-orang yang khawatir dengan ancaman penyensoran dapat menggunakan teknologi seperti [Tor](../advanced/tor-overview.md) untuk mengelakkannya, dan mendukung platform komunikasi yang tahan sensor seperti [Matrix](../real-time-communication.md#element), yang tidak memiliki otoritas akun terpusat yang dapat menutup akun secara sewenang-wenang. + +!!! tip + + Meskipun menghindari penyensoran itu sendiri bisa jadi mudah, menyembunyikan fakta bahwa Anda melakukannya bisa jadi sangat bermasalah. + + Anda harus mempertimbangkan aspek mana dari jaringan yang dapat diamati oleh musuh Anda, dan apakah Anda memiliki penyangkalan yang masuk akal atas tindakan Anda. Sebagai contoh, menggunakan [DNS terenkripsi](../advanced/dns-overview.md#what-is-encrypted-dns) bisa membantu Anda melalui sistem sensor berbasis DNS yang belum sempurna, tetapi tidak bisa menyembunyikan apa yang Anda kunjungi dari ISP Anda. Sebuah VPN atau Tor bisa membantu menyembunyikan apa yang Anda kunjungi dari administrator jaringan, tetapi tidak bisa menyembunyikan kalau Anda menggunakan jaringan tersebut sejak awal. Transport yang dapat dicolokkan (seperti Obfs4proxy, Meek, atau Shadowsocks) dapat membantu Anda menghindari dinding api yang memblokir protokol VPN umum atau Tor, tetapi upaya pengelabuan Anda masih bisa dideteksi dengan metode seperti pengujian atau [inspeksi paket dalam](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +Anda harus selalu mempertimbangkan risiko mencoba menerobos sensor, konsekuensi potensial, dan seberapa canggih musuh Anda. Anda harus berhati-hati dalam memilih perangkat lunak, dan memiliki rencana cadangan untuk berjaga-jaga seandainya Anda ketahuan. + +[^1]: Wikipedia: [*Pengawasan Massal*](https://en.wikipedia.org/wiki/Mass_surveillance) dan [*Pengawasan*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: Badan Pengawasan Privasi dan Kebebasan Sipil Amerika Serikat: [*Laporan tentang Program Rekaman Telepon yang Dilakukan berdasarkan Pasal 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Kapitalisme pengawasan*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Mencatat keburukan](https://www.ranum.com/security/computer_security/editorials/dumb/)" (atau, "membuat daftar semua hal buruk yang kita ketahui"), seperti yang dilakukan banyak pemblokir iklan dan program antivirus, tidak cukup melindungi Anda dari ancaman baru dan tidak dikenal karena ancaman tersebut belum ditambahkan ke daftar saringan. Anda juga harus menggunakan teknik mitigasi lainnya. +[^5]: Perserikatan Bangsa-Bangsa: [*Deklarasi Universal Hak Asasi Manusia*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/id/basics/email-security.md b/i18n/id/basics/email-security.md new file mode 100644 index 00000000..bf289179 --- /dev/null +++ b/i18n/id/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Keamanan Email +icon: material/email +description: Email pada dasarnya tidak aman dalam banyak hal, dan ini adalah beberapa alasan mengapa email bukanlah pilihan utama kami untuk komunikasi yang aman. +--- + +Email adalah bentuk komunikasi yang tidak aman secara default. Anda bisa meningkatkan keamanan email Anda dengan alat seperti OpenPGP, yang menambahkan Enkripsi End-to-End pada pesan Anda, tetapi OpenPGP masih memiliki sejumlah kekurangan dibandingkan dengan enkripsi pada aplikasi perpesanan lainnya, dan beberapa data email tidak pernah bisa dienkripsi secara inheren karena bagaimana email dirancang. + +Akibatnya, email paling baik digunakan untuk menerima email transaksional (seperti pemberitahuan, email verifikasi, pengaturan ulang kata sandi, dll.) dari layanan yang Anda daftarkan secara online, bukan untuk berkomunikasi dengan orang lain. + +## Email Encryption Overview + +Cara standar untuk menambahkan E2EE ke email antara penyedia email yang berbeda adalah dengan menggunakan OpenPGP. Ada beberapa implementasi yang berbeda dari standar OpenPGP, yang paling umum adalah [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) dan [OpenPGP.js](https://openpgpjs.org). + +Ada standar lain yang populer di kalangan bisnis yang disebut [S/MIME](https://en.wikipedia.org/wiki/S/MIME), namun standar ini membutuhkan sertifikat yang dikeluarkan dari [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (tidak semua dari mereka mengeluarkan sertifikat S/MIME). Ini memiliki dukungan di [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) dan [Outlook untuk Web atau Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Bahkan jika Anda menggunakan OpenPGP, ia tidak mendukung kerahasiaan [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), yang berarti jika kunci privat Anda atau penerima dicuri, semua pesan sebelumnya yang dienkripsi dengan kunci tersebut akan terekspos. Inilah sebabnya mengapa kami merekomendasikan [instant messenger](../real-time-communication.md) yang menerapkan kerahasiaan ke depan melalui email untuk komunikasi orang-ke-orang bila memungkinkan. + +### Klien Email Apa yang Mendukung E2EE? + +Penyedia email yang memungkinkan Anda menggunakan protokol akses standar seperti IMAP dan SMTP dapat digunakan dengan salah satu klien email [yang kami rekomendasikan](../email-clients.md). Tergantung pada metode otentikasi, ini dapat menyebabkan penurunan keamanan jika baik penyedia atau klien email tidak mendukung SUMPAH atau aplikasi jembatan sebagai [otentikasi multi-faktor](multi-factor-authentication.md) tidak mungkin dengan otentikasi kata sandi biasa. + +### Bagaimana Cara Melindungi Kunci Pribadi Saya? + +Smartcard (seperti [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) atau [Nitrokey](https://www.nitrokey.com)) bekerja dengan menerima pesan email terenkripsi dari perangkat (ponsel, tablet, komputer, dll) yang menjalankan klien email/webmail. Pesan tersebut kemudian didekripsi oleh smartcard dan konten yang telah didekripsi dikirim kembali ke perangkat. + +Hal ini menguntungkan untuk dekripsi terjadi pada smartcard sehingga untuk menghindari kemungkinan mengekspos kunci pribadi Anda ke perangkat dikompromikan. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. Ada juga sejumlah header tersembunyi yang disertakan oleh banyak klien dan penyedia email yang dapat mengungkapkan informasi tentang akun Anda. + +Perangkat lunak klien dapat menggunakan metadata email untuk menunjukkan dari siapa pesan itu berasal dan jam berapa diterima. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Siapa yang Dapat Melihat Metadata Email? + +Metadata email dilindungi dari pengamat luar dengan [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) melindunginya dari pengamat luar, tetapi masih dapat dilihat oleh perangkat lunak klien email Anda (atau webmail) dan server mana pun yang meneruskan pesan dari Anda ke penerima mana pun, termasuk penyedia email Anda. Terkadang server email juga akan menggunakan layanan pihak ketiga untuk melindungi dari spam, yang umumnya juga memiliki akses ke pesan Anda. + +### Mengapa Metadata tidak bisa menjadi E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE pada awalnya tidak dibangun ke dalam protokol email, melainkan membutuhkan perangkat lunak tambahan seperti OpenPGP. Karena pesan OpenPGP masih harus bekerja dengan penyedia email tradisional, ia tidak dapat mengenkripsi metadata email, hanya isi pesan itu sendiri. Itu berarti bahwa bahkan ketika menggunakan OpenPGP, pengamat luar dapat melihat banyak informasi tentang pesan Anda, seperti siapa yang Anda kirimi email, baris subjek, ketika Anda mengirim email, dll. diff --git a/i18n/id/basics/multi-factor-authentication.md b/i18n/id/basics/multi-factor-authentication.md new file mode 100644 index 00000000..f095a00f --- /dev/null +++ b/i18n/id/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Autentikasi Multifaktor" +icon: 'material/two-factor-authentication' +description: MFA adalah mekanisme keamanan penting untuk mengamankan akun online Anda, tetapi beberapa metode lebih kuat daripada yang lain. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. Metode yang paling umum adalah kode terbatas waktu yang mungkin Anda terima dari SMS atau aplikasi. + +Biasanya, jika seorang peretas (atau musuh) dapat mengetahui kata sandi Anda, maka mereka akan mendapatkan akses ke akun milik kata sandi tersebut. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. Jika orang yang tidak berwenang mendapatkan akses ke email Anda, mereka akan dapat menggunakan akses tersebut untuk mengatur ulang kata sandi dan menerima kode autentikasi, sehingga memberikan akses penuh ke akun Anda. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Menginstal aplikasi mungkin juga mengharuskan Anda untuk menerima hak istimewa invasif yang memberikan akses ke data lain pada perangkat Anda. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/id/basics/passwords-overview.md b/i18n/id/basics/passwords-overview.md new file mode 100644 index 00000000..69e86d4a --- /dev/null +++ b/i18n/id/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Pengantar Kata Sandi" +icon: 'material/form-textbox-password' +description: Berikut ini adalah beberapa tips dan trik tentang cara membuat kata sandi terkuat dan menjaga akun Anda tetap aman. +--- + +Kata sandi adalah bagian penting dari kehidupan digital kita sehari-hari. Kami menggunakannya untuk melindungi akun, perangkat, dan rahasia kami. Meskipun sering kali menjadi satu-satunya hal antara kita dan musuh yang mengincar informasi pribadi kita, tidak banyak yang memikirkannya, yang sering kali membuat orang menggunakan kata sandi yang dapat dengan mudah ditebak atau dipaksakan. + +## Praktik Terbaik + +### Gunakan kata sandi yang unik untuk setiap layanan + +Bayangkan ini; Anda mendaftar untuk akun dengan email dan kata sandi yang sama pada beberapa layanan daring. Jika salah satu dari penyedia layanan tersebut jahat, atau layanan mereka mengalami pembobolan data yang mengekspos kata sandi Anda dalam format yang tidak terenkripsi, maka yang harus dilakukan oleh pelaku kejahatan adalah mencoba kombinasi email dan kata sandi tersebut pada beberapa layanan populer hingga berhasil. Tidak masalah seberapa kuat satu kata sandi itu, karena mereka sudah memilikinya. + +Ini disebut [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), dan merupakan salah satu cara paling umum akun Anda dapat disusupi oleh pihak-pihak yang tidak bertanggung jawab. To avoid this, make sure that you never re-use your passwords. + +### Gunakan kata sandi yang dibuat secara acak + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +Semua [pengelola kata sandi yang kami rekomendasikan](../passwords.md) menyertakan pembuat kata sandi bawaan yang dapat Anda gunakan. + +### Memutar Kata Sandi + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Sebagian besar pengelola kata sandi memungkinkan Anda untuk mengatur tanggal kedaluwarsa untuk kata sandi Anda agar lebih mudah dikelola. + +!!! tip "Memeriksa pelanggaran data" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Sebagai alternatif, Anda dapat mengikuti [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) dengan bantuan [news aggregator](../news-aggregators.md). + +## Membuat kata sandi yang kuat + +### Kata sandi + +Banyak layanan yang memberlakukan kriteria tertentu dalam hal kata sandi, termasuk panjang minimum atau maksimum, serta karakter khusus apa saja, jika ada, yang dapat digunakan. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +Jika Anda memerlukan kata sandi yang dapat Anda hafal, kami merekomendasikan [kata sandi diceware](#diceware-passphrases). + +### Diceware Passphrases + +Diceware adalah sebuah metode untuk membuat kata sandi yang mudah diingat, tetapi sulit ditebak. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! catatan + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Lempar dadu enam sisi sebanyak lima kali, catat nomornya setelah setiap lemparan. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. Anda akan menemukan kata `mengenkripsi`. Tuliskan kata itu. + +4. Ulangi proses ini hingga kata sandi Anda memiliki kata sebanyak yang Anda butuhkan, yang harus Anda pisahkan dengan spasi. + +!!! peringatan "Penting" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? catatan "Penjelasan tentang entropi dan kekuatan frasa sandi diceware" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Musuh Anda tahu bahwa Anda menggunakan metode diceware. + - Musuh Anda mengetahui daftar kata tertentu yang Anda gunakan. + - Musuh Anda mengetahui berapa banyak kata yang terkandung dalam kata sandi Anda. + +Singkatnya, kata sandi diceware adalah pilihan terbaik Anda ketika Anda membutuhkan sesuatu yang mudah diingat *dan* sangat kuat. + +## Menyimpan Kata Sandi + +### Pengelola Kata Sandi + +Cara terbaik untuk menyimpan kata sandi Anda adalah dengan menggunakan pengelola kata sandi. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. Dengan begitu, Anda hanya perlu mengingat satu kata sandi yang kuat, yang memungkinkan Anda mengakses kata sandi lainnya. + +There are many good options to choose from, both cloud-based and local. Pilih salah satu pengelola kata sandi yang kami rekomendasikan dan gunakan untuk membuat kata sandi yang kuat di semua akun Anda. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[Daftar pengelola kata sandi yang direkomendasikan](../passwords.md ""){.md-button} + +!!! peringatan "Jangan letakkan kata sandi dan token TOTP Anda di dalam pengelola kata sandi yang sama" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Selain itu, kami tidak menyarankan untuk menyimpan kode pemulihan sekali pakai di pengelola kata sandi Anda. Data tersebut harus disimpan secara terpisah, misalnya dalam wadah terenkripsi pada perangkat penyimpanan offline. + +### Cadangan + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. Hal ini dapat membantu Anda mengakses kata sandi jika terjadi sesuatu pada perangkat utama atau layanan yang Anda gunakan. diff --git a/i18n/id/basics/threat-modeling.md b/i18n/id/basics/threat-modeling.md new file mode 100644 index 00000000..59118709 --- /dev/null +++ b/i18n/id/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Menyeimbangkan keamanan, privasi, dan kegunaan adalah salah satu tugas pertama dan paling sulit yang akan Anda hadapi dalam perjalanan privasi Anda. +--- + +Menyeimbangkan keamanan, privasi, dan kegunaan adalah salah satu tugas pertama dan paling sulit yang akan Anda hadapi dalam perjalanan privasi Anda. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Sering kali, orang menemukan bahwa masalah dengan alat yang mereka lihat direkomendasikan adalah bahwa alat tersebut terlalu sulit untuk mulai digunakan! + +Jika Anda ingin menggunakan **sebagian besar** alat aman yang tersedia, Anda harus mengorbankan *banyak* kegunaan. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Itulah mengapa model ancaman itu penting. + +**Jadi, apa saja model ancaman ini?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. Dalam keamanan komputer, ancaman adalah peristiwa yang dapat merusak upaya Anda untuk tetap pribadi dan aman. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +Untuk mengidentifikasi apa yang dapat terjadi pada hal-hal yang Anda hargai dan menentukan siapa yang perlu Anda lindungi, Anda harus menjawab lima pertanyaan berikut: + +1. Apa yang ingin saya lindungi? +2. Dari siapa saya ingin melindunginya? +3. Seberapa besar kemungkinan saya perlu melindunginya? +4. Seberapa buruk konsekuensinya jika saya gagal? +5. Seberapa besar masalah yang ingin saya hadapi untuk mencoba mencegah konsekuensi yang mungkin terjadi? + +### Apa yang ingin saya lindungi? + +"Aset" adalah sesuatu yang Anda hargai dan ingin Anda lindungi. Dalam konteks keamanan digital, ==aset biasanya berupa beberapa jenis informasi.== Misalnya, email, daftar kontak, pesan instan, lokasi, dan file Anda adalah aset yang mungkin. Perangkat Anda sendiri juga bisa menjadi aset. + +*Buatlah daftar aset Anda: data yang Anda simpan, di mana data tersebut disimpan, siapa yang memiliki akses ke data tersebut, dan apa yang mencegah orang lain untuk mengaksesnya.* + +### Dari siapa saya ingin melindunginya? + +Untuk menjawab pertanyaan ini, penting untuk mengidentifikasi siapa yang mungkin ingin menargetkan Anda atau informasi Anda. ==Seseorang atau entitas yang menjadi ancaman bagi aset Anda adalah "musuh".== Contoh musuh potensial adalah atasan Anda, mantan mitra Anda, pesaing bisnis Anda, pemerintah Anda, atau peretas di jaringan publik. + +*Buatlah daftar musuh Anda atau mereka yang mungkin ingin mendapatkan aset Anda. Daftar Anda dapat mencakup individu, lembaga pemerintah, atau perusahaan.* + +Tergantung pada siapa musuh Anda, dalam beberapa keadaan, daftar ini mungkin sesuatu yang ingin Anda hancurkan setelah Anda selesai merencanakan keamanan. + +### Seberapa besar kemungkinan saya perlu melindunginya? + +==Risiko adalah kemungkinan bahwa ancaman tertentu terhadap aset tertentu akan benar-benar terjadi.== Hal ini sejalan dengan kemampuan. Meskipun penyedia ponsel Anda memiliki kemampuan untuk mengakses semua data Anda, risiko mereka memposting data pribadi Anda secara online untuk merusak reputasi Anda adalah rendah. + +Penting untuk membedakan antara apa yang mungkin terjadi dan probabilitas yang mungkin terjadi. Misalnya, ada ancaman bahwa bangunan Anda mungkin runtuh, tetapi risiko ini terjadi jauh lebih besar di San Francisco (di mana gempa bumi biasa terjadi) daripada di Stockholm (di mana mereka tidak). + +Menilai risiko adalah proses pribadi dan subjektif. Banyak orang yang menganggap ancaman tertentu tidak dapat diterima, tidak peduli seberapa besar kemungkinannya, karena keberadaan ancaman tersebut tidak sebanding dengan biayanya. Dalam kasus lain, orang mengabaikan risiko tinggi karena mereka tidak melihat ancaman tersebut sebagai masalah. + +*Tuliskan ancaman mana yang akan Anda anggap serius, dan mana yang mungkin terlalu jarang atau tidak berbahaya (atau terlalu sulit untuk dilawan) untuk dikhawatirkan.* + +### Seberapa buruk konsekuensinya jika saya gagal? + +Ada banyak cara yang dapat dilakukan oleh musuh untuk mendapatkan akses ke data Anda. Misalnya, musuh dapat membaca komunikasi pribadi Anda saat mereka melewati jaringan, atau mereka dapat menghapus atau merusak data Anda. + +==Motif pihak-pihak yang berseteru sangat beragam, begitu pula taktik mereka.== Pemerintah yang berusaha mencegah penyebaran video yang menunjukkan kekerasan polisi mungkin akan puas dengan menghapus atau mengurangi ketersediaan video tersebut. Sebaliknya, lawan politik mungkin ingin mendapatkan akses ke konten rahasia dan mempublikasikan konten itu tanpa Anda sadari. + +Perencanaan keamanan melibatkan pemahaman tentang seberapa buruk konsekuensi yang bisa terjadi jika musuh berhasil mendapatkan akses ke salah satu aset Anda. Untuk menentukan ini, Anda harus mempertimbangkan kemampuan lawan Anda. Misalnya, penyedia ponsel Anda memiliki akses ke semua catatan telepon Anda. Peretas di jaringan Wi-Fi terbuka dapat mengakses komunikasi Anda yang tidak terenkripsi. Pemerintah Anda mungkin memiliki kemampuan yang lebih kuat. + +*Tuliskan apa yang mungkin ingin dilakukan lawan Anda dengan data pribadi Anda.* + +### Seberapa besar masalah yang ingin saya hadapi untuk mencoba mencegah konsekuensi yang mungkin terjadi? + +==Tidak ada pilihan yang sempurna untuk keamanan.== Tidak semua orang memiliki prioritas, kekhawatiran, atau akses yang sama ke sumber daya. Penilaian risiko Anda akan memungkinkan Anda untuk merencanakan strategi yang tepat untuk Anda, dengan menyeimbangkan kenyamanan, biaya, dan privasi. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Tuliskan pilihan apa saja yang tersedia bagi Anda untuk membantu mengurangi ancaman unik Anda. Perhatikan jika Anda memiliki kendala keuangan, kendala teknis, atau kendala sosial.* + +### Cobalah sendiri: Melindungi Barang Milik Anda + +Pertanyaan-pertanyaan ini dapat diterapkan pada berbagai situasi, baik online maupun offline. Sebagai demonstrasi umum tentang bagaimana pertanyaan-pertanyaan ini bekerja, mari kita buat rencana untuk menjaga rumah dan harta benda Anda tetap aman. + +**Apa yang ingin Anda lindungi? (Atau, *apa yang Anda miliki yang layak dilindungi?*)** +: + +Aset Anda mungkin termasuk perhiasan, barang elektronik, dokumen penting, atau foto. + +**Anda ingin melindunginya dari siapa?** +: + +Musuh Anda mungkin termasuk pencuri, teman sekamar, atau tamu. + +**Seberapa besar kemungkinan Anda perlu melindunginya?** +: + +Apakah lingkungan Anda memiliki riwayat pencurian? Seberapa tepercaya teman sekamar atau tamu Anda? Apa saja kemampuan musuh Anda? Apa saja risiko yang harus Anda pertimbangkan? + +**Seberapa buruk konsekuensinya jika Anda gagal?** +: + +Apakah Anda memiliki sesuatu di rumah Anda yang tidak dapat Anda ganti? Apakah Anda punya waktu atau uang untuk mengganti barang-barang tersebut? Apakah Anda memiliki asuransi yang menanggung barang yang dicuri dari rumah Anda? + +**Seberapa besar masalah yang ingin Anda hadapi untuk mencegah konsekuensi ini?** +: + +Apakah Anda bersedia membeli brankas untuk dokumen sensitif? Apakah Anda mampu membeli kunci berkualitas tinggi? Apakah Anda memiliki waktu untuk membuka kotak penyimpanan di bank setempat dan menyimpan barang berharga Anda di sana? + +Hanya setelah Anda mengajukan pertanyaan-pertanyaan ini kepada diri Anda sendiri, Anda akan dapat menilai tindakan apa yang harus diambil. Jika harta benda Anda berharga, tetapi kemungkinan pembobolan rendah, maka Anda mungkin tidak ingin menginvestasikan terlalu banyak uang untuk sebuah kunci. Namun, jika kemungkinan terjadinya pembobolan cukup besar, Anda sebaiknya membeli kunci terbaik di pasaran dan mempertimbangkan untuk menambahkan sistem keamanan. + +Membuat rencana keamanan akan membantu Anda memahami ancaman yang unik bagi Anda dan mengevaluasi aset Anda, musuh Anda, dan kemampuan musuh Anda, serta kemungkinan risiko yang Anda hadapi. + +## Bacaan Lebih Lanjut + +Bagi orang-orang yang ingin meningkatkan privasi dan keamanan daring mereka, kami telah menyusun daftar ancaman umum yang dihadapi pengunjung kami atau tujuan yang dimiliki pengunjung kami, untuk memberi Anda beberapa inspirasi dan menunjukkan dasar rekomendasi kami. + +- [Tujuan dan Ancaman Umum :material-arrow-right-drop-circle:](common-threats.md) + +## Sumber + +- [Ef Surveillance Self Defense: Rencana Keamanan Anda](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/id/basics/vpn-overview.md b/i18n/id/basics/vpn-overview.md new file mode 100644 index 00000000..7f17d2af --- /dev/null +++ b/i18n/id/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: Ikhtisar VPN +icon: material/vpn +description: Virtual Private Networks mengalihkan risiko dari ISP Anda ke pihak ketiga yang Anda percayai. Anda harus mengingat hal-hal ini. +--- + +Virtual Private Networks adalah cara untuk memperluas ujung jaringan Anda untuk keluar ke tempat lain di dunia. ISP dapat melihat arus lalu lintas internet yang masuk dan keluar dari perangkat terminasi jaringan Anda (misalnya modem). + +Protokol enkripsi seperti HTTPS umumnya digunakan di internet, jadi mereka mungkin tidak dapat melihat dengan tepat apa yang Anda posting atau baca, tetapi mereka dapat mengetahui [domain yang Anda minta](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +VPN dapat membantu karena dapat mengalihkan kepercayaan ke server di tempat lain di dunia. Akibatnya, ISP kemudian hanya melihat bahwa Anda tersambung ke VPN dan tidak ada aktivitas apa pun yang Anda kirimkan ke VPN tersebut. + +## Haruskah saya menggunakan VPN? + +**Ya**, kecuali Anda sudah menggunakan Tor. VPN melakukan dua hal: mengalihkan risiko dari Penyedia Layanan Internet Anda ke dirinya sendiri dan menyembunyikan IP Anda dari layanan pihak ketiga. + +VPN tidak dapat mengenkripsi data di luar koneksi antara perangkat Anda dan server VPN. Penyedia VPN dapat melihat dan memodifikasi lalu lintas Anda dengan cara yang sama seperti yang dilakukan ISP Anda. Dan tidak ada cara untuk memverifikasi kebijakan "tanpa pencatatan" dari penyedia VPN dengan cara apa pun. + +Namun, mereka menyembunyikan IP Anda yang sebenarnya dari layanan pihak ketiga, asalkan tidak ada kebocoran IP. Mereka membantu Anda berbaur dengan orang lain dan mengurangi pelacakan berbasis IP. + +## Kapan sebaiknya saya tidak menggunakan VPN? + +Menggunakan VPN jika Anda menggunakan [identitas yang diketahui](common-threats.md#common-misconceptions) kemungkinan tidak akan berguna. + +Melakukan hal itu dapat memicu sistem deteksi spam dan penipuan, seperti jika Anda masuk ke situs web bank Anda. + +## Bagaimana dengan enkripsi? + +Enkripsi yang ditawarkan oleh penyedia VPN berada di antara perangkat Anda dan server mereka. Ini menjamin bahwa tautan khusus ini aman. Ini merupakan langkah maju dari penggunaan proxy yang tidak terenkripsi, di mana pihak yang tidak bertanggung jawab dalam jaringan dapat mencegat komunikasi antara perangkat Anda dan proxy tersebut dan memodifikasinya. Namun, enkripsi antara aplikasi atau browser Anda dengan penyedia layanan tidak ditangani oleh enkripsi ini. + +Untuk menjaga agar apa yang Anda lakukan di situs web yang Anda kunjungi tetap privat dan aman, Anda harus menggunakan HTTPS. Ini akan menjaga kata sandi, token sesi, dan kueri Anda aman dari penyedia VPN. Pertimbangkan untuk mengaktifkan "HTTPS di mana saja" di peramban Anda untuk mengurangi serangan downgrade seperti [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Haruskah saya menggunakan DNS terenkripsi dengan VPN? + +Kecuali penyedia VPN Anda melayani server DNS terenkripsi, **tidak**. Menggunakan DOH/DOT (atau bentuk lain dari DNS terenkripsi) dengan server pihak ketiga hanya akan menambah lebih banyak entitas untuk dipercaya dan sama sekali **tidak** meningkatkan privasi/keamanan Anda. Penyedia VPN Anda masih dapat melihat situs web mana yang Anda kunjungi berdasarkan alamat IP dan metode lainnya. Alih-alih hanya mempercayai penyedia VPN Anda, Anda sekarang mempercayai penyedia VPN dan penyedia DNS. + +Alasan umum untuk merekomendasikan DNS terenkripsi adalah karena ini membantu melawan pemalsuan DNS. Namun, peramban Anda seharusnya sudah memeriksa [sertifikat TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) dengan **HTTPS** dan memperingatkan Anda tentang hal itu. Jika Anda tidak menggunakan **HTTPS**, maka pihak lawan masih bisa memodifikasi apa pun selain kueri DNS Anda dan hasil akhirnya tidak akan jauh berbeda. + +Tidak perlu dikatakan lagi, **Anda tidak boleh menggunakan DNS terenkripsi dengan Tor**. Ini akan mengarahkan semua permintaan DNS Anda melalui satu sirkuit dan memungkinkan penyedia DNS terenkripsi untuk mendeanonimkan Anda. + +## Haruskah saya menggunakan Tor *dan* VPN? + +Dengan menggunakan VPN dengan Tor, Anda pada dasarnya menciptakan simpul masuk permanen, sering kali dengan jejak uang yang melekat. Ini tidak memberikan manfaat tambahan apa pun bagi Anda, sekaligus meningkatkan permukaan serangan koneksi Anda secara dramatis. Jika Anda ingin menyembunyikan penggunaan Tor Anda dari ISP atau pemerintah Anda, Tor memiliki solusi bawaan untuk itu: Jembatan Tor. [Baca lebih lanjut tentang jembatan Tor dan mengapa menggunakan VPN tidak diperlukan](../advanced/tor-overview.md). + +## Bagaimana jika saya membutuhkan anonimitas? + +VPN tidak dapat memberikan anonimitas. Penyedia VPN Anda masih akan melihat alamat IP asli Anda, dan sering memiliki jejak uang yang dapat dihubungkan langsung kembali kepada Anda. Anda tidak dapat mengandalkan kebijakan "tanpa pencatatan" untuk melindungi data Anda. Gunakan [Tor](https://www.torproject.org/) sebagai gantinya. + +## Bagaimana dengan penyedia VPN yang menyediakan node Tor? + +Jangan gunakan fitur tersebut. Inti dari penggunaan Tor adalah Anda tidak mempercayai penyedia VPN Anda. Saat ini Tor hanya mendukung protokol [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (digunakan di [WebRTC](https://en.wikipedia.org/wiki/WebRTC) untuk berbagi suara dan video, protokol [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) yang baru, dll), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) dan paket-paket lainnya akan dibatalkan. Untuk mengimbangi hal ini, penyedia VPN biasanya akan merutekan semua paket non-TCP melalui server VPN mereka (loncatan pertama Anda). Ini adalah kasus pada [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Selain itu, ketika menggunakan pengaturan Tor melalui VPN ini, Anda tidak memiliki kendali atas fitur Tor penting lainnya seperti [Alamat Tujuan Terisolasi](https://www.whonix.org/wiki/Stream_Isolation) (menggunakan sirkuit Tor yang berbeda untuk setiap domain yang Anda kunjungi). + +Fitur ini harus dilihat sebagai cara yang nyaman untuk mengakses Jaringan Tor, bukan untuk tetap anonim. Untuk anonimitas yang tepat, gunakan Tor Browser, TorSocks, atau gateway Tor. + +## Kapan VPN berguna? + +VPN mungkin masih berguna bagi Anda dalam berbagai skenario, seperti: + +1. Menyembunyikan lalu lintas Anda dari **hanya** Penyedia Layanan Internet Anda. +1. Menyembunyikan unduhan Anda (seperti torrent) dari ISP dan organisasi anti-pembajakan. +1. Menyembunyikan IP Anda dari situs web dan layanan pihak ketiga, mencegah pelacakan berbasis IP. + +Untuk situasi seperti ini, atau jika Anda memiliki alasan kuat lainnya, penyedia VPN yang kami sebutkan di atas adalah yang menurut kami paling dapat dipercaya. Namun, menggunakan penyedia VPN masih berarti Anda *mempercayai* penyedia. Dalam hampir semua skenario lain, Anda sebaiknya menggunakan alat**-by-design** yang aman seperti Tor. + +## Sumber dan Bacaan Lebih Lanjut + +1. [VPN - Narasi yang Sangat Genting](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) oleh Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Apakah saya memerlukan VPN?"](https://www.doineedavpn.com)sebuah alat yang dikembangkan oleh IVPN untuk menantang pemasaran VPN yang agresif dengan membantu individu memutuskan apakah VPN tepat untuk mereka. + +## Informasi VPN Terkait + +- [Masalah dengan VPN dan Situs Ulasan Privasi](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Investigasi Aplikasi VPN Gratis](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [Perusahaan Tiongkok ini diam-diam berada di balik 24 aplikasi populer yang meminta izin berbahaya](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/id/calendar.md b/i18n/id/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/id/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/id/cloud.md b/i18n/id/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/id/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/id/cryptocurrency.md b/i18n/id/cryptocurrency.md new file mode 100644 index 00000000..176c2553 --- /dev/null +++ b/i18n/id/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Mata Uang Kripto +icon: material/bank-circle +--- + +Melakukan pembayaran secara daring adalah salah satu tantangan terbesar bagi privasi. Mata uang kripto di bawah ini menyediakan privasi transaksi secara bawaan (sesuatu yang **tidak** dijamin oleh sebagian besar mata uang kripto), asalkan Anda memiliki pemahaman yang kuat tentang cara melakukan pembayaran pribadi secara efektif. Kami sangat menyarankan Anda untuk membaca artikel ikhtisar pembayaran kami terlebih dahulu sebelum melakukan pembelian: + +[Melakukan Pembayaran Pribadi :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Banyak atau bahkan sebagian besar proyek mata uang kripto adalah penipuan. Lakukan transaksi dengan hati-hati hanya dengan proyek yang Anda percayai. + +## Monero + +!!! recommendation + + ![Logo Monero](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** menggunakan blockchain dengan teknologi yang meningkatkan privasi yang mengaburkan transaksi untuk mencapai anonimitas. Setiap transaksi Monero menyembunyikan jumlah transaksi, alamat pengirim dan penerima, dan sumber dana tanpa ada rintangan yang harus dilewati, menjadikannya pilihan ideal untuk pemula mata uang kripto. + + [:octicons-home-16: Laman Beranda](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Berkontribusi } + +Dengan Monero, pengamat luar tidak dapat menguraikan alamat yang memperdagangkan Monero, jumlah transaksi, saldo alamat, atau riwayat transaksi. + +Untuk privasi yang optimal, pastikan untuk menggunakan dompet nonkustodian di mana kunci tampilan tetap berada di perangkat. Ini berarti hanya Anda yang dapat menggunakan dana Anda dan melihat transaksi yang masuk dan keluar. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/id/data-redaction.md b/i18n/id/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/id/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/id/desktop-browsers.md b/i18n/id/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/id/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/id/desktop.md b/i18n/id/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/id/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/id/dns.md b/i18n/id/dns.md new file mode 100644 index 00000000..60934bf5 --- /dev/null +++ b/i18n/id/dns.md @@ -0,0 +1,139 @@ +--- +title: "Penyelesai DNS" +icon: material/dns +description: Berikut ini adalah beberapa penyedia DNS terenkripsi yang kami sarankan untuk Anda gunakan, untuk menggantikan konfigurasi bawaan ISP Anda. +--- + +DNS terenkripsi dengan server pihak ketiga sebaiknya hanya digunakan untuk mengatasi pemblokiran [DNS dasar](https://en.wikipedia.org/wiki/DNS_blocking) ketika Anda yakin tidak akan ada konsekuensi apa pun. DNS terenkripsi tidak akan membantu Anda menyembunyikan aktivitas penjelajahan Anda. + +[Pelajari lebih lanjut tentang DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Penyedia yang Direkomendasikan + +| Penyedia DNS | Kebijakan Privasi | Protokol | Pencatatan Log | ECS | Pemfilteran | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | -------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Teks biasa
DoH/3
DoT
DNSCrypt | Beberapa[^1] | Tidak | Berdasarkan pilihan server. Daftar filter yang digunakan dapat ditemukan di sini. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Teks biasa
DoH/3
DoT | Beberapa[^2] | Tidak | Berdasarkan pilihan server. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Teks biasa
DoH/3
DoT
DoQ | Opsional[^3] | Tidak | Berdasarkan pilihan server. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Tidak[^4] | Tidak | Berdasarkan pilihan server. Daftar filter yang digunakan dapat ditemukan di sini. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Teks biasa
DoH/3
DoT | Opsional[^5] | Opsional | Berdasarkan pilihan server. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Teks biasa
DoH
DoT
DNSCrypt | Beberapa[^6] | Opsional | Berdasarkan pilihan server, pemblokiran malware secara default. | + +## Kriteria + +**Harap dicatat bahwa kami tidak berafiliasi dengan proyek-proyek yang kami rekomendasikan.** Selain [kriteria standar kami](about/criteria.md), kami telah mengembangkan serangkaian persyaratan yang jelas untuk memungkinkan kami memberikan rekomendasi yang objektif. Kami sarankan Anda membiasakan diri dengan daftar ini sebelum memilih untuk menggunakan sebuah proyek, dan melakukan riset sendiri untuk memastikan bahwa itu adalah pilihan yang tepat untuk Anda. + +!!! contoh "Bagian ini baru" + + Kami sedang berupaya menetapkan kriteria yang ditentukan untuk setiap bagian dari situs kami, dan hal ini dapat berubah sewaktu-waktu. Jika Anda memiliki pertanyaan tentang kriteria kami, silakan [tanyakan di forum kami](https://discuss.privacyguides.net/latest) dan jangan berasumsi bahwa kami tidak mempertimbangkan sesuatu saat membuat rekomendasi jika tidak tercantum di sini. Ada banyak faktor yang dipertimbangkan dan didiskusikan saat kami merekomendasikan sebuah proyek, dan mendokumentasikan setiap faktor tersebut merupakan pekerjaan yang sedang berjalan. + +- Harus mendukung [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [Minimalisasi QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Mengizinkan [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) untuk dinonaktifkan. +- Lebih suka dukungan [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) atau dukungan kemudi geografis. + +## Dukungan Sistem Operasi Asli + +### Android + +Android 9 ke atas mendukung DNS melalui TLS. Pengaturan dapat ditemukan di: **Pengaturan** → **Jaringan & Internet** → **DNS Pribadi**. + +### Perangkat Apple + +Versi terbaru iOS, iPadOS, tvOS, dan macOS, mendukung DoT dan DoH. Kedua protokol didukung secara bawaan melalui [profil konfigurasi](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) atau melalui [API Pengaturan DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +Setelah pemasangan profil konfigurasi atau aplikasi yang menggunakan API Pengaturan DNS, konfigurasi DNS dapat dipilih. Jika VPN aktif, resolusi di dalam terowongan VPN akan menggunakan pengaturan DNS VPN dan bukan pengaturan seluruh sistem Anda. + +#### Profil yang Ditandatangani + +Apple tidak menyediakan antarmuka asli untuk membuat profil DNS terenkripsi. [Pembuat profil DNS aman](https://dns.notjakob.com/tool.html) adalah alat tidak resmi untuk membuat profil DNS terenkripsi Anda sendiri, namun profil tersebut tidak akan ditandatangani. Profil yang ditandatangani lebih disukai; penandatanganan memvalidasi asal profil dan membantu memastikan integritas profil. Label "Terverifikasi" berwarna hijau diberikan pada profil konfigurasi yang telah ditandatangani. Untuk informasi lebih lanjut tentang penandatanganan kode, lihat [Tentang Penandatanganan Kode](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Profil yang ditandatangani** ditawarkan oleh [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), dan [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, yang digunakan banyak distribusi Linux untuk melakukan pencarian DNS, belum [mendukung DoH](https://github.com/systemd/systemd/issues/8639). Jika Anda ingin menggunakan DoH, Anda perlu menginstal proxy seperti [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) dan [konfigurasikan] (https://wiki.archlinux.org/title/Dnscrypt-proxy) untuk mengambil semua permintaan DNS dari resolver sistem Anda dan meneruskannya melalui HTTPS. + +## Proxy DNS Terenkripsi + +Perangkat lunak proxy DNS terenkripsi menyediakan proxy lokal untuk [DNS tidak terenkripsi](advanced/dns-overview.md#unencrypted-dns) resolver untuk diteruskan. Biasanya digunakan pada platform yang tidak mendukung [DNS terenkripsi](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo ]( assets/img/android/rethinkdns.svg#only-light ){ align=right } + ![RethinkDNS logo ]( assets/img/android/rethinkdns-dark.svg#only-dark ){ align=right } + + ** RethinkDNS ** adalah klien Android sumber terbuka yang mendukung [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) dan Proksi DNS bersama dengan tanggapan DNS cache, pencatatan permintaan DNS lokal dan dapat digunakan sebagai tembok api juga. + + [:octicons-home-16: Beranda ]( https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:]( https://rethinkdns.com/privacy ){.card-link title="Kebijakan Privasi"} + [:octicons-info-16:]( https://docs.rethinkdns.com/){.card-link title=Dokumentasi} + [:octicons-code-16:]( https://github.com/celzero/rethink-app ){.card-link title="Kode Sumber"} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt - proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt - proxy ** adalah proxy DNS dengan dukungan untuk [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), dan [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonimized-DNS). + + !!! peringatan "Fitur DNS anonim tidak [**tidak**]( advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) menganonimkan lalu lintas jaringan lainnya." + + [:octicons-repo-16: Repositori](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Kontribusi } + + ??? unduhan + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Solusi yang dihosting sendiri + +Solusi DNS yang dihosting sendiri berguna untuk menyediakan penyaringan pada platform terkontrol, seperti Smart TV dan perangkat IoT lainnya, karena tidak ada perangkat lunak di sisi klien yang diperlukan. + +### AdGuard Home + +!!! recommendation + + ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** adalah [lubang penyaring DNS](https://en.wikipedia.org/wiki/DNS_sinkhole) yang menggunakan [penyaringan DNS] (https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) untuk memblokir konten web yang tidak diinginkan, seperti iklan. + + AdGuard Home memiliki antarmuka web yang dipoles untuk melihat wawasan dan mengelola konten yang diblokir. + + [:octicons-home-16: Beranda](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Kode Sumber" } + +### Pi-hole + +!!! recommendation + + ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** adalah [lubang penyaring DNS](https://en.wikipedia.org/wiki/DNS_sinkhole) yang menggunakan [penyaringan DNS] (https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) untuk memblokir konten web yang tidak diinginkan, seperti iklan. + + Pi-hole dirancang untuk dilayani di Raspberry Pi, tetapi tidak terbatas pada perangkat keras tersebut. Perangkat lunak ini memiliki antarmuka web yang ramah untuk melihat wawasan dan mengelola konten yang diblokir. + + [:octicons-home-16: Beranda](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Kontribusi } + +[^1]: AdGuard menyimpan metrik kinerja agregat dari server DNS mereka, yaitu jumlah permintaan lengkap ke server tertentu, jumlah permintaan yang diblokir, dan kecepatan pemrosesan permintaan. Mereka juga menjaga dan menyimpan basis data domain yang diminta dalam waktu 24 jam terakhir. "Kami membutuhkan informasi ini untuk mengidentifikasi dan memblokir pelacak dan ancaman baru." "Kami juga mencatat berapa kali pelacak ini atau itu telah diblokir. Kami membutuhkan informasi ini untuk menghapus aturan usang dari filter kami." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare hanya mengumpulkan dan menyimpan data permintaan DNS terbatas yang dikirim ke resolver 1.1.1.1. Layanan resolver 1.1.1.1 tidak mencatat data pribadi, dan sebagian besar data kueri yang tidak dapat diidentifikasi secara pribadi hanya disimpan selama 25 jam. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D hanya mencatat untuk resolver Premium dengan profil DNS khusus. Resolver gratis tidak mencatat data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Layanan DNS Mullvad tersedia untuk pelanggan dan non-pelanggan Mullvad VPN. Kebijakan privasi mereka secara eksplisit mengklaim bahwa mereka tidak mencatat permintaan DNS dengan cara apa pun. [https://mullvad.net/en/help/no-logging-data-policy](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS dapat menyediakan fitur wawasan dan pencatatan berdasarkan basis partisipasi. Anda dapat memilih waktu penyimpanan dan lokasi penyimpanan log untuk setiap log yang Anda pilih untuk disimpan. Jika tidak diminta secara khusus, tidak ada data yang dicatat. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 mengumpulkan beberapa data untuk tujuan pemantauan dan tanggapan ancaman. Data itu kemudian dapat dicampur ulang dan dibagikan, seperti untuk tujuan penelitian keamanan. Quad9 tidak mengumpulkan atau mencatat alamat IP atau data lain yang mereka anggap dapat diidentifikasi secara pribadi. [https://www.quad9.net/privacy/policy](https://www.quad9.net/privacy/policy/) diff --git a/i18n/id/email-clients.md b/i18n/id/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/id/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/id/email.md b/i18n/id/email.md new file mode 100644 index 00000000..6a49d712 --- /dev/null +++ b/i18n/id/email.md @@ -0,0 +1,503 @@ +--- +title: "Layanan Surel" +icon: material/email +description: Penyedia surel ini menawarkan tempat yang baik untuk menyimpan surel Anda dengan aman, dan banyak yang menawarkan enkripsi OpenPGP yang dapat dioperasikan dengan penyedia lain. +--- + +Surel bisa dibilang merupakan kebutuhan untuk menggunakan layanan daring apa pun, namun kami tidak merekomendasikannya untuk percakapan antar orang. Daripada menggunakan surel untuk menghubungi orang lain, pertimbangkan untuk menggunakan media pesan instan yang mendukung kerahasiaan penerusan. + +[Perpesanan Instan yang Direkomendasikan](real-time-communication.md ""){.md-button} + +Untuk yang lainnya, kami merekomendasikan berbagai penyedia surel yang didasarkan pada model bisnis yang berkelanjutan serta fitur keamanan dan privasi bawaan. + +- [Penyedia Email yang Kompatibel dengan OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Penyedia Terenkripsi Lainnya :material-arrow-right-drop-circle:](#more-providers) +- [Layanan Alias Surel :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Opsi yang Dilayani Sendiri :material-arrow-right-drop-circle:](#self-hosting-email) + +## Layanan yang Kompatibel dengan OpenPGP + +Penyedia layanan ini secara asli mendukung enkripsi/dekripsi OpenPGP dan standar Web Key Directory (WKD), yang memungkinkan email E2EE yang bersifat agnostik pada penyedia. Sebagai contoh, pengguna Proton Mail dapat mengirim pesan E2EE ke pengguna Mailbox.org, atau Anda dapat menerima notifikasi terenkripsi OpenPGP dari layanan internet yang mendukungnya. + +
+ +- ![Logo Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + Ketika menggunakan teknologi E2EE seperti OpenPGP, surel akan tetap memiliki beberapa metadata yang tidak dienkripsi di tajuk surel. Baca lebih lanjut tentang [metadata surel] (basics/email-security.md#email-metadata-overview). + + OpenPGP juga tidak mendukung kerahasiaan Penerusan, yang berarti jika kunci privat Anda atau penerima dicuri, semua pesan sebelumnya yang dienkripsi dengan kunci tersebut akan terekspos. [Bagaimana cara melindungi kunci pribadi saya?](basics/email-security.md#bagaimana-saya-melindungi-kunci-pribadi-saya) + +### Proton Mail + +!!! recommendation + + ![ Proton Mail logo ]( assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** adalah layanan surel dengan fokus pada privasi, enkripsi, keamanan, dan kemudahan penggunaan. Mereka telah beroperasi sejak **2013**. Proton AG berbasis di Genewa, Swiss. Akun dimulai dengan penyimpanan 500 MB dengan paket gratis mereka. + + [:octicons-home-16: Beranda](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Layanan Onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Kode Sumber" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Akun gratis memiliki beberapa keterbatasan, seperti tidak dapat mencari teks tubuh dan tidak memiliki akses ke [Proton Mail Bridge](https://proton.me/mail/bridge), yang diperlukan untuk menggunakan [klien surel desktop yang direkomendasikan](email-clients.md) (misalnya Thunderbird). Akun berbayar mencakup fitur-fitur seperti Proton Mail Bridge, penyimpanan tambahan, dan dukungan domain khusus. [Surat pengesahan](https://proton.me/blog/security-audit-all-proton-apps) diberikan untuk aplikasi Proton Mail pada tanggal 9 November 2021 oleh [Securitum](https://research.securitum.com). + +Jika Anda memiliki paket Proton Unlimited, Bisnis, atau Visioner, Anda juga mendapatkan [SimpleLogin](#simplelogin) Premium secara gratis. + +Proton Mail memiliki laporan mogok internal yang tidak **dibagikan kepada pihak ketiga**. Ini dapat dinonaktifkan di: **Pengaturan** > **Buka Pengaturan** > **Akun** > **Keamanan dan privasi** > **Kirim laporan kemogokan**. + +#### :material-check:{ .pg-green } Domain dan Alias Khusus + +Pelanggan Proton Mail berbayar dapat menggunakan domain mereka sendiri dengan layanan ini atau alamat [yang mencakup semua](https://proton.me/support/catch-all). Proton Mail juga mendukung [subalamat](https://proton.me/support/creating-aliases), yang berguna bagi orang-orang yang tidak ingin membeli domain. + +#### :material-check:{ .pg-green } Metode Pembayaran Pribadi + +Proton Mail [menerima](https://proton.me/support/payment-options) uang tunai melalui pos selain kartu kredit/debit standar, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), dan pembayaran PayPal. + +#### :material-check:{ .pg-green } Keamanan Akun + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Email ke akun Proton Mail lainnya dienkripsi secara otomatis, dan enkripsi ke alamat non-Proton Mail dengan kunci OpenPGP dapat diaktifkan dengan mudah di pengaturan akun Anda. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hal ini memungkinkan orang yang tidak menggunakan Proton Mail untuk menemukan kunci OpenPGP akun Proton Mail dengan mudah, untuk lintas-penyedia E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. Setelah 30 hari, akun Anda akan menjadi tunggakan dan tidak akan menerima surat masuk. Anda akan terus ditagih selama periode ini. + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +Proton Mail menawarkan akun "Unlimited" seharga €9,99/Bulan, yang juga memungkinkan akses ke Proton VPN selain menyediakan beberapa akun, domain, alias, dan penyimpanan 500GB. + +Proton Mail tidak menawarkan fitur warisan digital. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. Mereka telah beroperasi sejak 2014. Mailbox.org berbasis di Berlin, Jerman. Akun dimulai dengan penyimpanan 2 GB, yang dapat ditingkatkan sesuai kebutuhan. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? unduhan + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Domain dan Alias Khusus + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Metode Pembayaran Pribadi + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. Namun, mereka menerima uang tunai melalui pos, pembayaran tunai ke rekening bank, transfer bank, kartu kredit, PayPal, dan beberapa prosesor khusus Jerman: paydirekt dan Sofortüberweisung. + +#### :material-check:{ .pg-green } Keamanan Akun + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Pesan baru yang Anda terima akan segera dienkripsi dengan kunci publik Anda. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. Fitur ini berguna ketika penerima jarak jauh tidak memiliki OpenPGP dan tidak dapat mendekripsi salinan email di kotak surat mereka sendiri. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hal ini memungkinkan orang di luar Mailbox.org untuk menemukan kunci OpenPGP dari akun Mailbox.org dengan mudah, untuk lintas-penyedia E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org memiliki fitur warisan digital untuk semua paket. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## Penyedia Lainnya + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail telah beroperasi sejak 2014 dan berbasis di Boulevard 11, Zeist Belanda. Akun dimulai dengan 10GB. Mereka menawarkan uji coba 30 hari. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? unduhan + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Domain dan Alias Khusus + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail menerima Visa, MasterCard, American Express, dan Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Keamanan Akun + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. Ketika Anda masuk, brankas dibuka, dan email kemudian dipindahkan ke brankas dari antrian di mana ia didekripsi oleh kunci pribadi yang sesuai. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +StartMail memungkinkan untuk proxy gambar dalam email. Jika Anda mengizinkan gambar jarak jauh dimuat, pengirim tidak akan tahu alamat IP Anda. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota telah beroperasi sejak **2011** dan berbasis di Hanover, Jerman. Akun dimulai dengan penyimpanan 1GB dengan paket gratis mereka. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Domain dan Alias Khusus + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Keamanan Akun + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Teknologi + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum untuk Memenuhi Syarat:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Kasus Terbaik:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privasi + +Kami lebih memilih penyedia yang kami rekomendasikan untuk mengumpulkan data sesedikit mungkin. + +**Minimum untuk Memenuhi Syarat:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Kasus Terbaik:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Keamanan + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum untuk Memenuhi Syarat:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Kasus Terbaik:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Program bug-bounty dan/atau proses pengungkapan kerentanan yang terkoordinasi. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Kepercayaan + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? Kami mewajibkan penyedia layanan yang kami rekomendasikan untuk terbuka mengenai kepemilikan atau kepemimpinan mereka. Kami juga ingin melihat laporan transparansi yang lebih sering, terutama dalam hal bagaimana permintaan pemerintah ditangani. + +**Minimum untuk Memenuhi Syarat:** + +- Kepemimpinan atau kepemilikan yang berhadapan dengan publik. + +**Kasus Terbaik:** + +- Kepemimpinan yang berhadapan dengan publik. +- Laporan transparansi yang sering. + +### Pemasaran + +With the email providers we recommend we like to see responsible marketing. + +**Minimum untuk Memenuhi Syarat:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Tidak boleh melakukan pemasaran yang tidak bertanggung jawab: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Menjamin perlindungan anonimitas 100%. Ketika seseorang membuat klaim bahwa sesuatu itu 100%, itu berarti tidak ada kepastian untuk gagal. Kami tahu bahwa orang dapat dengan mudah menyamarkan nama mereka dengan beberapa cara, misalnya: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Sidik jari peramban](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Kasus Terbaik:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Fungsionalitas Tambahan + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/id/encryption.md b/i18n/id/encryption.md new file mode 100644 index 00000000..ca8dffbf --- /dev/null +++ b/i18n/id/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Perangkat Lunak Enkripsi" +icon: material/file-lock +description: Enkripsi data adalah satu-satunya cara untuk mengendalikan siapa saja yang dapat mengaksesnya. These tools allow you to encrypt your emails and any other files. +--- + +Enkripsi data adalah satu-satunya cara untuk mengendalikan siapa saja yang dapat mengaksesnya. Jika saat ini Anda tidak menggunakan perangkat lunak enkripsi untuk perangkat penyimpanan, surel, atau berkas Anda, Anda seharusnya memilih opsi di sini. + +## Multi-platform + +Opsi yang tercantum di sini adalah multi-platform dan sangat bagus untuk membuat cadangan terenkripsi data Anda. + +### Cryptomator (Awan) + +!!! recommendation + + ![Logo Cryptomator](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** adalah solusi enkripsi yang dirancang untuk menyimpan berkas secara pribadi ke penyedia layanan awan mana pun. Ini memungkinkan Anda untuk membuat brankas yang disimpan di penyimpanan virtual, yang isinya dienkripsi dan disinkronkan dengan penyedia penyimpanan awan Anda. + + [:octicons-home-16: Laman Beranda](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Berkontribusi } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/id/file-sharing.md b/i18n/id/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/id/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/id/financial-services.md b/i18n/id/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/id/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/id/frontends.md b/i18n/id/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/id/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/id/index.md b/i18n/id/index.md new file mode 100644 index 00000000..7e56cab1 --- /dev/null +++ b/i18n/id/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.id.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Mengapa saya harus peduli? + +##### “Saya tidak memiliki apa-apa untuk disembunyikan. Mengapa saya harus peduli dengan privasi saya?” + +Sama seperti hak untuk menikah antar ras, hak pilih perempuan, kebebasan berbicara, dan banyak lainnya, hak kita untuk mendapatkan privasi tidak selalu ditegakkan. Dalam beberapa kediktatoran, masih belum. Generasi sebelum kita memperjuangkan untuk hak privasi kita. ==Privasi adalah hak asasi manusia, yang melekat pada kita semua,== yang berhak kita dapatkan (tanpa diskriminasi). + +Anda tidak harus bingung antara privasi dengan kerahasiaan. Kami tahu apa yang terjadi di kamar mandi, tapi Anda tetap menutup pintunya. Itu karena Anda menginginkan privasi, bukan kerahasiaan. **Setiap orang** memiliki sesuatu untuk dilindungi. Privasi adalah sesuatu yang membuat kita menjadi manusia. + +[:material-target-account: Ancaman Internet Umum](basics/common-threats.md ""){.md-button.md-button--primary} + +## Apa yang harus saya lakukan? + +##### Pertama, Anda perlu membuat rencana + +Mencoba untuk melindungi semua data Anda dari semua orang setiap saat tidaklah praktis, mahal, dan melelahkan. Tetapi jangan khawatir! Keamanan adalah sebuah proses, dan dengan berpikir ke depan, Anda dapat menyusun rencana yang tepat untuk Anda. Keamanan bukan hanya tentang alat yang Anda gunakan atau perangkat lunak yang Anda unduh. Sebaliknya, itu dimulai dengan memahami ancaman unik yang Anda hadapi, dan bagaimana Anda dapat memitigasinya. + +==Proses mengidentifikasi ancaman dan mendefinisikan tindakan penanggulangan disebut **pemodelan ancaman**==, dan ini menjadi dasar dari setiap rencana keamanan dan privasi yang baik. + +[:material-book-outline: Pelajari Lebih Lanjut Tentang Pemodelan Ancaman](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Kami membutuhkan Anda! Berikut adalah cara untuk terlibat: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Bergabung dengan Forum kami" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Ikuti kami di Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Berkontribusi ke situs web ini" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Bantu menerjemahkan situs web ini" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Obrol dengan kami di Matrix" } +[:material-information-outline:](about/index.md){ title="Pelajari lebih lanjut tentang kami" } +[:material-hand-coin-outline:](about/donate.md){ title="Dukung proyek ini" } + +Ini penting bagi situs web seperti Privacy Guides untuk selalu mendapatkan informasi yang terbaru. Kami membutuhkan audiens kami untuk mengawasi pembaruan perangkat lunak untuk aplikasi yang terdaftar di situs kami dan mengikuti berita terbaru tentang penyedia yang kami rekomendasikan. Memang sulit untuk mengimbangi kecepatan internet yang begitu cepat, tetapi kami berusaha sebaik mungkin. Jika Anda menemukan kesalahan, merasa bahwa sebuah penyedia tidak seharusnya terdaftar, melihat penyedia yang memenuhi syarat tidak ada, merasa plugin peramban tidak lagi menjadi pilihan terbaik, atau menemukan masalah lain, silakan beri tahu kami. diff --git a/i18n/id/kb-archive.md b/i18n/id/kb-archive.md new file mode 100644 index 00000000..0759938b --- /dev/null +++ b/i18n/id/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: Arsip Basis Pengetahuan +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Halaman Dipindahkan ke Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Pengerasan Konfigurasi Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Pengerasan Sistem](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Kotak Pasir Aplikasi](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Penghapusan Data Aman](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Mengintegrasikan Penghapusan Metadata](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Panduan Konfigurasi iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/id/meta/brand.md b/i18n/id/meta/brand.md new file mode 100644 index 00000000..7337a73e --- /dev/null +++ b/i18n/id/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Pedoman Merek +--- + +Nama situs web adalah **Privacy Guides** dan **tidak boleh** diubah menjadi: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +Nama subreddit adalah **r/PrivacyGuides** atau **Privacy Guides Subreddit**. + +Panduan merek tambahan dapat ditemukan di [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Merek dagang + +"Privacy Guides" dan logo perisai adalah merek dagang yang dimiliki oleh Jonah Aragon, penggunaan tidak terbatas diberikan kepada proyek Privacy Guides. + +Tanpa mengesampingkan hak-haknya, Privacy Guides tidak menyarankan orang lain tentang ruang lingkup hak kekayaan intelektualnya. Privacy Guides tidak mengizinkan atau menyetujui penggunaan merek dagangnya dengan cara apa pun yang dapat menyebabkan kebingungan dengan menyiratkan hubungan dengan atau sponsor oleh Privacy Guides. Jika Anda mengetahui adanya penggunaan semacam itu, silakan hubungi Jonah Aragon di jonah@privacyguides.org. Konsultasikan dengan penasihat hukum Anda jika Anda memiliki pertanyaan. diff --git a/i18n/id/meta/git-recommendations.md b/i18n/id/meta/git-recommendations.md new file mode 100644 index 00000000..d11ad0d4 --- /dev/null +++ b/i18n/id/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Rekomendasi Git +--- + +Jika Anda membuat perubahan pada situs web ini di editor web GitHub.com secara langsung, Anda tidak perlu khawatir tentang hal ini. Jika Anda mengembangkan secara lokal dan/atau merupakan editor situs web jangka panjang (yang mungkin harus mengembangkan secara lokal!), pertimbangkan rekomendasi ini. + +## Aktifkan Penandatanganan Komit dengan Kunci SSH + +Anda dapat menggunakan kunci SSH yang sudah ada untuk masuk, atau [membuat kunci baru](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Konfigurasikan klien Git Anda untuk menandatangani komit dan tag secara default (hapus `--global` untuk hanya menandatangani secara bawaan untuk repo ini): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Salin kunci publik SSH Anda ke papan klip, misalnya: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Atur kunci SSH Anda untuk masuk ke Git dengan perintah berikut, ganti string terakhir dalam tanda kutip dengan kunci publik di papan klip Anda: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Pastikan Anda [menambahkan kunci SSH Anda ke akun GitHub](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **Signing Key** (sebagai lawan atau tambahan dari Kunci Autentikasi). + +## Rebase pada tarikan Git + +Gunakan `git pull --rebase` alih-alih `git pull` saat menarik perubahan dari GitHub ke mesin lokal Anda. Dengan cara ini perubahan lokal Anda akan selalu "di atas" perubahan terbaru di GitHub, dan Anda menghindari komit gabungan (yang dilarang dalam repo ini). + +Anda dapat mengatur ini menjadi perilaku default: + +``` +git config --global pull.rebase true +``` + +## Rebase dari `utama` sebelum mengirimkan PR + +Jika Anda bekerja pada cabang Anda sendiri, jalankan perintah ini sebelum mengirimkan PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/id/meta/uploading-images.md b/i18n/id/meta/uploading-images.md new file mode 100644 index 00000000..5a84e3b2 --- /dev/null +++ b/i18n/id/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Mengunggah Gambar +--- + +Berikut ini adalah beberapa aturan umum untuk berkontribusi pada Privacy Guides: + +## Gambar + +- Kami **lebih suka** gambar SVG, tetapi jika tidak ada, kami dapat menggunakan gambar PNG + +Logo perusahaan memiliki ukuran kanvas: + +- 128x128px +- 384x128px + +## Optimasi + +### PNG + +Gunakan [OptiPNG](https://sourceforge.net/projects/optipng/) untuk mengoptimalkan gambar PNG: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +*[Scour](https://github.com/scour-project/scour)* semua gambar SVG. + +Dalam Inkscape: + +1. Simpan Berkas Sebagai.. +2. Atur jenis ke SVG yang Dioptimalkan (*.svg) + +Pada tab **Opsi**: + +- **Jumlah digit signifikan untuk koordinat** > **5** +- [x] Aktifkan **Persingkat nilai warna** +- [x] Aktifkan **Konversi atribut CSS ke atribut XML** +- [x] Aktifkan **Runtuhkan grup** +- [x] Aktifkan **Buat grup untuk atribut serupa** +- [ ] Matikan **Simpan data editor** +- [ ] Matikan **Simpan definisi yang tidak direferensikan** +- [x] Hidupkan **Bekerja di sekitar bug renderer** + +Pada tab **SVG Output** di bawah **Opsi dokumen**: + +- [ ] Matikan **Hapus deklarasi XML** +- [x] Aktifkan **Hapus metadata** +- [x] Aktifkan **Hapus komentar** +- [x] Aktifkan **Gambar raster yang disematkan** +- [x] Aktifkan **Aktifkan viewboxing** + +Pada tab **SVG Output** di bawah **Opsi dokumen**: + +- [ ] Matikan **Format keluaran dengan pemisah baris dan indentasi** +- **Intentasi karakter** > Pilih **Spasi** +- **Kedalaman indentasi** > **1** +- [ ] Matikan **Hapus atribut "xml:space" dari elemen SVG akar** + +Pada tab **IDs**: + +- [x] Aktifkan **Hapus ID yang tidak digunakan** +- [] Nonaktifkan **Persingkat ID** +- **Awalan ID singkat dengan** > `biarkan kosong` +- [x] Nyalakan **Simpan ID yang dibuat secara manual yang tidak diakhiri dengan angka** +- **Awalan ID singkat dengan** > `biarkan kosong` +- **Simpan ID yang dimulai dengan** > `biarkan kosong` + +#### CLI + +Hal yang sama dapat dicapai dengan perintah [Scour](https://github.com/scour-project/scour): + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/id/meta/writing-style.md b/i18n/id/meta/writing-style.md new file mode 100644 index 00000000..4e68d568 --- /dev/null +++ b/i18n/id/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Gaya Penulisan +--- + +Privacy Guides ditulis dalam bahasa Inggris Amerika, dan Anda harus merujuk ke [pedoman Gaya APA](https://apastyle.apa.org/style-grammar-guidelines/grammar) jika ragu. + +Secara umum, [pedoman bahasa sederhana federal Amerika Serikat](https://www.plainlanguage.gov/guidelines/) memberikan gambaran umum yang baik tentang cara menulis dengan jelas dan ringkas. Kami menyoroti beberapa catatan penting dari panduan ini di bawah ini. + +## Menulis untuk audiens kami + +[Audiens](https://www.plainlanguage.gov/guidelines/audience/) yang dituju oleh Privacy Guides terutama adalah orang dewasa yang menggunakan teknologi. Jangan membuat konten yang bodoh seolah-olah Anda sedang berbicara kepada kelas sekolah menengah, tetapi jangan terlalu sering menggunakan terminologi yang rumit tentang konsep yang tidak dipahami oleh pengguna komputer pada umumnya. + +### Sampaikan hanya apa yang ingin diketahui oleh orang lain + +Orang tidak membutuhkan artikel yang terlalu rumit dengan sedikit relevansi bagi mereka. Cari tahu apa yang Anda ingin orang capai saat menulis artikel, dan hanya sertakan detail itu. + +> Beri tahu audiens Anda mengapa materi itu penting bagi mereka. Katakanlah, "Jika Anda menginginkan hibah penelitian, inilah yang harus Anda lakukan." Atau, "Jika Anda ingin menambang batu bara federal, inilah yang harus Anda ketahui." Atau, "Jika Anda merencanakan perjalanan ke Rwanda, bacalah ini terlebih dahulu." + +### Tujukan orang secara langsung + +Kami menulis *untuk* berbagai macam orang, tetapi kami menulis *untuk* orang yang benar-benar membacanya. Gunakan "Anda" untuk menyapa pembaca secara langsung. + +> Lebih dari teknik tunggal lainnya, penggunaan kata "Anda" menarik pengguna ke dalam informasi dan membuatnya relevan bagi mereka. +> +> Ketika Anda menggunakan kata "Anda" untuk menyapa pengguna, mereka akan lebih mudah memahami apa yang menjadi tanggung jawab mereka. + +Sumber: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Hindari "pengguna" + +Hindari menyebut orang sebagai "pengguna", lebih baik gunakan "orang", atau deskripsi yang lebih spesifik tentang kelompok orang yang Anda tulis. + +## Mengatur konten + +Organisasi adalah kuncinya. Konten harus mengalir dari informasi yang paling penting hingga yang paling tidak penting, dan gunakan tajuk sebanyak yang diperlukan untuk memisahkan ide-ide yang berbeda secara logis. + +- Batasi dokumen menjadi sekitar lima atau enam bagian. Dokumen panjang mungkin harus dipecah menjadi halaman terpisah. +- Tandai ide-ide penting dengan **cetak tebal** atau *cetak miring*. + +Sumber: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Mulailah dengan kalimat topik + +> Jika Anda memberi tahu pembaca apa yang akan mereka baca, kemungkinan besar mereka tidak perlu membaca paragraf Anda lagi. Judul memang membantu, tetapi tidak cukup. Tetapkan konteks untuk audiens Anda sebelum Anda memberi mereka detailnya. +> +> Kita sering menulis sesuai dengan cara kita berpikir, dengan mengutamakan premis-premis kita terlebih dahulu, baru kemudian kesimpulan. Ini mungkin cara alami untuk mengembangkan pikiran, tetapi kita berakhir dengan kalimat topik di akhir paragraf. Pindahkan ke depan dan beri tahu pengguna ke mana tujuan Anda. Jangan membuat pembaca menyimpan banyak informasi di kepala mereka sebelum sampai ke intinya. + +Sumber: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Pilih kata-kata Anda dengan hati-hati + +> Kata-kata itu penting. Mereka adalah blok bangunan paling dasar dari komunikasi tertulis dan lisan. Jangan mempersulit dengan menggunakan jargon, istilah teknis, atau singkatan yang tidak dimengerti orang. + +Kita harus mencoba menghindari singkatan jika memungkinkan, tetapi teknologi penuh dengan singkatan. Secara umum, menguraikan singkatan/akronim pertama kali digunakan pada halaman, dan menambahkan singkatan ke file glosarium singkatan ketika digunakan berulang kali. + +> Kathy McGinty memberikan petunjuk yang mudah dipahami untuk meningkatkan kalimat-kalimat Anda yang sederhana dan langsung: +> +> > Tidak dapat dipungkiri bahwa sangat penting untuk dicatat bahwa sejumlah penelitian yang berlaku secara ipso facto secara umum telah mengidentifikasi fakta bahwa tambahan pekerjaan malam hari yang sesuai biasanya dapat mencegah remaja dari jalan raya pada jam-jam malam, termasuk namun tidak terbatas pada waktu sebelum tengah malam pada akhir pekan dan/atau jam 2 pagi pada akhir pekan. +> +> Dan yang asli, menggunakan kata-kata yang lebih kuat dan lebih sederhana: +> +> > Lebih banyak pekerjaan malam akan menjauhkan anak muda dari jalanan. + +## Tulis secara ringkas + +> Kata-kata yang tidak perlu akan membuang waktu audiens Anda. Tulisan yang bagus itu seperti sebuah percakapan. Hilangkan informasi yang tidak perlu diketahui oleh audiens. Hal ini bisa menjadi sulit sebagai seorang ahli materi, jadi penting untuk memiliki seseorang yang melihat informasi dari sudut pandang audiens. + +Sumber: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Buat teks seperti percakapan + +> Kata kerja adalah bahan bakar untuk menulis. Mereka memberikan kekuatan dan arah pada kalimat Anda. Mereka menghidupkan tulisan Anda dan membuatnya lebih menarik. +> +> Kata kerja memberi tahu audiens Anda apa yang harus dilakukan. Pastikan jelas siapa yang melakukan apa. + +### Gunakan suara aktif + +> Suara aktif memperjelas siapa yang seharusnya melakukan apa. Hal ini menghilangkan ambiguitas tentang tanggung jawab. Bukan "Ini harus dilakukan," tetapi "Anda harus melakukannya." + +Sumber: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Gunakan "harus" untuk persyaratan + +> - "harus" untuk suatu kewajiban +> - "tidak boleh" untuk sebuah larangan +> - "dapat" untuk tindakan diskresioner +> - "seharusnya" untuk sebuah rekomendasi diff --git a/i18n/id/mobile-browsers.md b/i18n/id/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/id/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/id/multi-factor-authentication.md b/i18n/id/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/id/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/id/news-aggregators.md b/i18n/id/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/id/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/id/notebooks.md b/i18n/id/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/id/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/id/os/android-overview.md b/i18n/id/os/android-overview.md new file mode 100644 index 00000000..c029c0a5 --- /dev/null +++ b/i18n/id/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android adalah sistem operasi sumber terbuka dengan perlindungan keamanan yang kuat, yang menjadikannya pilihan utama kami untuk ponsel. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Memilih Distribusi Android + +Ketika Anda membeli ponsel Android, sistem operasi bawaan perangkat sering kali dilengkapi dengan integrasi invasif dengan aplikasi dan layanan yang bukan merupakan bagian dari [Android Open-Source Project](https://source.android.com/). Contohnya adalah Layanan Google Play, yang memiliki hak istimewa yang tidak dapat dibatalkan untuk mengakses file, penyimpanan kontak, log panggilan, pesan SMS, lokasi, kamera, mikrofon, pengidentifikasi perangkat keras, dan sebagainya. Aplikasi dan layanan ini meningkatkan permukaan serangan pada perangkat Anda dan merupakan sumber dari berbagai masalah privasi pada Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Idealnya, ketika memilih distribusi Android kustom, Anda harus memastikan bahwa distribusi tersebut menjunjung tinggi model keamanan Android. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). Semua distribusi Android yang kami rekomendasikan memenuhi kriteria ini. + +[Rekomendasi Sistem Android kami :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Hal ini dapat mengurangi privasi jika ada eksploitasi yang dibantu oleh penurunan keamanan. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. Mereka juga bukan cara yang tepat untuk menyelesaikan tujuan yang dimaksudkan. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Pembaruan Firmware + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEM memiliki perjanjian dukungan dengan mitra mereka untuk menyediakan komponen sumber tertutup untuk periode dukungan terbatas. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Oleh karena itu, penting bagi Anda untuk membeli perangkat dalam siklus dukungan yang aktif. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) dan [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) mendukung perangkat mereka selama 4 tahun, sementara produk yang lebih murah sering kali memiliki siklus dukungan yang lebih pendek. Dengan diperkenalkannya [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google kini membuat SoC sendiri dan mereka akan memberikan dukungan minimal 5 tahun. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. Ini berarti bahwa masalah keamanan pada perangkat tersebut akan tetap tidak diperbaiki. + +Fairphone, misalnya, memasarkan perangkat mereka dengan dukungan selama 6 tahun. Namun, SoC (Qualcomm Snapdragon 750G pada Fairphone 4) memiliki tanggal EOL yang jauh lebih pendek. Ini berarti bahwa pembaruan keamanan firmware dari Qualcomm untuk Fairphone 4 akan berakhir pada bulan September 2023, terlepas dari apakah Fairphone terus merilis pembaruan keamanan perangkat lunak. + +## Versi Android + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Versi Android yang lebih baru tidak hanya menerima pembaruan keamanan untuk sistem operasi, tetapi juga pembaruan penting untuk meningkatkan privasi. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Izin Android + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. Lebih baik tidak membayar perangkat lunak antivirus dan menghemat uang untuk membeli smartphone baru seperti Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! peringatan + + Jika sebuah aplikasi sebagian besar merupakan layanan berbasis web, pelacakan dapat terjadi di sisi server. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) menunjukkan "tidak ada pelacak" tetapi tentu saja melacak minat dan perilaku pengguna di seluruh situs. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! catatan + + Aplikasi ramah privasi seperti [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) dapat menampilkan beberapa pelacak seperti [Google Firebase Analytics] (https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. Ini [adalah kasus] (https://fosstodon.org/@bitwarden/109636825700482007) dengan Bitwarden. Itu tidak berarti bahwa Bitwarden menggunakan semua fitur analisis yang disediakan oleh Google Firebase Analytics. + +## Akses Media + +Cukup banyak aplikasi yang memungkinkan Anda untuk "berbagi" file dengan mereka untuk mengunggah media. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## Profil Pengguna + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Program Perlindungan Lanjutan + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### ID Iklan + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/id/os/linux-overview.md b/i18n/id/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/id/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/id/os/qubes-overview.md b/i18n/id/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/id/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/id/passwords.md b/i18n/id/passwords.md new file mode 100644 index 00000000..8cb4817a --- /dev/null +++ b/i18n/id/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Pengelola Kata Sandi + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Pengelola Kata Sandi + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Pengelola Kata Sandi + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Pengelola Kata Sandi + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Pengelola Kata Sandi + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Pengelola Kata Sandi + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Pengelola Kata Sandi + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/id/productivity.md b/i18n/id/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/id/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/id/real-time-communication.md b/i18n/id/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/id/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/id/router.md b/i18n/id/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/id/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/id/search-engines.md b/i18n/id/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/id/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/id/tools.md b/i18n/id/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/id/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/id/tor.md b/i18n/id/tor.md new file mode 100644 index 00000000..251533ae --- /dev/null +++ b/i18n/id/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Logo Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +Jaringan **Tor** adalah sekelompok server yang dioperasikan secara sukarela yang memungkinkan Anda terhubung secara gratis dan meningkatkan privasi dan keamanan Anda di Internet. Individu dan organisasi juga dapat berbagi informasi melalui jaringan Tor dengan "layanan tersembunyi .onion" tanpa mengorbankan privasi mereka. Karena lalu lintas Tor sulit diblokir dan dilacak, Tor merupakan alat pengelabuan sensor yang efektif. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title="Laman Beranda" } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Layanan Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Dokumentasi} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Kode Sumber" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Berkontribusi } + +Tor bekerja dengan merutekan lalu lintas internet Anda melalui server yang dioperasikan secara sukarela, daripada membuat koneksi langsung ke situs yang Anda coba kunjungi. Hal ini mengaburkan dari mana lalu lintas berasal, dan tidak ada server di jalur koneksi yang dapat melihat jalur penuh dari mana lalu lintas berasal dan pergi, yang berarti bahkan server yang Anda gunakan untuk terhubung tidak dapat merusak anonimitas Anda. + +[Ikhtisar Tor Terperinci :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Menghubungkan ke Tor + +Ada berbagai cara untuk terhubung ke jaringan Tor dari perangkat Anda, yang paling umum digunakan adalah **Tor Browser**, sebuah fork dari Firefox yang dirancang untuk penjelajahan anonim untuk komputer desktop dan Android. Selain aplikasi yang tercantum di bawah ini, ada juga sistem operasi yang dirancang khusus untuk terhubung ke jaringan Tor seperti [Whonix](desktop.md#whonix) di [Qubes OS](desktop.md#qubes-os), yang menyediakan keamanan dan perlindungan yang lebih besar daripada Tor Browser standar. + +### Tor Browser + +!!! recommendation + + ![Logo Tor Browser](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** adalah pilihan jika Anda membutuhkan anonimitas, dengan menyediakan akses ke jaringan dan jembatan Tor, dan termasuk pengaturan dan ekstensi bawaan yang secara otomatis dikonfigurasikan oleh tingkat keamanan bawaan: *Standar*, *Lebih Aman* dan *Paling Aman*. + + [:octicons-home-16: Beranda](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Layanan Onion" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Dokumentasi } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Berkontribusi } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + Anda sebaiknya **jangan pernah** memasang ekstensi tambahan apa pun pada Tor Browser atau menyunting pengaturan `about:config`, termasuk yang kami sarankan untuk Firefox. Ekstensi browser dan pengaturan nonstandar membuat Anda menonjol dari orang lain di jaringan Tor, sehingga membuat peramban Anda lebih mudah untuk [disidik jari](https://support.torproject.org/glossary/browser-fingerprinting). + +Tor Browser dirancang untuk mencegah sidik jari, atau mengidentifikasi Anda berdasarkan konfigurasi peramban Anda. Oleh karena itu, sangat penting bagi Anda untuk tidak **tidak** memodifikasi peramban di luar [tingkat keamanan](https://tb-manual.torproject.org/security-settings/) bawaan. + +### Orbot + +!!! recommendation + + ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** adalah VPN Tor gratis untuk ponsel pintar yang merutekan lalu lintas dari aplikasi apa pun pada perangkat Anda melalui jaringan Tor. + + [:octicons-home-16: Beranda](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Berkontribusi } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips untuk Android" + + Orbot dapat memproksi aplikasi individual jika aplikasi tersebut mendukung proksi SOCKS atau HTTP. Ini juga dapat memproksi semua koneksi jaringan Anda menggunakan [VpnService](https://developer.android.com/reference/android/net/VpnService) dan dapat digunakan dengan killswitch VPN di :gear: **Pengaturan** → **Jaringan & internet** → **VPN** → :gear: → **Blokir koneksi tanpa VPN**. + + Orbot sering kali ketinggalan versi di [repositori F-Droid] (https://guardianproject.info/fdroid) dan [Google Play] (https://play.google.com/store/apps/details?id=org.torproject.android) milik Guardian Project, jadi pertimbangkan untuk mengunduh langsung dari [repositori GitHub] (https://github.com/guardianproject/orbot/releases). + + Semua versi ditandatangani menggunakan tanda tangan yang sama sehingga seharusnya kompatibel satu sama lain. + +## Relai dan Jembatan + +### Snowflake + +!!! recommendation + + ![Logo Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Logo Snowflake](assets/img/browsers/snowflake-gelap.svg#only-dark){ align=right } + + **Snowflake** memungkinkan Anda untuk menyumbangkan bandwidth ke Proyek Tor dengan mengoperasikan "proksi Snowflake" di dalam peramban Anda. + + Orang-orang yang disensor bisa menggunakan proksi Snowflake untuk menyambung ke jaringan Tor. Snowflake adalah cara yang bagus untuk berkontribusi pada jaringan bahkan jika Anda tidak memiliki pengetahuan teknis untuk menjalankan relai atau jembatan Tor. + + [:octicons-home-16: Beranda](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Kode Sumber" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Berkontribusi } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Tinggalkan laman ini terbuka untuk menjadi proksi Snowflake") + +??? tip "Snowflake Tertanam" + + Anda dapat mengaktifkan Snowflake di browser Anda dengan mengeklik tombol di bawah ini dan ==membiarkan halaman ini terbuka==. Anda juga bisa memasang Snowflake sebagai ekstensi peramban agar selalu berjalan ketika peramban Anda terbuka, namun menambahkan ekstensi pihak ketiga bisa meningkatkan permukaan serangan. + +
+ Jika sematan tidak muncul untuk Anda, pastikan Anda tidak memblokir bingkai pihak ketiga dari `torproject.org`. Atau, kunjungi [halaman ini](https://snowflake.torproject.org/embed.html). + +Snowflake tidak meningkatkan privasi Anda dengan cara apa pun, dan tidak juga tidak digunakan untuk terhubung ke jaringan Tor dalam peramban pribadi Anda. Namun, jika koneksi internet Anda tidak disensor, Anda sebaiknya mempertimbangkan untuk menjalankannya untuk membantu orang-orang di jaringan yang disensor mencapai privasi yang lebih baik. Tidak perlu khawatir tentang situs web mana yang diakses orang melalui proksi Anda—alamat IP penjelajahan mereka yang terlihat akan cocok dengan node keluar Tor mereka, bukan milik Anda. + +Menjalankan proxy Snowflake berisiko rendah, bahkan lebih rendah daripada menjalankan Tor relay atau bridge yang sudah tidak terlalu berisiko. Namun, itu masih memproksi lalu lintas melalui jaringan Anda yang dapat berdampak pada beberapa hal, terutama jika jaringan Anda memiliki bandwidth terbatas. Pastikan Anda memahami [cara kerja Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) sebelum memutuskan apakah akan menjalankan proksi. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/id/video-streaming.md b/i18n/id/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/id/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/id/vpn.md b/i18n/id/vpn.md new file mode 100644 index 00000000..b75d19c8 --- /dev/null +++ b/i18n/id/vpn.md @@ -0,0 +1,327 @@ +--- +title: "Layanan VPN" +icon: material/vpn +description: Ini adalah layanan VPN terbaik untuk melindungi privasi dan keamanan daring Anda. Temukan penyedia di sini yang tidak memata-matai Anda. +--- + +Jika Anda mencari **privasi tambahan** dari ISP Anda, pada jaringan Wi-Fi publik, atau saat melakukan torrent file, VPN bisa jadi solusi untuk Anda selama Anda memahami risiko yang ada. Menurut kami, penyedia layanan ini adalah yang terbaik di antara yang lain: + +
+ +- ![Logo IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Logo Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Logo Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPN tidak menyediakan anonimitas" + + Menggunakan VPN **tidak** akan menjaga kebiasaan jelajah Anda tetap anonim, dan juga tidak akan menambah keamanan tambahan pada lalu lintas yang tidak aman (HTTP). + + Jika Anda membutuhkan **anonimitas**, Anda sebaiknya menggunakan Tor Browser **daripada** menggunakan VPN. + + Jika Anda membutuhkan **keamanan** tambahan, Anda harus selalu memastikan bahwa Anda terhubung ke situs web menggunakan HTTPS. VPN bukanlah pengganti praktik keamanan yang baik. + + [Unduh Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos Tor & Soal Sering Ditanya](advanced/tor-overview.md){ .md-button } + +[Ikhtisar VPN Terperinci :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Penyedia yang Direkomendasikan + +Penyedia yang kami rekomendasikan menggunakan enkripsi, menerima Monero, mendukung WireGuard & OpenVPN, dan memiliki kebijakan tanpa pencatatan. Baca [daftar lengkap kriteria kami](#criteria) untuk informasi lebih lanjut. + +### IVPN + +!!! recommendation + + ![Logo IVPN](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** adalah penyedia VPN premium, dan mereka telah beroperasi sejak 2009. IVPN berbasis di Gibraltar. + + [:octicons-home-16: Laman Beranda](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Kode Sumber" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Negara + +IVPN memiliki server [di 35 negara](https://www.ivpn.net/server-locations).(1) Memilih penyedia VPN dengan server terdekat dengan Anda akan mengurangi latensi lalu lintas jaringan yang Anda kirim. Ini karena rute yang lebih pendek (lebih sedikit loncatan) ke tempat tujuan. +{ .annotate } + +1. Terakhir diperiksa: 2022-09-16 + +Kami juga berpikir akan lebih baik untuk keamanan kunci pribadi penyedia VPN jika mereka menggunakan [server khusus](https://en.wikipedia.org/wiki/Dedicated_hosting_service), daripada solusi berbagi pakai yang lebih murah (dengan pelanggan lain) seperti [peladen pribadi virtual](https://id.wikipedia.org/wiki/Peladen_pribadi_virtual). + +#### :material-check:{ .pg-green } Diaudit Secara Independen + +IVPN telah menjalani [audit tanpa pencatatan dari Cure53](https://cure53.de/audit-report_ivpn.pdf) yang menyimpulkan bahwa klaim tanpa pencatatan dari IVPN disetujui. IVPN juga telah menyelesaikan [laporan pentest komprehensif Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) pada Januari 2020. IVPN juga mengatakan bahwa mereka berencana untuk memiliki [laporan tahunan](https://www.ivpn.net/blog/independent-security-audit-concluded) di masa depan. Tinjauan lebih lanjut dilakukan [pada bulan April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) dan diproduksi oleh Cure53 [di situs web mereka](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Klien Sumber Terbuka + +Pada Februari 2020 [aplikasi IVPN sekarang menjadi sumber terbuka](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Kode sumber dapat diperoleh dari [organisasi GitHub](https://github.com/ivpn) mereka. + +#### :material-check:{ .pg-green } Menerima Uang Tunai dan Monero + +Selain menerima kartu kredit/debit dan PayPal, IVPN menerima Bitcoin, **Monero** dan **uang tunai/mata uang lokal** (pada paket tahunan) sebagai bentuk pembayaran anonim. + +#### :material-check:{ .pg-green } Dukungan WireGuard + +IVPN mendukung protokol WireGuard®. [WireGuard](https://www.wireguard.com) adalah protokol yang lebih baru yang menggunakan kriptografi [yang canggih](https://www.wireguard.com/protocol/). Selain itu, WireGuard bertujuan untuk menjadi lebih sederhana dan lebih berkinerja. + +IVPN [merekomendasikan](https://www.ivpn.net/wireguard/) penggunaan WireGuard dengan layanan mereka dan, dengan demikian, protokol ini merupakan standar pada semua aplikasi IVPN. IVPN juga menawarkan generator konfigurasi WireGuard untuk digunakan dengan [aplikasi resmi](https://www.wireguard.com/install/) WireGuard. + +#### :material-check:{ .pg-green } Penerusan Porta Jarak Jauh + +[Penerusan porta jarak jauh](https://en.wikipedia.org/wiki/Port_forwarding) dimungkinkan dengan paket Pro. Port forwarding [dapat diaktifkan](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) melalui area klien. Penerusan porta jarak kauh hanya tersedia di IVPN ketika menggunakan protokol WireGuard atau OpenVPN dan [dinonaktifkan di server AS](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Klien Ponsel + +Selain menyediakan berkas konfigurasi OpenVPN standar, IVPN memiliki klien ponsel untuk [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), dan [GitHub](https://github.com/ivpn/android-app/releases) yang memungkinkan koneksi yang mudah ke server mereka. + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +Klien IVPN mendukung autentikasi dua faktor (klien Mullvad tidak). IVPN juga menyediakan fungsionalitas "[AntiTracker](https://www.ivpn.net/antitracker)", yang memblokir jaringan iklan dan pelacak dari tingkat jaringan. + +### Mullvad + +!!! recommendation + + ![Logo Mullvad](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** adalah VPN yang cepat dan murah dengan fokus serius pada transparansi dan keamanan. Mereka telah beroperasi sejak **2009**. Mullvad berbasis di Swedia dan tidak memiliki uji coba gratis. + + [:octicons-home-16: Laman Beranda](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Layanan Onion" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Kode Sumber" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Negara + +Mullvad memiliki server [di 41 negara](https://mullvad.net/servers/).(1) Memilih penyedia VPN dengan server terdekat dengan Anda akan mengurangi latensi lalu lintas jaringan yang Anda kirim. Ini karena rute yang lebih pendek (lebih sedikit loncatan) ke tempat tujuan. +{ .annotate } + +1. Terakhir diperiksa: 2023-01-19 + +Kami juga berpikir akan lebih baik untuk keamanan kunci pribadi penyedia VPN jika mereka menggunakan [server khusus](https://en.wikipedia.org/wiki/Dedicated_hosting_service), daripada solusi berbagi pakai yang lebih murah (dengan pelanggan lain) seperti [peladen pribadi virtual](https://id.wikipedia.org/wiki/Peladen_pribadi_virtual). + +#### :material-check:{ .pg-green } Diaudit Secara Independen + +Klien VPN Mullvad telah diaudit oleh Cure53 dan Assured AB dalam laporan pentest [yang diterbitkan di cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). Para peneliti keamanan menyimpulkan: + +> Cure53 dan Assured AB senang dengan hasil audit dan perangkat lunak ini meninggalkan kesan positif secara keseluruhan. Dengan dedikasi keamanan dari tim internal di kompleks VPN Mullvad, para penguji tidak meragukan proyek ini berada di jalur yang benar dari sudut pandang keamanan. + +Pada tahun 2020, audit kedua [diumumkan](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) dan laporan audit akhir [](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) tersedia di situs web Cure53: + +> Hasil dari proyek Mei-Juni 2020 yang menargetkan kompleks Mullvad ini cukup positif. [...] Keseluruhan ekosistem aplikasi yang digunakan oleh Mullvad meninggalkan kesan yang baik dan terstruktur. Struktur keseluruhan aplikasi memudahkan untuk meluncurkan patch dan perbaikan secara terstruktur. Lebih dari segalanya, temuan yang ditemukan oleh Cure53 menunjukkan pentingnya untuk terus mengaudit dan menilai ulang vektor kebocoran saat ini, untuk selalu memastikan privasi pengguna akhir. Dengan demikian, Mullvad melakukan pekerjaan yang sangat baik dalam melindungi pengguna akhir dari kebocoran PII yang umum terjadi dan risiko terkait privasi. + +Pada tahun 2021, audit kedua [diumumkan](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) dan laporan audit akhir [](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) tersedia di situs web Cure53. Laporan lain ditugaskan [pada bulan Juni 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) dan tersedia di situs web [Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Klien Sumber Terbuka + +Mullvad menyediakan kode sumber untuk klien desktop dan seluler mereka di [organisasi GitHub](https://github.com/mullvad/mullvadvpn-app) mereka. + +#### :material-check:{ .pg-green } Menerima Uang Tunai dan Monero + +Mullvad, selain menerima kartu kredit/debit dan PayPal, juga menerima Bitcoin, Bitcoin Cash, **Monero** dan **uang tunai/mata uang lokal** sebagai bentuk pembayaran anonim. Mereka juga menerima transfer Swish dan transfer bank. + +#### :material-check:{ .pg-green } Dukungan WireGuard + +Mullvad mendukung protokol WireGuard®. [WireGuard](https://www.wireguard.com) adalah protokol yang lebih baru yang menggunakan kriptografi [yang canggih](https://www.wireguard.com/protocol/). Selain itu, WireGuard bertujuan untuk menjadi lebih sederhana dan lebih berkinerja. + +Mullvad [merekomendasikan](https://mullvad.net/en/help/why-wireguard/) penggunaan WireGuard dengan layanan mereka. Ini adalah protokol default atau satu-satunya protokol pada aplikasi Mullvad di Android, iOS, macOS, dan Linux, tetapi pada Windows Anda harus [secara manual mengaktifkan](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad juga menawarkan generator konfigurasi WireGuard untuk digunakan dengan [aplikasi resmi](https://www.wireguard.com/install/) WireGuard. + +#### :material-check:{ .pg-green } Dukungan IPv6 + +Mullvad mendukung masa depan jaringan [IPv6](https://id.wikipedia.org/wiki/IPv6). Jaringan mereka memungkinkan Anda untuk [mengakses layanan yang dihosting pada IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) dibandingkan dengan penyedia lain yang memblokir koneksi IPv6. + +#### :material-check:{ .pg-green } Penerusan Porta Jarak Jauh + +[Penerusan porta jarak jauh](https://en.wikipedia.org/wiki/Port_forwarding) diperbolehkan untuk orang yang melakukan pembayaran satu kali, tetapi tidak diperbolehkan untuk akun dengan metode pembayaran berulang/berlangganan. Hal ini untuk mencegah Mullvad mengidentifikasi Anda berdasarkan penggunaan porta dan informasi langganan yang tersimpan. Lihat [Penerusan porta dengan Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) untuk informasi lebih lanjut. + +#### :material-check:{ .pg-green } Klien Ponsel + +Mullvad telah menerbitkan klien [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) dan [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), keduanya mendukung antarmuka yang mudah digunakan dan tidak mengharuskan Anda untuk mengkonfigurasi koneksi WireGuard secara manual. Klien Android juga tersedia di [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +Mullvad sangat transparan tentang node mana yang mereka [miliki atau sewa](https://mullvad.net/en/servers/). Mereka menggunakan [ShadowSocks](https://shadowsocks.org/) dalam konfigurasi ShadowSocks + OpenVPN mereka, membuat mereka lebih tahan terhadap tembok api dengan [Inspeksi Paket Dalam](https://en.wikipedia.org/wiki/Deep_packet_inspection) yang mencoba memblokir VPN. Seharusnya, [Cina harus menggunakan metode yang berbeda untuk memblokir server ShadowSocks](https://github.com/net4people/bbs/issues/22). Situs web Mullvad juga dapat diakses melalui Tor di [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Logo Proton VPN](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** adalah pesaing kuat dalam bidang VPN, dan mereka telah beroperasi sejak 2016. Proton AG berbasis di Swiss dan menawarkan tingkat gratis terbatas, serta opsi premium yang lebih berfitur. + + [:octicons-home-16: Laman Beranda](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Kebijakan Privasi" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Dokumentasi} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Kode Sumber" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Negara + +Proton VPN memiliki server [di 67 negara](https://protonvpn.com/vpn-servers).(1) Memilih penyedia VPN dengan server terdekat dengan Anda akan mengurangi latensi lalu lintas jaringan yang Anda kirim. Ini karena rute yang lebih pendek (lebih sedikit loncatan) ke tempat tujuan. +{ .annotate } + +1. Terakhir diperiksa: 2022-09-16 + +Kami juga berpikir akan lebih baik untuk keamanan kunci pribadi penyedia VPN jika mereka menggunakan [server khusus](https://en.wikipedia.org/wiki/Dedicated_hosting_service), daripada solusi berbagi pakai yang lebih murah (dengan pelanggan lain) seperti [peladen pribadi virtual](https://id.wikipedia.org/wiki/Peladen_pribadi_virtual). + +#### :material-check:{ .pg-green } Diaudit Secara Independen + +Pada Januari 2020, Proton VPN telah menjalani audit independen oleh SEC Consult. SEC Consult menemukan beberapa kerentanan berisiko sedang dan rendah di aplikasi Proton VPN di Windows, Android, dan iOS, yang semuanya telah "diperbaiki dengan benar" oleh Proton VPN sebelum laporan diterbitkan. Tidak satu pun dari masalah yang diidentifikasi akan memberikan penyerang akses jarak jauh ke perangkat atau lalu lintas Anda. Anda dapat melihat laporan individual untuk setiap platform di [protonvpn.com](https://protonvpn.com/blog/open-source/). Pada bulan April 2022, Proton VPN menjalani [audit lagi](https://protonvpn.com/blog/no-logs-audit/) dan laporannya [dibuat oleh Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). [Surat pengesahan ](https://proton.me/blog/security-audit-all-proton-apps) diberikan untuk aplikasi Proton VPN pada tanggal 9 November 2021 oleh [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Klien Sumber Terbuka + +Proton VPN menyediakan kode sumber untuk klien desktop dan seluler mereka di [organisasi GitHub](https://github.com/ProtonVPN) mereka. + +#### :material-check:{ .pg-green } Menerima Uang Tunai + +Proton VPN, selain menerima kartu kredit/debit, PayPal, dan [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), juga menerima **uang tunai/mata uang lokal** sebagai bentuk pembayaran anonim. + +#### :material-check:{ .pg-green } Dukungan WireGuard + +Proton VPN sebagian besar mendukung protokol WireGuard®. [WireGuard](https://www.wireguard.com) adalah protokol yang lebih baru yang menggunakan kriptografi [yang canggih](https://www.wireguard.com/protocol/). Selain itu, WireGuard bertujuan untuk menjadi lebih sederhana dan lebih berkinerja. + +Proton VPN [merekomendasikan](https://protonvpn.com/blog/wireguard/) penggunaan WireGuard dengan layanan mereka. Pada aplikasi Proton VPN di Windows, macOS, iOS, Android, Android, ChromeOS, dan Android TV, WireGuard merupakan protokol bawaan; namun, [dukungan](https://protonvpn.com/support/how-to-change-vpn-protocols/) untuk protokol ini tidak ada pada aplikasi Linux mereka. + +#### :material-alert-outline:{ .pg-orange } Penerusan Porta Jarak Jauh + +Proton VPN saat ini hanya mendukung penerusan porta [jarak jauh](https://protonvpn.com/support/port-forwarding/) di Windows, yang mungkin berdampak pada beberapa aplikasi. Terutama aplikasi peer-to-peer seperti klien Torrent. + +#### :material-check:{ .pg-green } Klien Ponsel + +Selain menyediakan file konfigurasi OpenVPN standar, Proton VPN memiliki klien seluler untuk [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), dan [GitHub](https://github.com/ProtonVPN/android-app/releases) yang memungkinkan koneksi yang mudah ke server mereka. + +#### :material-information-outline:{ .pg-blue } Fungsionalitas Tambahan + +Klien Proton VPN mendukung autentikasi dua faktor di semua platform kecuali Linux saat ini. Proton VPN memiliki server dan pusat data mereka sendiri di Swiss, Islandia, dan Swedia. Mereka menawarkan pemblokiran iklan dan pemblokiran domain malware yang dikenal dengan layanan DNS mereka. Selain itu, Proton VPN juga menawarkan server "Tor" yang memungkinkan Anda untuk dengan mudah terhubung ke situs-situs onion, tetapi kami masih sangat menyarankan untuk menggunakan [Tor Browser resmi](https://www.torproject.org/) untuk tujuan ini. + +#### :material-alert-outline:{ .pg-orange } Fitur killswitch rusak pada Mac berbasis Intel + +Kerusakan sistem [dapat terjadi](https://protonvpn.com/support/macos-t2-chip-kill-switch/) pada Mac berbasis Intel saat menggunakan killswitch VPN. Jika Anda memerlukan fitur ini, dan Anda menggunakan Mac dengan chipset Intel, Anda sebaiknya mempertimbangkan untuk menggunakan layanan VPN lain. + +## Kriteria + +!!! danger + + Penting untuk dicatat bahwa menggunakan penyedia VPN tidak akan membuat Anda menjadi anonim, tetapi akan memberi Anda privasi yang lebih baik dalam situasi tertentu. VPN bukanlah alat untuk aktivitas ilegal. Jangan bergantung pada kebijakan "tanpa pencatatan". + +**Harap diperhatikan bahwa kami tidak berafiliasi dengan penyedia yang kami rekomendasikan. Hal ini memungkinkan kami untuk memberikan rekomendasi yang sepenuhnya objektif.** Selain [kriteria standar kami](about/criteria.md), kami telah mengembangkan serangkaian persyaratan yang jelas untuk setiap penyedia VPN yang ingin direkomendasikan, termasuk enkripsi yang kuat, audit keamanan independen, teknologi modern, dan banyak lagi. Kami menyarankan Anda membiasakan diri dengan daftar ini sebelum memilih penyedia VPN, dan melakukan penelitian sendiri untuk memastikan penyedia VPN yang Anda pilih dapat dipercaya. + +### Teknologi + +Kami mewajibkan semua penyedia VPN yang kami rekomendasikan untuk menyediakan berkas konfigurasi OpenVPN untuk digunakan pada klien mana pun. **Jika** VPN menyediakan klien khusus mereka sendiri, kami memerlukan killswitch untuk memblokir kebocoran data jaringan saat terputus. + +**Minimum untuk Memenuhi Syarat:** + +- Dukungan untuk protokol yang kuat seperti WireGuard & OpenVPN. +- Killswitch yang terpasang pada klien. +- Dukungan multihop. Multihopping penting untuk menjaga kerahasiaan data jika terjadi kompromi pada satu node. +- Jika klien VPN disediakan, klien tersebut seharusnya [perangkat lunak sumber terbuka](https://id.wikipedia.org/wiki/Perangkat_lunak_sumber_terbuka), seperti perangkat lunak VPN yang umumnya sudah terpasang di dalamnya. Kami percaya bahwa ketersediaan [kode sumber](https://id.wikipedia.org/wiki/Kode_sumber) memberikan transparansi yang lebih besar tentang apa yang sebenarnya dilakukan oleh perangkat Anda. + +**Kasus Terbaik:** + +- Dukungan WireGuard dan OpenVPN. +- Killswitch dengan opsi yang sangat mudah dikonfigurasi (aktifkan/nonaktifkan pada jaringan tertentu, saat boot, dll.) +- Klien VPN yang mudah digunakan +- Mendukung [IPv6](https://id.wikipedia.org/wiki/IPv6). Kami berharap server akan mengizinkan koneksi masuk melalui IPv6 dan memungkinkan Anda untuk mengakses layanan yang dihosting pada alamat IPv6. +- Kemampuan [penerusan porta jarak jauh](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) membantu dalam membuat koneksi ketika menggunakan perangkat lunak berbagi file P2P ([Peer-to-Peer](https://id.wikipedia.org/wiki/Peer-to-peer)) atau hosting server (misalnya, Mumble). + +### Privasi + +Kami lebih memilih penyedia yang kami rekomendasikan untuk mengumpulkan data sesedikit mungkin. Tidak mengumpulkan informasi pribadi pada saat pendaftaran, dan tidak menerima bentuk pembayaran anonim. + +**Minimum untuk Memenuhi Syarat:** + +- [Mata uang kripto anonim](cryptocurrency.md) **atau** opsi pembayaran tunai. +- Tidak ada informasi pribadi yang diperlukan untuk mendaftar: Hanya nama pengguna, kata sandi, dan surel. + +**Kasus Terbaik:** + +- Menerima beberapa opsi [pembayaran anonim](advanced/payments.md). +- Tidak ada informasi pribadi yang diterima (nama pengguna yang dibuat secara otomatis, tidak perlu surel, dll.). + +### Keamanan + +VPN tidak ada gunanya jika tidak bisa menyediakan keamanan yang memadai. Kami mewajibkan semua penyedia yang kami rekomendasikan untuk mematuhi standar keamanan saat ini untuk koneksi OpenVPN mereka. Secara ideal, mereka akan menggunakan skema enkripsi yang lebih tahan terhadap masa depan secara bawaan. Kami juga mewajibkan pihak ketiga yang independen untuk mengaudit keamanan penyedia layanan, secara ideal dengan cara yang sangat komprehensif dan secara berulang (tahunan). + +**Minimum untuk Memenuhi Syarat:** + +- Skema enkripsi yang kuat: OpenVPN dengan autentikasi SHA-256; RSA-2048 atau jabat tangan yang lebih baik; enkripsi data AES-256-GCM atau AES-256-CBC. +- Kerahasiaan Maju Sempurna (PFS). +- Audit keamanan yang dipublikasikan dari perusahaan pihak ketiga yang memiliki reputasi baik. + +**Kasus Terbaik:** + +- Enkripsi terkuat: RSA-4096. +- Kerahasiaan Maju Sempurna (PFS). +- Audit keamanan yang dipublikasikan secara komprehensif dari perusahaan pihak ketiga yang memiliki reputasi baik. +- Program bug-bounty dan/atau proses pengungkapan kerentanan yang terkoordinasi. + +### Kepercayaan + +Anda tidak akan mempercayakan keuangan Anda pada seseorang dengan identitas palsu, jadi mengapa mempercayakan data internet Anda pada mereka? Kami mewajibkan penyedia layanan yang kami rekomendasikan untuk terbuka mengenai kepemilikan atau kepemimpinan mereka. Kami juga ingin melihat laporan transparansi yang lebih sering, terutama dalam hal bagaimana permintaan pemerintah ditangani. + +**Minimum untuk Memenuhi Syarat:** + +- Kepemimpinan atau kepemilikan yang berhadapan dengan publik. + +**Kasus Terbaik:** + +- Kepemimpinan yang berhadapan dengan publik. +- Laporan transparansi yang sering. + +### Pemasaran + +Dengan penyedia VPN yang kami rekomendasikan, kami ingin melihat pemasaran yang bertanggung jawab. + +**Minimum untuk Memenuhi Syarat:** + +- Harus menyediakan analitik sendiri (yaitu, tanpa Google Analytics). Situs penyedia juga harus mematuhi [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) untuk orang-orang yang ingin menolak pelacakan. + +Tidak boleh melakukan pemasaran yang tidak bertanggung jawab: + +- Menjamin perlindungan anonimitas 100%. Ketika seseorang membuat klaim bahwa sesuatu itu 100%, itu berarti tidak ada kepastian untuk gagal. Kami tahu bahwa orang dapat dengan mudah menyamarkan nama mereka dengan beberapa cara, misalnya: + - Menggunakan kembali informasi pribadi (misalnya, akun surel, nama samaran unik, dll.) yang mereka akses tanpa perangkat lunak anonimitas (Tor, VPN, dll.) + - [Sidik jari peramban](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Klaim bahwa VPN sirkuit tunggal "lebih anonim" daripada Tor, yang merupakan sirkuit tiga atau lebih loncatan yang secara teratur berubah. +- Gunakan bahasa yang bertanggung jawab: misalnya, tidak masalah untuk mengatakan bahwa VPN "terputus" atau "tidak tersambung", namun mengklaim bahwa seseorang "terpapar", "rentan", atau "terkompromi" merupakan penggunaan bahasa yang tidak perlu dan tidak benar. Sebagai contoh, orang tersebut mungkin saja menggunakan layanan penyedia VPN lain atau menggunakan Tor. + +**Kasus Terbaik:** + +Pemasaran yang bertanggung jawab yang mendidik dan bermanfaat bagi konsumen dapat mencakup: + +- Perbandingan yang akurat dengan kapan [Tor](tor.md) harus digunakan sebagai gantinya. +- Ketersediaan situs web penyedia VPN melalui [layanan .onion](https://id.wikipedia.org/wiki/.onion) + +### Fungsionalitas Tambahan + +Meskipun tidak sepenuhnya merupakan persyaratan, ada beberapa faktor yang kami pertimbangkan ketika menentukan penyedia mana yang akan direkomendasikan. Ini termasuk fungsionalitas pemblokiran iklan/pelacak, kenari surat perintah, koneksi multihop, dukungan pelanggan yang luar biasa, jumlah koneksi simultan yang diizinkan, dll. diff --git a/i18n/it/404.md b/i18n/it/404.md new file mode 100644 index 00000000..685575bb --- /dev/null +++ b/i18n/it/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Non Trovato + +Non siamo riusciti a trovare la pagina che stavi cercando! Forse stavi cercando una di queste pagine? + +- [Introduzione alla modellazione delle minacce](basics/threat-modeling.md) +- [Provider DNS consigliati](dns.md) +- [Migliori browser web per desktop](desktop-browsers.md) +- [Migliori fornitori VPN](vpn.md) +- [Forum di Privacy Guides](https://discuss.privacyguides.net) +- [Il nostro blog](https://blog.privacyguides.org) diff --git a/i18n/it/CODE_OF_CONDUCT.md b/i18n/it/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..84cd0d93 --- /dev/null +++ b/i18n/it/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Non diffondere disinformazione** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Molestie pubbliche o private +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/it/about/criteria.md b/i18n/it/about/criteria.md new file mode 100644 index 00000000..8fa923a9 --- /dev/null +++ b/i18n/it/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Criteri generali +--- + +!!! example "Lavori in corso" + + La pagina seguente è un lavoro in corso e non riflette i criteri completi per le nostre raccomandazioni in questo momento. Discussione precedente su questo argomento: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Ogni categoria avrà requisiti aggiuntivi per l'inclusione. + +## Financial Disclosure + +Non guadagniamo denaro consigliando determinati prodotti, non utilizziamo link di affiliazione e non offriamo una considerazione speciale ai donatori di progetti. + +## Linee guida generali + +Applichiamo queste priorità quando prendiamo in considerazione nuove raccomandazioni: + +- **Sicuro**: gli strumenti dovrebbero seguire le migliori pratiche di sicurezza, ove applicabile. +- **Disponibilità dei sorgenti**: i progetti open source sono generalmente preferiti rispetto alle alternative proprietarie equivalenti. +- **Multipiattaforma**: in genere preferiamo che le raccomandazioni siano multipiattaforma, per evitare il blocco del venditore. +- **Sviluppo attivo**: Gli strumenti che raccomandiamo dovrebbero essere sviluppati attivamente, i progetti non mantenuti verranno rimossi nella maggior parte dei casi. +- **Usabilità**: gli strumenti devono essere accessibili alla maggior parte degli utenti, senza richiedere un background troppo tecnico. +- **Documentato**: Gli strumenti dovrebbero avere una documentazione chiara ed estesa per l'uso. + +## Autocandidatura degli sviluppatori + +Abbiamo questi requisiti per quanto riguarda gli sviluppatori che desiderano presentare il loro progetto o software per essere presi in considerazione. + +- Deve indicare l'affiliazione, cioè la sua posizione all'interno del progetto presentato. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. Se possibile, indicare chi condurrà l'audit. + +- Must explain what the project brings to the table in regard to privacy. + - Risolve qualche nuovo problema? + - Perché qualcuno dovrebbe usarlo rispetto alle alternative? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/it/about/donate.md b/i18n/it/about/donate.md new file mode 100644 index 00000000..713cea45 --- /dev/null +++ b/i18n/it/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supportaci +--- + + +Sono necessari molte [persone](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e [lavoro](https://github.com/privacyguides/privacyguides.org/pulse/monthly) per mantenere Privacy Guides aggiornato e diffondere il verbo sulla privacy e la sorveglianza di massa. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Se ci vuoi supportare economicamente, il metodo per noi più conveniente è attraverso Open Collective, un sito operato dal nostro host fiscale. Open Collective accetta pagamenti via carta di credito/debito, PayPal e bonifici. + +[Dona su OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. In seguito alla tua donazione, riceverai una ricevuta dalla Open Collective Foundation. Privacy Guides non fornisce consulenza finanziaria e suggeriamo di contattare il proprio consulente finanziario per sapere se ciò è applicabile al proprio caso. + +È possibile sponsorizzare la nostra organizzazione anche mediante le sponsorizzazioni di Github. + +[Sponsorizzaci su Github](https://github.com/sponsors/privacyguides ""){.md-button} + +## Sostenitori + +Un ringraziamento speciale a tutti coloro che supportano la nostra missione! :heart: + +*Nota bene: Questa sezione carica un widget direttamente da Open Collective. Questa sezione non riflette le donazioni effettuate al di fuori di Open Collective, e non abbiamo il controllo sui donatori specifici presenti in questa sezione.* + + + +## Come utilizziamo le donazioni + +Privacy Guides è un'organizzazione **no-profit**. Utilizziamo le donazioni per una serie di scopi, tra cui: + +**Registrazione dei domini** +: + +Abbiamo alcuni nomi di dominio, come `privacyguides.org`, la cui registrazione costa circa $10 euro all'anno. + +**Web Hosting** +: + +Il traffico di questo sito utilizza centinaia di gigabytes di dati al mese; per tenerci al passo, utilizziamo diversi fornitori di servizi. + +**Servizi online** +: + +Hostiamo dei [servizi internet](https://privacyguides.net) per testare e mostrare diversi prodotti relativi alla privacy che ci piacciono e [raccomandiamo](../tools.md). Alcuni di questi sono disponibili pubblicamente per l'uso della nosta comunità (SearXNG, Tor, etc.), altri sono forniti ai membri del nostro team (email, etc.). + +**Acquisto di beni** +: + +Occasionalmente acquistiamo beni e servizi con lo scopo di testare i nostri [strumenti consigliati](../tools.md). + +Stiamo ancora lavorando con il nostro host fiscale (la Open Collective Foundation) per ricevere donazioni via criptovalute; al momento la contabilità non è fattibile per piccole transazioni, cosa che dovrebbe cambiare in futuro. Nel mentre, se desideri effettuare una donazione consistente in criptovalure (> $100), ti preghiamo di contattarci a [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/it/about/index.md b/i18n/it/about/index.md new file mode 100644 index 00000000..d54d4275 --- /dev/null +++ b/i18n/it/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. **Non è possibile** utilizzare il marchio Privacy Guides nel proprio progetto senza l'esplicita approvazione da questo progetto. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/it/about/notices.md b/i18n/it/about/notices.md new file mode 100644 index 00000000..bf37411d --- /dev/null +++ b/i18n/it/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Avviso legale + +Privacy Guides non è uno studio legale. Pertanto, il sito web Privacy Guides e i collaboratori non forniscono consulenza legale. Il materiale e le raccomandazioni nel nostro sito web e nelle guide non costituiscono una consulenza legale, né contribuire al sito web o comunicare con Privacy Guides o altri collaboratori riguardo il nostro sito web crea un rapporto avvocato-cliente. + +La gestione di questo sito, come ogni impresa umana, comporta incertezze e compromessi. Speriamo che questo sito sia d'aiuto, ma può contenere errori e non può affrontare tutte le situazioni. Se avete domande sulla vostra situazione, vi incoraggiamo a fare le vostre ricerche, cercare altri esperti e impegnarvi in discussioni con la comunità di Privacy Guides. Se avete delle domande legali, dovreste consultare il vostro consulente legale prima di procedere. + +Privacy Guides è un progetto open source a cui si contribuisce sotto licenze che includono termini che, per la protezione del sito web e dei suoi collaboratori, chiariscono che il progetto Privacy Guides e il sito web sono offerti "così come sono", senza garanzia, e declinando la responsabilità per danni derivanti dall'uso del sito web o di qualsiasi raccomandazione contenuta al suo interno. Privacy Guides non garantisce né rilascia alcuna dichiarazione riguardante l'accuratezza, i risultati probabili o l'affidabilità dell'uso dei materiali sul sito web o comunque relativi a tali materiali sul sito web o su qualsiasi sito di terzi collegato a questo sito. + +Privacy Guides inoltre non garantisce che questo sito sarà costantemente disponibile, o disponibile affatto. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Questo non include codice di terze parti incorporato in questo repository, o codice dove una licenza sostitutiva è altrimenti indicata. I seguenti sono esempi degni di nota, ma questa lista potrebbe non essere onnicomprensiva: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Questo significa che puoi usare il contenuto leggibile dall'uomo in questo repository per il tuo progetto, secondo i termini delineati nel testo CC0 1.0 Universal. **Non è possibile** utilizzare il marchio Privacy Guides nel proprio progetto senza l'esplicita approvazione da questo progetto. I marchi di fabbrica di Privacy Guides includono il marchio denominativo "Privacy Guides" e il logo dello scudo. I marchi registrati di Privacy Guides includono il marchio "Privacy Guides" e il logo dello scudo. + +Riteniamo che i loghi e le altre immagini in `assets` ottenuti da fornitori terzi siano di dominio pubblico o **fair use**. In poche parole, la dottrina legale del [fair use](https://it.wikipedia.org/wiki/Fair_use) permette l'uso di immagini protette da copyright al fine di identificare l'argomento per scopi di commento pubblico. Tuttavia, questi loghi e altre immagini possono ancora essere soggetti alle leggi sui marchi in una o più giurisdizioni. Prima di usare questo contenuto, assicurati che sia usato per identificare l'entità o l'organizzazione che possiede il marchio e che tu abbia il diritto di usarlo secondo le leggi che si applicano nelle circostanze del tuo uso previsto. *Durante la copia di contenuti da questo sito Web, l'utente è l'unico responsabile di assicurarsi di non violare il marchio o il copyright di qualcun altro.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Uso accettabile + +L'utente non può utilizzare questo sito web in qualsiasi modo che causi o possa causare danni al sito web o compromettere la disponibilità o l'accessibilità di Privacy Guides, o in qualsiasi modo che sia illegale, illegale, fraudolento, dannoso, o in connessione con qualsiasi scopo o attività illegale, illegale, fraudolento o dannoso. + +L'utente non deve condurre alcuna attività di raccolta dati sistematica o automatizzata su o in relazione a questo sito web senza l'espresso consenso scritto di Aragon Ventures LLC, incluso: + +* Scansioni automatiche eccessive +* Attacchi Denial of Service +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Porzioni di questo avviso sono state adottate da [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) su GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/it/about/privacy-policy.md b/i18n/it/about/privacy-policy.md new file mode 100644 index 00000000..3e342454 --- /dev/null +++ b/i18n/it/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Informativa sulla privacy" +--- + +Privacy Guides è un progetto comunitario gestito da un certo numero di collaboratori volontari attivi. La lista pubblica dei membri del team [può essere trovata su GitHub](https://github.com/orgs/privacyguides/people). + +## Quali dati raccogliamo dai visitatori + +La privacy di chi visita il nostro sito web è importante per noi, quindi non tracciamo nessuna persona individualmente. Come visitatore del nostro sito: + +- Non vengono raccolte informazioni personali +- No information such as cookies are stored in the browser +- Nessuna informazione è condivisa, inviata o venduta a terze parti +- Nessuna informazione viene condivisa con compagnie pubblicitarie +- Nessuna informazione è minata e raccolta per individuare tendenze personali e comportamentali +- Nessuna informazione viene monetizzata + +You can view the data we collect on our [statistics](statistics.md) page. + +Utilizziamo un'installazione da noi gestita di [Plausible Analytics](https://plausible.io) per raccogliere alcuni dati anonimi di utilizzo a fini statistici. L'obbiettivo è quello di tracciare tendenze generali del traffico del nostro sito web, e non di tracciare singoli visitatori. Tutti i dati sono esclusivamente aggregati. Nessun dato personale viene raccolto. + +I dati raccolti includono le fonti di riferimento, le pagine più visistate, la durata della visita, informazioni del dispositivo usato durante la visita (tipo di dispositivo, sistema operativo, nazione e browser) e altro. È possibile sapere di più su come Plausible funziona e raccoglie informazioni rispettando la privacy [qui](https://plausible.io/data-policy). + +## Dati raccolti da titolari di account + +In alcuni siti e servizi che provvediamo, molte funzioni richiedono un account, ad esempio per postare e rispondere in un forum. + +Nella creazioni di molti degli account, richiediamo un nome, un nome utente, una email e una password. Nell'eventualità in cui in sito web richieda maggiori informazioni di queste, verrà adeguatamente segnalato e annotato in un'ulteriore dichiarazione della privacy per ogni sito. + +Utilizziamo i dati del tuo account per identificarti sul sito web e per creare pagine specifiche per te, come ad esempio la pagina del tuo profilo. Utilizziamo inoltre i dati dell'acount per pubblicare un tuo profilo pubblico sui nostri servizi. + +Utilizziamo la tua email per: + +- Notificarti riguardo post e altre attività sul sito web o sui servizi. +- Reimpostare la tua password e contribuire alla sicurezza del tuo account. +- Contattarti in circostanze speciali relative al tuo account. +- Contattarti riguardo richieste legali, come richieste di rimozione DMCA. + +In alcuni siti web e servizi, puoi fornire ulteriori informazioni sul tuo account, come una breve biografia, un avatar, la tua posizione, o il tuo compleanno. Le informazioni saranno disponibili a chiunque abbia accesso al sito web o servizio in questione. Queste informazioni non sono necessarie per l'utilizzo di nessuno dei nostri servizi e possono essere rimosse in qualsiasi momento. + +Conserveremo i dati del tuo account finche rimarrà aperto. Dopo la chiusura di un account, potremmo conservare alcuni o tutti i dati del tuo account in forma di backup o archivio, per un massimo 90 giorni. + +## Contattaci + +Il tem di Privacy Guides generalmente non ha accesso ai dati personali al di fuori di accessi limitati garantiti mediante alcuni pannelli di moderazione. Richieste relative i tuoi dati personali devono essere inviate direttamente a: + +```text +Jonah Aragon +Amministratore di servizi +jonah@privacyguides.org +``` + +Per tutte le altre richieste è possibile contattare qualsiasi membro del nostro team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Con chi vengono condivisi i miei dati? + +We will post any new versions of this statement [here](privacy-policy.md). Potremo cambiare il modo in cui annunciamo modifiche in future versioni di questo documento. Nel mentre, possiamo aggiornare le nostre informazioni di contatto in qualsiasi momento senza annunciarlo. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/it/about/privacytools.md b/i18n/it/about/privacytools.md new file mode 100644 index 00000000..1f314363 --- /dev/null +++ b/i18n/it/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Perché abbiamo abbandonato PrivacyTools + +Nel settembre 2021, tutti i collaboratori attivi hanno accettato all'unanimità di passare da PrivacyTools a questo sito: Privacy Guides. La decisione è stata presa perché il fondatore di PrivacyTools e controllore del nome di dominio era scomparso per un lungo periodo di tempo e non poteva essere contattato. + +Avendo costruito un sito e una serie di servizi affidabili su PrivacyTools.io, questo ha causato gravi preoccupazioni per il futuro di PrivacyTools, in quanto qualsiasi futura interruzione avrebbe potuto spazzare via l'intera organizzazione senza alcun metodo di recupero. Questa transizione è stata comunicata alla community di PrivacyTools con molti mesi di anticipo attraverso una serie di canali, tra cui il blog, Twitter, Reddit e Mastodon, per garantire che l'intero processo si svolgesse nel modo più semplice possibile. Lo abbiamo fatto per garantire che nessuno fosse tenuto all'oscuro, come è stato il nostro modus operandi fin dalla creazione del nostro team e per assicurarci che Privacy Guides fosse riconosciuta come la stessa organizzazione affidabile che PrivacyTools era prima della transizione. + +Una volta completata la transizione, il fondatore di PrivacyTools è tornato e ha iniziato a diffondere false informazioni sul progetto Privacy Guides. Continuano a diffondere disinformazione oltre a gestire una link farm a pagamento sul dominio PrivacyTools. Abbiamo creato questa pagina per chiarire eventuali malintesi. + +## Che cos'è PrivacyTools? + +PrivacyTools è stato creato nel 2015 da "BurungHantu", che voleva creare una risorsa d'informazione sulla privacy - strumenti utili dopo le rivelazioni di Snowden. Il sito si è trasformato in un fiorente progetto open-source con [molti collaboratori](https://github.com/privacytools/privacytools.io/graphs/contributors), ad alcuni dei quali sono state affidate diverse responsabilità organizzative, come la gestione di servizi online come Matrix e Mastodon, la gestione e la revisione delle modifiche al sito su GitHub, la ricerca di sponsor per il progetto, la scrittura di post sul blog e la gestione di piattaforme di sensibilizzazione sui social media come Twitter, ecc. + +A partire dal 2019, BurungHantu si è allontanato sempre più dallo sviluppo attivo del sito web e delle community e ha iniziato a ritardare i pagamenti di cui era responsabile per i server che gestivamo. Per evitare che il nostro amministratore di sistema pagasse di tasca propria i costi del server, abbiamo cambiato i metodi di donazione elencati sul sito, passando dai conti personali PayPal e crypto di BurungHantu a una nuova pagina OpenCollective su [31 ottobre 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Questo ha avuto l'ulteriore vantaggio di rendere le nostre finanze completamente trasparenti, un valore in cui crediamo fermamente, e deducibili dalle tasse negli Stati Uniti, in quanto detenute dalla Open Collective Foundation 501(c)3. Questa modifica è stata approvata all'unanimità dal team e non è stata contestata. + +## Why We Moved On + +Nel 2020, l'assenza di BurungHantu è diventata molto più evidente. A un certo punto, abbiamo richiesto che i nameservers del dominio fossero modificati in nameservers controllati dal nostro amministratore di sistema per evitare interruzioni future, e questa modifica non è stata completata per oltre un mese dopo la richiesta iniziale. Scompariva dalla chat pubblica e dalle chat private del team su Matrix per mesi e mesi, facendo di tanto in tanto capolino per dare qualche piccolo feedback o promettere di essere più attivo prima di scomparire di nuovo. + +Nell'ottobre 2020, l'amministratore di sistema di PrivacyTools (Jonah) [ha lasciato](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) il progetto a causa di queste difficoltà, passando il controllo a un altro collaboratore di lunga data. Jonah ha gestito quasi tutti i servizi di PrivacyTools e ha agito come responsabile del progetto *de facto* per lo sviluppo del sito web in assenza di BurungHantu, pertanto la sua partenza ha rappresentato un cambiamento significativo per l'organizzazione. All'epoca, a causa di questi significativi cambiamenti organizzativi, BurungHantu promise al team rimanente che sarebbe tornato per assumere il controllo del progetto in futuro. ==Il team PrivacyTools ha contattato tramite diversi metodi di comunicazione nei mesi successivi, ma non ha ricevuto alcuna risposta.== + +## Domain Name Reliance + +All'inizio del 2021, il team di PrivacyTools si è preoccupato per il futuro del progetto, poiché il nome di dominio era destinato a scadere il 1° marzo 2021. Il dominio è stato infine rinnovato da BurungHantu senza alcun commento. + +Le preoccupazioni del team non sono state affrontate e ci siamo resi conto che questo sarebbe stato un problema ogni anno: con un dominio scaduto si rischiava che squatter o spammer rubassero il dominio, rovinando così la reputazione dell'organizzazione. Avremmo anche avuto delle difficoltà a raggiungere la community per informarli di ciò che è accaduto. + +Senza essere in contatto con BurungHantu, abbiamo deciso che la migliore linea d'azione sarebbe stata quella di passare a un nuovo nome di dominio mentre avevamo ancora il controllo garantito sul vecchio nome di dominio, prima di marzo 2022. In questo modo, avremmo potuto reindirizzare in modo pulito tutte le risorse PrivacyTools al nuovo sito senza alcuna interruzione del servizio. Questa decisione è stata presa con molti mesi di anticipo e comunicata a tutto il team nella speranza che BurungHantu si facesse sentire e assicurasse il suo sostegno continuo al progetto, perché con un brand riconoscibile e grandi community online, allontanarsi da "PrivacyTools" era il risultato meno desiderabile possibile. + +A metà del 2021 il team di PrivacyTools ha contattato Jonah, che ha accettato di rientrare nel team per dare una mano nella transizione. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Ora + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Letture consigliate + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/it/about/services.md b/i18n/it/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/it/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/it/about/statistics.md b/i18n/it/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/it/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/it/advanced/communication-network-types.md b/i18n/it/advanced/communication-network-types.md new file mode 100644 index 00000000..748720f2 --- /dev/null +++ b/i18n/it/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Tipi di reti di comunicazione" +icon: 'material/transit-connection-variant' +description: Una panoramica dei diversi tipi di architetture di rete comunemente usate da applicazioni di messaggistica istantanea. +--- + +Esistono diverse architetture di rete comunemente usate per trasmettere messaggi tra le persone. Queste reti possono fornire garanzie di privacy diverse, motivo per cui vale la pena considerare il [modello di minaccia](../basics/threat-modeling.md) quando si decide quale app utilizzare. + +[Messaggistica istantanea consigliata](../real-time-communication.md ""){.md-button} + +## Reti centralizzate + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +I servizi di messaggistica centralizzati sono quelli in cui tutti i partecipanti si trovano sullo stesso server o rete di server controllati dalla stessa organizzazione. + +Alcuni servizi di messaggistica self-hosted consentono di configurare il proprio server. Il self-hosting può fornire ulteriori garanzie di privacy, come l'assenza di log o l'accesso limitato ai metadati (dati su chi parla con chi). I servizi centralizzati self-hosted sono isolati e tutti devono essere sullo stesso server per comunicare. + +**Vantaggi:** + +- Le nuove funzionalità e le modifiche possono essere implementate più rapidamente. +- È più facile iniziare e trovare contatti. +- Gli ecosistemi con le caratteristiche più mature e stabili sono più facili da programmare in un software centralizzato. +- I problemi di privacy possono essere ridotti quando ci si affida a un server in self-hosting. + +**Svantaggi:** + +- Possono includere [controllo o accesso limitato](https://drewdevault.com/2018/08/08/Signal.html). Questo può includere cose come: +- Il [divieto di connettere client di terze parti](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) alla rete centralizzata che potrebbero fornire una migliore personalizzazione o esperienza. Spesso definito nei Termini e condizioni d'uso. +- Documentazione scarsa o assente per gli sviluppatori di terze parti. +- La [proprietà](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), la politica sulla privacy e le operazioni del servizio possono cambiare facilmente quando un'unica entità lo controlla, compromettendo potenzialmente il servizio in un secondo momento. +- Il self-hosting richiede impegno e conoscenza di come impostare un servizio. + +## Reti federate + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +I servizi di messaggistica federati usano più server indipendenti e decentralizzati, i quali sono in grado di comunicare l'uno con l'altro (la posta elettronica è un esempio di servizio federato). La federazione permette agli amministratori di sistema di controllare i loro server e far comunque parte di una rete di comunicazione più ampia. + +Quando "self-hostati", i membri di un server federato possono scoprire e comunicare con i membri di altri server, anche se alcuni server possono scegliere di rimanere privati disabilitando la federazione (es. Il server di un gruppo di lavoro). + +**Vantaggi:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Svantaggi:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Reti peer-to-peer + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Vantaggi:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Svantaggi:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Instradamento anonimo + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Vantaggi:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Svantaggi:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/it/advanced/dns-overview.md b/i18n/it/advanced/dns-overview.md new file mode 100644 index 00000000..232ed7dc --- /dev/null +++ b/i18n/it/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Panoramica DNS" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +Il [Domain Name System](https://it.wikipedia.org/wiki/Domain_Name_System) è 'l'elenco telefonico di Internet'. Il DNS traduce i nomi di dominio in indirizzi IP, in modo che i browser e altri servizi possano caricare le risorse internet mediante un network decentralizzato di server. + +## Che cos'è il DNS? + +Quando visiti un sito, viene restituito un indirizzo numerico. Per esempio, quando visiti `privacyguides.org`,viene restituito l'indirizzo `192.98.54.105`. + +Il DNS esiste dai [primi giorni](https://en.wikipedia.org/wiki/Domain_Name_System#History) di Internet. Le richieste DNS fatte da e verso i server DNS **non sono** crittografate generalmente. In un ambiente residenziale, un cliente riceve i server dall'ISP mediante [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Le richieste DNS non crittografate possono essere facilmente **sorvegliate** e **modificate** in transito. In alcune parti del mondo, agli ISP viene ordinato di eseguire un [filtraggio primitivo del DNS](https://en.wikipedia.org/wiki/DNS_blocking). Quando viene effettuata una richiesta dell'indirizzo IP di un dominio bloccato, il server potrebbe non rispondere o fornire un indirizzo IP differente. Dato che il protocollo DNS non è crittografato, l'ISP (o qualsiasi operatore di rete) può utilizzare la [DPI](https://it.wikipedia.org/wiki/Deep_packet_inspection) per monitorare le richieste. Gli ISP possono inoltre bloccare richieste aventi caratteristiche comuni, indipendentemente dal server DNS utilizzato. DNS non crittografato utilizza sempre la [porta](https://it.wikipedia.org/wiki/Porta_(reti)) 53 e l'UDP. + +Di seguito, discutiamo e foniamo un tutorial per dimostrare cosa un osservatore esterno potrebbe vedere in entrambi i casi di [DNS crittografato](#what-is-encrypted-dns) e non. + +### DNS non crittografato + +1. Utilizzando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte del progetto [Wireshark](https://it.wikipedia.org/wiki/Wireshark)) possiamo monitorare e registrare il flusso di pacchetti Internet. Il comando registra pacchetti che soddisfano le regole specificate: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. Possiamo poi utilizzare il comando [`dig`](https://it.wikipedia.org/wiki/Domain_Information_Groper) (Linux, MacOS ecc.) o [`nslookup`](https://it.wikipedia.org/wiki/Nslookup) (Windows) per inviare la ricerca DNS ad entrambi i server. Software come i browser web effettuano queste ricerche automaticamente, a meno che non venga specificato di utilizzare DNS crittografato. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Successivamente vogliamo [analizzare](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) i risultati: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Se esegui il comando Wireshark sopra citato, il pannello superiora mostra i "[frame](https://en.wikipedia.org/wiki/Ethernet_frame)", mentre quello inferiore mostra tutti i dati riguardanti il "frame" selezionato. Soluzioni di filtraggio e monitoraggio aziendali (come quelle acquistate dalle amministrazioni pubbliche) possono eseguire il processo automaticamente, senza interazione umana, e aggregare i "frame" per produrre dati statistici utili all'osservatore della rete. + +| No. | Tempo | Fonte | Destinazione | Protocollo | Lunghezza | Info | +| --- | -------- | --------- | ------------ | ---------- | --------- | --------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Query standard 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Risposta standard alla query 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Query standard 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Risposta standard alla query 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Un osservatore potrebbe modificare uno qualsiasi di questi pacchetti. + +## Che cos'è il "DNS crittografato"? + +Il DNS crittografato può riferirsi a uno dei diversi protocolli, i più comuni dei quali sono: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) fu uno dei primi metodi per la crittografia delle query DNS. DNSCrypt opera sulla porta 443 e funziona con entrambi i protocolli di trasporto TCP e UDP. DNSCrypt non è mai stato sottoposto alla [Internet Engineering Task Force (IETF)](https://it.wikipedia.org/wiki/Internet_Engineering_Task_Force), né è passato attraverso il processo di [Request for Comments (RFC, "richiesta di commenti")](https://it.wikipedia.org/wiki/Request_for_Comments); non è mai stato quindi ampiamente utilizzato al di fuori di alcune [implementazioni](https://dnscrypt.info/implementations). DI conseguenza, è stato largamente rimpiazzato dal più popolare [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) è un altro metodo per criptare le comunicazioni DNS, definito in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Il supporto è stato implementato per la prima volta in Android 9, iOS 14 e su Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) nella versione 237. Negli ultimi anni la preferenza del settore si è spostata da DoT a DoH, in quanto DoT è [protocollo complesso](https://dnscrypt.info/faq/) e presenta una conformità variabile all'RFC tra le implementazioni esistenti. DoT opera anche su una porta dedicata 853 che può essere facilmente bloccata da firewall restrittivi. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://it.wikipedia.org/wiki/DNS_over_HTTPS) come definito in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) pacchettizza le query nel protocollo [HTTP/2](https://it.wikipedia.org/wiki/HTTP/2) e fornisce sicurezza con HTTPS. Il supporto è stato aggiunto per la prima volta in browser web come Firefox 60 e Chrome 83. + +L'implementazione nativa di DoH è presente in iOS 14, macOS 11, Microsoft Windows e Android 13 (tuttavia, non sarà abilitata [per impostazione predefinita](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Il supporto generale per i desktop Linux è in attesa dell'implementazione di systemd [](https://github.com/systemd/systemd/issues/8639) quindi [l'installazione di software di terze parti è ancora necessaria](../dns.md#linux). + +## Cosa può vedere un esterno? + +In questo esempio registreremo ciò che accade quando facciamo una richiesta al DoH: + +1. Per prima cosa, avviare `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. In secondo luogo, fare una richiesta con `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Dopo aver effettuato la richiesta, possiamo interrompere la cattura dei pacchetti con CTRL + C. + +4. Analizzare i risultati con Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Possiamo vedere l'[instaurazione della connessione](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) e l'[handshake TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) che si verifica con qualsiasi connessione crittografata. Osservando i pacchetti "application data" che seguono, nessuno di essi contiene il dominio richiesto o l'indirizzo IP restituito. + +## Perché **non dovrei** utilizzare un DNS criptato? + +Nei luoghi in cui vige il filtraggio (o la censura) di Internet, la visita a risorse proibite può avere conseguenze che vanno considerate nel [modello di minaccia](../basics/threat-modeling.md). Noi **non** suggeriamo l'uso di DNS criptati per questo scopo. Utilizza [Tor](https://torproject.org) o una [VPN](../vpn.md). Se utilizzi una VPN, usufruisci dei server DNS della VPN. Quando si utilizza una VPN, ci si affida già a loro per tutte le attività di rete. + +Quando si effettua una ricerca DNS, in genere è perché si vuole accedere a una risorsa. Di seguito verranno illustrati alcuni dei metodi che possono rivelare le attività di navigazione dell'utente anche quando si utilizza un DNS crittografato: + +### Indirizzo IP + +Il modo più semplice per determinare l'attività di navigazione potrebbe essere quello di esaminare gli indirizzi IP a cui accedono i dispositivi. Ad esempio, se l'osservatore sa che `privacyguides.org` si trova all'indirizzo `198.98.54.105`, e il tuodispositivo sta richiedendo dati da `198.98.54.105`, è molto probabile che tu stia visitando Privacy Guides. + +Questo metodo è utile solo quando l'indirizzo IP appartiene a un server che ospita solo pochi siti web. Inoltre, non è molto utile se il sito è ospitato su una piattaforma condivisa (ad esempio, Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, ecc). Inoltre, non è molto utile se il server è ospitato dietro un reverse proxy [](https://it.wikipedia.org/wiki/Reverse_proxy), molto comune nella moderna Internet. + +### Indicazione del nome del server (Server Name Indication, SNI) + +L'indicazione del nome del server è tipicamente utilizzata quando un indirizzo IP ospita molti siti web. Potrebbe trattarsi di un servizio come Cloudflare o di un'altra protezione [attacco denial-of-service](https://it.wikipedia.org/wiki/Denial_of_service). + +1. Avviare nuovamente la cattura con `tshark`. Abbiamo aggiunto un filtro con il nostro indirizzo IP in modo da non catturare molti pacchetti: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Poi visitiamo [https://privacyguides.org](https://privacyguides.org). + +3. Dopo aver visitato il sito web, vogliamo interrompere la cattura dei pacchetti con CTRL + C. + +4. Poi vogliamo analizzare i risultati: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Vedremo la creazione della connessione, seguita dall'handshake TLS per il sito web di Privacy Guides. Intorno al frame 5. vedrai "Client Hello". + +5. Espandi il triangolo ▸ accanto a ciascun campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Possiamo vedere il valore SNI che rivela il sito web che stiamo visitando. Il comando `tshark` può fornire direttamente il valore per tutti i pacchetti contenenti un valore SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Ciò significa che anche se si utilizzano server "DNS criptati", il dominio sarà probabilmente divulgato tramite SNI. Il protocollo [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) porta con sé [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), che impedisce questo tipo di fuga d'informazioni. + +I governi, in particolare [Cina](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) e [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), hanno[già iniziato a bloccarlo](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) o hanno espresso il desiderio di farlo. Recentemente, la Russia ha [iniziato a bloccare i siti web](https://github.com/net4people/bbs/issues/108) stranieri che utilizzano lo standard [HTTP/3](https://it.wikipedia.org/wiki/HTTP/3). Questo perché il protocollo [QUIC](https://it.wikipedia.org/wiki/QUIC) che fa parte di HTTP/3 richiede che anche `ClientHello` sia criptato. + +### Online Certificate Status Protocol (OCSP) + +Un altro modo in cui il browser può rivelare le attività di navigazione è il protocollo [Online Certificate Status Protocol](https://it.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Quando si visita un sito web HTTPS, il browser potrebbe verificare se il [certificato](https://it.wikipedia.org/wiki/Certificato_digitale) del sito web è stato revocato. Questo avviene generalmente tramite il protocollo HTTP, il che significa che è **non** crittografato. + +La richiesta OCSP contiene il certificato "[numero seriale](https://it.wikipedia.org/wiki/Certificato_digitale#Struttura_dei_Certificati)", che è unico. Viene inviato al "responder OCSP" per verificarne lo stato. + +Possiamo simulare quello che farebbe un browser usando il comando [`openssl`](https://it.wikipedia.org/wiki/OpenSSL). + +1. Ottenere il certificato del server e utilizzare [`sed`](https://it.wikipedia.org/wiki/Sed_(Unix)) per conservare solo la parte importante e scriverla in un file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Ottenere il certificato intermedio. [Autorità di certificazione (CA)](https://it.wikipedia.org/wiki/Certificate_authority) di solito non firmano direttamente un certificato, ma utilizzano un cosiddetto certificato "intermedio". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. Il primo certificato in `pg_and_intermediate.cert` è in realtà il certificato del server dal passo 1. Possiamo usare di nuovo `sed` per cancellare fino alla prima istanza di END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Ottenere il responder OCSP per il certificato del server: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Il nostro certificato mostra il risponditore del certificato Lets Encrypt. Se si desidera visualizzare tutti i dettagli del certificato, è possibile utilizzare: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Avviare l'acquisizione dei pacchetti: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Effettuare la richiesta OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Aprire l'acquisizione: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Il protocollo "OCSP" prevede due pacchetti: una "Richiesta" e una "Risposta". Per la "Richiesta" possiamo vedere il "numero seriale" espandendo il triangolo ▸ accanto a ciascun campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + Per la "Risposta" possiamo vedere anche il "numero seriale": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Oppure utilizzare `tshark` per filtrare i pacchetti per il numero seriale: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Se l'osservatore della rete dispone del certificato pubblico, che è pubblicamente disponibile, può abbinare il numero seriale a quel certificato e quindi determinare il sito che stai visitando. Il processo può essere automatizzato e può associare gli indirizzi IP ai numeri seriali. È anche possibile controllare i log di [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) per il numero seriale. + +## Dovrei utilizzare un DNS criptato? + +Abbiamo creato questo diagramma di flusso per descrivere quando *dovresti* utilizzare il DNS criptato: + +``` mermaid +graph TB + Inizio[Inizio] --> anonymous{Cerchi di
essere anonimo?} + anonymous--> | Sì | tor(Usa Tor) + anonymous --> | No | censorship{Evitare
la censura?} + censorship --> | Sì | vpnOrTor(Usa
VPN o Tor) + censorship --> | No | privacy{Vuoi privacy
dall'ISP?} + privacy --> | Sì | vpnOrTor + privacy --> | No | obnoxious{ISP fa
reindirizzamenti
odiosi?} + obnoxious --> | Sì | encryptedDNS(Usa
DNS criptato
di terze parti) + obnoxious --> | No | ispDNS{L'ISP supporta
DNS criptato?} + ispDNS --> | Sì | useISP(Usa
DNS criptato
con l'ISP) + ispDNS --> | No | nothing(Non fare nulla) +``` + +Il DNS criptato con una terza parte dovrebbe essere usato solo per aggirare i reindirizzamenti e il [blocco DNS](https://en.wikipedia.org/wiki/DNS_blocking) basilare quando puoi essere sicuro che non ci saranno conseguenze o sei interessato a un provider che faccia qualche filtro rudimentale. + +[Elenco dei server DNS consigliati](../dns.md ""){.md-button} + +## Che cosa sono le DNSSEC? + +Le [Domain Name System Security Extensions](https://it.wikipedia.org/wiki/DNSSEC) (DNSSEC) sono una funzione del DNS che autentica le risposte alle ricerche di nomi di dominio. Non forniscono una protezione della privacy per tali ricerche, ma piuttosto impedisce agli aggressori di manipolare o avvelenare le risposte alle richieste DNS. + +In altre parole, le DNSSEC firmano digitalmente i dati per garantirne la validità. Per garantire una ricerca sicura, la firma avviene a ogni livello del processo di ricerca DNS. Di conseguenza, tutte le risposte del DNS sono affidabili. + +Il processo di firma delle DNSSEC è simile a quello di una persona che firma un documento legale con una penna; quella persona firma con una firma unica che nessun altro può creare e un esperto del tribunale può esaminare quella firma e verificare che il documento è stato firmato da quella persona. Queste firme digitali garantiscono che i dati non siano stati manomessi. + +Le DNSSEC implementano una politica di firma digitale gerarchica su tutti i livelli del DNS. Ad esempio, nel caso di una ricerca su `privacyguides.org`, un server DNS root firmerà una chiave per il server dei nomi `.org` e il server dei nomi `.org` firmerà una chiave per il server dei nomi autoritativo `privacyguides.org`. + +Adattato da [DNS Security Extensions (DNSSEC) overview (Panoramica delle DNS Security Extensions (DNSSEC))](https://cloud.google.com/dns/docs/dnssec) di Google e [DNSSEC: An Introduction (DNSSEC: una introduzione)](https://blog.cloudflare.com/dnssec-an-introduction/) di Cloudflare, entrambi con licenza [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## Che cos'è la minimizzazione del QNAME? + +Un QNAME è un "nome qualificato", ad esempio `privacyguides.org`. La minimizzazione del QNAME riduce la quantità di informazioni inviate dal server DNS al [server dei nomi autoritativi](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Invece di inviare l'intero dominio `privacyguides.org`, la minimizzazione del QNAME significa che il server DNS chiederà tutti i record che terminano in `.org`. Ulteriori descrizioni tecniche sono definite in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## Che cos'è la sottorete client EDNS (EDNS Client Subnet, ECS)? + +La [sottorete client EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) è un metodo che consente a un resolver DNS ricorsivo di specificare una [sottorete](https://it.wikipedia.org/wiki/Sottorete) per l'host o il [client](https://it.wikipedia.org/wiki/Client) che sta effettuando la query DNS. + +Ha lo scopo di "velocizzare" la consegna dei dati fornendo al client una risposta che appartiene a un server vicino, come ad esempio una rete di distribuzione di contenuti [](https://it.wikipedia.org/wiki/Content_Delivery_Network), spesso utilizzata per lo streaming video e per servire applicazioni web in JavaScript. + +Questa funzione ha un costo in termini di privacy, in quanto comunica al server DNS alcune informazioni sulla posizione del client. diff --git a/i18n/it/advanced/payments.md b/i18n/it/advanced/payments.md new file mode 100644 index 00000000..ce42fc36 --- /dev/null +++ b/i18n/it/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Criptovaluta + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger "Pericolo" + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/it/advanced/tor-overview.md b/i18n/it/advanced/tor-overview.md new file mode 100644 index 00000000..bb17131e --- /dev/null +++ b/i18n/it/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Panoramica Tor" +icon: 'simple/torproject' +description: Tor è una rete decentralizzata e gratuita progettata per utilizzare Internet con la massima privacy possibile. +--- + +Tor è una rete decentralizzata e gratuita progettata per utilizzare Internet con la massima privacy possibile. Se utilizzata correttamente, la rete consente di navigare e comunicare in modo privato e anonimo. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Ciascuno di questi nodi ha una propria funzione: + +### Il nodo di ingresso + +Il nodo di ingresso, spesso chiamato nodo di guardia, è il primo nodo a cui si connette il client Tor. Il nodo di ingresso è in grado di vedere il tuo indirizzo IP, ma non è in grado di vedere a cosa ti stai connettendo. + +A differenza degli altri nodi, il client Tor seleziona casualmente un nodo di ingresso e vi rimane per due o tre mesi per proteggerti da alcuni attacchi.[^1] + +### Il nodo centrale + +Il nodo centrale è il secondo nodo a cui si connette il client Tor. Può vedere da quale nodo proviene il traffico, il nodo di ingresso, e a quale nodo va successivamente. Il nodo centrale non può vedere il tuo indirizzo IP o il dominio a cui ti stai connettendo. + +Per ogni nuovo circuito, il nodo centrale viene selezionato a caso tra tutti i nodi Tor disponibili. + +### Il nodo di uscita + +Il nodo di uscita è il punto in cui il traffico web lascia la rete Tor e viene inoltrato alla destinazione desiderata. Il nodo di uscita non è in grado di vedere l'indirizzo IP, ma sa a quale sito ti stai collegando. + +Il nodo di uscita sarà scelto a caso tra tutti i nodi Tor disponibili con un flag di uscita.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Crittografia + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Risorse aggiuntive + +- [Manuale d'uso del Tor browser](https://tb-manual.torproject.org) +- [Come funziona Tor - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/it/android.md b/i18n/it/android.md new file mode 100644 index 00000000..a3d537d6 --- /dev/null +++ b/i18n/it/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'fontawesome/brands/android' +description: Puoi sostituire il sistema operativo del tuo telefono Android con queste alternative sicure e rispettose della privacy. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Sistemi operativi Android privati + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Logo di Android](assets/img/android/android.svg){ align=right } + +**Android Open Source Project** è un sistema operativo mobile open-source sviluppato da Google che viene utilizzato nella maggior parte dei dispositivi mobile del mondo. La maggior parte dei telefoni venduti con Android sono modificati per includere integrazioni e applicazioni invasive come Google Play Services, quindi è possibile migliorare significativamente la privacy sul proprio dispositivo mobile sostituendo l'installazione predefinita del telefono con una versione di Android priva di queste caratteristiche invasive. + +[:octicons-home-16:](https://source.android.com/){ .card-link title="Pagina principale" } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentazione} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Codice sorgente" } + +Questi sono i sistemi operativi, i dispositivi e le applicazioni Android che consigliamo per massimizzare la sicurezza e la privacy del proprio dispositivo mobile. Maggiori informazioni su Android: + +[Panoramica generale di Android :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Perché consigliamo GrapheneOS rispetto a CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Derivati di AOSP + +Consigliamo di installare sul dispositivo uno dei seguenti sistemi operativi basati su Android, elencati in ordine di preferenza, a seconda della compatibilità del proprio dispositivo con questi sistemi operativi. + +!!! note + + I dispositivi a fine vita (come i dispositivi a "supporto esteso" di GrapheneOS o CalyxOS) non hanno patch di sicurezza complete (aggiornamenti del firmware) a causa dell'interruzione del supporto da parte dell'OEM. Questi dispositivi non possono essere considerati completamente sicuri, indipendentemente dal software installato. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** è la scelta migliore quando si tratta di privacy e sicurezza. + + GrapheneOS offre miglioramenti aggiuntivi in termini di [hardening della sicurezza] (https://it.wikipedia.org/wiki/Hardening) e di privacy. Dispone di un [allocatore di memoria rafforzato](https://github.com/GrapheneOS/hardened_malloc), di autorizzazioni per la rete e per i sensori, di varie altre [caratteristiche di sicurezza](https://grapheneos.org/features). GrapheneOS viene inoltre fornito con aggiornamenti completi del firmware e build firmate, quindi il verified boot è pienamente supportato. + + [:octicons-home-16: Pagina principale](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://grapheneos.org/donate/){ .card-link title=Contribuisci } + +GrapheneOS supporta [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), che esegue [Google Play Services](https://it.wikipedia.org/wiki/Google_Play_Services) totalmente confinato in una sandbox come qualsiasi altra app normale. Ciò significa che è possibile sfruttare la maggior parte dei servizi di Google Play, come le [notifiche push](https://firebase.google.com/docs/cloud-messaging/), pur avendo il pieno controllo delle autorizzazioni e dell'accesso, mentre sono contenuti in un [profilo di lavoro](os/android-overview.md#work-profile) specifico o in un [profilo utente](os/android-overview.md#user-profiles) di propria scelta. + +I telefoni Google Pixel sono gli unici dispositivi che attualmente soddisfano i [requisiti di sicurezza hardware](https://grapheneos.org/faq#device-support) di GrapheneOS. + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** è un soft-fork di [LineageOS](https://lineageos.org/). + DivestOS eredita molti [dispositivi supportati] (https://divestos.org/index.php?page=devices&base=LineageOS) da LineageOS. Fornisce build firmate, che consentono di avere [verified boot](https://source.android.com/security/verifiedboot) su alcuni dispositivi non-Pixel. + + [:octicons-home-16: Pagnia principale](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title=Onion } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribuisci } + +DivestOS offre [patch](https://gitlab.com/divested-mobile/cve_checker) automatizzate per vulnerabilità del kernel ([CVE](https://it.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)), meno blob proprietari e un file [hosts](https://divested.dev/index.php?page=dnsbl) modificato. Il suo WebView rafforzato, [Mulch](https://gitlab.com/divested-mobile/mulch), attiva [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) per tutte le architetture e [il partizionamento dello stato di rete](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), e riceve aggiornamenti fuori programma. DivestOS include anche le patch del kernel di GrapheneOS e abilita tutte le funzionalità di sicurezza del kernel disponibili tramite [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Tutti i kernel più recenti della versione 3.4 includono una completa [sanificazione](https://lwn.net/Articles/334747/) delle pagine e tutti i ~22 kernel compilati con Clang hanno [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) abilitato. + +DivestOS implementa alcune patch di hardening del sistema originariamente sviluppate per GrapheneOS. DivestOS 16.0 e versioni successive importa da GrapheneOS l'attivazione delle autorizzazioni [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) e SENSORS, [l'allocatore di memoria rafforzato](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), e patch parziali di rafforzamento di [bionic](https://en.wikipedia.org/wiki/Bionic_(software)). Le versioni 17.1 e successive importano da GrapheneOS l'opzione di [randomizzazione MAC](https://it.wikipedia.org/wiki/Indirizzo_MAC#Visualizzazione_e_modifica) completa per-rete, il controllo [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) e [opzioni di timeout](https://grapheneos.org/features) per riavvio automatico/Wi-Fi/Bluetooth. + +DivestOS usa F-Droid come app store predefinito. Normalmente, consiglieremmo di evitare F-Droid a causa dei suoi numerosi [problemi di sicurezza](#f-droid). Tuttavia, farlo su DivestOS non è fattibile; gli sviluppatori aggiornano le loro applicazioni tramite i propri repository F-Droid ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) e [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Consigliamo di disattivare l'app ufficiale F-Droid e di usare [Neo Store](https://github.com/NeoApplications/Neo-Store/) con i repository DivestOS abilitati per mantenere aggiornati tali componenti. Per le altre app, sono ancora validi i nostri metodi consigliati per ottenerle. + +!!! warning + + Lo [stato](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) degli aggiornamenti del firmware di DivestOS e il controllo di qualità variano a seconda dei dispositivi supportati. Consigliamo ancora GrapheneOS a seconda della compatibilità del dispositivo. Per altri dispositivi, DivestOS è una buona alternativa. + + Non tutti i dispositivi supportati hanno il verified boot e alcuni lo eseguono meglio di altri. + +## Dispositivi Android + +Quando acquisti un dispositivo, si consiglia di prenderne uno il più recente possibile. Il software e il firmware dei dispositivi mobili sono supportati solo per un periodo di tempo limitato, quindi l'acquisto di un prodotto recente ne prolunga il più possibile la durata. + +Evita di acquistare telefoni dagli operatori di rete mobile. Spesso hanno il **bootloader bloccato** e non supportano [lo sblocco OEM](https://source.android.com/devices/bootloader/locking_unlocking). Queste varianti impediscono l'installazione di qualsiasi tipo di distribuzione Android alternativa sul dispositivo. + +Fai molta **attenzione** all'acquisto di telefoni di seconda mano dai mercati online. Controlla sempre la reputazione del venditore. Se il dispositivo è rubato, c'è la possibilità che [l'IMEI venga bloccato](https://www.gsma.com/security/resources/imei-blacklisting/). Il rischio è anche quello di essere associati all'attività del precedente proprietario. + +Altri suggerimenti sui dispositivi Android e sulla compatibilità del sistema operativo: + +- Non acquistare dispositivi che hanno raggiunto o sono prossimi alla fine del loro ciclo di vita, ulteriori aggiornamenti del firmware devono essere forniti dal produttore. +- Non acquistare telefoni con preinstallato LineageOS o /e/ OS o qualsiasi telefono Android senza il supporto a [Verified Boot](https://source.android.com/security/verifiedboot) e agli aggiornamenti firmware. Inoltre, questi dispositivi non ti consentono di verificare se sono stati manomessi. +- In breve, se un dispositivo o una distribuzione Android non sono elencati qui, probabilmente c'è una buona ragione. Visita il nostro [forum](https://discuss.privacyguides.net/) per ulteriori dettagli! + +### Google Pixel + +I telefoni Google Pixel sono gli **unici** dispositivi che consigliamo di acquistare. I telefoni Pixel hanno una sicurezza hardware migliore di qualsiasi altro dispositivo Android attualmente sul mercato, grazie ad un supporto AVB adeguato per i sistemi operativi di terze parti e ai chip di sicurezza [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) personalizzati di Google che fungono da Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + I dispositivi **Google Pixel** sono noti per avere una buona sicurezza e per supportare correttamente il [Verified Boot](https://source.android.com/security/verifiedboot), anche quando si installano sistemi operativi personalizzati. + + A partire dal **Pixel 6** e dal **6 Pro**, i dispositivi Pixel ricevono un minimo di 5 anni di aggiornamenti di sicurezza garantiti, assicurando una durata di vita molto più lunga rispetto ai 2-4 anni offerti in genere dagli OEM concorrenti. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +I Secure Elements come il Titan M2 sono più limitati rispetto al Trusted Execution Environment del processore utilizzato dalla maggior parte degli altri telefoni, in quanto vengono utilizzati solo per la memorizzazione dei segreti, l'attestazione hardware e la limitazione della velocità, non per l'esecuzione di programmi "affidabili". I telefoni privi di un Secure Element devono utilizzare il TEE per *tutte* quelle funzioni, con una conseguente superficie di attacco più ampia. + +I telefoni Google Pixel utilizzano un sistema operativo TEE chiamato Trusty che è [open-source](https://source.android.com/security/trusty#whyTrusty), a differenza di molti altri telefoni. + +L'installazione di GrapheneOS su un telefono Pixel è facile grazie al [web installer](https://grapheneos.org/install/web). Se non ti senti a tuo agio a farlo da solo e sei disposto a spendere un po' di soldi in più, controlla il [NitroPhone](https://shop.nitrokey.com/shop) su cui viene preinstallato GrapheneOS dalla rispettabile società [Nitrokey](https://www.nitrokey.com/about). + +Altri suggerimenti per l'acquisto di un Google Pixel: + +- Se vuoi fare un affare con un dispositivo Pixel, ti consigliamo di acquistare un modello "**a**", subito dopo l'uscita del modello seguente. Gli sconti sono solitamente disponibili perché Google cercherà di smaltire le scorte. +- Considera gli sconti e le offerte speciali offerte nei negozi fisici. +- Consulta le community di sconti online del proprio Paese. Possono segnalarti le vendite più convenienti. +- Google pubblica un elenco che mostra il [ciclo di supporto](https://support.google.com/nexus/answer/4457705) per ciascuno dei suoi dispositivi. Il prezzo giornaliero di un dispositivo può essere calcolato come: $\text{Prezzo} \over \text {Data fine vita}-\text{Data attuale}$, il che significa che più lungo è l'uso del dispositivo, minore è il costo giornaliero. + +## App Generali + +In questo sito raccomandiamo un'ampia gamma di applicazioni per Android. Le app qui elencate sono esclusive di Android e migliorano o sostituiscono in modo specifico le principali funzionalità del sistema. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** è un'app che ti aiuta a sfruttare la funzionalità Profilo di Lavoro di Android per isolare o duplicare le app sul tuo dispositivo. + + Shelter supporta il blocco della ricerca dei contatti tra i profili e la condivisione dei file tra i profili tramite il gestore file predefinito ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter è consigliato rispetto a [Insular](https://secure-system.gitlab.io/Insular/) e [Island](https://github.com/oasisfeng/island) perché supporta il [blocco della ricerca dei contatti] (https://secure-system.gitlab.io/Insular/faq.html). + + Utilizzando Shelter, l'utente si affida completamente al suo sviluppatore, in quanto Shelter agisce come [amministratore del dispositivo](https://developer.android.com/guide/topics/admin/device-admin) per creare il profilo di lavoro e ha ampio accesso ai dati memorizzati all'interno del profilo di lavoro. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark. vg#only-dark){ align=right } + + **Auditor** è un'app che sfrutta le funzionalità di sicurezza hardware per fornire il monitoraggio dell'integrità del dispositivo per [dispositivi supportati](https://attestation.app/about#device-support). Attualmente funziona solo con GrapheneOS e con il sistema operativo originale del dispositivo. + + [:octicons-home-16: Pagina principale](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentazione} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor esegue l'attestazione e il rilevamento delle intrusioni: + +- Utilizzando un [modello Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) tra un *revisore* e un *oggetto verificato*, la coppia stabilisce una chiave privata nel [keystore dell'hardware](https://source.android.com/security/keystore/) del *revisore*. +- Il *revisore* può essere un'altra istanza dell'applicazione Auditor o il [Remote Attestation Service](https://attestation.app). +- Il *revisore* registra lo stato attuale e la configurazione dell'*oggetto verificato*. +- In caso di manomissione del sistema operativo dell'*oggetto verificato* dopo il completamento dell'accoppiamento, il revisore sarà a conoscenza della modifica dello stato e delle configurazioni del dispositivo. +- Verrai avvisato della modifica. + +Al servizio di attestazione non vengono inviate informazioni d'identificazione personale. Ti consigliamo di registrarti con un account anonimo e di attivare l'attestazione remota per un monitoraggio continuo. + +Se il proprio [modello di minaccia](basics/threat-modeling.md) richiede privacy, potresti considerare l'utilizzo di [Orbot](tor.md#orbot) o di una VPN per nascondere il proprio indirizzo IP al servizio di attestazione. Per assicurarsi che l'hardware e il sistema operativo siano autentici, [esegui l'attestazione locale](https://grapheneos.org/install/web#verifying-installation) subito dopo l'installazione del dispositivo e prima di qualsiasi connessione a Internet. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark. vg#only-dark){ align=right } + + **Secure Camera** è un'app per fotocamera incentrata sulla privacy e sulla sicurezza che può catturare immagini, video e codici QR. Le estensioni del vendor CameraX (Ritratto, HDR, Visione Notturna, Ritocco del Viso e Auto) sono supportate su dispositivi disponibili. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Le principali funzionalità di privacy includono: + +- Rimozione automatica dei metadati [Exif](https://it.wikipedia.org/wiki/Exchangeable_image_file_format) (attivata in modo predefinito) +- Utilizzo della nuova API [Media](https://developer.android.com/training/data-storage/shared/media), pertanto non è richiesta [l'autorizzazione per tutti i file](https://developer.android.com/training/data-storage) +- L'autorizzazione al microfono non è necessaria, a meno che non si voglia registrare l'audio + +!!! note + + Attualmente i metadati non vengono eliminati dai file video, ma la funzione è in sviluppo. + + I metadati sull'orientamento dell'immagine non vengono eliminati. Se attivi la posizione (in Secure Camera), anche questa **non** verrà rimossa. Se vuoi eliminarla in un secondo momento, dovrai usare un'app esterna come [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** è un visualizzatore di PDF basato su [pdf.js](https://it.wikipedia.org/wiki/PDF.js) che non richiede alcuna autorizzazione. Il PDF viene inserito in una [webview](https://developer.android.com/guide/webapps/webview) [sandboxed](https://it.wikipedia.org/wiki/Sandbox). Ciò significa che non richiede direttamente l'autorizzazione per accedere a contenuti o file. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) viene utilizzato per imporre che le proprietà JavaScript e di stile all'interno della WebView siano interamente di contenuto statico. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Ottenere le applicazioni + +### App Store di GrapheneOS + +L'app store di GrapheneOS è disponibile su [GitHub](https://github.com/GrapheneOS/Apps/releases). Supporta Android 12 e versioni successive ed è in grado di aggiornarsi da solo. L'app store contiene applicazioni standalone realizzate dal progetto GrapheneOS, come [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera) e [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). Se stai cercando queste applicazioni, ti consigliamo vivamente di scaricarle dal distributore di app di GrapheneOS invece che dal Play Store, in quanto le app presenti nel loro distributore sono firmate dal progetto GrapheneOS con una firma propria a cui Google non ha accesso. + +### Aurora Store + +Il Google Play Store richiede un account Google per l'accesso, il che non è un bene per la privacy. È possibile ovviare a questo problema utilizzando un client alternativo, come Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** è un client di Google Play Store che non richiede un account Google, Google Play Services o microG per scaricare le app. + + [:octicons-home-16: Pagina principale](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Codice sorgente" }. + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store non consente di scaricare app a pagamento con la funzione di account anonimo. Puoi facoltativamente accedere con il tuo account Google in Aurora Store per scaricare le app che hai acquistato, il che dà accesso a Google all'elenco delle app che hai installato, ma puoi comunque trarre vantaggio dal fatto di non richiedere il client Google Play completo e i servizi Google Play o microG sul tuo dispositivo. + +### Manualmente con le notifiche RSS + +Per le app pubblicate su piattaforme come GitHub e GitLab, potresti aggiungere un feed RSS al tuo [aggregatore di notizie](/news-aggregators) che ti aiuterà a tenere traccia delle nuove versioni. + +![APK da RSS](./assets/img/android/rss-apk-light.png#only-light) ![APK da RSS](./assets/img/android/rss-apk-dark.png#only-dark) ![Modifiche APK](./assets/img/android/rss-changes-light.png#only-light) ![Modifiche APK](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +Su GitHub, usando [Secure Camera](#secure-camera) come esempio, si dovrebbe navigare alla sua [pagina releases](https://github.com/GrapheneOS/Camera/releases) e aggiungere `.atom` all'URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +Su GitLab, usando [Aurora Store](#aurora-store) come esempio, si dovrebbe navigare al [repository del progetto](https://gitlab.com/AuroraOSS/AuroraStore) e aggiunge `/-/tags?format=atom` all'URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifica delle impronte digitali degli APK + +Se scarichi i file APK da installare manualmente, è possibile verificarne la firma con lo strumento [`apksigner`](https://developer.android.com/studio/command-line/apksigner), che fa parte dei [build-tools](https://developer.android.com/studio/releases/build-tools) di Android. + +1. Installa [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Scarica gli [strumenti da riga di comando di Android Studio](https://developer.android.com/studio#command-tools). + +3. Estrai l'archivio scaricato: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Esegui il comando di verifica della firma: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. Gli hash risultanti possono poi essere confrontati con un'altra fonte. Alcuni sviluppatori, come per Signal, [mostrano le impronte digitali](https://signal.org/android/apk/) sul loro sito web. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![Logo di F-Droid](assets/img/android/f-droid.svg){ align=right width=120px } + +**Non** raccomandiamo attualmente F-Droid come metodo per ottenere applicazioni.== F-Droid è spesso consigliato come alternativa a Google Play, in particolare nelle comunità sulla privacy. La possibilità di aggiungere repository di terze parti e di non essere confinati nel giardino recintato di Google ne ha determinato la popolarità. F-Droid ha inoltre [build riproducibili](https://f-droid.org/en/docs/Reproducible_Builds/) per alcune applicazioni ed è dedicato al software libero e open-source. Tuttavia, ci sono [problemi notevoli](https://privsec.dev/posts/android/f-droid-security-issues/) con il client ufficiale F-Droid, il loro controllo di qualità e il modo in cui costruiscono, firmano e pubblicano i pacchetti. + +A causa del processo di costruzione delle app, le applicazioni presenti nel repository ufficiale di F-Droid sono spesso in ritardo con gli aggiornamenti. Inoltre i manutentori di F-Droid riutilizzano gli ID dei pacchetti mentre firmano le app con le proprie chiavi, il che non è l'ideale perché conferisce al team di F-Droid la massima fiducia. + +Altri popolari repository di terze parti, come [IzzyOnDroid](https://apt.izzysoft.de/fdroid/), alleviano alcuni di questi problemi. Il repository IzzyOnDroid estrae le build direttamente da GitHub ed è la seconda scelta migliore dopo i repository degli sviluppatori. Tuttavia, non è qualcosa che possiamo consigliare, poiché le app vengono solitamente [rimosse](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) da quel repository quando arrivano al repository principale di F-Droid. Sebbene ciò abbia senso (dato che l'obiettivo di questo particolare repository è ospitare le app prima che vengano accettate nel repository principale di F-Droid), ti può lasciare con le app installate senza ricevere più aggiornamenti. + +Detto ciò, i repository [F-Droid](https://f-droid.org/en/packages/) e [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) ospitano innumerevoli app, quindi possono essere uno strumento utile per cercare e scoprire applicazioni open-source che si possono poi scaricare tramite Play Store, Aurora Store o ottenendo l'APK direttamente dallo sviluppatore. È importante tenere presente che alcune app presenti in questi repository non sono state aggiornate da anni e possono fare affidamento su librerie non supportate, costituendo un potenziale rischio per la sicurezza. Quando cerchi nuove app con questo metodo, è bene usare il tuo miglior giudizio. + +!!! note + + In alcuni rari casi, lo sviluppatore di un'app la distribuisce solo attraverso F-Droid ([Gadgetbridge](https://gadgetbridge.org/) ne è un esempio). Se hai davvero bisogno di un'app del genere, ti consigliamo di usare [Neo Store](https://github.com/NeoApplications/Neo-Store/) al posto dell'app ufficiale di F-Droid per ottenerla. + +## Criteri + +**Si noti che non siamo affiliati a nessuno dei progetti che consigliamo.** Oltre a [i nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti che ci permettono di fornire raccomandazioni obiettive. Ti consigliamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e condurre le tue ricerche per assicurarti che sia la scelta giusta per te. + +!!! example "Questa sezione è nuova" + + Stiamo lavorando per stabilire criteri definiti per ogni sezione del nostro sito, e ciò potrebbe essere soggetto a modifiche. Se hai domande sui nostri criteri, [chiedi sul nostro forum](https://discuss.privacyguides.net/latest) e non dare per scontato che non abbiamo preso in considerazione qualcosa quando formuliamo i nostri consigli se non è elencato qui. Sono molti i fattori presi in considerazione e discussi quando raccomandiamo un progetto e documentare ogni singolo fattore è un lavoro in corso. + +### Sistemi operativi + +- Deve essere un software open-source. +- Deve supportare il blocco del bootloader con supporto della chiave AVB personalizzata. +- Deve ricevere nuove versioni di Android entro 0-1 mesi dalla pubblicazione. +- Deve ricevere gli aggiornamenti delle funzionalità Android (versione minore) entro 0-14 giorni dalla pubblicazione. +- Deve ricevere regolarmente le patch di sicurezza entro 0-5 giorni dalla pubblicazione. +- **Non** deve essere preconfigurato con il "root". +- **Non** deve abilitare Google Play Services per impostazione predefinita. +- **Non** deve richiedere la modifica del sistema per supportare Google Play Services. + +### Dispositivi + +- Deve supportare almeno uno dei sistemi operativi personalizzati consigliati. +- Deve essere venduto nuovo nei negozi. +- Deve ricevere un minimo di 5 anni di aggiornamenti di sicurezza. +- Deve disporre di un hardware Secure Element dedicato. + +### Applicazioni + +- Le applicazioni presenti in questa pagina non devono essere applicabili a nessun'altra categoria di software presente sul sito. +- Le applicazioni generali devono estendere o sostituire le funzionalità di base del sistema. +- Le applicazioni devono ricevere aggiornamenti e manutenzione regolari. diff --git a/i18n/it/assets/img/account-deletion/exposed_passwords.png b/i18n/it/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5f301ae7 Binary files /dev/null and b/i18n/it/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/it/assets/img/android/rss-apk-dark.png b/i18n/it/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/it/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/it/assets/img/android/rss-apk-light.png b/i18n/it/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/it/assets/img/android/rss-apk-light.png differ diff --git a/i18n/it/assets/img/android/rss-changes-dark.png b/i18n/it/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/it/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/it/assets/img/android/rss-changes-light.png b/i18n/it/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/it/assets/img/android/rss-changes-light.png differ diff --git a/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-encryption.svg b/i18n/it/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path-dark.svg b/i18n/it/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..ccc6b52e --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Il tuo + Dispositivo + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/it/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/it/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/how-tor-works/tor-path.svg b/i18n/it/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..915f1540 --- /dev/null +++ b/i18n/it/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Il tuo + Dispositivo + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/it/assets/img/multi-factor-authentication/fido.png b/i18n/it/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..07a2c0b1 Binary files /dev/null and b/i18n/it/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..1068ed05 Binary files /dev/null and b/i18n/it/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/it/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/it/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/it/basics/account-creation.md b/i18n/it/basics/account-creation.md new file mode 100644 index 00000000..6b1693a2 --- /dev/null +++ b/i18n/it/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Creazione account" +icon: 'material/account-plus' +description: La creazione di account online è praticamente una necessità di internet, adottate questi accorgimenti per assicurarvi di rimanere privati. +--- + +Spesso le persone si iscrivono a servizi senza riflettere. Forse si tratta di un servizio di streaming per guardare la nuova serie di cui tutti parlano, o di un account che ti offre uno sconto per il tuo supermercato preferito. In ogni caso, dovresti considerare le implicazioni per i tuoi dati ora e in futuro. + +Ci sono rischi associati ad ogni nuovo servizio che utilizzi. Violazioni dei dati, divulgazione d'informazioni sui clienti a terzi, accesso ai dati da parte di dipendenti furfanti: sono tutte possibilità che devono essere prese in considerazione al momento in cui fornisci le tue informazioni. Devi essere sicuro di poterti fidare del servizio, motivo per cui non consigliamo di archiviare dati preziosi su nulla se non sui prodotti più maturi e testati. Ciò di solito significa servizi che forniscono E2EE e sono stati sottoposti a un ispezione crittografica. Un ispezione aumenta la garanzia che il prodotto sia stato progettato senza problemi di sicurezza evidenti causati da uno sviluppatore inesperto. + +Può anche essere difficile eliminare gli account su alcuni servizi. A volte [sovrascrivere i dati](account-deletion.en.md#overwriting-account-information) associati a un account può essere possibile, ma in altri casi il servizio manterrà un'intera cronologia delle modifiche apportate all'account. + +## Termini di servizio & Informativa sulla privacy + +I ToS sono le regole che accetti di seguire quando utilizzi il servizio. Nei servizi più grandi queste regole sono spesso applicate da sistemi automatici. A volte questi sistemi automatici possono commettere errori. Ad esempio, potresti essere bandito o bloccato dal tuo account di alcuni servizi per l'utilizzo di una VPN o un numero VOIP. Appellare l'espulsione è spesso difficile e comporta anche un processo automatizzato, che non sempre ha successo. Questo è uno dei motivi per cui non suggeriamo di usare Gmail per la posta elettronica ad esempio. L'email è fondamentale per l'accesso ad altri servizi a cui potresti esserti iscritto. + +L'informativa sulla privacy è il modo in cui il servizio dichiara di utilizzare i tuoi dati e vale la pena di leggerla per capire come verranno utilizzati. Un'azienda o un'organizzazione potrebbe non essere legalmente obbligata a seguire tutto ciò che è contenuto nell'informativa (dipende dalla giurisdizione). Ti consigliamo di avere un'idea di quali sono le leggi locali e cosa consentono a un fornitore di raccogliere. + +Consigliamo di cercare termini particolari come "raccolta dati", "analisi dei dati", "cookie", "annunci" o servizi "di terze parti". A volte potrai rifiutare la raccolta o la condivisione dei tuoi dati, ma è meglio scegliere un servizio che rispetti la tua privacy fin dall'inizio. + +Inoltre, riponi la tua fiducia nell'azienda o nell'organizzazione per rispettare effettivamente la loro informativa sulla privacy. + +## Metodi di autenticazione + +Di solito ci sono diversi modi per iscriversi ad un account, ognuno con i propri vantaggi e svantaggi. + +### Email e password + +Il modo più comune per creare un nuovo account è tramite un indirizzo e-mail e una password. Quando si utilizza questo metodo, è necessario utilizzare un gestore di password e seguire le [migliori pratiche](passwords-overview.md) per quanto riguarda le password. + +!!! important + + Puoi utilizzare il tuo gestore di password per organizzare anche altri metodi di autenticazione! Basta aggiungere la nuova voce e compilare i campi appropriati, è possibile aggiungere note per cose come domande di sicurezza o una chiave di backup. + +Sarai responsabile della gestione delle tue credenziali di accesso. Per una maggiore sicurezza, puoi impostare [MFA](multi-factor-authentication.md) sui tuoi account. + +[Gestori di password consigliati](../passwords.md ""){.md-button} + +#### Alias email + +Se non vuoi fornire il tuo vero indirizzo email ad un servizio, hai la possibilità di utilizzare un alias. Li abbiamo descritti in modo più dettagliato nella nostra pagina di raccomandazione dei servizi di posta elettronica. In sostanza, i servizi alias consentono di generare nuovi indirizzi email che inoltrano tutte le email al tuo indirizzo principale. Questo può aiutare a prevenire il tracciamento tra i vari servizi e a gestire le email di marketing che talvolta accompagnano il processo di iscrizione. Questi possono essere filtrati automaticamente in base all'alias a cui vengono inviati. + +Se un servizio viene violato, potresti iniziare a ricevere email di phishing o spam all'indirizzo che hai utilizzato per iscriverti. L'uso di alias unici per ogni servizio può aiutare a identificare esattamente quale servizio è stato violato. + +[Servizi di aliasing email consigliati](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + Stiamo parlando di Single sign-on per uso personale, non per utenti aziendali. + +Il single sign-on (SSO) è un metodo di autenticazione che consente di registrarsi a un servizio senza condividere molte informazioni, se non nessuna. Ogni volta che vedi qualcosa sulla falsariga di "Accedi con *nome gestore*" su un modulo di registrazione, è il SSO. + +Quando scegli il single sign-on in un sito web, viene mostrata la pagina di accesso del gestore SSO e successivamente l'account viene collegato. La tua password non verrà condivisa, ma alcune informazioni di base lo saranno (puoi rivederle durante la richiesta di accesso). Questo processo è necessario ogni volta che si desidera accedere allo stesso account. + +I principali vantaggi sono: + +- **Sicurezza**: nessun rischio di essere coinvolti in una [violazione dei dati](https://en.wikipedia.org/wiki/Data_breach) perché il sito non memorizza le tue credenziali. +- **Facilità d'uso**: gli account multipli sono gestiti da un unico accesso. + +Ma ci sono degli svantaggi: + +- **Privacy**: un gestore SSO conoscerà i servizi che utilizzi. +- **Centralizzazione**: se il tuo account SSO viene compromesso o non riesci ad accedervi, tutti gli altri account ad esso collegati sono interessati. + +Il SSO può essere particolarmente utile in quelle situazioni in potresti beneficiare di un integrazione più profonda tra i servizi. Ad esempio, uno di questi servizi potrebbe offrire il SSO per gli altri. La nostra raccomandazione è di limitare il SSO solo dove ne hai bisogno e proteggere l'account principale con [MFA](multi-factor-authentication.md). + +Tutti i servizi che utilizzano il SSO saranno sicuri come il tuo account SSO. Ad esempio, se desideri proteggere un account con una chiave hardware ma tale servizio non supporta le chiavi hardware, è possibile proteggere l'account SSO con una chiave hardware e ora disporrai essenzialmente di MFA hardware su tutti i tuoi account. Vale la pena notare, tuttavia, che un autenticazione debole sul tuo account SSO significa che qualsiasi account legato a quel accesso sarà a sua volta debole. + +### Numero di telefono + +Consigliamo di evitare i servizi che richiedono un numero di telefono per l'iscrizione. Un numero di telefono può identificarti su più servizi e, a seconda degli accordi di condivisione dei dati, ciò renderà più facile tenere traccia del tuo utilizzo, in particolare se uno di questi servizi viene violato poiché il numero di telefono è spesso **non** crittografato. + +Dovresti evitare di dare il tuo vero numero di telefono se puoi. Alcuni servizi consentono l'uso di numeri VOIP, ma spesso questi attivano i sistemi di rilevamento delle frodi, causando il blocco del account, quindi non li consigliamo per i account importanti. + +In molti casi dovrai fornire un numero da cui puoi ricevere SMS o chiamate, in particolare quando fai acquisti a livello internazionale, nel caso in cui ci sia un problema con il tuo ordine ai controlli doganali. È comune che i servizi utilizzino il tuo numero come metodo di verifica; non lasciarti bloccare un account importante perché volevi essere furbo e dare un numero falso! + +### Nome utente e password + +Alcuni servizi ti consentono di registrarti senza utilizzare un indirizzo email e richiedono solo d'impostare un nome utente e una password. Questi servizi possono fornire un maggiore anonimato se combinati con una VPN o Tor. Tieni presente che per questi account molto probabilmente non ci sarà **nessun modo per recuperare il tuo account** nel caso in cui dimentichi il tuo nome utente o password. diff --git a/i18n/it/basics/account-deletion.md b/i18n/it/basics/account-deletion.md new file mode 100644 index 00000000..cc83c6c1 --- /dev/null +++ b/i18n/it/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Eliminazione account" +icon: 'material/account-remove' +description: È facile accumulare un gran numero di account Internet, ecco alcuni consigli su come sfoltire la vostra collezione. +--- + +Con il tempo, può essere facile accumulare una serie di profili online, molti dei quali potrebbero non essere più utilizzati. L'eliminazione di questi account inutilizzati è un passo importante per recuperare la propria privacy, poiché gli account inattivi sono vulnerabili alle violazioni dei dati. Una violazione dei dati (anche detta data breach) avviene quando la sicurezza di un servizio è compromessa e le informazioni protette vengono visualizzate, trasmesse o rubate da soggetti non autorizzati. Le violazioni dei dati sono purtroppo [troppo comuni](https://haveibeenpwned.com/PwnedWebsites) al giorno d'oggi e quindi praticare una buona igiene digitale è il modo migliore per ridurre al minimo l'impatto che hanno sulla propria vita. L'obiettivo di questa guida è quindi quello di aiutarvi a superare il fastidioso processo di cancellazione dell'account, spesso reso difficile da un [design ingannevole](https://www.deceptive.design/), per migliorare la propria presenza online. + +## Trovare i vecchi account + +### Gestore di password + +Se hai un gestore di password che hai usato per tutta la tua vita digitale, questa parte sarà molto semplice. Spesso includono funzionalità integrate per rilevare se le vostre credenziali sono state esposte in una violazione dei dati, come ad esempio [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/) di Bitwarden. + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Anche se non hai mai utilizzato un gestore di password, è probabile che tu abbia usato quello del tuo browser o del tuo telefono senza nemmeno accorgetene. Per esempio: [Gestore Password Firefox ](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins),[Gestore Password Google](https://passwords.google.com/intro) e [ Gestore Password Edge ](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Le piattaforme desktop spesso dispongono di un gestore di password che può aiutarvi a recuperare le password dimenticate: + +- [Gestione credenziali](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) Windows +- [Password ](https://support.apple.com/en-us/HT211145) macOS +- [ Password ](https://support.apple.com/en-us/HT211146) iOS +- Linux, GNOME Keyring, accessibile tramite [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) o [Gestione portafogli di KDE](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +Se non avete mai usato un gestore di password o pensate di avere account che non sono stati aggiunti al vostro gestore di password, potete provare a cercare l'account (o gli account) email utilizzato per registrarvi. Sul vostro client email, cercate parole chiave come "verifica" o "benvenuto." Quasi ogni volta che create un account online, il servizio vi manderà un link di verifica o un messaggio introduttivo alla vostra email. Questo può essere un ottimo modo per trovare vecchi account dimenticati. + +## Eliminazione vecchi account + +### Accedi + +Per eliminare i vostri vecchi account, dovrete prima assicurarvi di poter accedere. Ancora una volta, se l'account era già nel tuo gestore di password, questo passaggio è molto più semplice. In caso contrario, si può provare a indovinare la password. Altrimenti, ci sono metodi per riottenere l'accesso al tuo account, tipicamente disponibili tramite un link "password dimenticata" nella pagina d'accesso. È anche possibile che gli account abbandonati siano stati già stati eliminati: a volte i servizi eliminano tutti i vecchi account. + +Quando si tenta di recuperare l'account, se il sito restituisce un messaggio di errore in cui dice che l'e-mail non è associata a un account, o se non si riceve mai un link di recupero dopo svariati tentativi, allora non c'è nessun account con quell'indirizzo e-mail e si deve provare con un altro. Se non riesci a capire quale email hai utilizzato, o non hai più accesso a quella email, puoi provare a contattare l'assistenza clienti del servizio in questione. Purtroppo, non vi è alcuna garanzia di poter riottenere l'accesso all'account. + +### GDPR (solo per i residenti nello SEE) + +I residenti dello SEE hanno ulteriori diritti in materia di cancellazione dei dati personali come specificato nell' [ Articolo 17 ](https://www.gdpr.org/regulation/article-17.html) del GDPR. Se applicabile, leggere l'informativa sulla privacy per qualsiasi servizio per trovare informazioni su come esercitare il diritto alla cancellazione. Leggere l'informativa sulla privacy può rivelarsi importante, poiché alcuni servizi prevedono l'opzione "Elimina account" che si limita a disabilitare l'account, mentre per la vera e propria eliminazione è necessario intraprendere ulteriori azioni. A volte la cancellazione vera e propria può comportare la compilazione di sondaggi, l'invio di un'e-mail al responsabile della protezione dei dati del servizio o addirittura la dimostrazione della propria residenza nel SEE. Se intendi procedere in questo modo, **NON** sovrascrivere le informazioni dell'account: La tua identità come residente del SEE potrebbe venirti richiesta. Nota che la posizione geografica del servizio non ha alcuna importanza; il GDPR si applica a chiunque serva utenti Europei. Se il servizio non rispetta il vostro diritto alla cancellazione, puoi contattare il tuo [Garante per la protezione dei dati personali](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) e potreste avere diritto anche ad un risarcimento in denaro. + +### Sovrascrivere Informazioni dell'Account + +In alcune situazioni in cui si prevede di abbandonare un account, può avere senso sovrascrivere le informazioni dell'account con dati falsi. Una volta che sei sicuro di poter accedere, modifica tutte le informazioni di quell'account con informazioni false. Il motivo è che molti siti conservano le informazioni precedentemente in possesso dell'utente anche dopo la cancellazione dell'account. La speranza è che sovrascrivano le informazioni precedenti con i dati più recenti da te inseriti. Tuttavia, non è garantito che non vi siano backup con le informazioni precedenti. + +Per l'e-mail dell'account, o create un nuovo account e-mail utilizzando il vostro provider oppure create un alias utilizzando un [servizio di alias e-mail ](../email.md#email-aliasing-services). Una volta fatto ciò, potete eliminare l'indirizzo email alternativo. Consigliamo di NON utilizzare i provider di email temporanee, poiché spesso è possibile riattivarle. + +### Elimina + +È possibile consultare [JustDeleteMe](https://justdeleteme.xyz) per le istruzioni sull'eliminazione dell'account per un servizio specifico. Alcuni siti offrono fortunatamente l'opzione "Elimina account", mentre altri si spingono fino a costringervi a parlare con un agente di supporto. Il processo di cancellazione può variare da un sito all'altro, e in alcuni casi la cancellazione dell'account sarà impossibile. + +Per i servizi che non permettono l'eliminazione dell'account, la cosa migliore da fare è quella di falsificare tutte le informazioni (come detto in precedenza) e di rafforzare la sicurezza dell'account. Per fare ciò, abilita [MFA](multi-factor-authentication.md) e qualsiasi altra funzionalità che il sito offre. Inoltre, cambia la password con una generata casualmente che sia della lunghezza massima consentita (un [gestore di password](../passwords.md)può esserti utile per questo). + +Se siete soddisfatti che tutte le informazioni che vi interessano siano state rimosse, potete tranquillamente dimenticarvi di questo account. In caso contrario, potrebbe essere una buona idea quella di conservare le credenziali insieme alle altre password e di tanto in tanto effettuare un nuovo accesso per reimpostare la password. + +Anche quando riesci a eliminare un account, non vi è alcuna garanzia che tutte le tue informazioni vengano rimosse. Infatti, alcune società sono tenute per legge a conservare determinate informazioni, in particolare quando si tratta di operazioni finanziarie. È per lo più fuori dal tuo controllo ciò che accade ai tuoi dati quando si tratta di siti Web e servizi cloud. + +## Evita nuovi account + +Come dice il vecchio detto, "un grammo di prevenzione vale un chilo di cura." Ogni volta che ti senti tentato di registrare un nuovo account, chiediti: "Ne ho davvero bisogno? Posso realizzare ciò che mi serve senza un account?" Spesso è molto più difficile eliminare un account piuttosto che crearne uno. E anche dopo aver eliminato o modificato le info del tuo account, potrebbe esserci una versione nella cache di qualche sito di terze parti, come [Internet Archive](https://archive.org/). Evitate la tentazione quando potete: il te stesso del futuro ti ringrazierà! diff --git a/i18n/it/basics/common-misconceptions.md b/i18n/it/basics/common-misconceptions.md new file mode 100644 index 00000000..b54f6455 --- /dev/null +++ b/i18n/it/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "I malintesi più comuni" +icon: 'material/robot-confused' +description: Non è semplice trattare di privacy, ed è facile farsi abbindolare da semplice marketing o altri tipi di disinformazione. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Il software open source è intrinsecamente sicuro? + acceptedAnswer: + "@type": Answer + text: | + Il fatto che il codice sorgente sia disponibile e la licenza a cui è sottoposto il software non implica che il codice sia sicuro a prescindere. Il software open-source è potenzialmente più sicuro del software proprietario, tuttavia non c'è alcuna garanzia che sia così. Quando si valuta un software, è necessario esaminare la reputazione e la sicurezza di ogni programma in modo indipendente. + - + "@type": Question + name: '"Spostare la fiducia" ad un altro provider può migliorare la privacy?' + acceptedAnswer: + "@type": Answer + text: | + Si parla spesso di "spostamento della fiducia" quando si parla di soluzioni come le VPN (che spostano la fiducia riposta nel proprio ISP al fornitore di VPN). Sebbene questo protegga i tuoi dati di navigazione dal tuo ISP, il provider VPN che hai scelto ha l'accesso ai tuoi dati: non è certo che i tuoi dati siano al sicuro da terzi. + - + "@type": Question + name: Le soluzioni incentrate sulla privacy sono intrinsecamente affidabili? + acceptedAnswer: + "@type": Answer + text: | + Concentrarsi esclusivamente sulle politiche sulla privacy e sul marketing di uno strumento o di un fornitore può indurti a ignorare i suoi punti deboli. Quando si cerca una soluzione più privata, è necessario determinare il problema di fondo e trovare soluzioni tecniche per risolverlo. Ad esempio, sarebbe meglio evitare Google Drive, che dà a Google accesso a tutti i tuoi dati. In questo caso il problema di fondo è la mancanza di cifratura E2EE, quindi è necessario assicurarsi che il fornitore a cui si passa implementi effettivamente l'E2EE, oppure utilizzare uno strumento (come Cryptomator) che fornisce l'E2EE per qualsiasi fornitore di servizi di archiviazione cloud. Passare a un fornitore "finalizzato alla privacy" (che non implementa l'E2EE) non risolve il problema: sposta solo la fiducia da Google a quel fornitore. + - + "@type": Question + name: Quando dovrebbe essere complesso il mio modello di minaccia? + acceptedAnswer: + "@type": Answer + text: | + Spesso si vedono descrivere modelli di minaccia per la privacy eccessivamente complessi. Spesso queste soluzioni includono problemi come l'uso di molteplici account di posta elettronica o di configurazioni complicate con molte parti mobili e condizioni. Le risposte sono solitamente soluzioni alla domanda "qual è il modo migliore per fare X?" + Trovare la soluzione "migliore" per te non significa necessariamente cercare una soluzione infallibile con decine di condizioni: queste soluzioni sono spesso difficili da gestire in modo realistico. Come abbiamo detto in precedenza, la sicurezza spesso va a scapito della comodità. +--- + +## "Il software open-source è sempre sicuro" o "il software proprietario è più sicuro" + +Questi miti derivano da una serie di pregiudizi, ma la disponibilità del codice sorgente e le modalità di licenza del software non influiscono in alcun modo sulla sua sicurezza. ==Il software open-source ha il *potenziale* di essere più sicuro del software proprietario, ma non c'è alcuna garanzia che sia così.== Quando si valuta il software, è necessario esaminare la reputazione e la sicurezza di ogni strumento su base individuale. + +Il software open-source *può* essere ispezionato da terzi e spesso è più trasparente sulle potenziali vulnerabilità rispetto alle controparti proprietarie. Permette inoltre di esaminare il codice e di disabilitare qualsiasi funzionalità sospetta. Tuttavia, *a meno che non lo si faccia*, non c'è alcuna garanzia che il codice sia mai stato valutato, soprattutto nei progetti software più piccoli. Il processo di sviluppo aperto è stato talvolta sfruttato per introdurre nuove vulnerabilità anche in progetti di grandi dimensioni.[^1] + +D'altra parte, il software proprietario è meno trasparente, ma ciò non significa che non sia sicuro. I grandi progetti di software proprietario possono essere controllati internamente e da agenzie di terze parti, e i ricercatori di sicurezza indipendenti possono ancora trovare vulnerabilità con tecniche come il reverse engineering. + +Per evitare decisioni distorte, è *fondamentale* valutare gli standard di privacy e sicurezza del software che utilizzi. + +## "Spostare la fiducia può aumentare la privacy" + +Si parla spesso di "spostamento della fiducia" quando si parla di soluzioni come le VPN (che spostano la fiducia riposta nel proprio ISP al fornitore di VPN). Sebbene queste proteggano i vostri dati di navigazione dal vostro ISP *in particolare*, il fornitore di VPN che scegli ha comunque accesso ai tuoi dati di navigazione: i tuoi dati non sono completamente protetti da tutte le parti. Ciò implica che + +1. è necessario prestare attenzione quando si sceglie un fornitore a cui affidarsi; +2. è comunque necessario utilizzare altre tecniche, come E2EE, per proteggere completamente i dati. Diffidare di un fornitore per affidarsi a un altro non significa mettere al sicuro i propri dati. + +## "Le soluzioni incentrate sulla privacy sono intrinsecamente affidabili" + +Concentrarsi esclusivamente sulle politiche sulla privacy e sul marketing di uno strumento o di un fornitore può indurti a ignorare i suoi punti deboli. Quando si cerca una soluzione più privata, è necessario determinare il problema di fondo e trovare soluzioni tecniche per risolverlo. Ad esempio, sarebbe meglio evitare Google Drive, che dà a Google accesso a tutti i tuoi dati. Il problema di fondo in questo caso è la mancanza di E2EE, quindi è necessario assicurarsi che il fornitore a cui si passa implementi effettivamente l'E2EE, oppure utilizzare uno strumento (come [Cryptomator](../encryption.md#cryptomator-cloud)) che fornisce l'E2EE a qualsiasi fornitore di archiviazione in cloud. Passare a un fornitore "finalizzato alla privacy" (che non implementa l'E2EE) non risolve il problema: sposta solo la fiducia da Google a quel fornitore. + +Le politiche sulla privacy e le pratiche commerciali dei fornitori scelti sono molto importanti, ma devono essere considerate secondarie rispetto alle garanzie tecniche della tua privacy: non si dovrebbe trasferire la fiducia a un altro fornitore quando la fiducia in un fornitore non è affatto un requisito. + +## "Complicato è meglio" + +Spesso si vedono descrivere modelli di minaccia per la privacy eccessivamente complessi. Spesso queste soluzioni includono problemi come l'uso di molteplici account di posta elettronica o di configurazioni complicate con molte parti mobili e condizioni. Le risposte sono solitamente risposte a "qual è il modo migliore per fare *X*?" + +Trovare la soluzione "migliore" per te non significa necessariamente cercare una soluzione infallibile con decine di condizioni: queste soluzioni sono spesso difficili da gestire in modo realistico. Come abbiamo detto in precedenza, la sicurezza spesso va a scapito della comodità. Di seguito vi forniamo alcuni suggerimenti: + +1. ==le azioni devono servire a uno scopo particolare:== pensa a come fare ciò che desideri con il minor numero di azioni; +2. ==eliminare i punti di fallimento umani:== Falliamo, ci stanchiamo e dimentichiamo le cose. Per mantenere la sicurezza, evita di affidarti a condizioni e processi manuali che dovi ricordare; +3. ==utilizza il giusto livello di protezione per ciò che intendi fare.== Spesso vediamo consigliate le cosiddette soluzioni a prova di forze dell'ordine o di citazione in giudizio. Spesso richiedono conoscenze specialistiche e in genere non sono ciò che la gente vuole. Non ha senso costruire un intricato modello di minaccia per l'anonimato se si può essere facilmente de-anonimizzati da una semplice svista. + +Quindi, come potrebbe apparire? + +Uno dei modelli di minaccia più chiari è quello in cui le persone *sanno chi sei* e quello in cui non lo sanno. Ci saranno sempre situazioni in cui dovrai dichiara il tuo nome legale e altre in cui non sarà necessario. + +1. **Identità nota** - L'identità nota viene utilizzata per le situazioni in cui è necessario dichiarare il proprio nome. Sono molti i documenti legali e i contratti per i quali è richiesta un'identità legale. Si può trattare dell'apertura di un conto bancario, della firma di un contratto di locazione immobiliare, dell'ottenimento di un passaporto, delle dichiarazioni doganali per l'importazione di articoli o di altri rapporti con il governo. Queste cose di solito portano a credenziali come carte di credito, controlli del rating, numeri di conto ed eventuali indirizzi fisici. + + Non suggeriamo di utilizzare una VPN o Tor per queste cose, poiché la vostra identità è già nota attraverso altri mezzi. + + !!! important + + Quando si fanno acquisti online, l'uso di un [punto pacchi automatico](https://it.wikipedia.org/wiki/Paccomat) può aiutare a mantenere privato il proprio indirizzo fisico. + +2. **Identità sconosciuta** - Un'identità sconosciuta potrebbe essere uno pseudonimo stabile che si usa regolarmente. Non è anonimo perché non cambia. Se fate parte di una comunità online, potreste voler mantenere un'identità che gli altri conoscono. Questo pseudonimo non è anonimo perché, se monitorato abbastanza a lungo, i dettagli sul proprietario possono rivelare ulteriori informazioni, come il modo in cui scrive, la sua conoscenza generale degli argomenti di interesse, ecc. + + A tal fine è possibile utilizzare una VPN per mascherare il proprio indirizzo IP. Le transazioni finanziarie sono più difficili da mascherare: si può prendere in considerazione l'utilizzo di criptovalute anonime, come [Monero](https://www.getmonero.org/). L'utilizzo del cambio di altcoin può anche aiutare a nascondere l'origine della valuta. In genere, le borse richiedono il completamento del KYC (know your customer) prima di consentire lo scambio di valuta fiat in qualsiasi tipo di criptovaluta. Anche le opzioni di incontro locali possono essere una soluzione; tuttavia, spesso sono più costose e talvolta richiedono anche il KYC. + +3. **Identità anonima** - Anche con l'esperienza, le identità anonime sono difficili da mantenere per lunghi periodi di tempo. Dovrebbero essere identità a breve termine e di breve durata che vengono ruotate regolarmente. + + L'uso di Tor può aiutare in questo caso. Vale anche la pena di notare che un maggiore anonimato è possibile attraverso la comunicazione asincrona: la comunicazione in tempo reale è vulnerabile all'analisi dei modelli di digitazione (ad esempio, più di un paragrafo di testo, distribuito su un forum, via e-mail, ecc.) + +[^1]: Un esempio notevole è [l'incidente del 2021 in cui i ricercatori dell'Università del Minnesota hanno introdotto tre vulnerabilità nel progetto di sviluppo del kernel Linux](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/it/basics/common-threats.md b/i18n/it/basics/common-threats.md new file mode 100644 index 00000000..8de65443 --- /dev/null +++ b/i18n/it/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Minacce comuni" +icon: 'material/eye-outline' +description: Il modello di minaccia è individuale, ma ci sono alcuni aspetti che stanno a cuore a molti visitatori di questo sito. +--- + +In linea di massima, le nostre raccomandazioni sono suddivise in [minacce](threat-modeling.md) o obiettivi che si applicano alla maggior parte delle persone. ==Potete essere interessati a nessuna, una, alcune o tutte queste possibilità== e gli strumenti e i servizi che utilizzate dipendono dai vostri obiettivi. Potreste avere minacce specifiche anche al di fuori di queste categorie, il che è perfettamente normale! È importante sviluppare una comprensione dei vantaggi e dei difetti degli strumenti che scegli di utilizzare, perché in astratto nessuno di questi ti proteggerà da qualunque minaccia. + +- :material-incognito: Anonimizzazione - Separa la tua attività online dalla tua reale identità, proteggendoti da persone che mirano a scoprire *la tua* identità. +- :material-target-account: Attacchi mirati - Protezione da hacker o altri malintenzionati che provano a prendere il controllo miratamente dei *tuoi* dati o dispositivo. +- :material-bug-outline: Attacchi passivi - Protezione da malware, violazioni di dati, e altri attacchi non mirati che colpiscono molte persone alla volta. +- :material-server-network: Service Providers - Proteggi i tuoi dati dai service providers (per esempio con la crittografia E2EE, che rende i tuoi dati illeggibili dal server). +- :material-eye-outline: Sorveglianza di massa - Protezione dalle agenzie governative, organizzazioni, siti e serviti che lavorano assieme per tracciare le tue attività. +- :material-account-cash: Capitalismo di sorveglianza - Proteggiti dai network di pubblicità, come Google e Facebook, e altre miriadi di collezionisti di dati di terze parti. +- :material-account-search: Esposizione pubblica - Limitare le informazioni che ti riguardano accessibili online ai motori di ricerca o pubblico in generale. +- :material-close-outline: Censura - Aggirare le censure o evitare di essere censurati a propria volta quando si comunica online. + +Alcune di queste minacce possono essere più importanti per te di altre, a seconda delle tue specifiche preoccupazioni. Per esempio, uno sviluppatore con accesso a dati critici o di valore potrebbe essere particolarmente preoccupato degli :material-target-account: attacchi mirati, ma probabilmente vuole anche proteggere i propri dati personali dalla raccolta di programmi di :material-eye-outline: sorveglianza di massa. Allo stesso modo, molte persone potrebbero essere preoccupate principalmente dell' :material-account-search: esposizione pubblica dei propri dati personali, ma dovrebbero comunque stare attenti ai problemi legati alla sicurezza, come gli :material-bug-outline: attacchi passivi- come malware che colpiscono i loro dispositivi. + +## Anonimato vs. Privacy + +:material-incognito: Anonimato + +L'anonimato viene spesso confuso con la privacy, ma si tratta di concetti distinti. Mentre la privacy è un insieme di scelte che si fanno su come i propri dati vengono utilizzati e condivisi, l'anonimato è la completa dissociazione delle proprie attività online dalla propria identità reale. + +Gli informatori e i giornalisti, ad esempio, possono avere un modello di minaccia molto più estremo che richiede il totale anonimato. Questo non significa solo nascondere ciò che fanno, i dati che possiedono e non farsi hackerare da malintenzionati o governi, ma anche nascondere completamente chi sono. Spesso sacrificano qualsiasi tipo di comodità se ciò significa proteggere il loro anonimato, la loro privacy o la loro sicurezza, perché la loro vita potrebbe dipendere da questo. La maggior parte delle persone non ha bisogno di andare così lontano. + +## Sicurezza e privacy + +:material-bug-outline: Attacchi passivi + +Sicurezza e privacy vengono spesso confuse, perché per ottenere una parvenza di privacy è necessaria la sicurezza: L'utilizzo di strumenti, anche se progettati per essere privati, è inutile se possono essere facilmente sfruttati da aggressori che in seguito renderanno pubblici i vostri dati. Tuttavia, non è necessariamente vero il contrario: il servizio più sicuro al mondo *non è necessariamente* privato. L'esempio migliore è quello di affidare i dati a Google che, date le sue dimensioni, ha avuto pochi incidenti di sicurezza grazie all'impiego di esperti di sicurezza leader del settore per proteggere la propria infrastruttura. Anche se Google offre servizi molto sicuri, pochissime persone considererebbero i propri dati privati nei prodotti gratuiti di Google per i consumatori (Gmail, YouTube, ecc.) + +Quando si parla di sicurezza delle applicazioni, in genere non sappiamo (e a volte non possiamo) se il software che utilizziamo è dannoso o se un giorno potrebbe diventarlo. Anche con gli sviluppatori più affidabili, in genere non c'è garanzia che il loro software non presenti una grave vulnerabilità che potrebbe essere sfruttata in seguito. + +Per ridurre al minimo i danni che un software dannoso *potrebbe* arrecare, è necessario utilizzare la sicurezza per compartimentazione. Ad esempio, si potrebbe utilizzare computer diversi per lavori diversi, macchine virtuali per separare gruppi diversi di applicazioni correlate o un sistema operativo sicuro con una forte attenzione al sandboxing delle applicazioni e al controllo obbligatorio degli accessi. + +!!! suggerimento + + I sistemi operativi mobile hanno in genere un sandboxing delle applicazioni migliore rispetto ai sistemi operativi desktop: Le applicazioni non possono ottenere l'accesso root e richiedono l'autorizzazione per accedere alle risorse di sistema. + + I sistemi operativi desktop sono generalmente in ritardo per quanto riguarda una corretta sandboxing. ChromeOS ha funzionalità di sandboxing simili a quelle di Android e macOS ha un controllo completo dei permessi di sistema (e gli sviluppatori possono optare per il sandboxing per le applicazioni). Tuttavia, questi sistemi operativi trasmettono informazioni di identificazione ai rispettivi OEM. Linux tende a non fornire informazioni ai fornitori di sistemi, ma ha una scarsa protezione contro gli exploit e le applicazioni dannose. Questo problema può essere in qualche modo mitigato con distribuzioni specializzate che fanno un uso significativo di macchine virtuali o container, come [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Attacchi mirati + +Gli attacchi mirati contro una persona specifica sono più problematici da gestire. Gli attacchi più comuni includono l'invio di documenti dannosi via e-mail, lo sfruttamento di vulnerabilità (ad esempio nei browser e nei sistemi operativi) e gli attacchi fisici. Se questo è un problema per voi, dovreste impiegare strategie di mitigazione delle minacce più avanzate. + +!!! suggerimento + + Per loro natura, i **web browser**, i **client di posta elettronica** e le **applicazioni per ufficio** eseguono tipicamente codice non attendibile, inviato da terzi. L'esecuzione di più macchine virtuali, per separare applicazioni come queste dal sistema host e da ogni altra, è una tecnica che si può utilizzare per ridurre la possibilità che un exploit in queste applicazioni comprometta il resto del sistema. Ad esempio, tecnologie come Qubes OS o Microsoft Defender Application Guard su Windows offrono metodi pratici per farlo. + +Se si temono **attacchi fisici** si dovrebbe utilizzare un sistema operativo con un'implementazione di avvio sicuro verificato, come Android, iOS, macOS o [Windows (con TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). È inoltre necessario assicurarsi che l'unità sia crittografata e che il sistema operativo utilizzi un TPM o un Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) o [Element](https://developers.google.com/android/security/android-ready-se) per limitare i tentativi di immissione della passphrase di crittografia. Dovreste evitare di condividere il vostro computer con persone di cui non vi fidate, perché la maggior parte dei sistemi operativi desktop non cripta i dati separatamente per ogni utente. + +## Privacy da parte dei Service providers + +:material-server-network: Service Provides + +Viviamo in un mondo in cui quasi tutto è collegato a Internet. I nostri messaggi "privati", le e-mail e le interazioni sui social sono in genere archiviati su un server, da qualche parte. In genere, quando si invia un messaggio a qualcuno, questo viene memorizzato su un server e quando l'amico vuole leggerlo il server glielo mostra. + +Il problema evidente è che il fornitore di servizi (o un hacker che abbia compromesso il server) può accedere alle vostre conversazioni quando e come vuole, senza che voi ve ne accorgiate. Questo vale per molti servizi comuni, come la messaggistica SMS, Telegram e Discord. + +Fortunatamente, E2EE può alleviare questo problema crittografando le comunicazioni tra l'utente e i destinatari desiderati prima ancora che vengano inviate al server. La riservatezza dei messaggi è garantita, a patto che il fornitore del servizio non abbia accesso alle chiavi private di entrambe le parti. + +!!! note "Nota sulla crittografia Web-based". + + In pratica, l'efficacia delle diverse implementazioni E2EE varia. Le applicazioni, come [Signal](../real-time-communication.md#signal), vengono eseguite in modo nativo sul dispositivo e ogni copia dell'applicazione è la stessa in tutte le installazioni. Se il fornitore di servizi introducesse una [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) nella propria applicazione - nel tentativo di rubare le chiavi private - potrebbe in seguito essere individuato con il [reverse engineering] (https://en.wikipedia.org/wiki/Reverse_engineering). + + D'altro canto, le implementazioni E2EE web-based, come la webmail di Proton Mail o il *Web Vault* di Bitwarden, si affidano al server che serve dinamicamente il codice JavaScript al browser per gestire la crittografia. Un server malintenzionato può prendere di mira l'utente e inviargli del codice JavaScript maligno per rubare la sua chiave di crittografia (e sarebbe estremamente difficile accorgersene). Poiché il server può scegliere di servire diversi web-clients a persone diverse - anche se ci si accorge dell'attacco - sarebbe incredibilmente difficile dimostrare la colpevolezza del provider. + + Pertanto, quando possibile, si dovrebbero utilizzare le applicazioni native rispetto ai web-client. + +Anche con E2EE, i service provider possono comunque tracciare un profilo dell'utente in base ai **metadati**, che in genere non sono protetti. Anche se il fornitore di servizi non può leggere i messaggi, può comunque osservare cose importanti, come le persone con cui si parla, la frequenza dei messaggi e i momenti in cui si è tipicamente attivi. La protezione dei metadati è piuttosto rara e, se rientra nel vostro modello di minaccia [](threat-modeling.md), dovreste prestare molta attenzione alla documentazione tecnica del software che state utilizzando per verificare se esiste una minimizzazione o una protezione dei metadati. + +## Programmi di sorveglianza di massa + +:material-eye-outline: Sorveglianza di massa + +La sorveglianza di massa consiste nello sforzo di monitorare il "comportamento, molte attività o informazioni" di un'intera popolazione (o di una frazione sostanziale di essa).[^1] Spesso si riferisce a programmi governativi, come quelli [rivelati da Edward Snowden nel 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). Tuttavia, può essere svolta anche da aziende, per conto di agenzie governative o di propria iniziativa. + +!!! abstract "Atlas of Surveillance" + + Se vuoi saperne di più sui metodi di sorveglianza e su come vengono attuati nella tua città, puoi anche dare un'occhiata all'[Atlas of Surveillance](https://atlasofsurveillance.org/) della [Electronic Frontier Foundation](https://www.eff.org/). + + In Francia è possibile consultare il [sito web Technolopolice](https://technopolice.fr/villes/) gestito dall'associazione no-profit La Quadrature du Net. + +I governi spesso giustificano i programmi di sorveglianza di massa come mezzi necessari per combattere il terrorismo e prevenire il crimine. Tuttavia, in violazione dei diritti umani, viene spesso utilizzata per colpire in modo sproporzionato gruppi di minoranza e dissidenti politici, tra gli altri. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Di fronte alle [rivelazioni di Edward Snowden su programmi governativi come [PRISM](https://en.wikipedia.org/wiki/PRISM) e [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], i funzionari dell'intelligence hanno anche ammesso che l'NSA ha raccolto segretamente per anni i dati relativi alle telefonate di quasi tutti gli americani: chi chiama chi, quando vengono effettuate le chiamate e quanto durano. Questo tipo di informazioni, accumulate dall'NSA giorno dopo giorno, può rivelare dettagli incredibilmente sensibili sulla vita e sulle associazioni delle persone, come ad esempio se hanno chiamato un pastore, un fornitore di aborti, un consulente per le dipendenze o una linea diretta per i suicidi. + +Nonostante la crescente sorveglianza di massa negli Stati Uniti, il governo ha riscontrato che i programmi di sorveglianza di massa, come la Sezione 215, hanno avuto "poco valore unico" per quanto riguarda l'arresto di crimini reali o di complotti terroristici, con sforzi che in gran parte duplicano i programmi di sorveglianza mirata dell'FBI.[^2] + +Online è possibile essere rintracciati con diversi metodi: + +- Il tuo indirizzo IP +- Cookies del browser +- I dati che invii ai siti web +- L'impronta digitale del browser o del dispositivo +- Correlazione tramite il metodo di pagamento + +\[Questo elenco non è esaustivo]. + +Se sei preoccupato per i programmi di sorveglianza di massa, puoi utilizzare strategie come compartimentare le tue identità online, confonderti con altri utenti o, quando possibile, semplicemente evitare di fornire informazioni identificative. + +:material-account-cash: Capitalismo di sorveglianza + +> Il capitalismo della sorveglianza è un sistema economico incentrato sulla raccolta e la commercializzazione dei dati personali che ha come obiettivo principale il profitto.[^3] + +Per molte persone, il tracciamento e la sorveglianza da parte di aziende private sono una preoccupazione crescente. Le reti pubblicitarie pervasive, come quelle gestite da Google e Facebook, si estendono su Internet ben oltre i siti che controllano, tracciando le vostre azioni lungo il percorso. L'utilizzo di strumenti come i blocchi dei contenuti per limitare le richieste di rete ai loro server e la lettura delle politiche sulla privacy dei servizi utilizzati possono aiutare a evitare molti avversari di base (anche se non possono impedire completamente il tracciamento).[^4] + +Inoltre, anche le aziende al di fuori del settore *AdTech* o del tracking possono condividere le informazioni dell'utente con [intermediari di dati](https://en.wikipedia.org/wiki/Information_broker) (come Cambridge Analytica, Experian o Datalogix) o altre parti. Non potete pensare automaticamente che i vostri dati siano al sicuro solo perché il servizio che state utilizzando non rientra nel tipico modello di business AdTech o di tracciamento. La protezione più efficace contro la raccolta di dati aziendali consiste nel criptare o offuscare i vostri dati ogni volta che è possibile, rendendo difficile per i diversi fornitori correlare i dati tra loro e costruire un profilo su di voi. + +## Limitare l'esposizione al pubblico + +:material-account-search: Esposizione pubblica + +Il modo migliore per mantenere i dati privati è semplicemente non renderli pubblici. Eliminare le informazioni indesiderate che si trovano online è uno dei primi passi da fare per recuperare la propria privacy. + +- [Visualizza la nostra guida sull'eliminazione dell'account :material-arrow-right-drop-circle:](account-deletion.md) + +Sui siti in cui si condividono informazioni, è molto importante controllare le impostazioni sulla privacy del proprio account per limitare la diffusione dei dati. Ad esempio, attivate la "modalità privata" sui vostri account, se ne avete la possibilità: Questo assicura che il vostro account non venga indicizzato dai motori di ricerca e che non possa essere visualizzato senza il vostro permesso. + +Se avete già inviato le vostre informazioni reali a siti che non dovrebbero averle, prendete in considerazione l'utilizzo di tattiche di disinformazione, come l'invio di informazioni fittizie relative a quell'identità online. In questo modo le informazioni reali sono indistinguibili da quelle false. + +## Aggirare la censura + +:material-close-outline: Censura + +La censura online può essere attuata (in varia misura) da attori quali governi totalitari, amministratori di rete e service provider. Questi sforzi per controllare la comunicazione e limitare l'accesso alle informazioni saranno sempre incompatibili con il diritto umano alla libertà di espressione.[^5] + +La censura sulle piattaforme aziendali è sempre più comune, in quanto piattaforme come Twitter e Facebook cedono alle richieste del pubblico, alle pressioni del mercato e a quelle delle agenzie governative. Le pressioni governative possono essere richieste occulte alle aziende, come la Casa Bianca [che chiede la rimozione](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) di un video provocatorio su YouTube, o palesi, come il governo cinese che impone alle aziende di aderire a un rigido regime di censura. + +Le persone preoccupate dalla minaccia della censura possono utilizzare tecnologie come [Tor](../advanced/tor-overview.md) per aggirarla e sostenere piattaforme di comunicazione resistenti alla censura come [Matrix](../real-time-communication.md#element), che non hanno un'autorità centralizzata che può chiudere gli account arbitrariamente. + +!!! suggerimento + + Se eludere la censura in sé può essere facile, nascondere il fatto che lo si sta facendo può essere molto problematico. + + Dovete considerare quali aspetti della rete possono essere osservati dall'avversario e se avete la possibilità di negare plausibilmente le vostre azioni. Ad esempio, l'utilizzo di [DNS criptato](../avanzato/dns-overview.md#che cos'è-encrypted-dns) può aiutare a bypassare i sistemi di censura rudimentali basati sul DNS, ma non può nascondere veramente ciò che si visita al proprio ISP. Una VPN o Tor può aiutare a nascondere agli amministratori di rete ciò che si sta visitando, ma non può nascondere il fatto che si sta usando quella rete. I trasporti collegabili (come Obfs4proxy, Meek o Shadowsocks) possono aiutarvi a eludere i firewall che bloccano i comuni protocolli VPN o Tor, ma i vostri tentativi di elusione possono comunque essere individuati con metodi come il probing o la [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +Dovete sempre considerare i rischi del tentativo di aggirare la censura, le potenziali conseguenze e quanto sofisticato possa essere il vostro avversario. Dovete essere cauti nella scelta del software e avere un piano di backup nel caso in cui veniate scoperti. + +[^1]: Wikipedia: [*Sorveglianza di massa*](https://en.wikipedia.org/wiki/Mass_surveillance) e [*Sorveglianza*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: Comitato di supervisione della privacy e delle libertà civili degli Stati Uniti: [*Rapporto sul programma di registrazione dei tabulati telefonici condotto ai sensi della Sezione 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Capitalismo di sorveglianza*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerare la cattiveria](https://www.ranum.com/security/computer_security/editorials/dumb/)" (o "elencare tutte le cose cattive di cui siamo a conoscenza"), come fanno molti adblocker e programmi antivirus, non riesce a proteggere adeguatamente l'utente da nuove e sconosciute minacce perché non sono ancora state aggiunte all'elenco dei filtri. Dovreste anche utilizzare altre tecniche di mitigazione. +[^5]: Nazioni Unite: [*Dichiarazione universale dei diritti umani*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/it/basics/email-security.md b/i18n/it/basics/email-security.md new file mode 100644 index 00000000..8f5b5fda --- /dev/null +++ b/i18n/it/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Sicurezza Email +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Chi può visualizzare i metadati delle email? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Perché i metadati non possono essere E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/it/basics/multi-factor-authentication.md b/i18n/it/basics/multi-factor-authentication.md new file mode 100644 index 00000000..db3a0503 --- /dev/null +++ b/i18n/it/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Autenticazione a più fattori" +icon: 'material/two-factor-authentication' +description: L'MFA è un meccanismo di sicurezza fondamentale per proteggere i vostri account online, ma alcuni metodi sono più efficaci di altri. +--- + +**L'autenticazione a più fattori** (**MFA**) è un meccanismo di sicurezza che richiede ulteriori passaggi oltre all'inserimento del nome utente (o email) e della password. Il metodo più comune è quello dei codici a tempo limitato che si possono ricevere via SMS o tramite un'applicazione. + +Solitamente, se un hacker (o un avversario) è in grado di scoprire una password, ha la possibilità di accedere all'account a cui la password appartiene. Un account con MFA costringe l'hacker ad avere sia la password (qualcosa che *conosci*) sia un dispositivo di tua proprietà (qualcosa che *hai*), come un cellulare. + +I metodi MFA variano in termini di sicurezza, ma si basano sulla premessa che più è difficile per un attaccante accedere al tuo metodo MFA, meglio è. Esempi di metodi MFA (dal più debole al più forte) sono: SMS, codici email, notifiche push delle app, TOTP, Yubico OTP e FIDO. + +## Confrontra tra i metodi MFA + +### MFA tramite SMS o email + +Ricevere codici OTP via SMS o email è uno dei modi più deboli per proteggere i tuoi account con MFA. Ottenere un codice via email o SMS elimina l'idea di "qualcosa che *possiedi*", perchè ci sono svariati modi con cui un hacker potrebbe [impossessarsi del tuo numero di telefono](https://en.wikipedia.org/wiki/SIM_swap_scam) o accedere alla tua mail senza avere accesso fisico a un tuo dispositivo. Se una persona non autorizzata accedesse alla tua email, sarebbe in grado di resettare la tua password e ricevere il codice di autenticazione, ottenendo così il pieno controllo del'account. + +### Notifiche push + +L'MFA con notifica push si presenta come un messaggio inviato a un'applicazione sul tuo telefono, chiedendo di confermare nuovi accessi a un account. Questo metodo è molto migliore degli SMS o delle mail, in quanto un attaccante tipicamente non è in grado di ricevere questi notifiche push senza avere un dispositivo già connesso, il che significa che dovrebbe prima compromettere uno dei tuoi altri dispositivi. + +Facciamo tutti degli errori, e c'è il rischio che tu possa accettare il tentativo di accesso per errore. Le notifiche push per le autorizzazioni di accesso sono tipicamente inviate a *tutti* i tuoi dispositivi in una volta, ampliando la disponibilità del codice MFA se si possiedono molti device. + +La sicurezza delle notifiche push MFA dipende sia dalla qualità dell'app, sia dalla componente server, sia dalla fiducia verso lo sviluppatore che la produce. Un'applicazione installata può anche richiedere di accettare privilegi invasivi che garantiscono l'accesso ad altri dati sul tuo dispositivo. Una singola app può anche richiedere un'applicazione specifica per ogni servizio che non richiede una password per essere aperta, a differenza di una buona app generatrice di TOTP. + +### Time-based One-time Password (TOTP) + +Il TOTP è una delle forme più comuni di MFA disponibili. Quando imposti il TOTP, è generalmente necessario eseguire la scansione di un [codice QR](https://it.wikipedia.org/wiki/Codice_QR) che stabilisce un "[segreto condiviso](https://en.wikipedia.org/wiki/Shared_secret)" con il servizio che si intende utilizzare. Il segreto condiviso è protetto tra i dati dell'app di autenticazione e talvolta è protetto da password. + +Il codice a tempo limitato è quindi derivato dal segreto condiviso e l'ora corrente. Poiché il codice è valido solo per un breve periodo di tempo, senza l'accesso al segreto condiviso, un avversario non può generare nuovi codici. + +Se si possiede una chiave di sicurezza hardware che supporta TOTP (come ad esempio YubiKey con [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), consigliamo di memorizzare i "segreti condivisi" nell'hardware. Hardware come YubiKey sono stati sviluppati con l'intenzione di rendere il segreto condiviso difficile da estrarre e copiare. Anche una YubiKey non è connessa a Internet, a differenza di un telefono con un'app TOTP. + +A differenza di [WebAuthn](#fido-fast-identity-online), TOTP non offre alcuna protezione contro [il phishing](https://en.wikipedia.org/wiki/Phishing) o gli attacchi di riutilizzo. Se un malintenzionato ottiene un codice valido da te, può usarlo tutte le volte che vuole fino alla scadenza (generalmente 60 secondi). + +Un avversario potrebbe creare un sito web per imitare un servizio ufficiale nel tentativo di indurti a fornire nome utente, password e codice TOTP corrente. Se l'avversario utilizza le credenziali registrate, può essere in grado di accedere al servizio reale e dirottare l'account. + +Sebbene non sia perfetto, il TOTP è abbastanza sicuro per la maggior parte delle persone e quando le [chiavi di sicurezza hardware](../multi-factor-authentication.md#hardware-security-keys) non sono supportate le [app di autenticazione](../multi-factor-authentication.md#authenticator-apps) sono ancora una buona opzione. + +### Chiavi di sicurezza hardware + +La YubiKey memorizza i dati su un chip a stato solido resistente alle manomissioni che è [impossibile da accedere](https://security.stackexchange.com/a/245772) in modo non distruttivo senza un processo costoso e un laboratorio forense. + +Queste chiavi sono generalmente multifunzione e forniscono una serie di metodi per l'autenticazione. Di seguito sono riportati i più comuni. + +#### Yubico OTP + +Yubico OTP è un protocollo di autenticazione tipicamente implementato nelle chiavi di sicurezza hardware. Quando si decide di utilizzare Yubico OTP, la chiave genererà un ID pubblico, un ID privato e una chiave segreta che viene quindi caricata sul server OTP Yubico. + +Quando si accede a un sito web, è sufficiente toccare fisicamente la chiave di sicurezza. La chiave di sicurezza emulerà una tastiera e stamperà una password una tantum nel campo password. + +Il servizio inoltrerà quindi la one-time password al server OTP di Yubico per la convalida. Un contatore viene incrementato sia sulla chiave che sul server di convalida di Yubico. L'OTP può essere utilizzato una sola volta e, quando l'autenticazione ha esito positivo, il contatore viene incrementato per impedire il riutilizzo dell'OTP. Yubico fornisce un documento dettagliato [](https://developers.yubico.com/OTP/OTPs_Explained.html) sul processo. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +L'utilizzo di Yubico OTP presenta alcuni vantaggi e svantaggi rispetto a TOTP. + +Il server di convalida di Yubico è un servizio basato su cloud e l'utente si affida a Yubico per la conservazione dei dati in modo sicuro e senza profilazione. L'ID pubblico associato a Yubico OTP viene riutilizzato su ogni sito web e potrebbe essere un'altra strada per terze parti di profilarti. Come TOTP, Yubico OTP non offre resistenza al phishing. + +Se il modello di minaccia richiede di avere identità diverse su siti web diversi, **non** utilizzare Yubico OTP con la stessa chiave di sicurezza hardware su tutti i siti web, poiché l'ID pubblico è unico per ogni chiave di sicurezza. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) include una serie di standard, prima c'era U2F e poi [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) che include lo standard web [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F e FIDO2 fanno riferimento al protocollo da [Client a Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), che è il protocollo tra la chiave di sicurezza e il computer, ad esempio un laptop o un telefono. È complementare a WebAuthn, che è il componente utilizzato per l'autenticazione con il sito web (la "Relying Party") a cui si sta cercando di accedere. + +WebAuthn è la forma più sicura e privata di autenticazione a due fattori. Sebbene l'esperienza di autenticazione sia simile a Yubico OTP, la chiave non stampa una password unica e non viene convalidata da un server di terze parti. Invece, utilizza la [crittografia a chiave pubblica](https://it.wikipedia.org/wiki/Crittografia_asimmetrica) per l'autenticazione. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Quando crei un account, la chiave pubblica viene inviata al servizio, quindi quando accedi, il servizio ti richiederà di "firmare" alcuni dati con la tua chiave privata. Il vantaggio di questo è che nessun dato della password viene mai memorizzato dal servizio, quindi non c'è nulla che un malintenzionato possa rubare. + +Questa presentazione illustra la storia dell'autenticazione tramite password, le insidie (come il riutilizzo delle password) e discute gli standard FIDO2 e [WebAuthn](https://webauthn.guide). + +
+ +
+ +FIDO2 e WebAuthn hanno proprietà di sicurezza e privacy superiori rispetto a qualsiasi altro metodo MFA. + +In genere per i servizi web viene utilizzato con WebAuthn, che fa parte delle raccomandazioni del W3C [](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Utilizza l'autenticazione a chiave pubblica ed è più sicura dei segreti condivisi utilizzati nei metodi OTP e TOTP di Yubico, poiché include il nome di origine (di solito, il nome del dominio) durante l'autenticazione. L'attestazione viene fornita per proteggerti dagli attacchi di phishing, in quanto ti aiuta a determinare che stai utilizzando il servizio autentico e non una copia falsa. + +A differenza di Yubico OTP, WebAuthn non utilizza alcun ID pubblico, quindi la chiave **non** è identificabile tra diversi siti web. Inoltre, non utilizza alcun server cloud di terze parti per l'autenticazione. Tutte le comunicazioni avvengono tra la chiave e il sito web a cui si accede. FIDO utilizza anche un contatore che viene incrementato al momento dell'uso al fine di prevenire il riutilizzo della sessione e delle chiavi clonate. + +Se un sito web o un servizio supporta WebAuthn per l'autenticazione, si consiglia vivamente di utilizzarlo rispetto a qualsiasi altra forma di MFA. + +## Consigli generali + +Abbiamo queste raccomandazioni generali: + +### Quale metodo dovrei usare? + +Quando configurate il vostro metodo MFA, tenete presente che è sicuro solo quanto il metodo di autenticazione più debole che utilizzate. Ciò significa che è importante utilizzare solo il miglior metodo MFA disponibile. Ad esempio, se si utilizza già il TOTP, è necessario disattivare l'MFA via e-mail e SMS. Se stai già utilizzando FIDO2/WebAuthn, non dovresti utilizzare Yubico OTP o TOTP sul tuo account. + +### Backups + +Dovresti sempre avere dei backup per il tuo metodo MFA. Le chiavi di sicurezza hardware possono essere perse, rubate o semplicemente smettere di funzionare nel tempo. Si consiglia di avere una coppia delle chiavi di sicurezza hardware con lo stesso accesso agli account, anziché una sola. + +Quando utilizzi il TOTP con un'app di autenticazione, assicurati di eseguire il backup delle chiavi di ripristino o dell'app stessa o di copiare i "segreti condivisi" in un'altra istanza dell'app su un telefono diverso o in un contenitore crittografato (ad esempio [VeraCrypt](../encryption.md#veracrypt)). + +### Configurazione iniziale + +Quando si acquista una chiave di sicurezza, è importante modificare le credenziali predefinite, impostare una password di protezione per la chiave e abilitare la conferma tattile, se supportata. Prodotti come YubiKey dispongono di più interfacce con credenziali separate per ciascuna di esse, pertanto è necessario esaminare ogni interfaccia e impostare la protezione. + +### Email e SMS + +Se dovete usare l'e-mail per l'MFA, assicuratevi che l'account e-mail stesso sia protetto con un metodo MFA adeguato. + +Se si utilizza l'MFA via SMS, è necessario scegliere un operatore che non cambierà il numero di telefono con una nuova carta SIM senza accesso all'account, oppure utilizzare un numero VoIP dedicato di un provider con una sicurezza simile per evitare un attacco [SIM swap](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[Strumenti MFA che consigliamo](../multi-factor-authentication.md ""){.md-button} + +## Altri posti in cui configurare l'MFA + +Oltre a proteggere gli accessi al sito web, l'autenticazione a più fattori può essere utilizzata anche per proteggere gli accessi locali, le chiavi SSH o persino i database delle password. + +### Windows + +Yubico ha un provider di credenziali [dedicato](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) che aggiunge l'autenticazione Challenge-Response al flusso di login con nome utente e password per gli account Windows locali. Se si dispone di una YubiKey con supporto per l'autenticazione Challenge-Response, consultare la guida alla configurazione di [Yubico Login for Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), che consente di impostare l'MFA sul computer Windows. + +### macOS + +macOS ha un [supporto nativo](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) per l'autenticazione con smart card (PIV). Se si dispone di una smartcard o di una chiave di sicurezza hardware che supporta l'interfaccia PIV, come YubiKey, si consiglia di seguire la documentazione del fornitore della smartcard o della chiave di sicurezza hardware e di impostare l'autenticazione a due fattori per il computer macOS. + +Yubico ha una guida [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) che può aiutare a configurare la YubiKey su macOS. + +Dopo aver configurato la smart card o la chiave di sicurezza, si consiglia di eseguire questo comando nel terminale: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +Il comando impedirà a un malintenzionato di aggirare l'MFA all'avvio del computer. + +### Linux + +!!! warning + + Se il nome dell'host del sistema cambia (ad esempio a causa del DHCP), non sarà possibile effettuare il login. È fondamentale impostare un hostname corretto per il computer prima di seguire questa guida. + +Il modulo `pam_u2f` su Linux può fornire l'autenticazione a due fattori per l'accesso alle distribuzioni Linux più popolari. Se si dispone di una chiave di sicurezza hardware che supporta U2F, è possibile impostare l'autenticazione MFA per il login. Yubico ha una guida [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) che dovrebbe funzionare su qualsiasi distribuzione. I comandi del gestore di pacchetti, come `apt-get`, e i nomi dei pacchetti possono tuttavia differire. Questa guida **non si applica** al sistema operativo Qubes. + +### Qubes OS + +Qubes OS supporta l'autenticazione Challenge-Response con YubiKeys. Se si dispone di una YubiKey con supporto per l'autenticazione Challenge-Response, consultare la documentazione di Qubes OS [YubiKey](https://www.qubes-os.org/doc/yubikey/) se si desidera impostare l'MFA su Qubes OS. + +### SSH + +#### Chiavi di sicurezza fisiche + +SSH MFA può essere impostato utilizzando diversi metodi di autenticazione che sono molto diffusi con le chiavi di sicurezza hardware. Ti consigliamo di consultare [la documentazione](https://developers.yubico.com/SSH/) di Yubico su come configurarla. + +#### Time-based One-time Password (TOTP) + +SSH MFA può anche essere impostato utilizzando TOTP. DigitalOcean ha fornito un tutorial [Come impostare l'autenticazione a più fattori per SSH su Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). La maggior parte delle cose dovrebbe essere uguale a prescindere dalla distribuzione, tuttavia i comandi del gestore dei pacchetti - come `apt-get`- e i nomi dei pacchetti possono differire. + +### KeePass (e KeePassXC) + +I database KeePass e KeePassXC possono essere protetti utilizzando Challenge-Response o HOTP come autenticazione di secondo fattore. Yubico ha fornito un documento per KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) e ne esiste uno anche sul sito [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). diff --git a/i18n/it/basics/passwords-overview.md b/i18n/it/basics/passwords-overview.md new file mode 100644 index 00000000..17358d44 --- /dev/null +++ b/i18n/it/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduzione alle password" +icon: 'material/form-textbox-password' +description: Ecco alcuni suggerimenti e trucchi su come creare le password più forti e mantenere i vostri account al sicuro. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Gestori di password + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/it/basics/threat-modeling.md b/i18n/it/basics/threat-modeling.md new file mode 100644 index 00000000..e102ed30 --- /dev/null +++ b/i18n/it/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Modelli di minaccia" +icon: 'material/target-account' +description: Bilanciare sicurezza, privacy e usabilità è il primo e il più difficile compito che incontrerai durante il tuo viaggio nella privacy. +--- + +Bilanciare sicurezza, privacy e usabilità è il primo e il più difficile compito che incontrerai durante il tuo viaggio nella privacy. Tutto è un compromesso: più qualcosa è sicuro, più è restrittivo o scomodo in generale, ecc. Spesso, le persone scoprono che il problema con gli strumenti che vedono raccomandati è che sono troppo difficili da iniziare a usare! + +Se si vogliono utilizzare gli strumenti **più** sicuri a disposizione, è necessario sacrificare *molto* in termini di usabilità. E, anche allora, ==nulla è mai completamente sicuro.== C'è un alta **sicurezza**, ma mai una completa **sicurezza**. È per questo che i modelli di minaccia sono importanti. + +**Ma quindi, quali sono questi modelli di minaccia?** + +==Un modello di minaccia è un elenco delle minacce più probabili ai tuoi sforzi per la sicurezza e privacy.== Dal momento che è impossibile proteggersi da **ogni** attacco/attaccante, dovresti concentrarti sulle **minacce più probabili**. Nella sicurezza informatica, una minaccia è un evento che potrebbe minare i tuoi sforzi per mantenere la riservatezza e la sicurezza. + +Concentrarsi sulle minacce che contano per te restringe il tuo pensiero sulla protezione di cui hai bisogno, in modo da poter scegliere gli strumenti giusti per il lavoro. + +## Creare il Tuo Modello di Minaccia + +Per identificare cosa potrebbe accadere alle cose che valorizzi e determinare da chi devi proteggerle, dovresti rispondere a queste cinque domande: + +1. Quali sono le cose che voglio proteggere? +2. Da chi le voglio proteggere? +3. Quanto è probabile che io abbia bisogno di proteggerle? +4. Quanto sono catastrofiche le conseguenze se fallisco? +5. Quanti problemi sono disposto ad affrontare per tentare di prevenire le potenziali conseguenze? + +### Quali sono le cose che voglio proteggere? + +Un "asset" (risorsa) è qualcosa a cui si dà valore e che si vuole proteggere. Nel contesto della sicurezza digitale, ==un asset è di solito una sorta di informazione.== Ad esempio, le email, gli elenchi di contatti, i messaggi istantanei, la posizione e i file sono tutti asset possibili. Anche gli stessi dispositivi posso essere degli asset. + +*Stila una lista dei tuoi asset: i dati che conservi, dove li tieni, chi ne ha accesso, e che cosa impedisce agli altri di accedervi.* + +### Da chi le voglio proteggere? + +Per rispondere a questa domanda, è importante identificare chi potrebbe voler prendere di mira te o le tue informazioni. ==Una persona o entità che rappresenta una minaccia per i tuoi beni è un "avversario".== Esempi di potenziali avversari sono il tuo capo, il tuo ex partner, la tua concorrenza commerciale, il tuo governo o un hacker su una rete pubblica. + +*Fai un elenco dei tuoi avversari o di coloro che potrebbero voler entrare in possesso dei tuoi asset. Il tuo elenco può comprendere individui, agenzie governative o società.* + +A seconda di chi sono i tuoi avversari, in alcune circostanze, questo elenco potrebbe essere qualcosa che vuoi distruggere dopo aver completato la pianificazione della sicurezza. + +### Quanto è probabile che io abbia bisogno di proteggerle? + +== Il rischio è la probabilità che una particolare minaccia contro un determinato asset si verifichi effettivamente.== Va di pari passo con la capacità. Nonostante il tuo provider telefonico sia in grado di accedere a tutti i tuoi dati, il rischio che li pubblichi online per danneggiare la tua reputazione è basso. + +È importante distinguere ciò che potrebbe accadere e la probabilità che accada. Per esempio, c'è il rischio che il tuo edificio crolli, ma è molto più probabile che ciò accada a San Francisco (dove i terremoti sono frequenti) rispetto che a Stoccolma (dove non lo sono). + +La valutazione dei rischi è un processo personale e soggettivo. Molte persone trovano alcune minacce inaccettabili, non importa la probabilità che si verifichino, perché la semplice presenza della minaccia non vale il costo. In altri casi, le persone ignorano rischi elevati perché non considerano la minaccia un problema. + +*Scrivi quali minacce prenderai sul serio, e quali sono troppo rare o innocue (o troppo difficili da contrastare) per preoccuparsene.* + +### Quanto sono catastrofiche le conseguenze se fallisco? + +Ci sono molti modi in cui un avversario può accedere ai tuoi dati. Per esempio, un avversario può leggere le tue comunicazioni private mentre attraversano la rete, o può eliminare o corrompere i tuoi dati. + +== Le motivazioni degli avversari sono molto diverse, così come le loro tattiche.== Un governo che cerca di impedire la diffusione di un video che mostra la violenza della polizia può accontentarsi di cancellare o ridurre la disponibilità di quel video. Al contrario, un avversario politico può desiderare di accedere a contenuti segreti e pubblicarli all'insaputa dell'interessato. + +La pianificazione della sicurezza comporta la comprensione di quanto catastrofiche possono essere le conseguenze se un avversario riesce a impossessarsi di uno dei tuoi asset. Per determinare ciò, dovresti prendere in considerazione la capacità del tuo avversario. Ad esempio, il tuo operatore di telefonia mobile ha accesso a tutti i tuoi record telefonici. Un hacker su una rete Wi-Fi aperta può accedere alle tue comunicazioni non criptate. Il tuo governo potrebbe avere capacità maggiori. + +*Scrivi cosa il tuo avversario potrebbe voler fare con i tuoi dati privati.* + +### Quanti problemi sono disposto ad affrontare per tentare di prevenire le potenziali conseguenze? + +== Non esiste un'opzione perfetta per la sicurezza.== Non tutti hanno le stesse priorità, preoccupazioni o accesso alle risorse. La valutazione dei rischi consentirà di pianificare la giusta strategia per te, bilanciando convenienza, costi e privacy. + +Per esempio, un avvocato che rappresenta un cliente in un caso di sicurezza nazionale potrebbe essere disposto a prendere più provvedimenti per proteggere le comunicazioni relative al caso, come ad esempio usando mail criptate, rispetto ad una madre che manda regolarmente email alla figlia con video divertenti di gattini. + +*Scrivi quali opzioni ti sono disponibili per mitigare le tue minacce specifiche. Annota se hai qualche vincolo finanziario, tecnico o sociale.* + +### Prova tu stesso: Proteggere i propri beni + +Queste domande possono essere applicate ad un'ampia varietà di situazioni, online e offline. Come dimostrazione generica di come funzionano queste domande, costruiamo un piano per mantenere la tua casa e i tuoi beni al sicuro. + +**Quali sono le cose che voglio proteggere? (Oppure, *che cosa possiedo che vale la pena di proteggere?*)** +: + +I tuoi beni personali possono includere gioielli, dispositivi elettronici, documenti importanti, o fotografie. + +**Da chi le voglio proteggere?** +: + +I tuoi potenziali avversari possono essere ladri, coinquilini oppure ospiti. + +**Quanto è probabile che io abbia bisogno di proteggerle?** +: + +Nel tuo vicinato ci sono precedenti di furto? Quanto sono affidabili i tuoi coinquilini o ospiti? Quali sono le capacità dei tuoi avversari? Quali sono i rischi che dovresti considerare? + +**Quanto sono catastrofiche le conseguenze se fallisci?** +: + +C'è qualcosa nella tua casa che non puoi sostituire? Hai il tempo o i soldi per rimpiazzare queste cose? Hai un'assicurazione che copre i beni rubati dalla tua casa? + +**Quanti problemi sei disposto ad affrontare per prevenire le conseguenze?** +: + +Sei disposto ad acquistare una cassaforte per i tuoi documenti sensibili? Puoi permetterti di comprare una buona serratura? Hai il tempo di aprire una cassetta di sicurezza presso la tua banca e tenere lì i tuoi oggetti di valore? + +Solo una volta che ti sarai fatto queste domande sarai nella posizione di valutare quali misure adottare. Se i tuoi possedimenti sono di valore, ma la probabilità di un'irruzione è bassa, potresti non voler investire troppo denaro in una serratura. Ma se la probabilità di effrazione è alta, è meglio dotarsi della migliore serratura sul mercato e considerare l'aggiunta di un sistema di sicurezza. + +La stesura di un piano di sicurezza ti aiuterà a comprendere le minacce per te più rilevanti e a valutare le tue risorse, i tuoi avversari e le loro capacità, oltre alla probabilità dei rischi a cui vai incontro. + +## Letture consigliate + +Per le persone che cercano di aumentare la loro privacy e sicurezza online, abbiamo compilato un elenco di minacce comuni che i nostri visitatori affrontano o obiettivi che i nostri visitatori hanno, per darti qualche ispirazione e dimostrare la base dei nostri consigli. + +- [Obiettivi e minacce comuni :material-arrow-right-drop-circle:](common-threats.md) + +## Fonti + +- [EFF Surveillance Self Defense: Your Security Plan (EFF Autodifesa da sorveglianza: il tuo piano di sicurezza)](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/it/basics/vpn-overview.md b/i18n/it/basics/vpn-overview.md new file mode 100644 index 00000000..f5a99c12 --- /dev/null +++ b/i18n/it/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: Panoramica VPN +icon: material/vpn +description: Le reti virtuali private spostano il rischio dal vostro ISP a una terza parte di cui vi fidate. Dovresti tenere a mente questi aspetti. +--- + +Le reti private virtuali sono un modo per estendere l'estremità della vostra rete all'uscita di un'altra parte del mondo. Un ISP può vedere il flusso del traffico Internet che entra ed esce dal dispositivo di terminazione della rete (ad esempio, il modem). + +I protocolli di crittografia come l'HTTPS sono comunemente utilizzati su Internet, quindi potrebbero non essere in grado di vedere esattamente ciò che state postando o leggendo, ma possono farsi un'idea dei domini [che utilizzate](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Una VPN può essere d'aiuto in quanto può spostare la fiducia su un server in un'altra parte del mondo. Di conseguenza, l'ISP vede solo che sei connesso a una VPN e non vede nulla dell'attività che stai trasmettendo. + +## Dovrei utilizzare una VPN? + +**Sì**, a meno che tu non stia già utilizzando Tor. Una VPN svolge due funzioni: spostare i rischi dall'Internet Service Provider a se stesso e nascondere l'IP da un servizio di terze parti. + +Le VPN non possono criptare i dati al di fuori della connessione tra il dispositivo e il server VPN. I fornitori di VPN possono vedere e modificare il traffico proprio come l'ISP. E non c'è modo di verificare in alcun modo le politiche di "no logging" di un provider VPN. + +Tuttavia, nascondono l'IP reale da un servizio di terze parti, a condizione che non ci siano fughe dell'IP. Aiutano a confonderti con gli altri e ad attenuare il tracciamento basato sull'IP. + +## Quando non dovrei usare una VPN? + +È improbabile che l'uso di una VPN nei casi in cui si utilizza la propria [identità nota](../basics/common-threats.en.md#common-misconceptions) sia utile. + +In questo modo si possono attivare sistemi di spam e di rilevamento delle frodi, come nel caso in cui si acceda al sito web della propria banca. + +## E la crittografia? + +La crittografia offerta dai fornitori di VPN avviene tra i propri dispositivi e i loro server. Garantisce che questo specifico collegamento è sicuro. Si tratta di un passo avanti rispetto all'uso di proxy non criptati, dove un avversario sulla rete può intercettare le comunicazioni tra i propri dispositivi e tali proxy e modificarle. Tuttavia, la crittografia tra le app o i browser e i fornitori di servizi non è gestita da questa crittografia. + +Per garantire la riservatezza e la sicurezza di ciò che si fa sui siti web visitati, è necessario utilizzare il protocollo HTTPS. In questo modo le password, i token di sessione e le query saranno al sicuro dal provider VPN. Considera di abilitare "HTTPS ovunque" nel browser per mitigare gli attacchi di downgrade come [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Dovrei utilizzare un DNS criptato con una VPN? + +A meno che il provider VPN non ospiti i server DNS criptati, **no**. L'utilizzo di DOH/DOT (o di qualsiasi altra forma di DNS crittografato) con server di terze parti aggiungerà semplicemente altre entità di cui fidarsi e non farà **assolutamente nulla** per migliorare la privacy o la sicurezza. Il provider VPN può comunque vedere quali siti web visiti in base agli indirizzi IP e ad altri metodi. Invece di fidarti solo del provider VPN, ora ti fidi sia del provider VPN che del provider DNS. + +Un motivo comune per raccomandare il DNS crittografato è che aiuta a contrastare lo spoofing DNS. Tuttavia, il browser dovrebbe già verificare la presenza di [certificati TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) con **HTTPS** e avvisare l'utente. Se non si utilizza **HTTPS**, un avversario può comunque modificare qualsiasi cosa oltre alle query DNS e il risultato finale sarà poco diverso. + +Inutile dire che **non si dovrebbero usare DNS criptati con Tor**. Questo indirizzerebbe tutte le vostre richieste DNS attraverso un unico circuito e permetterebbe al provider DNS criptato di deanonimizzarvi. + +## Dovrei usare Tor *e* una VPN? + +Utilizzando una VPN con Tor, si crea essenzialmente un nodo di ingresso permanente, spesso con una traccia di denaro. Questo non fornisce alcun vantaggio aggiuntivo all'utente, mentre aumenta drasticamente la superficie di attacco della connessione. Se desideri nascondere l'utilizzo di Tor all'ISP o al governo, Tor ha una soluzione integrata per questo: i Tor bridges. [Per saperne di più sui Tor bridges e sul perché non è necessario utilizzare una VPN](../advanced/tor-overview.md). + +## E se ho bisogno di anonimato? + +Le VPN non possono garantire l'anonimato. Il provider VPN vedrà comunque il vero indirizzo IP e spesso ha una traccia di denaro che può essere collegata direttamente a te. Non si può fare affidamento sulle politiche di "no logging" per proteggere i dati. In tal caso utilizza [Tor](https://www.torproject.org/). + +## E i fornitori di VPN che forniscono nodi Tor? + +Non utilizzare questa funzione. Il punto di forza dell'utilizzo di Tor è che non ti fidt del provider VPN. Attualmente Tor supporta solo il protocollo [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol). [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (utilizzato in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) per la condivisione di voce e video, il nuovo [protocollo HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3), ecc.), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) e altri pacchetti saranno eliminati. Per compensare questa situazione, i fornitori di VPN di solito instradano tutti i pacchetti non-TCP attraverso il loro server VPN (il primo hop). Questo è il caso di [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Inoltre, quando si utilizza questa configurazione di Tor su VPN, non si ha il controllo su altre importanti funzionalità di Tor come [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (utilizzo di un circuito Tor diverso per ogni dominio visitato). + +La funzione deve essere vista come un modo comodo per accedere alla rete Tor, non per rimanere anonimi. Per un corretto anonimato, utilizza Tor Browser, TorSocks o un gateway Tor. + +## Quando sono utili le VPN? + +Una VPN può comunque essere utile in diversi scenari, ad esempio: + +1. Nascondere il proprio traffico **solo** al proprio Internet Service Provider. +1. Nascondere i propri download (come i torrent) al proprio ISP e alle organizzazioni antipirateria. +1. Nascondere il proprio IP da siti e servizi di terze parti, impedendone il tracciamento. + +Per situazioni come queste, o se hai un altro motivo valido, i provider VPN che abbiamo elencato sopra sono quelli che riteniamo più affidabili. Tuttavia, utilizzare un provider VPN significa comunque *fidarsi* del provider. In quasi tutti gli altri scenari si dovrebbe utilizzare uno strumento progettato con la **sicurezza come obiettivo** come Tor. + +## Fonti e approfondimenti + +1. [VPN - a Very Precarious Narrative (VPN - una narrazione molto precaria)](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) di Dennis Schubert +1. [Panoramica della rete Tor](../advanced/tor-overview.md) +1. [Guide alla privacy di IVPN](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?" ("Ho bisogno di una VPN?")](https://www.doineedavpn.com), uno strumento sviluppato da IVPN per sfidare il marketing aggressivo delle VPN, aiutando le persone a decidere se una VPN è adatta a loro. + +## Informazioni correlate + +- [The Trouble with VPN and Privacy Review Sites (Il problema dei siti di recensioni di VPN e privacy)](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation (Indagine sulle app di VPN gratuite)](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies (Svelati i proprietari segreti delle VPN: 101 prodotti per VPN gestiti da sole 23 aziende)](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions (Questa azienda cinese è segretamente dietro 24 app popolari che cercano autorizzazioni pericolose)](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/it/calendar.md b/i18n/it/calendar.md new file mode 100644 index 00000000..2076bd0e --- /dev/null +++ b/i18n/it/calendar.md @@ -0,0 +1,79 @@ +--- +title: "Sincronizzazione di calendario e contatti" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Le caratteristiche includono: E2EE automatico di tutti i dati, funzionalità di condivisione, importazione/esportazione, autenticazione a più fattori e [altre funzionalità](https://tutanota.com/calendar-app-comparison/). + + Calendari multipli e funzionalità di condivisione estese sono limitate agli abbonati a pagamento. + + [:octicons-home-16: Pagina principale](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Le caratteristiche includono: E2EE automatico di tutti i dati, funzioni di condivisione, funzionalità di importazione/esportazione e [altre funzionalità](https://proton.me/support/proton-calendar-guide). Gli utenti gratuiti hanno accesso ad un singolo calendario, mentre gli abbonati a pagamento possono crearne fino a venti. Anche la funzionalità di condivisione estesa è limitata agli abbonati a pagamento. + + [:octicons-home-16: Pagina principale](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="informativa sulla privacy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/it/cloud.md b/i18n/it/cloud.md new file mode 100644 index 00000000..e9c9ee90 --- /dev/null +++ b/i18n/it/cloud.md @@ -0,0 +1,108 @@ +--- +title: "Archiviazione in cloud" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Molti fornitori di spazio di archiviazione cloud richiedono la tua totale fiducia sul fatto che non guarderanno nei tuoi file. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? recommendation + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Cryptee + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Pagina principale](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- I client dovrebbero essere open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/it/cryptocurrency.md b/i18n/it/cryptocurrency.md new file mode 100644 index 00000000..25e49338 --- /dev/null +++ b/i18n/it/cryptocurrency.md @@ -0,0 +1,62 @@ +--- +title: Criptovaluta +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger "Pericolo" + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/it/data-redaction.md b/i18n/it/data-redaction.md new file mode 100644 index 00000000..c1e905d5 --- /dev/null +++ b/i18n/it/data-redaction.md @@ -0,0 +1,154 @@ +--- +title: "Rimozione di dati e metadati" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +Quando vengono condivisi file, è importante rimuovere i relativi metadata. I file immagine includono comunemente dati [Exif](https://it.wikipedia.org/wiki/Exif). I metadata delle foto, a volte, includono anche le coordinate GPS. + +## Desktop + +### MAT2 + +!!! recommendation + + ![Logo MAT2](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** è un software gratuito che consente di rimuovere i metadati da file immagine, audio, torrent e documenti. Fornisce sia uno strumento a riga di comando che un'interfaccia utente grafica tramite un [estensione per Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), il file manager predefinito di [GNOME](https://www.gnome.org) e [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), il file manager predefinito di [KDE](https://kde.org). + + Su Linux, esiste uno strumento grafico di terze parti [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) basato su MAT2 ed è [disponibile su Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentazione} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![Logo ExifEraser](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** è un'applicazione moderna e senza permessi per la cancellazione dei metadati delle immagini per Android. + + Attualmente supporta file JPEG, PNG e WebP. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +I metadati cancellati dipendono dal tipo di file dell'immagine: + +* **JPEG**: i metadati del profilo ICC, Exif, Photoshop Image Resources e XMP/ExtendedXMP verranno cancellati se esistenti. +* **PNG**: i metadati del profilo ICC, Exif e XMP saranno cancellati se esistenti. +* **WebP**: i metadati del profilo ICC, Exif e XMP verranno cancellati se esistenti. + +Dopo l'elaborazione delle immagini, ExifEraser fornisce un rapporto completo su cosa è stato rimosso esattamente da ogni immagine. + +L'applicazione offre diversi modi per cancellare i metadati dalle immagini. Vale a dire: + +* È possibile condividere un'immagine da un'altra applicazione con ExifEraser. +* Attraverso l'applicazione stessa, è possibile selezionare una singola immagine, più immagini contemporaneamente o persino un'intera directory. +* È dotata di un'opzione "Fotocamera" che utilizza l'app fotocamera del sistema operativo per scattare una foto e poi ne rimuove i metadati. +* Consente di trascinare le foto da un'altra applicazione in ExifEraser quando entrambe sono aperte in modalità split-screen. +* Infine, consente di incollare un'immagine dagli appunti. + +### Metapho (iOS) + +!!! recommendation + + ![Logo Metapho](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** è un visualizzatore semplice e pulito per i metadati delle foto, come data, nome del file, dimensioni, modello di fotocamera, velocità dell'otturatore e posizione. + + [:octicons-home-16: Pagina principale](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Informativa sulla privacy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** è un'applicazione gratuita che consente di sfocare le parti sensibili delle immagini prima di condividerle online. + + [:octicons-home-16: Pagina principale](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + Non si deve **mai** usare la sfocatura per nascondere [il testo nelle immagini] (https://bishopfox.com/blog/unredacter-tool-never-pixelation). Se desideri eliminare il testo di un'immagine, disegna un riquadro sopra il testo. A questo scopo, suggeriamo applicazioni come [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Linea di comando + +### ExifTool + +!!! recommendation + + ![Logo ExifTool](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** è l'originale libreria perl e applicazione a riga di comando per leggere, scrivere e modificare i metadati (Exif, IPTC, XMP e altro) in un'ampia varietà di formati di file (JPEG, TIFF, PNG, PDF, RAW e altro). + + Spesso è usato come un componente di altre applicazioni di rimozione Exif ed è presente nei repository della maggior parte delle distribuzioni Linux. + + [:octicons-home-16: Pagina principale](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Rimozione di metadati dai file di una cartella" + + ```bash + exiftool -all= *.file_extension + ``` + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Le applicazioni sviluppate per sistemi operativi open-source devono essere open-source. +- Le applicazioni devono essere gratuite e non devono includere pubblicità o altre limitazioni. diff --git a/i18n/it/desktop-browsers.md b/i18n/it/desktop-browsers.md new file mode 100644 index 00000000..d73f9653 --- /dev/null +++ b/i18n/it/desktop-browsers.md @@ -0,0 +1,371 @@ +--- +title: "Browser desktop" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Browser privati per desktop consigliati + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Questi sono i browser e le configurazioni per desktop attualmente consigliati per la navigazione standard/non anonima. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +Se hai bisogno di navigare in Internet in modo anonimo, dovresti invece usare [Tor](tor.md). We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** offre robuste impostazioni di privacy, come la [protezione antitracciamento avanzata](https://support.mozilla.org/it/kb/protezione-antitracciamento-avanzata-firefox-desktop), che aiuta a bloccare varie [tipologie di tracciamento](https://support.mozilla.org/it/kb/protezione-antitracciamento-avanzata-firefox-desktop#w_che-cosa-viene-bloccato-con-la-protezione-antitracciamento-avanzata). + + [:octicons-home-16: Pagina principale](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentazione} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox include un [token di download](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) univoco nella sezione dei download del sito di Mozilla e utilizza la telemetria in Firefox per inviarlo. Il token **non** è incluso nelle versioni rilasciate dall'[FTP di Mozilla](https://ftp.mozilla.org/pub/firefox/releases/). + +### Configurazione consigliata + +Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Privacy e sicurezza**. + +##### Protezione antitracciamento avanzata + +- [x] Seleziona Protezione antitracciamento avanzata **Restrittiva** + +Essa ti protegge bloccando i tracker dei social, script di fingerprinting (nota che questo non ti protegge da *tutte* le forme di fingerprinting), minatori di criptovalute, cookie di tracciamento cross-site e altri contenuti di tracciamento. La Protezione antitracciamento avanzata protegge da molte minacce comuni, ma non blocca tutte le vie di tracciamente, perché progettata per avere minimo o nessun impatto sull'usabilità dei siti. + +##### Sanitizzazione alla chiusura + +Se vuoi mantenere l'accesso per alcuni siti in particolare, puoi consentire le eccezioni in **Cookie e dati dei siti web** → **Gestisci eccezioni...** + +- [x] Seleziona **Elimina cookie e dati dei siti web alla chiusura di Firefox** + +Ciò ti protegge dai cookie persistenti, ma non da quelli acquisiti durante ogni sessione di navigazione. Con questa opzione attiva, è possibile eliminare facilmente i cookie del browser riavviando Firefox. È possibile impostare le eccezioni per ogni sito, ad esempio se desideri mantenere l'accesso ad un sito particolare che frequenti spesso. + +##### Suggerimenti di ricerca + +- [ ] Disabilita **Visualizza suggerimenti di ricerca** + +I suggerimenti di ricerca potrebbero non essere disponibili nella tua zona. + +I suggerimento di ricerca inviano tutto quello che viene scritto nella barra di ricerca al motore di ricerca predefinito, indipendentemente se le stringe vengono inviate o meno. Disabilitare i suggerimenti di ricerca ti permette di controllare più precisamente quali dati invii al motore di ricerca che utilizzi. + +##### Telemetria + +- [ ] Disabilita **Consenti a Firefox di inviare a Mozilla dati tecnici e relativi all’interazione con il browser** +- [ ] Disabilita **Consenti a Firefox di installare e condurre studi** +- [ ] Disabilita **Consenti a Firefox di inviare segnalazioni di arresto anomalo in sospeso** + +> Firefox invia dati relativi alla versione e alla lingua di Firefox, al sistema operativo del dispositivo, alla configurazione hardware, memoria, informazioni basiche sugli arresti anomali ed errori, ai risultati dei processi automatici come gli aggiornamenti, Safebrowsing e l'attivazione a noi. Quando Firefox ci invia dati, il tuo indirizzo IP viene temporaneamente raccolto da parte dei nostri server. + +Inoltre, il servizio Firefox Accounts raccoglie [alcuni dati tecnici](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Se usi un Account Firefox, puoi disattivare questa funzione: + +1. Apri le [ impostazioni del tuo profilo su accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Deseleziona ** Raccolta e utilizzo dati ** > **Aiutaci a migliorare gli ⁨account Firefox⁩** + +##### Modalità solo HTTPS + +- [x] Seleziona **Attiva in tutte le finestre** + +Questo ti aiuta a prevenire il collegamento non intenzionale ad un sito web in HTTP. Siti web senza l'HTTPS sono piuttosto rari il giorno d'oggi, quindi questa opzione non dovrebbe avere un grosso impatto sulla tua navigazione quotidiana. + +### Firefox Sync + +La [sincronizzazione via Firefox](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) permette ai tuoi dati di navigazione (cronologia, segnalibri, etc.) di essere accessibili su tutti i tuoi dispositivi; i dati vengono protetti mediante E2EE. + +### Arkenfox (avanzato) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +Il progetto [Arkenfox](https://github.com/arkenfox/user.js) fornisce un insieme di opzioni attentamente selezionate per Firefox. Se [decidi](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) di utilizzare Arkenfox, [alcune opzioni](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) sono più stringenti di altri e/o potrebbero causare il malfunzionamento di alcuni siti web - [opzioni che possono essere cambiate facilmente](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) per aderire alle tue necessità. **Consigliamo caldamente** di leggere tutto il loro [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox inoltre abilita il supporto per le [schede contenitore](https://support.mozilla.org/it/kb/containers-schede-contenitore-firefox#per-utenti-avanzati). + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** include un content blocker integrato e [funzionalità di privacy](https://brave.com/privacy-features/), molte delle quali attive in modo predefinito. + + Brave è sviluppato a partire dal progetto del browser web Chromium, quindi dovrebbe risultare familiare e avere problemi minimi di compatibilità con i siti web. + + [:octicons-home-16: Pagina principale](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Codice sorgente" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. Sconsigliamo l'utilizzo della versione Flatpack di Brave, in quanto rimpiazza il sandbox di Chromium con quello di Flatpak, il quale è meno efficace. Inoltre, il pacchetto non è gestito da Brave Software, Inc. + +### Configurazione consigliata + +Queste opzioni possono essere trovare in :material-menu: → **Impostazioni**. + +##### Shields + +Brave include alcune misure contro il fingerprinting nella sua funzionalità [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Consigliamo di configurare queste opzioni [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) applicate a tutti i siti che visiti. + +Le funzionalità di Shields possono essere ridotte per ogni sito se necessario; ciò nonostante, raccomandiamo le seguenti impostazioni: + +
+ +- [x] Seleziona **Impedisci il fingerprinting tramite le impostazioni della lingua** +- [x] Seleziona il Blocco di tracker e annunci come **Aggressivo** + + ??? warning "Usa gli elenchi di filtri predefiniti" + Brave ti consente di selezionare ulteriori filtri di contenuti mediante la pagina interna `brave://adblock`. Si consiglia di non utilizzare questa funzione e di mantenere gli elenchi di filtri predefiniti. il loro utilizzo ti distingue dagli altri utenti Brave, e potrebbe inoltre aumentare la superficie di attacco se esiste un exploit nel browser sfruttabile da codice malizioso presente nelle liste stesse. + +- [x] (Opzionale) Seleziona **Blocco degli script** (1) +- [x] Sleziona Blocca il fingerprinting come **Rigido, potrebbe non far funzionare alcuni siti** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Blocco dei social + +- [ ] Deseleziona tutte le opzioni legate ai social + +##### Privacy e sicurezza + +
+ +- [x] Seleziona **Disabilita UDP senza proxy** in [Gestione politica IP WebRTC IP](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Disabilita **Utilizza i servizzi Google per la messaggistica push** +- [ ] Disabilita **Acconsenti all'analisi dei prodotti di tutel della privacy (P3A)** +- [ ] Disabilita **Invia automaticamente un ping di utilizzo giornaliero a Brave** +- [ ] Disabilita **Invia automaticamente i rapporti di diagnostica** +- [x] Seleziona **Utilizza sempre connessioni sicure** nel menu **Sicurezza** +- [ ] Disabilita **Finestra in Incognito con Tor** (1) + + !!! important "Sanitizzazione alla chiusura" + - [x] Seleziona **Cancella cookie e dati dei siti alla chiusura di tutte le finestre** nel menu *Cookie e altri dati dei siti* + + Se desideri rimanere connesso a un particolare sito che si visita spesso, è possibile impostare eccezioni su base individuale nella sezione *Comportamenti personalizzati*. + +
+ +1. Brave **non è** resistente al fingerprinting come il Tor Browser e molte meno persone utilizzano Brave con Tor, facendoti quindi distinguere. Quando [è necessario un forte anonimato](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) utilizzare il [Tor Browser](tor.md#tor-browser). + +##### Estensioni + +Disabilita le estensioni integrate che non utilizzi in **Estensioni** + +- [ ] Disabilita **Hangouts** +- [ ] Disabilita **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Impostazioni aggiuntive + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permette ai dati di navigazione (cronologia, segnalibri, ecc.) di essere accessibili su tutti i dispositivi senza richiedere un account e li protegge con E2EE. + +## Risorse aggiuntive + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** è un popolare blocker di contenuti che aiuta a bloccare pubblicità, tracker e script di fingerprinting. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Altre liste + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Deve essere un software open-source. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Qualsiasi modifica necessaria per rendere il browser più rispettoso della privacy non dovrebbe avere un impatto negativo sull'esperienza dell'utente. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Criteri delle estensioni + +- Non deve replicare funzionalità integrate nel browser o del sistema operativo. +- Deve avere un impatto diretto sulla privacy dell'utente, cioè non deve limitarsi a fornire informazioni. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/it/desktop.md b/i18n/it/desktop.md new file mode 100644 index 00000000..9a244412 --- /dev/null +++ b/i18n/it/desktop.md @@ -0,0 +1,190 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Le distribuzioni Linux sono comunemente consigliate per la protezione della privacy e la libertà del software. +--- + +Le distribuzioni Linux sono comunemente consigliate per la protezione della privacy e la libertà del software. Se non utilizzi già Linux, di seguito ti suggeriamo alcune distribuzioni da provare, oltre ad alcuni consigli generali per migliorare la privacy e la sicurezza applicabili a molte distribuzioni Linux. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Distribuzioni tradizionali + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](/assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** è la distribuzione che raccomandiamo per utenti nuovi a Linux. Fedora generalmente adotta tecnologie più recenti prima di altre distribuzioni, ad esempio [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), e presto, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Queste nuove tecnologie spesso comportano miglioramenti alla sicurezza, privacy e usabilità in generale. + + [:octicons-home-16: Pagina principale](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentazione} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribuisci } + +Fedora has a semi-rolling release cycle. Mentre alcuni pacchetti come [GNOME](https://www.gnome.org) sono congelati fino alla prossima versione di Fedora, la maggior parte dei pacchetti (incluso il kernel) sono aggiornati frequentemente durante il ciclo di vita della versione. Ogni versione di Fedora è supportata per un anno, con una nuova versione rilasciata ogni 6 mesi. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** è una distribuzione [a rilascio continuo](https://it.wikipedia.org/wiki/Rolling_release) stabile. + + openSUSE Tumbleweed ha un sistema di [aggiornamenti "transazionali"](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) che usa [Btrfs](https://it.wikipedia.org/wiki/Btrfs) e [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) per assicurare che le istantanee possano essere ripristinate in caso di problemi. + + [:octicons-home-16: Pagina principale](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentazione} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribuisci } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. Quando l'utente aggiorna il suo sistema, viene scaricata una nuova istantanea. Ogni istantanea viene sottoposta a una serie di test automatizzati da [openQA](https://openqa.opensuse.org) per garantirne la qualità. + +### Arch Linux + +!!! recommendation + + ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** è una distribuzione leggera, fai-da-te (DIY) che significa che ottieni solo ciò che installi. Per maggiori informazioni visita le loro [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Pagina principale](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentazione} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribuisci } + +Arch Linux ha un ciclo di rilascio continuo. Non c'è un programma di rilascio fisso e i pacchetti vengono aggiornati molto frequentemente. + +Essendo una distribuzione DIY, ci si aspetta che l'utente [imposti e mantenga](#arch-based-distributions) il proprio sistema. Arch ha un [installatore ufficiale](https://wiki.archlinux.org/title/Archinstall) per rendere il processo di installazione un po' più facile. + +Gran parte dei [pacchetti di Arch Linux](https://reproducible.archlinux.org) sono [riproducibili](https://reproducible-builds.org). + +## Distribuzioni immutabili + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** e **Fedora Kinoite** sono varianti immutabili di Fedora con una forte attenzione al flussi di lavoro basato su contenitori. Silverblue viene fornito con l'ambiente desktop [GNOME](https://www.gnome.org/) mentre Kinoite viene fornito con [KDE](https://kde.org/). Silverblue e Kinoite seguono lo stesso programma di rilascio di Fedora Workstation, beneficiando degli stessi aggiornamenti veloci e rimanendo molto vicini all'upstream. + + [Visita silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + +Silverblue (e Kinoite) differiscono da Fedora Workstation perché sostituiscono il gestore di pacchetti [DNF](https://fedoraproject.org/wiki/DNF) con un'alternativa molto più avanzata chiamata [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). Il gestore di pacchetti `rpm-ostree` funziona scaricando un'immagine di base per il sistema, quindi sovrapponendo i pacchetti in un albero di commit simile a [git](https://en.wikipedia.org/wiki/Git). Quando il sistema viene aggiornato, viene scaricata una nuova immagine di base e le sovrapposizioni vengono applicate a questa nuova immagine. + +Al termine dell'aggiornamento, il sistema verrà riavviato nella nuova distribuzione. `rpm-ostree` mantiene due distribuzioni del sistema in modo da poter effettuare facilmente il rollback se qualcosa si rompe nella nuova distribuzione. È inoltre possibile aggiungere altre distribuzioni in base alle necessità. + +[Flatpak](https://www.flatpak.org) è il metodo principale di installazione dei pacchetti su queste distribuzioni, in quanto `rpm-ostree` è pensato solo per sovrapporre all'immagine di base i pacchetti che non possono stare all'interno di un contenitore. + +Come alternativa a Flatpaks, c'è l'opzione di [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) per creare contenitori [Podman](https://podman.io) con una cartella home condivisa con il sistema operativo host e imitare un ambiente Fedora tradizionale, che è una [caratteristica utile](https://containertoolbx.org) per lo sviluppatore esigente. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS è una distribuzione indipendente basata sul gestore di pacchetti Nix con una particolare attenzione alla riproducibilità e all'affidabilità. + + [:octicons-home-16: Pagina principale](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentazione} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribuisci } + +Il gestore di pacchetti di NixOS conserva ogni versione di ogni pacchetto in una cartella diversa del **negozio Nix**. Per questo motivo è possibile avere diverse versioni dello stesso pacchetto installate sul sistema. Dopo che il contenuto del pacchetto è stato scritto nella cartella, questa viene resa di sola lettura. + +NixOS fornisce anche aggiornamenti atomici; prima scarica (o costruisce) i pacchetti e i file per la nuova generazione di sistema e poi passa ad essi. Ci sono diversi modi per passare a una nuova generazione: si può dire a NixOS di attivarla dopo il riavvio o si può passare ad essa in fase di esecuzione. È anche possibile *testare* la nuova generazione passando ad essa in fase di esecuzione, ma senza impostarla come generazione corrente del sistema. Se qualcosa nel processo di aggiornamento si interrompe, è possibile riavviare automaticamente e tornare a una versione funzionante del sistema. + +Nix, il gestore di pacchetti, utilizza un linguaggio puramente funzionale, chiamato anch'esso Nix, per definire i pacchetti. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (la fonte principale dei pacchetti) è contenuto in un unico repository GitHub. È anche possibile definire i propri pacchetti nella stesso linguaggio e quindi includerli facilmente nella configurazione. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. Costruisce ogni pacchetto in un ambiente sandbox *puro* , che è il più indipendente possibile dal sistema ospite, rendendo così i binari riproducibili. + +## Distribuzioni incentrate sull'anonimato + +### Whonix + +!!! recommendation + + ![Logo Whonix](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** è basato su [Kicksecure](https://www.whonix.org/wiki/Kicksecure), un fork di Debian focalizzato sulla sicurezza. Mira a fornire privacy, sicurezza e anonimato su internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Pagina principale](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Servizio onion" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentazione} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribuisci } + +Whonix è pensato per essere eseguito come due macchine virtuali: una "Workstation" e un "Gateway" Tor. Tutte le comunicazioni dalla Workstation devono passare attraverso il gateway Tor, e saranno instradate attraverso la rete Tor. Ciò significa che anche se la Workstation venisse compromessa da un malware di qualche tipo, il vero indirizzo IP rimarrebbe nascosto. + +Alcune delle sue caratteristiche includono Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [swap crittografato](https://github.com/Whonix/swap-file-creator), e un allocatore di memoria rinforzato. + +Le versioni future di Whonix probabilmente includeranno [criteri AppArmor di sistema completi](https://github.com/Whonix/apparmor-profile-everything) e un [lanciatore di app sandbox](https://www.whonix.org/wiki/Sandbox-app-launcher) per confinare completamente tutti i processi sul sistema. + +Whonix è utilizzato al meglio [in combinazione con Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** è un sistema operativo live basato su Debian che instrada tutte le comunicazioni attraverso Tor, che può essere avviato su quasi tutti i computer da un'installazione su DVD, chiavetta USB o scheda SD. Utilizza [Tor](tor.md) per preservare la privacy e l'anonimato aggirando la censura e non lascia traccia di sé sul computer su cui viene utilizzato una volta spento. + + [:octicons-home-16: Pagina principale](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentazione} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribuisci } + +Tails è ottimo per la contro-analisi forense grazie all'amnesia (il che significa che non viene scritto nulla sul disco); tuttavia, non è una distribuzione rafforzata come Whonix. Manca di molte funzioni di anonimato e sicurezza che Whonix possiede e viene aggiornato molto meno spesso (solo una volta ogni sei settimane). Un sistema Tails compromesso da malware può potenzialmente aggirare il proxy trasparente, consentendo all'utente di essere deanonimizzato. + +Tails include [uBlock Origin](desktop-browsers.md#ublock-origin) nel Tor Browser per impostazione predefinita, il che può potenzialmente rendere più facile per gli avversari effettuare il fingerprinting degli utenti di Tails. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +Da progettazione, Tails è previsto che si ripristini completamente dopo ogni riavvio. L'archiviazione [cifrata persistente](https://tails.boum.org/doc/first_steps/persistence/index.en.html) può essere configurata per memorizzare alcuni dati tra un ravvio e l'altro. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** è un sistema operativo open-source progettato per fornire una forte sicurezza per i computer desktop. È basato su Xen, sul sistema X Window e su Linux, e può eseguire/utilizzare la maggior parte delle applicazioni/driver di Linux. + + [:octicons-home-16: Pagina principale](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Panoramica](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentazione } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribuisci } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +Il sistema operativo Qubes OS protegge il computer isolando i sottosistemi (ad esempio, rete, USB, ecc.) e le applicazioni in macchine virtuali separate. Se una parte del sistema viene compromessa, è probabile che l'isolamento supplementare protegga il resto del sistema. Per ulteriori dettagli, consulta le [FAQ](https://www.qubes-os.org/faq/) di Qubes. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/it/dns.md b/i18n/it/dns.md new file mode 100644 index 00000000..8dcff6a6 --- /dev/null +++ b/i18n/it/dns.md @@ -0,0 +1,139 @@ +--- +title: "Resolver DNS" +icon: material/dns +description: Questi sono alcuni provider DNS cifrati a cui consigliamo di passare, per sostituire la configurazione predefinita del tuo ISP. +--- + +I DNS cifrati con server di terze parti dovrebbero essere utilizzati solo per aggirare il [blocco DNS](https://en.wikipedia.org/wiki/DNS_blocking) di base quando si può essere certi che non ci saranno conseguenze. Il DNS cifrato non aiuta a nascondere la tua attività di navigazione. + +[Per saperne di più sui DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Provider consigliati + +| Fornitore DNS | Informativa sulla privacy | Protocolli | Logging | ECS | Filtraggio | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | In parte[^1] | No | In base alla scelta del server. L'elenco dei filtri utilizzati è disponibile qui. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | In parte[^2] | No | In base alla scelta del server. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Opzionale[^3] | No | In base alla scelta del server. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | In base alla scelta del server. L'elenco dei filtri utilizzati è disponibile qui. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Opzionale | In base alla scelta del server. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | In parte[^6] | Opzionale | In base alla scelta del server, blocco dei malware di default. | + +## CryptPad + +**Si prega di notare che non siamo affiliati a nessuno dei progetti che raccomandiamo.** Oltre a [i nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti per consentirci di fornire raccomandazioni oggettive. Suggeriamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e di condurre le tue ricerche per assicurarti che la scelta sia giusta per te. + +!!! example "Questa sezione è nuova" + + Stiamo lavorando per stabilire criteri definiti per ogni sezione del nostro sito, e ciò potrebbe essere soggetto a modifiche. Se hai domande sui nostri criteri, ti preghiamo di [chiedere sul nostro forum](https://discuss.privacyguides.net/latest) e non dare per scontato che non abbiamo preso in considerazione qualcosa nel formulare le nostre raccomandazioni se non è elencato qui. Sono molti i fattori presi in considerazione e discussi quando raccomandiamo un progetto e documentare ogni singolo fattore è un lavoro in corso. + +- Deve supportare le [DNSSEC](advanced/dns-overview.md#what-is-dnssec) +- [Minimizzazione QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Consente di disabilitare la [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) +- Preferire il supporto di [anycast](https://it.wikipedia.org/wiki/Anycast) o il supporto di geo-steering + +## Supporto nativo del sistema operativo + +### Android + +Android 9 e successivi supportano il 'DNS over TLS'. Le impostazioni sono disponibili in: **Impostazioni** → **Rete & Internet** → **DNS privato**. + +### Dispositivi Apple + +Le utlime versioni di iOS, iPadOS, tvOS e macOS supportano sia DoT, che DoH. Entrambi i protocolli sono supportati in modo nativo tramite [profili di configurazione](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) o tramite [impostazioni DNS API](https://developer.apple.com/documentation/networkextension/dns_settings). + +Dopo l'installazione di un profilo di configurazione o di un'app che utilizza l'API Impostazioni DNS, è possibile selezionare la configurazione DNS. Se una VPN è attiva, la risoluzione all'interno del tunnel VPN utilizzerà le impostazioni DNS della VPN e non le impostazioni a livello di sistema. + +#### Profili firmati + +Apple non fornisce un'interfaccia nativa per la creazione di profili DNS cifrati. Il '[Secure DNS profile creator](https://dns.notjakob.com/tool.html)' è uno strumento non ufficiale per creare i tuoi profili DNS cifrati, che tuttavia non saranno firmati. I profili firmati sono da preferire; la firma convalida l'origine di un profilo, e aiuta a garantire l'integrità dello stesso. I profili di configurazione firmati sono contrassegnati dall'etichetta verde "Verificato". Per ulteriori informazioni sulla firma del codice, vedere [Informazioni sulla firma del codice](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **I profili firmati** vengono offerti da [AdGuard](https://adguard.com/it/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io) e [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved', che molte distribuzioni Linux usano per fare le ricerche DNS, non supporta ancora [DoH](https://github.com/systemd/systemd/issues/8639). Se vuoi usare DoH, è necessario installare un proxy come [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) e [configurarlo] (https://wiki.archlinux.org/title/Dnscrypt-proxy) per prendere tutte le query DNS dal resolver di sistema e inoltrarle tramite HTTPS. + +## Proxy DNS cifrati + +I software proxy per il DNS cifrato forniscono un proxy locale a cui inoltrare le richieste [DNS non cifrate](advanced/dns-overview.md#unencrypted-dns). In genere viene usato su piattaforme che non supportano nativamente il [DNS cifrato](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![Logo RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![Logo RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** è un client Android open-source che supporta [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) e DNS Proxy oltre a memorizzare nella cache le risposte DNS, registrare localmente le query DNS e può essere usato anche come firewall. + + [:octicons-home-16: Pagina principale](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Codice Sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![logo dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** è un proxy DNS con supporto per [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) e [DNS anonimizzato](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "La funzione DNS anonimizzato [**non**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonimizza il resto del traffico di rete." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Soluzioni self-hosted + +Una soluzione DNS self-hosted è utile per fornire il filtraggio su piattaforme controllate, come Smart TV e altri dispositivi IoT, poiché non è necessario alcun software lato client. + +### AdGuard Home + +!!! recommendation + + ![Logo AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** è un [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) open-source che utilizza il [filtraggio DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) per bloccare contenuti web indesiderati, come gli annunci pubblicitari. + + AdGuard Home è dotato di un'interfaccia web raffinata per visualizzare gli insight e gestire i contenuti bloccati. + + [:octicons-home-16: Pagina principale](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Codice sorgente" } + +### Pi-hole + +!!! recommendation + + ![Logo Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** è un [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) open-source che utilizza il [filtraggio DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) per bloccare contenuti web indesiderati, come la pubblicità. + + Pi-hole è stato progettato per essere eseguito su un Raspberry Pi, ma non è limitato a tale hardware. Il software dispone di un'interfaccia web intuitiva per visualizzare gli insight e gestire i contenuti bloccati. + + [:octicons-home-16: Pagina principale](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribuisci } + +[^1]: AdGuard memorizza le statistiche aggregate delle prestazioni dei propri server DNS, ovvero il numero di richieste dirette a un particolare server, il numero di richieste bloccate e la velocità di elaborazione di esse. Inoltre, conservano e memorizzano i domini richiesti nelle ultime 24 ore. "Abbiamo bisogno di queste informazioni per identificare e bloccare nuovi tracker e minacce" "Registriamo anche quante volte un tracker viene bloccato. Abbiamo bisogno di queste informazioni per rimuovere le regole obsolete dai nostri filtri" [https://adguard.com/it/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare raccoglie e memorizza solo dati limitati delle stringhe DNS che vengono inviate al resolver 1.1.1.1. Il resolver 1.1.1.1 non registra dati personali, e la maggior parte dei dati di identificazione personali limitati nelle stringhe DNS viene archiviata per solo 25 ore. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D registra solo i resolver Premium con profili DNS personalizzati. I resolver gratuiti non registrano dati. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Il servizio di DNS di Mullvad è disponibile per tutti, abbonati a Mullvad VPN e non. La loro informativa sulla privacy dichiara che non registrano in alcun modo le richieste DNS. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS fornisce funzioni opzionali di approfondimento e di logging. Puoi decidere il tempo di retenzione e la posizione dell'archivio per tutti i dati che decidi di registrare. A meno che non venga specificatamente richiesto, nessun dato viene registrato. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 raccoglie alcuni dati con l'intenzione di monitorare e rispondere a eventuali minacce. Tali dati potrebbero essere poi rimescolati e condivisi, ad esempio ai fini della ricerca sulla sicurezza. Quad9 non colleziona o registra gli indirizzi IP, o qualsiasi altro dato ritenuto d'identificazione personale. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/it/email-clients.md b/i18n/it/email-clients.md new file mode 100644 index 00000000..d5311f3c --- /dev/null +++ b/i18n/it/email-clients.md @@ -0,0 +1,252 @@ +--- +title: "Client Email" +icon: material/email-open +description: Questi client email rispettano la privacy e supportano la crittografia OpenPGP. +--- + +Il nostro elenco di raccomandazioni contiene client di posta elettronica che supportano sia [OpenPGP](encryption.md#openpgp) che l'autenticazione forte come [Open Authorization (OAuth)](https://it.wikipedia.org/wiki/OAuth). OAuth consente di utilizzare l'[autenticazione a più fattori](basics/multi-factor-authentication.md) e di prevenire il furto di account. + +??? attenzione "L'e-mail non fornisce la segretezza dell'inoltro" + + Quando si utilizza una tecnologia di crittografia end-to-end (E2EE) come OpenPGP, le e-mail avranno ancora [alcuni metadati](email.md#email-metadata-overview) non crittografati nell'intestazione dell'e-mail. + + OpenPGP non supporta inoltre la [forward secrecy](https://it.wikipedia.org/wiki/Forward_secrecy), il che significa che se la chiave privata del destinatario o dell'utente viene rubata, tutti i messaggi precedenti crittografati con essa saranno esposti: [come proteggo le mie chiavi private?](basics/email-security.md) Considera l'utilizzo di un mezzo che garantisca la segretezza in avanti (forward secrecy): + + [Comunicazione in tempo reale](real-time-communication.md){ .md-button } + +## Multipiattaforma + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** è un client di posta elettronica, newsgroup, news feed e chat (XMPP, IRC, Twitter) gratuito, open-source e multipiattaforma, sviluppato dalla comunità Thunderbird e precedentemente dalla Mozilla Foundation. + + [:octicons-home-16: Pagina principale](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentazione} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Configurazione consigliata + +Si consiglia di modificare alcune di queste impostazioni per rendere Thunderbird un po' più privato. + +Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Privacy e sicurezza**. + +##### Contenuto Web + +- [ ] Deseleziona **Ricorda siti web e link visitati** +- [ ] Deseleziona **Accetta i cookie dai siti** + +##### Telemetria + +- [ ] Deseleziona **Consenti a Thunderbird di inviare a Mozilla dati tecnici e di interazione** + +#### Thunderbird-user.js (avanzato) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), è un insieme di opzioni di configurazione che mira a disabilitare il maggior numero possibile di funzioni di navigazione web all'interno di Thunderbird, al fine di ridurre la superficie e mantenere la privacy. Alcune modifiche sono state prese dal [progetto Arkenfox](https://github.com/arkenfox/user.js). + +## Specifiche alla piattaforma + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** è incluso in macOS e può essere esteso per avere il supporto OpenPGP con [GPG Suite](encryption.md#gpg-suite), che aggiunge la possibilità di inviare e-mail crittografate. + + [:octicons-home-16: Pagina principale](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentazione} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** è un client di posta elettronica a pagamento progettato per rendere perfetta la crittografia end-to-end con funzioni di sicurezza come il blocco biometrico dell'app. + + [:octicons-home-16: Pagina principale](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentazione} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail ha rilasciato solo di recente un client per Windows e Android, anche se non crediamo che siano stabili come le loro controparti per iOS e Mac. + +Canary Mail è closed-source. Lo consigliamo a causa della scarsa scelta di client di posta elettronica su iOS che supportano la E2EE PGP. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** è un'applicazione di posta elettronica minimale e open-source, che utilizza standard aperti (IMAP, SMTP, OpenPGP) con un basso consumo di dati e batteria. + + [:octicons-home-16: Pagina principale](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** è un'applicazione per la gestione delle informazioni personali che fornisce funzionalità integrate di posta, calendario e rubrica. Evolution dispone di un'ampia [documentazione](https://help.gnome.org/users/evolution/stable/) per aiutarti a iniziare. + + [:octicons-home-16: Pagina principale](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** è un'applicazione di posta elettronica indipendente che supporta sia le caselle POP3 che IMAP, ma supporta solo la posta push per IMAP. + + In futuro, K-9 Mail sarà il client [ufficiale](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) di Thunderbird per Android. + + [:octicons-home-16: Pagina principale](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** è un'applicazione di gestione delle informazioni personali (PIM, personal information manager) del progetto [KDE](https://kde.org). Offre un client di posta, una rubrica, un'agenda e un client RSS. + +### Kontact (KDE) + +!!! recommendation + + ![Logo Kontact](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** è un'applicazione di gestione delle informazioni personali (PIM) del progetto [KDE](https://kde.org). [:octicons-home-16: Pagina principale](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Codice sorgente" } + + ??? + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? download + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Logo Mailvelope](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** è un'estensione del browser che consente lo scambio di e-mail crittografate secondo lo standard di crittografia OpenPGP. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? download + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** è un lettore di posta elettronica a riga di comando open-source (or MUA) per Linux e BSD. È un fork di [Mutt](https://it.wikipedia.org/wiki/Mutt) con funzionalità aggiuntive. + + NeoMutt è un client basato sul testo che ha una curva di apprendimento molto ripida. Tuttavia, è molto personalizzabile. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? download + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteri + +**Si noti che non siamo affiliati a nessuno dei progetti che raccomandiamo.** Oltre ai [ nostri criteri standard ](about/criteria.md), abbiamo sviluppato una serie di requisiti chiari che ci consentono di fornire raccomandazioni oggettive. Ti consigliamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e di condurre le tue ricerche per assicurarti che sia la scelta giusta per te. + +!!! esempio "Questa sezione è nuova" + + Stiamo lavorando per stabilire criteri definiti per ogni sezione del nostro sito, e questo potrebbe essere soggetto a modifiche. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Le applicazioni sviluppate per sistemi operativi open-source devono essere open-source. +- Non deve raccogliere la telemetria o deve avere un modo semplice per disabilitare tutta la telemetria. +- Deve supportare la crittografia dei messaggi OpenPGP. + +### Criteri Ottimali + +I nostri criteri ottimali rappresentano ciò che vorremmo vedere dal progetto perfetto in questa categoria. Le nostre raccomandazioni potrebbero non includere tutte o alcune di queste funzionalità, ma quelle che le includono potrebbero avere una posizione più alta rispetto ad altre in questa pagina. + +- Dovrebbe essere open-source. +- Dovrebbe essere multipiattaforma. +- Non dovrebbe raccogliere alcuna telemetria per impostazione predefinita. +- Deve supportare OpenPGP in modo nativo, cioè senza estensioni. +- Dovrebbe supportare l'archiviazione locale delle e-mail crittografate OpenPGP. diff --git a/i18n/it/email.md b/i18n/it/email.md new file mode 100644 index 00000000..efd147f1 --- /dev/null +++ b/i18n/it/email.md @@ -0,0 +1,503 @@ +--- +title: "Servizi mail" +icon: material/email +description: Questi provider di posta elettronica offrono un luogo ideale per archiviare le tue mail in modo sicuro e molti offrono la crittografia OpenPGP interoperabile con altri provider. +--- + +L'e-mail è praticamente una necessità per l'utilizzo di qualsiasi servizio online, tuttavia non la consigliamo per le conversazioni personali. Piuttosto che utilizzare l'email per contattare altre persone, considera l'utilizzo di un mezzo di messaggistica istantanea che supporta la forward secrecy. + +[Messaggistica istantanea consigliata](real-time-communication.md ""){.md-button} + +Per tutto il resto, consigliamo una varietà di provider di posta elettronica basati su modelli di business sostenibile e funzioni di sicurezza integrate. + +- [Provider di posta elettronica compatibili con OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Altri provider cifrati :material-arrow-right-drop-circle:](#more-providers) +- [Servizi di aliasing mail :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Opzioni self-hosted :material-arrow-right-drop-circle:](#self-hosting-email) + +## Servizi compatibili con OpenPGP + +Questi provider supportano in modo nativo la cifratura/decifratura OpenPGP e lo standard Web Key Directory (WKD), consentendo la creazione di mail E2EE indipendenti dal provider. Ad esempio, un utente di Proton Mail potrebbe inviare un messaggio E2EE a un utente di Mailbox.org, oppure si potrebbero ricevere notifiche cifrate in OpenPGP dai servizi Internet che lo supportano. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning "Avviso" + + Quando si utilizza tecnologia E2EE, come OpenPGP, alcuni metadata nell'intestazione dei messaggi non vengono crittografati. Per saperne di più sui metadata della [posta elettronica](basics/email-security.md#email-metadata-overview). + + OpenPGP inoltre non supporta la Forward secrecy, il che significa che se la tua chiave privata o quella del destinatario è stata rubata, tutti i messaggi cifrati con esso saranno esposti. [Come proteggo le mie chiavi private?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** è un servizio di posta elettronica incentrato su privacy, crittografia, sicurezza e facilità d'uso. Operano dal **2013**. Proton AG ha sede a Ginevra, Svizzera. Gli account partono da 500MB di spazio di archiviazione con il piano gratuito. + + [:octicons-home-16: Pagina principale](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Gli account gratuiti hanno alcune limitazioni, come non essere in grado di cercare il testo del corpo e non avere accesso a [Proton Mail Bridge](https://proton.me/mail/bridge), che è necessario per utilizzare un [client di posta elettronica desktop raccomandato](email-clients.md) (ad es. Thunderbird). Gli account a pagamento includono funzionalità come Proton Mail Bridge, spazio di archiviazione aggiuntivo e supporto per domini personalizzati. Una [lettera di attestazione](https://proton.me/blog/security-audit-all-proton-apps) è stata fornita per le applicazioni di Proton Mail il 9 novembre 2021 da [Securitum](https://research.securitum.com). + +Se hai il piano Proton Unlimited, Business o Visionary, ottieni anche [SimpleLogin](#simplelogin) Premium gratuitamente. + +Proton Mail ha rapporti interni di crash che **non condividono** con terze parti. Questa funzione può essere disattivata in: **Impostazioni** > **Vai alle impostazioni** > **Account** > **Sicurezza e privacy** > **Invia rapporti sui crash**. + +#### :material-check:{ .pg-green } Domini e alias personalizzati + +Gli abbonati a Proton Mail a pagamento possono utilizzare il proprio dominio con il servizio o un indirizzo [catch-all](https://proton.me/support/catch-all). Proton Mail supporta anche il [sottoindirizzamento ](https://proton.me/support/creating-aliases), utile per chi non vuole acquistare un dominio. + +#### :material-check:{ .pg-green } Metodi di pagamento privati + +Proton Mail [accetta](https://proton.me/support/payment-options) contanti per posta oltre ai normali pagamenti con carta di credito/debito, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)e PayPal. + +#### :material-check:{ .pg-green } Sicurezza dell'account + +Proton Mail supporta [l'autenticazione a due fattori](https://proton.me/support/two-factor-authentication-2fa) TOTP e le [chiavi di sicurezza hardware](https://proton.me/support/2fa-security-key) utilizzando gli standard FIDO2 o U2F. L'uso di una chiave di sicurezza hardware richiede prima l'impostazione dell'autenticazione a due fattori TOTP. + +#### :material-check:{ .pg-green } Sicurezza dei dati + +Proton Mail ha [crittografia zero-access](https://proton.me/blog/zero-access-encryption) a riposo per le tue mail e [calendari](https://proton.me/news/protoncalendar-security-model). I dati protetti con crittografia ad zero-access sono accessibili solo da te. + +Alcune informazioni memorizzate in [Proton Contacts](https://proton.me/support/proton-contacts), come i nomi visualizzati e gli indirizzi mail, non sono protette da una crittografia zero-access. I campi dei contatti che supportano la crittografia zero-access, come i numeri di telefono, sono indicati con l'icona di un lucchetto. + +#### :material-check:{ .pg-green } Crittografia delle mail + +Proton Mail ha una [crittografia OpenPGP integrata](https://proton.me/support/how-to-use-pgp) nella loro webmail. Le e-mail inviate ad altri account Proton Mail vengono crittografate automaticamente, e la crittografia verso indirizzi non Proton Mail con una chiave OpenPGP può essere abilitata nelle impostazioni dell'account. Consentono inoltre di crittografare [i messaggi inviati a indirizzi non Proton Mail](https://proton.me/support/password-protected-emails) senza che questi debbano iscriversi a un account Proton Mail o utilizzare software come OpenPGP. + +Proton Mail supporta anche la scoperta di chiavi pubbliche tramite HTTP dalla loro [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Questo permette alle persone che non utilizzano Proton Mail di trovare facilmente le chiavi OpenPGP degli account Proton Mail, per un E2EE cross-provider. + + +#### :material-information-outline:{ .pg-blue } Chiusura dell'account + +Se avete un account a pagamento e il tuo [abbonamento non è stata pagato](https://proton.me/support/delinquency) dopo 14 giorni, non potrai accedere ai tuoi dati. Dopo 30 giorni, l'account diventerà delinguente e non riceverà più la posta in arrivo. Durante questo periodo la fattura continuerà ad essere addebitata. + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +Proton Mail offre un account "Unlimited" a 9,99 euro/mese, che consente anche l'accesso a Proton VPN oltre a fornire account multipli, domini, alias e 500 GB di spazio di archiviazione. + +Proton Mail non offre una funzione di eredità digitale. + +### Mailbox.org + +!!! recommendation + + ![Logo Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** è un servizio di posta elettronica che si concentra sull'essere sicuro, privo di pubblicità e alimentato privatamente da energia ecologica al 100%. Mailbox.org è opera dal 2014 e ha sede a Berlino, in Germania. Gli account iniziano con 2 GB di spazio di archiviazione, che possono essere aumentati in base alle esigenze. + + [:octicons-home-16: Pagina principale](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentazione} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Domini e alias personalizzati + +Mailbox.org consente di utilizzare il proprio dominio e supporta gli indirizzi [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org supporta anche il sottoindirizzamento [](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), utile se non si vuole acquistare un dominio. + +#### :material-check:{ .pg-green } Metodi di pagamento privati + +Mailbox.org non accetta criptovalute a causa della sospensione delle attività del suo processore di pagamento BitPay in Germania. Tuttavia, accettano contanti per posta, pagamento in contanti su conto corrente, bonifico bancario, carta di credito, PayPal e un paio di processori specifici per la Germania: paydirekt e Sofortüberweisung. + +#### :material-check:{ .pg-green } Sicurezza dell'account + +Mailbox.org supporta l'[autenticazione a due fattori](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) solo per la loro webmail. È possibile utilizzare TOTP o [Yubikey](https://en.wikipedia.org/wiki/YubiKey) tramite il [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Gli standard Web come [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) non sono ancora supportati. + +#### :material-information-outline:{ .pg-blue } Sicurezza dei dati + +Mailbox.org consente la crittografia della posta in arrivo utilizzando la loro [casella di posta crittografata](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). I nuovi messaggi ricevuti saranno immediatamente crittografati con la tua chiave pubblica. + +Tuttavia, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), la piattaforma software utilizzata da Mailbox.org, [non supporta](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) la crittografia della rubrica e del calendario. Un’opzione [indipendente](calendar.md) può essere più appropriata per tali informazioni. + +#### :material-check:{ .pg-green } Crittografia delle mail + +Mailbox.org ha una [crittografia integrata](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) nella loro webmail, che semplifica l'invio di messaggi a persone con chiavi OpenPGP pubbliche. Permettono inoltre a [destinatari remoti di decrittografare una mail](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) sui server di Mailbox.org. Questa funzione è utile quando il destinatario remoto non dispone di OpenPGP e non può decifrare una copia dell'e-mail nella propria casella di posta elettronica. + +Mailbox.org supporta anche la scoperta di chiavi pubbliche tramite HTTP dalla loro [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Questo permette a persone esterne a Mailbox.org di trovare facilmente le chiavi OpenPGP degli account di Mailbox.org, per un E2EE fra provider diversi. + +#### :material-information-outline:{ .pg-blue } Chiusura dell'account + +Il tuo account verrà impostato su un account utente con restrizioni al termine del contratto, dopo [30 giorni verrà eliminato irrevocabilmente](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +Puoi accedere al tuo account Mailbox.org tramite IMAP/SMTP utilizzando il loro servizio [.onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Tuttavia, l'interfaccia webmail non è accessibile tramite il servizio .onion e si possono verificare errori di certificato TLS. + +Tutti gli account vengono forniti con uno spazio di archiviazione cloud limitato che [può essere crittografato](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org offre anche l'alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), che impone la crittografia TLS sulla connessione tra i server di posta, altrimenti il messaggio non verrà inviato affatto. Mailbox.org supporta anche [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) oltre ai protocolli di accesso standard come IMAP e POP3. + +Mailbox.org dispone di una funzione di eredità digitale per tutti i piani. Puoi scegliere se vuoi che i dati siano trasmessi agli eredi, a condizione che ne facciano richiesta e forniscano il testamento. In alternativa, è possibile nominare una persona per nome e indirizzo. + +## Altri provider + +Questi provider archiviano le tue e-mail con una crittografia a conoscenza zero, il che li rende ottime opzioni per mantenere sicure le tue e-mail archiviate. Tuttavia, non supportano standard di crittografia interoperabili per le comunicazioni E2EE tra provider. + +
+ +- ![Logo StartMail](assets/img/email/startmail.svg#only-light){ .twemoji }![Logo StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Logo Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![Logo StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Logo StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** è un servizio di posta elettronica incentrato sulla sicurezza e sulla privacy grazie all'uso della crittografia standard OpenPGP. StartMail è attiva dal 2014 e ha sede in Boulevard 11, Zeist, Paesi Bassi. Gli account partono da 10 GB. Viene offerto un periodo di prova di 30 giorni. + + [:octicons-home-16: Pagina principale](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentazione} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Domini e alias personalizzati + +Gli account personali possono utilizzare [alias personalizzati o Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases). Sono disponibili anche [domini personalizzati](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain). + +#### :material-alert-outline:{ .pg-orange } Metodi di pagamento privati + +StartMail accetta Visa, MasterCard, American Express e PayPal. StartMail ha anche altre [opzioni di pagamento](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) come [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (attualmente solo per i conti personali) e l'addebito diretto SEPA per account più vecchi di un anno. + +#### :material-check:{ .pg-green } Sicurezza dell'account + +StartMail supporta l'autenticazione a due fattori TOTP [solo per webmail](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Non consentono l'autenticazione con chiave di sicurezza U2F. + +#### :material-information-outline:{ .pg-blue } Sicurezza dei dati + +StartMail utilizza una [crittografia zero-access a riposo](https://www.startmail.com/en/whitepaper/#_Toc458527835), utilizzando il loro sistema "user vault". Quando accedi, la cassaforte viene aperta e l'e-mail viene spostata dalla coda e inserita, dove viene decifrata dalla corrispondente chiave privata. + +StartMail supporta l'importazione di [contatti](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), tuttavia, sono accessibili solo nella webmail e non attraverso protocolli come [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Inoltre, i contatti non vengono memorizzati utilizzando la crittografia a "conoscenza zero", quindi potrebbe essere più appropriata un'opzione \[autonoma\](calendar-contacts.md). + +#### :material-check:{ .pg-green } Crittografia delle mail + +StartMail utilizza una [crittografia integrata](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) nella loro webmail, che semplifica l'invio di messaggi crittografati con chiavi OpenPGP pubbliche. Tuttavia, non supportano lo standard Web Key Directory, rendendo la scoperta della chiave pubblica di una casella postale Startmail più impegnativa per altri provider o client di posta elettronica. + +#### :material-information-outline:{ .pg-blue } Chiusura dell'account + +Alla scadenza dell'account, StartMail eliminerà definitivamente il tuo account dopo [6 mesi in 3 fasi](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +StartMail consente il proxy delle immagini all'interno dei messaggi di posta elettronica. Se consenti il caricamento dell'immagine remota, il mittente non saprà quale sia il tuo indirizzo IP. + +StartMail non offre una funzione di eredità digitale. + +### Tutanota + +!!! recommendation + + ![Logo Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** è un servizio di posta elettronica incentrato sulla sicurezza e sulla privacy attraverso l'uso della crittografia. Tutanota è operativa dal **2011** e ha sede ad Hannover, in Germania. Gli account iniziano con 1 GB di spazio di archiviazione con il piano gratuito. + + [:octicons-home-16: Pagina principale](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota non supporta il [protocollo IMAP](https://tutanota.com/faq/#imap) o l'uso di client [di posta elettronica di terze parti](email-clients.md)e non sarà nemmeno possibile aggiungere [account di posta elettronica esterni](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) all'app Tutanota. Al momento non sono supportate né [Importazione e-mail](https://github.com/tutao/tutanota/issues/630) né [sottocartelle](https://github.com/tutao/tutanota/issues/927) , anche se questo [dovrebbe essere modificato](https://tutanota.com/blog/posts/kickoff-import). Le e-mail possono essere esportate [singolarmente o per selezione in blocco](https://tutanota.com/howto#generalMail) per cartella, il che può essere scomodo se si dispone di molte cartelle. + +#### :material-check:{ .pg-green } Domini e alias personalizzati + +Gli account Tutanota a pagamento possono utilizzare fino a 5 [alias](https://tutanota.com/faq#alias) e [domini personalizzati](https://tutanota.com/faq#custom-domain). Tutanota non consente il [sottoindirizzamento (più indirizzi)](https://tutanota.com/faq#plus), ma è possibile utilizzare un [catch-all](https://tutanota.com/howto#settings-global) con un dominio personalizzato. + +#### :material-information-outline:{ .pg-blue } Metodi di pagamento privati + +Tutanota accetta solo direttamente carte di credito e PayPal, tuttavia è possibile utilizzare [criptovalute](cryptocurrency.md) per acquistare carte regalo tramite la loro [partnership](https://tutanota.com/faq/#cryptocurrency) con Proxystore. + +#### :material-check:{ .pg-green } Sicurezza dell'account + +Tutanota supporta l'autenticazione [a due fattori](https://tutanota.com/faq#2fa) con TOTP o U2F. + +#### :material-check:{ .pg-green } Sicurezza dei dati + +Tutanota utilizza una [crittografia zero-access a riposo](https://tutanota.com/faq#what-encrypted) per le tue mail, [contatti della rubrica](https://tutanota.com/faq#encrypted-address-book)e [calendari](https://tutanota.com/faq#calendar). Ciò significa che i messaggi e gli altri dati memorizzati nel tuo account sono leggibili solo a te. + +#### :material-information-outline:{ .pg-blue } Crittografia delle mail + +Tutanota [non utilizza OpenPGP](https://www.tutanota.com/faq/#pgp). Gli account Tutanota possono ricevere email cifrate da account di posta elettronica non Tutanota solo se inviate tramite una [casella di posta temporanea Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Chiusura dell'account + +Tutanota eliminerà [account gratuiti inattivi](https://tutanota.com/faq#inactive-accounts) dopo sei mesi. È possibile riutilizzare un account gratuito disattivato se si paga. + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +Tutanota offre la versione business di [Tutanota alle organizzazioni no-profit](https://tutanota.com/blog/posts/secure-email-for-non-profit) gratuitamente o con un forte sconto. + +Tutanota ha anche una funzione aziendale chiamata [Secure Connect](https://tutanota.com/secure-connect/). Ciò garantisce che il contatto del cliente con l'azienda utilizzi E2EE. La funzione costa 240€ all'anno. + +Tutanota non offre una funzione di eredità digitale. + +## Servizi di alias per email + +Un servizio di aliasing email consente di generare facilmente un nuovo indirizzo email per ogni sito web a cui ci si registra. Gli alias email generati vengono quindi inoltrati a un indirizzo email di tua scelta, nascondendo sia il tuo indirizzo e-mail "principale" che l'identità del tuo provider di posta elettronica. Il vero aliasing di posta elettronica è meglio dell'indirizzo plus comunemente usato e supportato da molti provider, che ti consente di creare alias come tuonome+[qualsiasicosa]@example.com, perché siti Web, inserzionisti e reti di tracciamento possono banalmente rimuovere qualsiasi cosa dopo il segno + per conoscere il tuo vero indirizzo email. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +L'aliasing e-mail può funzionare da salvaguardia nel caso in cui il tuo provider di posta elettronica cessi di operare. In questo caso, è possibile reindirizzare facilmente gli alias a un nuovo indirizzo email. A sua volta, tuttavia, si sta mettendo fiducia nel servizio di aliasing che continui a funzionare. + +L'utilizzo di un servizio di aliasing email dedicato presenta una serie di vantaggi rispetto a un alias generico su un dominio personalizzato: + +- Gli alias possono essere attivati e disattivati singolarmente quando se ne ha bisogno, evitando che i siti web inviino e-mail a caso. +- Le risposte vengono inviate dall'indirizzo alias, nascondendo il tuo vero indirizzo email. + +Inoltre, presentano una serie di vantaggi rispetto ai servizi di "posta elettronica temporanea": + +- Gli alias sono permanenti e possono essere riattivati nel caso in cui sia necessario ricevere qualcosa come la reimpostazione della password. +- Le mail vengono inviate alla tua casella di posta elettronica di fiducia, anziché essere archiviate dal provider di alias. +- I servizi di posta elettronica temporanea hanno in genere caselle di posta pubbliche a cui può accedere chiunque conosca l'indirizzo, mentre gli alias sono privati. + +Le nostre raccomandazioni di aliasing mail sono fornitori che ti consentono di creare alias su domini che controllano, nonché i tuoi domini personalizzati a un costo annuale modesto. Possono anche essere self-hosted se si desidera il massimo controllo. Tuttavia, l'utilizzo di un dominio personalizzato può avere svantaggi relativi alla privacy: se sei l'unica persona che utilizza il tuo dominio personalizzato, le tue azioni possono essere facilmente tracciate su siti web semplicemente guardando il nome di dominio nell'indirizzo e-mail e ignorando tutto prima del simbolo della @. + +L'utilizzo di un servizio di aliasing richiede la fiducia del provider di posta elettronica e del provider di aliasing per i messaggi non cifrati. Alcuni provider mitigano leggermente questo problema con la crittografia PGP automatica, che riduce il numero di parti di cui è necessario fidarsi da due a una crittografando le mail in arrivo prima che vengano consegnate al provider della casella di posta finale. + +### AnonAddy + +!!! recommendation + + ![Logo AnonAddy](assets/img/email/anonaddy.svg#only-light){ align=right } + ![Logo AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** consente di creare gratuitamente 20 alias di dominio su un dominio condiviso, oppure alias "standard" illimitati, meno anonimi. + + [:octicons-home-16: Pagina principale](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribuisci} + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Il numero di alias condivisi (che terminano in un dominio condiviso come @anonaddy.me) che puoi creare è limitato a 20 sul piano gratuito di AnonAddy e 50 sul loro piano di $12/anno. Puoi creare alias standard illimitati (che terminano in un dominio come @[username].anonaddy.com o un dominio personalizzato su piani a pagamento), tuttavia, come accennato in precedenza, questo può essere dannoso per la privacy perché le persone possono banalmente collegare i tuoi alias standard in base al solo nome di dominio. Alias condivisi illimitati sono disponibili per $36/anno. + +Funzionalità gratuite degne di nota: + +- [x] 20 alias condivisi +- [x] Alias standard illimitati +- [ ] Non sono possibili le risposte in uscita +- [x] 2 caselle di posta destinatario +- [x] Crittografia automatica PGP + +### SimpleLogin + +!!! recommendation + + ![Logo Simplelogin](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** è un servizio gratuito che fornisce alias di posta elettronica su una varietà di nomi di dominio condivisi e, facoltativamente, fornisce funzionalità a pagamento come alias illimitati e domini personalizzati. + + [:octicons-home-16: Pagina principale](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Informativa sulla Privacy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin è stata [acquistata da Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) l'8 aprile del 2022. Se utilizzi Proton Mail come tua casella di posta principale, SimpleLogin è un'ottima scelta. Poiché entrambi i prodotti sono ora di proprietà della stessa azienda, è sufficiente fidarsi di un'unica entità. Prevediamo inoltre in futuro che SimpleLogin sarà maggiormente integrato con le offerte di Proton. SimpleLogin continua a supportare l'inoltro a qualsiasi provider di posta elettronica di tua scelta. Securitum [ha revisionato](https://simplelogin.io/blog/security-audit/) SimpleLogin all'inizio del 2022 e tutti i problemi [sono stati risolti](https://simplelogin.io/audit2022/web.pdf). + +Puoi collegare il tuo account SimpleLogin con l'account Proton nelle impostazioni. Se hai il piano Proton Unlimited, Business o Visionary, avrai SimpleLogin Premium gratuitamente. + +Caratteristiche gratuite degne di nota: + +- [x] 10 alias condivisi +- [x] Risposte illimitate +- [x] 1 casella di posta destinatario + +## Email self-hosting + +Gli amministratori di sistema avanzati possono prendere in considerazione la possibilità di creare un proprio server di posta elettronica. I server di posta elettronica richiedono attenzione e manutenzione continua per mantenere la sicurezza e l'affidabilità della consegna delle email. + +### Soluzioni software combinate + +!!! recommendation + + ![Logo Mailcow](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** è un server di posta più avanzato, perfetto per chi ha un po' più di esperienza con Linux. Ha tutto il necessario in un container Docker: un server di posta con supporto DKIM, monitoraggio antivirus e spam, webmail e ActiveSync con SOGo e amministrazione basata sul web con supporto 2FA. + + [:octicons-home-16: Pagina principale](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribuisci } + +!!! recommendation + + ![Logo Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** è uno script di configurazione automatica per la distribuzione di un server di posta su Ubuntu. Il suo obiettivo è quello di rendere più semplice la creazione di un proprio server di posta. + + [:octicons-home-16: Pagina principale](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Codice sorgente" } + +Per un approccio più manuale, abbiamo scelto questi due articoli: + +- [Impostare un server di posta elettronica con OpenSMTPD, Dovecot e Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Come gestire il propio server di posta elettronica](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteri + +**Si prega di notare che non siamo affiliati con nessuno dei provider che consigliamo.** Oltre a [nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti per qualsiasi provider di posta elettronica che desideri essere raccomandato, tra cui l'implementazione delle migliori pratiche del settore, la tecnologia moderna e altro ancora. Ti consigliamo di familiarizzare con questo elenco prima di scegliere un provider di posta elettronica e condurre le tue ricerche per assicurarti che il provider di posta elettronica che scegli sia la scelta giusta per te. + +### Tecnologia + +Consideriamo queste caratteristiche importanti per fornire un servizio sicuro e ottimale. Dovresti valutare se il fornitore ha le funzionalità che desideri. + +**Requisiti minimi:** + +- Crittografia dei dati degli account email a riposo con crittografia zero-access. +- Possibilità di esportazione come [Mbox](https://en.wikipedia.org/wiki/Mbox) o singoli .eml con lo standard [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) . +- Consentire agli utenti di utilizzare il proprio [nome di dominio](https://en.wikipedia.org/wiki/Domain_name). I nomi di dominio personalizzati sono importanti per gli utenti perché consentono loro di mantenere la propria autonomia dal servizio, se dovesse diventare negativa o essere acquisita da un'altra società che non dà priorità alla privacy. +- Opera su un'infrastruttura di proprietà, ovvero non si appoggia a provider di servizi e-mail di terze parti. + +**Caso migliore:** + +- Crittografia di tutti i dati dell'account (contatti, calendari ecc.) a riposo con crittografia ad zero-access. +- Crittografia webmail integrata E2EE/PGP fornita per comodità. +- Supporto per [WKD](https://wiki.gnupg.org/WKD) per permettere una migliore individuazione delle chiavi OpenPGP pubbliche via HTTP. Gli utenti di GnuPG possono ottenere una chiave digitando: `gpg --locate-key example_user@example.com` +- Supporto per una casella di posta temporanea per utenti esterni. Ciò è utile quando vuoi inviare una mail crittografata, senza inviare una copia effettiva al destinatario. Queste mail hanno di solito un tempo di vita limitato e vengono automaticamente eliminate. Non richiedono, inoltre, di configurare alcuna crittografia, come OpenPGP. +- Disponibilità dei servizi del provider e-mail mediante un [servizio onion](https://en.wikipedia.org/wiki/.onion). +- Supporto del [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Funzionalità catch-all o alias per chi possiede un dominio proprio. +- Utilizzo dei protocolli standard di accesso, come IMAP, SMTP o [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Questi protocolli assicurano ai clienti la possibilità di scaricare facilmente tutte le loro e-mail, in caso volessero cambiare provider. + +### Privacy + +Preferiamo che i provider da noi consigliati raccolgano il minor numero di dati possibile. + +**Requisiti minimi:** + +- Protezione dell'indirizzo IP del mittente. Filtrare la visualizzazione nell'header d'intestazione `ricevuto`. +- Non richiedere informazioni d'identificazione personale, oltre a un nome utente e una password. +- Un'informativa sulla privacy che soddisfa i requisiti definiti dal GDPR +- Non deve essere hostato negli Stati Uniti a causa del [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism), il quale dev'essere [ancora riformato](https://epic.org/ecpa/). + +**Caso migliore:** + +- Accetta [opzioni di pagamento anonime](advanced/payments.md) ([criptovalute](cryptocurrency.md), contanti, carte regalo, ecc.) + +### Sicurezza + +I server di posta elettronica gestiscono molti dati estremamente sensibili. Ci aspettiamo che i provider adottino le migliori pratiche del settore per proteggere i loro membri. + +**Requisiti minimi:** + +- Protezione della webmail con 2FA, ad esempio TOTP. +- Crittografia zero-access, basata sulla crittografia a riposo. Il provider non deve disporre delle chiavi di decrittazione dei dati in loro possesso. Questo previene che dipendenti disonesti possano trapelare i dati sensibili, o che un avversario remoto possa rilasciarli, dopo averli rubati, ottenendo un accesso non autorizzato al server. +- Supporto [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). +- Nessun [errore o vulnerabilità del TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) quando profilato da strumenti come [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) o [Qualys SSL Labs](https://www.ssllabs.com/ssltest); questi includono errori relativi ai certificati, suite di cifrari scarse o deboli, parametri DH deboli come quelli che portarono al [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Una policy [MTA-STS](https://tools.ietf.org/html/rfc8461) e [TLS-RPT](https://tools.ietf.org/html/rfc8460) valida. +- Record [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) validi. +- Record [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) validi. +- Record [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) e [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) validi. +- Disporre di un record e di una politica [DMARC](https://en.wikipedia.org/wiki/DMARC) adeguati o utilizzare [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) per l'autenticazione. Se si utilizza l'autenticazione DMARC, la politica deve essere impostata su `rifiuta` o `quarantena`. +- Preferenza per una suite di server TLS 1.2 o successiva e un piano per [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [Invio SMTPS](https://en.wikipedia.org/wiki/SMTPS) , supponendo che venga utilizzato SMTP. +- Standard di sicurezza del sito web come: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Integrità Subresource](https://en.wikipedia.org/wiki/Subresource_Integrity) se si caricano oggetti da domini esterni. +- Deve supportare la visualizzazione di [intestazioni di messaggi](https://en.wikipedia.org/wiki/Email#Message_header), in quanto è una funzione forense cruciale per determinare se un'e-mail è un tentativo di phishing. + +**Caso migliore:** + +- Supporto per l'autenticazione hardware, come U2F e [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F e WebAuthn sono più sicuri, in quanto utilizzano una chiave privata memorizzata nel client su un dispositivo hardware per autenticare le persone, rispetto a un segreto condiviso che viene memorizzato sul server web e sul client quando si utilizza TOTP. Inoltre, U2F e WebAuthn sono più resistenti al phishing in quanto la loro risposta di autenticazione si basa sul [nome di dominio](https://en.wikipedia.org/wiki/Domain_name) autenticato. Inoltre, U2F e WebAuthn sono più resistenti al phishing in quanto la loro risposta di autenticazione si basa sul [nome di dominio](https://en.wikipedia.org/wiki/Domain_name) autenticato. +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844), oltre al supporto DANE. +- Implementazione della [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), utile per chi posta su liste [RFC8617](https://tools.ietf.org/html/rfc8617) di mailing. +- Programmi di bug-bounty e/o un processo coordinato di divulgazione delle vulnerabilità. +- Standard di sicurezza del sito web come: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Fiducia + +Non affideresti le tue finanze a qualcuno con un'identità falsa, quindi perché dovresti affidargli la tua e-mail? Richiediamo che i provider da noi consigliati rendano pubbliche la loro dirigenza o proprietà. Vorremmo anche vedere frequenti rapporti di trasparenza, soprattutto per quanto riguarda il modo in cui vengono gestite le richieste del governo. + +**Requisiti minimi:** + +- Dirigenza o proprietà pubblica. + +**Caso migliore:** + +- Dirigenza pubblica. +- Rapporti di trasparenza frequenti. + +### Marketing + +Con i provider di posta elettronica che consigliamo, ci piacerebbe vedere un marketing responsabile. + +**Requisiti minimi:** + +- Deve ospitare localmente i sistemi di analitica (no Google Analytics, Adobe Analytics, ecc.). Il sito del fornitore deve inoltre rispettare il [No not track (DNT)](https://it.wikipedia.org/wiki/Do_Not_Track) per chi desidera rinunciare. + +Non deve avere alcun marketing ritenuto irresponsabile: + +- Dichiarazioni di "crittografia infrangibile". La crittografia deve essere utilizzata con l'intenzione che nel futuro esisterà la tecnologia per decifrarla. +- Garantire al 100% la protezione dell'anonimato. Quando qualcuno afferma che qualcosa è al 100% significa che non esiste fallimento. Sappiamo che le persone possono deanonimizzarsi facilmente in vari modi, ad es.: + +- Riutilizzare informazioni personali (p.e., account e-mail, pseudonimi unici ecc.) con cui hanno eseguito accessi senza software di anonimizzazione (Tor, VPN, ecc.) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Caso migliore:** + +- Documentazione chiara e di facile lettura. Questo include cose come l'impostazione di 2FA, dei client di posta elettronica, di OpenPGP, ecc. + +### Funzionalità aggiuntive + +Anche se non strettamente necessari, ci sono altri fattori di convenienza o di privacy che abbiamo preso in considerazione per determinare i provider da consigliare. diff --git a/i18n/it/encryption.md b/i18n/it/encryption.md new file mode 100644 index 00000000..a9d671f3 --- /dev/null +++ b/i18n/it/encryption.md @@ -0,0 +1,366 @@ +--- +title: "Software di crittografia" +icon: material/file-lock +description: La crittografia dei dati è l'unico modo per controllare chi può accedervi. These tools allow you to encrypt your emails and any other files. +--- + +La crittografia dei dati è l'unico modo per controllare chi può accedervi. Se al momento non stai utilizzando software per la crittografia del tuo hard disk, delle email, o dei file, dovresti scegliere una delle seguenti opzioni. + +## Multipiattaforma + +Le opzioni qui elencate sono multipiattaforma e ottime per la creazione di backup crittografati dei tuoi dati. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** è una soluzione per la crittografia progettata per salvare privatamente i file di qualsiasi provider cloud. Ti permette di creare cassaforti che sono memorizzate su un'unità di archiviazione virtuale, il cui contenuto è crittografato e sincronizzato con i tuoi provider di cloud storage. + + [:octicons-home-16: Pagina principale](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator utilizza la crittografia AES-256 per criptare sia i file che i nomi dei file. Cryptomator non è in grado di criptare metadati come i timestamp di accesso, modifica e creazione, né il numero e la dimensione di file e cartelle. + +Alcune librerie crittografiche di Cryptomator sono state [revisionate](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) da Cure53. Alcune delle librerie sottoposte a verifica sono: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) e [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). Non è stata controllata [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), che è una libreria usata da Cryptomator per iOS. + +La documentazione di Cryptomator descrive più nel dettaglio [i suoi obiettivi di sicurezza](https://docs.cryptomator.org/en/latest/security/security-target/), [l'architettura di sicurezza](https://docs.cryptomator.org/en/latest/security/architecture/), e [le migliori pratiche](https://docs.cryptomator.org/en/latest/security/best-practices/) per l'utilizzo. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** è un strumento semplice e di piccole dimensioni che fornisce tecniche di crittografia moderna. Utilizza il cifrario sicuro XChaCha20 e la funzione di derivazione delle chiavi Argon2id per garantire un alto livello di sicurezza. Utilizza inoltre i moduli standard x/crypto di Go per le sue funzionalità di crittografia. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disco) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** è un software di utilità gratuito, disponibile in formato sorgente, utilizzato per crittografare al volo. Permette di creare un disco virtuale crittografato all'interno di un file, crittografare una partizione o interi dispositivi di archiviazione con autenticazione pre-avvio. + + [:octicons-home-16: Pagina principale](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt è un fork del progetto abbandonato TrueCrypt. A detta degli sviluppatori, sono stati implementati miglioramenti sulla sicurezza e i problemi sollevati dalla inziale verifica di TrueCrypt sono stati affrontati. + +Quando utilizzi la crittografia di VeraCrypt, hai la possibilità di scegliere tra diverse [funzioni di hash](https://it.wikipedia.org/wiki/Funzione_di_hash). Suggeriamo di selezionare **unicamente** [SHA-512](https://it.wikipedia.org/wiki/Secure_Hash_Algorithm) e il cifrario a blocchi [AES](https://it.wikipedia.org/wiki/Advanced_Encryption_Standard). + +TrueCrypt è stato [sottoposto ad audit un certo numero di volte](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits); anche VeraCrypt è stato [verificato separatamente](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Crittografia dell'intero disco del sistema operativo + +I sistemi operativi moderni includono la [FDE](https://en.wikipedia.org/wiki/Disk_encryption) e utilizzeranno un [cryptoprocessor sicuro](https://it.wikipedia.org/wiki/Cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** è il programma di crittografia completa del volume integrato a Microsoft Windows. Il principale motivo per cui lo consigliamo è il suo [uso del TPM Trusted Platform Module)](https://docs.microsoft.com/it-it/windows/security/information-protection/tpm/how-windows-uses-the-tpm). La società di analisi forense [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft) ne ha scritto al riguardo in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentazione} + +BitLocker è [supportato solo](https://support.microsoft.com/it-it/windows/abilitare-la-crittografia-dei-dispositivi-0c453637-bc88-5f74-5105-741561aae838) sulle edizioni Pro, Enterprise ed Education di Windows. Può essere attivato sulle edizioni Home, a condizione che soddisfino i prerequisiti. + +??? example "Attivare BitLocker su Windows Home" + + Per abilitare BitLocker sull'edizione "Home" di Windows è necessario che le partizioni siano formattate con una [Tabella di Partizione GUID](https://en.wikipedia.org/wiki/GUID_Partition_Table) e che abbiano un modulo TPM (v1.2, 2.0+) dedicato. + + 1. Aprire un prompt dei comandi e verificare il formato della tabella delle partizioni dell'unità con il seguente comando. Dovreste vedere "**GPT**" elencato sotto "Stile partizione": + + ``` + powershell Get-Disk + ``` + + 2. Esegui questo comando (in un prompt dei comandi di amministrazione) per verificare la versione del TPM. Dovresti vedere `2.0` o `1.2` elencati accanto a `SpecVersion`: + + ``` + powershell Get-Disk 0 | findstr GPT && echo This is a GPT system disk! + ``` + + 3. Accedi alle [Opzioni di Avvio Avanzate](https://support.microsoft.com/it-it/windows/opzioni-di-avvio-avanzate-inclusa-la-modalit%C3%A0-provvisoria-b90e7808-80b5-a291-d4b8-1a1af602b617). È necessario riavviare il sistema premendo il tasto F8 prima dell'avvio di Windows ed entrare nel *prompt dei comandi* in **Risoluzione dei problemi** → **Opzioni avanzate** → **Prompt dei comandi**. + + 4. Accedi con il tuo account admin e digita questo nel prompt dei comandi per avviare la cifratura: + + ``` + manage-bde -on c: -used + ``` + + 5. Chiudi il prompt dei comandi e continua l'avvio di Windows normalmente. + + 6. Apri il prompt dei comandi con privilegio di amministratore ed esegui i seguenti comandi: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! important + + Esegui il backup di `BitLocker-Recovery-Key.txt` sul desktop in un dispositivo di archiviazione separato. La perdita di questo codice di recupero può comportare la perdita dei dati. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** è la soluzione per la crittografia di volumi on-the-fly integrata in macOS. FileVault è consigliata perché [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) le funzionalità di sicurezza hardware presenti su un SoC in silicio o un T2 Security Chip di Apple. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentazione} + +Consigliamo di memorizzare una chiave di ripristino locale in un luogo sicuro, anziché utilizzare l'account iCloud per il ripristino. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** è il metodo di FDE (full-disk encryption) predefinito per Linux. Può essere usato per cifrare volumi completi, partizioni o creare container crittografati. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Codice Sorgente" } + +??? example "Creazione e apertura di container criptati" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Apertura di contenitori criptati + Consigliamo di aprire container e volumi con `udisksctl` poiché utilizza [Polkit](https://it.wikipedia.org/wiki/PolicyKit). La maggior parte dei file manager, tra cui quelli inclusi negli ambienti desktop maggiormente diffusi, posso sbloccare file crittografati. Strumenti come [udiskie](https://github.com/coldfix/udiskie) possono essere eseguiti nella barra delle applicazioni e forniscono un'utile interfaccia utente. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Ricorda di eseguire il backup delle intestazioni dei volumi" + + Consigliamo di eseguire sempre il [back up delle intestazioni LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in caso di guasto parziale dell'unità. Ciò può essere fatto con: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Basati sul browser + +La crittografia browser-based può essere utile quando è necessario cifrare un file ma non è possibile installare un software o delle applicazioni sul dispositivo. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** è una web application che fornisce una crittografia dei file lato client nel browser. Può anche essere self-hosted ed è utile se è necessario crittografare un file ma non è possibile installare un software sul dispositivo a causa delle politiche organizzative. + + [:octicons-globe-16: Sito web](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Codice Sorgente" } + :octicons-heart-16:{ .card-link title="Le modalità per le donazioni possono essere trovate al fondo del sito" } + +## Linea di comando + +Gli strumenti con interfacce a riga di comando sono utili per integrare [script di shells](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** è uno strumenti gratuito e open-source per la crittografia e la firma dei file che utilizza algoritmi di cifratura moderni e sicuri. Punta a essere una versione migliorata di[age](https://github.com/FiloSottile/age) e [Minisign](https://jedisct1.github.io/minisign/) per fornire un'alternativa semplice a GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** è un wrapper di shell a riga di comando per LUKS. Supporta la steganografia tramite [strumenti di terze parti](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Pagina principale](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribuisci } + +## OpenPGP + +OpenPGP è talvolta necessario per compiti specifici, come la firma digitale e la crittografia delle e-mail. PGP ha molte funzionalità ed è [complesso](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html)visto che è in circolazione da molto tempo. Per task come firmare o criptare i file, suggeriamo le opzioni di cui sopra. + +Quando cripti con PGP, puoi configurare diverse opzioni nel file `gpg.conf`. Raccomandiamo di attenersi alle opzioni standard specificate nella [FAQ per utenti di GnuPG](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Utilizzare future-default quando si genera una chiave" + + Quando si [generano le chiavi](https://www.gnupg.org/gph/en/manual/c14.html) suggeriamo di usare il comando 'future-default', che indica a GnuPG di usare metodi di crittografia moderna come [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) e [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** è un'alternativa con licenza GPL alla suite PGP per software crittografici. GnuPG è compliant a [RFC 4880](https://tools.ietf.org/html/rfc4880), che è l'attuale specifica IETF di OpenPGP. Il progetto GnuPG ha lavorato a una [bozza aggiornata](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) nel tentativo di modernizzare OpenPGP. GnuPG fa parte del progetto software Free Software Foundation di GNU ed ha ricevuto un'importante [finanziamento](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) dal governo tedesco. + + [:octicons-home-16: Pagina principale](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** è un pacchetto per Windows di [Intevation e g10 Code](https://gpg4win.org/impressum.html). Comprende [diversi strumenti](https://gpg4win.org/about.html) che possono aiutare nell'utilizzo di GPG su Microsoft Windows. Il progetto è stato avviato e in origine [finanziato dal](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Federal Office per l'Information Security (BSI) tedesco nel 2005. + + [:octicons-home-16: Pagina principale](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + Suggeriamo [Canary Mail](email-clients.md#canary-mail) per utilizzare PGP con le email su dispositivi iOS. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** fornisce il supporto OpenPGP per [Apple Mail](email-clients.md#apple-mail) e macOS. + + Si consiglia di dare un'occhiata ai [primi passi](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) e alle [conoscenze di base](https://gpgtools.tenderapp.com/kb) come supporto. + + [:octicons-home-16: Pagina principale](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** è un'implementazione Android di GnuPG. È comunementa richiesta da client mail come [K-9 Mail](email-clients.md#k-9-mail) e [FairEmail](email-clients.md#fairemail) e da alltre applicazioni Android per fornire supporto alla crittografia. Cure53 ha completato un'[ispezione di sicurezza](https://www.openkeychain.org/openkeychain-3-6) di OpenKeychain 3.6 nell'ottobre 2015. Dettagli tecnici riguardo all'audit e alle soluzioni di OpenKeychain possono essere trovate [qui](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Pagina principale](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Codice Sorgente" } + :octicons-heart-16:{ .card-link title="Le donazioni possono essere fatte nell'app" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Minimum Qualifications + +- Le applicazioni di crittografia multipiattaforma devono essere open-source. +- Le app di crittografia dei file devono supportare la decodifica su Linux, macOS e Windows. +- Le applicazioni per la crittografia dei dischi esterni devono supportare la decodifica su Linux, macOS e Windows. +- Le applicazioni di crittografia del disco interno (OS) devono essere multipiattaforma o integrate nel sistema operativo in modo nativo. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Le applicazioni di crittografia del sistema operativo (FDE) dovrebbero utilizzare una protezione hardware come TPM o Secure Enclave. +- Le applicazioni per la crittografia dei file devono avere un supporto di primo o terzo livello per le piattaforme mobili. diff --git a/i18n/it/file-sharing.md b/i18n/it/file-sharing.md new file mode 100644 index 00000000..1c216cb4 --- /dev/null +++ b/i18n/it/file-sharing.md @@ -0,0 +1,164 @@ +--- +title: "Condivisione e sincronizzazione dei file" +icon: material/share-variant +description: Scopri come condividere privatamente i tuoi file tra i tuoi dispositivi, con i tuoi amici e familirai, o in modo anonimo online. +--- + +Scopri come condividere privatamente i tuoi file tra i tuoi dispositivi, con i tuoi amici e familirai, o in modo anonimo online. + +## Condivisione di file + +### Send + +!!! recommendation + + ![Logo Send](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** è un fork del servizio Firefox Send di Mozilla, ormai dismesso, che consente di inviare file ad altri con un link. I file vengono crittografati sul dispositivo in modo da non poter essere letti dal server e possono essere protetti da password. Il manutentore di Send ospita una [istanza pubblica](https://send.vis.ee/). È possibile utilizzare altre istanze pubbliche o ospitare Send autonomamente. + + [:octicons-home-16: Pagina principale](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Istanze pubbliche"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribuisci } + +Send può essere utilizzato tramite la sua interfaccia web o tramite la CLI [ffsend](https://github.com/timvisee/ffsend). Se hai familiarità con la riga di comando e invii spesso file, consigliamo di utilizzare il client CLI per evitare la crittografia basata su JavaScript. È possibile specificare il flag `--host` per utilizzare un server specifico: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![Logo di OnionShare](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** è uno strumento open-source che consente di condividere in modo sicuro e anonimo file di qualsiasi dimensione. Funziona avviando un server web accessibile come servizio Tor onion, con un URL inesplicabile che si può condividere con i destinatari per scaricare o inviare file. + + [:octicons-home-16: Pagina principale](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Servizio Onion" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Must not store decrypted data on a remote server. +- Deve essere un software open-source. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![Logo Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** è un'utility open-source di sincronizzazione continua dei file peer-to-peer. Viene utilizzato per sincronizzare i file tra due o più dispositivi sulla rete locale o su Internet. + + Syncthing non utilizza un server centralizzato, ma il [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) per trasferire i dati tra i dispositivi. + +## Sincronizzazione dei file + +### Nextcloud (Client-Server) + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** è una suite per ufficio gratis, open-source e ricca di funzionalità. + + [:octicons-home-16: Pagina principale](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentazione} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +!!! danger "Pericolo" + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** è una suite di ufficio basata sul cloud gratuita, open-source e ricca di funzionalità, come l'integrazione con Nextcloud. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. Tutti i dati sono criptati usando TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +#### Requisiti minimi + +- Must not require a third-party remote/cloud server. +- Deve essere un software open-source. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/it/financial-services.md b/i18n/it/financial-services.md new file mode 100644 index 00000000..d8b2ae25 --- /dev/null +++ b/i18n/it/financial-services.md @@ -0,0 +1,112 @@ +--- +title: Servizi finanziari +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Servizi di mascheramento dei pagamenti + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/it/frontends.md b/i18n/it/frontends.md new file mode 100644 index 00000000..ab8b7bcb --- /dev/null +++ b/i18n/it/frontends.md @@ -0,0 +1,276 @@ +--- +title: "Frontend" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +A volte i servizi tentano di costringerti ad iscriverti ad un account bloccando l'accesso ai contenuti con fastidiosi popup. Potrebbero anche cessare di funzionare correttamente senza l'abilitazione di JavaScript. Questi frontend possono consentire di aggirare queste restrizioni. + +## Client + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** è un frontend gratuito e open-source per [Odysee](https://odysee.com/) (LBRY) che permette anche il self-hosting. + + Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Istanze pubbliche"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Codice sorgente" } + +!!! warning + + Librarian non fa da proxy dei video in modo predefinito. I video guardati attraverso Librarian continueranno a collegarsi direttamente ai server di Odysee (ad esempio, `odycdn.com`); tuttavia, alcune istanze possono abilitare il proxying, che sarà descritto in dettaglio nell'informativa sulla privacy dell'istanza. + +!!! important + + Librarian è utile se si desidera guardare contenuti LBRY sul cellulare senza telemetria obbligatoria e se si desidera disabilitare JavaScript nel browser, come nel caso di [Tor Browser](https://www.torproject.org/) sul livello di sicurezza Molto Sicuro. + +In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Librarian, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting. + +Quando si utilizza un'istanza di Librarian, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di Librarian possono essere modificate dai loro proprietari e quindi potrebbero non rispecchiare la politica predefinita. Le istanze di Librarian presentano una "etichetta nutrizionale sulla privacy" per fornire una panoramica della loro politica. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale). + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** è un frontend gratuito e open-source per [Twitter](https://twitter.com) che permette anche il self-hosting. + + Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="istanze pubbliche"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribuisci} + +!!! important + + Nitter è utile se si desidera navigare tra i contenuti di Twitter senza dover effettuare il login e se si desidera disabilitare JavaScript nel browser, come nel caso di [Tor Browser](https://www.torproject.org/) al livello di sicurezza Molto Sicuro. Permette anche di [creare feed RSS per Twitter] (news-aggregators.md#twitter). + +In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Nitter, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting. + +Quando utilizzi un'istanza di Nitter, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze Nitter possono essere modificate dai loro proprietari e quindi potrebbero non riflettere la politica predefinita. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale). + +## TikTok + +### ProxiTok + +!!! recommendation + + ![Logo ProxiTok](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** è un frontend open source per il sito web [TikTok](https://www.tiktok.com) che permette il self-hosting. + + Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org). + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Istanze pubbliche"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Codice sorgente" } + +!!! important + + ProxiTok è utile se desideri disabilitare JavaScript nel browser, come ad esempio con [Tor Browser](https://www.torproject.org/) sul livello di sicurezza Molto Sicuro. + +In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come ospiti ProxiTok, poiché l'utilizzo da parte di altre persone sarà collegato al proprio hosting. + +Quando utilizza un'istanza di ProxiTok, assicurati di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di ProxiTok possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere l'informativa sulla privacy associata. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale). + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** è un'applicazione desktop gratuita e open-source per [YouTube](https://youtube.com). Quando si utilizza FreeTube, l'elenco delle iscrizioni e le playlist vengono salvate localmente sul dispositivo. + + Per impostazione predefinita, FreeTube blocca tutti gli annunci pubblicitari di YouTube. Inoltre, è possibile integrare [SponsorBlock](https://sponsor.ajay.app) per saltare i segmenti sponsorizzati dei video. + + [:octicons-home-16: Pagina principale](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + Quando utilizzi FreeTube, l'indirizzo IP potrebbe essere ancora noto a YouTube, [Invidious](https://instances.invidious.io) o [SponsorBlock](https://sponsor.ajay.app/) a seconda della configurazione. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** è un'applicazione Android gratuita e open-source per [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com) e [PeerTube](https://joinpeertube.org/) (1). + + L'elenco delle iscrizioni e delle playlist viene salvato localmente sul dispositivo Android. + + [:octicons-home-16: Pagina principale](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. L'istanza predefinita è [FramaTube](https://framatube.org/), ma se ne possono aggiungere altre tramite **Impostazioni** → **Contenuti** → **Istanze di PeerTube** + +!!! Warning + + Quando utilizzi NewPipe, il tuo indirizzo IP sarà visibile ai fornitori di video utilizzati. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** è un frontend gratuito e open-source per [YouTube](https://youtube.com) che permette anche il self-hosting. + + Esistono diverse istanze pubbliche, alcune delle quali supportano i servizi onion di [Tor](https://www.torproject.org). + + [:octicons-home-16: Pagina principale](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Istanze pubbliche"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribuisci } + +!!! warning + + Invidious non esegue il proxy dei video in modo predefinito. I video guardati attraverso Invidious continueranno a collegarsi direttamente ai server di Google (ad esempio, `googlevideo.com`); tuttavia, alcune istanze supportano il proxy video: è sufficiente attivare *Proxy video* nelle impostazioni dell'istanza o aggiungere `&local=true` all'URL. + +!!! important + + Invidious è utile se si desidera disabilitare JavaScript nel browser, ad esempio [Tor Browser](https://www.torproject.org/) al livello di sicurezza Molto Sicuro. Non garantisce di per sé la privacy e non consigliamo di accedere ad alcun account. + +In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Invidious, poiché l'utilizzo da parte di altre persone sarà collegato al proprio hosting. + +Quando si utilizza un'istanza di Invidious, assicurarsi di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze di Invidious possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere la politica sulla privacy ad esse associata. Alcune istanze hanno indirizzi Tor .onion che possono garantire una certa privacy, a patto che le stringhe di ricerca non contengano PII (Personally Identifiable Information, Informazioni di Identificazione Personale). + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** è un frontend gratuito e open-source per [YouTube](https://youtube.com) che permette anche il self-hosting. + + Piped richiede JavaScript per funzionare e ci sono diverse istanze pubbliche. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Istanze pubbliche"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribuisci } + +!!! important + + Piped è utile se si vuole utilizzare [SponsorBlock](https://sponsor.ajay.app) senza installare un'estensione o se si vuole accedere a contenuti con limiti d'età senza un account. Non garantisce di per sé la privacy e non consigliamo di accedere ad alcun account. + +In caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza per poterti confondere tra di loro. È necessario prestare attenzione a dove e come si ospita Piped, poiché l'utilizzo da parte di altre persone sarà collegato al tuo hosting. + +Quando si utilizza un'istanza Piped, assicurarsi di leggere l'informativa sulla privacy di quella specifica istanza. Le istanze Piped possono essere modificate dai loro proprietari e pertanto potrebbero non riflettere l'informativa sulla privacy ad esse associata. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +Recommended frontends... + +- Deve essere un software open-source. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/it/index.md b/i18n/it/index.md new file mode 100644 index 00000000..4176832d --- /dev/null +++ b/i18n/it/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.it.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Perché dovrebbe importarmi? + +##### “Non ho nulla da nascondere. Perché dovrei preoccuparmi della mia privacy?" + +Proprio come il diritto al matrimonio interrazziale, il suffragio della donna, la libertà di parola e molti altri, il nostro diritto alla privacy non è sempre stato sostenuto. In diverse dittature non lo è ancora. Le generazioni precedenti alla nostra hanno combattuto per il nostro diritto alla privacy. ==La privacy è un diritto umano inerente a tutti noi== che ci spetta (senza discriminazione). + +Non bisogna confondere la privacy con la segretezza. Sappiamo cosa succede in bagno, ma chiudi lo stesso la porta. Questo perché vuoi la privacy, non la segretezza. **Tutti** hanno qualcosa da proteggere. La privacy è qualcosa che ci rende umani. + +[:material-target-account: Minacce comuni di Internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## Cosa dovrei fare? + +##### Per prima cosa, devi avere un piano + +Cercare di proteggere tutti i dati da tutti, in ogni momento, è poco pratico, costoso ed estenuante. Ma non preoccuparti! La sicurezza è un processo e, pensando in anticipo, puoi mettere a punto un piano adatto a te. La sicurezza non riguarda solo gli strumenti utilizzati o il software scaricato. Piuttosto, inizia con la comprensione delle minacce personali che devi affrontare e di come puoi mitigarle. + +==Questo processo d'identificazione delle minacce e di definizione delle contromisure si chiama **threat modeling**== e costituisce la base di ogni buon piano di sicurezza e privacy. + +[:material-book-outline: Per saperne di più sul Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Abbiamo bisogno di te! Ecco come puoi partecipare: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Partecipa al nostro Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Seguici su Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribuisci al sito web" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Aiuta a tradurre il sito web" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chatta con noi su Matrix" } +[:material-information-outline:](about/index.md){ title="Scopri di più su di noi" } +[:material-hand-coin-outline:](about/donate.md){ title="Sostieni il progetto" } + +È importante che un sito web come Privacy Guide rimanga sempre aggiornato. Abbiamo bisogno che il nostro pubblico tenga d'occhio gli aggiornamenti software per le applicazioni elencate sul nostro sito e segua le notizie recenti sui provider che raccomandiamo. È difficile stare al passo con il ritmo veloce di internet, ma facciamo del nostro meglio. Se noti un errore, pensi che un provider non dovrebbe essere elencato, noti che manca un provider qualificato, credi che un plug-in del browser non sia più la scelta migliore o scopri qualsiasi altro problema, faccelo sapere. diff --git a/i18n/it/kb-archive.md b/i18n/it/kb-archive.md new file mode 100644 index 00000000..94e2e503 --- /dev/null +++ b/i18n/it/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: Archivio conoscenze di base +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pagine spostate nel blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Hardening di Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Hardening del sistema](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Sandboxing delle applicazioni](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Cancellazione sicura dei dati](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrazione della rimozioni di metadata](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Guida alla configurazione di iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/it/meta/brand.md b/i18n/it/meta/brand.md new file mode 100644 index 00000000..4641ba84 --- /dev/null +++ b/i18n/it/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +Il nome del subreddit è **r/PrivacyGuides** o ** the Privacy Guides Subreddit **. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Marchio Registrato + +"Privacy Guides" e il logo dello scudo sono marchi di proprietà di Jonah Aragon, l'uso illimitato è concesso al progetto Privacy Guides. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. Se si è a conoscenza di tali utilizzi, si prega di contattare Jonah Aragon all'indirizzo jonah@privacyguides.org. In caso di domande, consultate il vostro legale. diff --git a/i18n/it/meta/git-recommendations.md b/i18n/it/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/it/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/it/meta/uploading-images.md b/i18n/it/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/it/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/it/meta/writing-style.md b/i18n/it/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/it/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/it/mobile-browsers.md b/i18n/it/mobile-browsers.md new file mode 100644 index 00000000..3f8d87df --- /dev/null +++ b/i18n/it/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Browser mobile" +icon: octicons/device-mobile-16 +description: Questi browser sono quelli che attualmente consigliamo per la navigazione Internet standard/non anonima sul tuo telefono. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Questi sono i browser e le configurazioni attualmente consigliati per la navigazione standard/non anonima. Se hai bisogno di navigare in Internet in modo anonimo, dovresti invece usare [Tor](tor.md). In generale, consigliamo di tenere il numero di estensioni al minimo: hanno accesso privilegiato all'interno del browser, richiedono di fidarsi dello sviluppatore, possono farti [risaltare](https://it.wikipedia.org/wiki/Device_fingerprint) e [indeboliscono](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) l'isolamento dei siti. + +## Android + +Per Android, Firefox è meno sicuro delle alternative basate su Chromium: il motore di Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), non supporta ancora [l'isolamento dei siti](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) e non ha abilitato [l'isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** include un content blocker integrato e [funzionalità di privacy](https://brave.com/privacy-features/), molte delle quali attive in modo predefinito. + + Brave è sviluppato a partire dal progetto del browser web Chromium, quindi dovrebbe risultare familiare e avere problemi minimi di compatibilità con i siti web. + + [:octicons-home-16: Pagina principale](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Codice sorgente" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Configurazione consigliata + +Il Tor Browser è l'unico che veramente permette di navigare Internet anonimamente. Quando usi Brave, consigliamo di cambiare le seguenti impostazioni per proteggere la tua privacy da terze parti, ma tutti i browser eccetto il [Tor Browser](tor.md#tor-browser) sono tracciabili da *qualcuno* in qualche modo. + +Queste opzioni si trovano in :material-menu: → **Impostazioni** → **Brave Shields & privacy** + +##### Shields + +Brave include alcune misure contro il fingerprinting nella sua funzionalità [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Consigliamo di configurare queste opzioni [globalmente](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) applicate a tutti i siti che visiti. + +##### Valori predefiniti globali di Brave Shields + +Le funzionalità di Shields possono essere ridotte per ogni sito se necessario; ciò nonostante, raccomandiamo le seguenti impostazioni: + +
+ +- [x] Seleziona **Aggressivo** sotto Blocca tracker & pubblicità + +???? warning "Usa gli elenchi di filtri predefiniti" + Brave ti consente di selezionare ulteriori filtri di contenuti mediante la pagina interna `brave://adblock`. Si consiglia di non utilizzare questa funzione e di mantenere gli elenchi di filtri predefiniti. il loro utilizzo ti distingue dagli altri utenti Brave, e potrebbe inoltre aumentare la superficie di attacco se esiste un exploit nel browser sfruttabile da codice malizioso presente nelle liste stesse. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Svuota dati di navigazione + +- [x] Seleziona **Cancellare i dati all'uscita** + +##### Blocco dei social media + +- [ ] Deseleziona tutte le opzioni legate ai social + +##### Altre impostazioni sulla privacy + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) permette ai dati di navigazione (cronologia, segnalibri, ecc.) di essere accessibili su tutti i dispositivi senza richiedere un account e li protegge con E2EE. + +## iOS + +Per iOS, ogni app che può navigare il web è [costretta](https://developer.apple.com/app-store/review/guidelines) ad usare il framework [WebKit](https://developer.apple.com/documentation/webkit) di Apple, perciò non ci sono molti motivi per usare un browser di terze parti. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** è il browser web predefinito di iOS. Include [funzionalità di privacy](https://support.apple.com/it-it/guide/iphone/iphb01fc3c85/15.0/ios/15.0) come l'anti-tracciamento intelligente, il resoconto sulla privacy, l'isolamento dei pannelli in navigazione privata, Relay privato di iCloud e aggiornamenti automatici all'HTTPS. + + [:octicons-home-16: Pagina principale](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentazione} + +#### Configurazione consigliata + +Queste opzioni si trovano in :gear: **Impostazioni** → **Safari** → **Privacy e sicurezza**. + +##### Prevenzione del cross-site tracking + +- [x] Attiva **Blocca cross-site tracking** + +Questa opzione attiva la [Protezione intelligente dal tracciamento](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp) di WebKit. La funzione aiuta a proteggere dal tracciamento indesiderato utilizzando l'apprendimento automatico sul dispositivo per bloccare i tracker. La PIT protegge dalla maggior parte dei pericoli comuni, ma non blocca tutte le vie di tracciamento, essendo progettato per non interferire con l'usabilità dei siti web. + +##### Resoconto sulla privacy + +Il resoconto sulla privacy fornisce un'istantanea dei tracker cross-site attualmente bloccati, impedendo loro di creare un tuo profilo sul sito web che stai visitando. Inoltre, fornisce un resoconto settimanale che mostra quali tracker sono stati bloccati. + +Il resoconto sulla privacy è accessibile dal menu impostazioni pagina. + +##### Misurazione pubblicità che tutela la privacy + +- [ ] Disattiva **Misurazione pubblicità che tutela la privacy** + +Tradizionalmente, la misurazione dei click pubblicitari usa tecnologia di tracciamento che viola la privacy dell'utente. La [Misurazione dei click privata](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) è una funzionalità di WebKit che propone uno standard web mirato, che consenta agli inserzionisti di misurare l'efficacia delle campagne web senza compromettere la privacy dell'utente. + +Questa funzionalità non è molto preoccupante dal punto di vista della privacy di per sè, ma consideriamo che è automaticamente disabilitata duarante la navigazione privata come segnale per non utilizzarla. + +##### Navigazione privata sempre attiva + +Apri Safari e premi il pulsante Schede posto in basso a destra. Poi espandi la lista dei gruppi di schede. + +- [x] Seleziona **Privata** + +La modalità di navigazione privata di Safari offre ulteriori protezioni sulla privacy. La navigazione privata utilizza una nuova sessione [effimera](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) per ogni scheda, isolandole una dall'altra. La navigazione privata offre anche altri piccoli vantaggi in termini di privacy, come la possibilità di non inviare l'indirizzo di una pagina web ad Apple quando si usa la funzione di traduzione di Safari. + +Nota che la navigazione privata non salva i cookie e i dati dei siti, quindi non sarà possibile mantenere l'accesso nei siti. Ciò può essere sconveniente. + +##### Sincronizzazione iCloud + +La sincronizzazione della cronologia di Safari, dei gruppi di schede, delle schede iCloud e delle password salvate è E2EE. Tuttavia, i segnalibri [non](https://support.apple.com/it-it/HT202303) lo sono in modo predefinito. Apple può decifrarli e accedervi in conformità con la sua [politica sulla privacy](https://www.apple.com/legal/privacy/it/). + +Puoi abilitare la E2EE per i segnalibri e i download di Safari attivando la [Protezione avanzata dei dati](https://support.apple.com/it-it/HT212520). Vai al tuo **nome ID Apple → iCloud → Protezione avanzata dei dati**. + +- [x] Attiva **Protezione avanzata dei dati** + +Se usi iCloud con la Protezione avanzata dei dati, consigliamo anche di controllare che la posizione di download predefinita di Safari sia impostata localmente sul tuo dispositivo. Questa opzione si trova in :gear: **Impostazioni** → **Safari** → **Generale** → **Download**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard per iOS** è un'estensione per il blocco dei contenuti gratuita ed open-source per Safari che utilizza la [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker) integrata. + + AdGuard per iOS ha alcune funzionalità premium, ma il blocco di contenuti standard di Safari è gratuito. + + [:octicons-home-16: Pagina principale](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Liste di filtri aggiuntive possono intaccare le prestazioni ed aumentare la superficie di attacco, quindi utilizza solo il necessario. + +## Criteri + +**Si noti che non siamo affiliati a nessuno dei progetti che consigliamo.** Oltre a [i nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti che ci permettono di fornire raccomandazioni obiettive. Ti consigliamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e condurre le tue ricerche per assicurarti che sia la scelta giusta per te. + +!!! example "Questa sezione è nuova" + + Stiamo lavorando per stabilire criteri definiti per ogni sezione del nostro sito, e questo potrebbe essere soggetto a modifiche. Se hai domande sui nostri criteri, [chiedi sul nostro forum](https://discuss.privacyguides.net/latest) e non dare per scontato che non abbiamo preso in considerazione qualcosa quando formuliamo i nostri consigli se non è elencato qui. Sono molti i fattori presi in considerazione e discussi quando raccomandiamo un progetto e documentare ogni singolo fattore è un lavoro in corso. + +### Requisiti minimi + +- Deve supportare gli aggiornamenti automatici. +- Deve ricevere gli aggiornamenti del motore in 0-1 giorni dalla pubblicazione upstream. +- Qualsiasi modifica necessaria per rendere il browser più rispettoso della privacy non dovrebbe avere un impatto negativo sull'esperienza dell'utente. +- I browser Android devono usare il motore Chromium. + - Purtroppo, Mozilla GeckoView per ora è meno sicuro di Chromium su Android. + - I browser iOS sono limitati a WebKit. + +### Criteri delle estensioni + +- Non deve replicare funzionalità integrate nel browser o del sistema operativo. +- Deve avere un impatto diretto sulla privacy dell'utente, cioè non deve limitarsi a fornire informazioni. diff --git a/i18n/it/multi-factor-authentication.md b/i18n/it/multi-factor-authentication.md new file mode 100644 index 00000000..ceaaf4b5 --- /dev/null +++ b/i18n/it/multi-factor-authentication.md @@ -0,0 +1,157 @@ +--- +title: "Autenticatori a più fattori" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Chiavi di sicurezza fisiche + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + Le **YubiKey** sono tra le chiavi di sicurezza più diffuse. Alcuni modelli di YubiKey dispongono di un'ampia gamma di funzionalità come: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 e WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP e HOTP](https://developers.yubico.com/OATH). + + Uno dei vantaggi di YubiKey è che una chiave può fare quasi tutto ciò che ci si aspetta da una chiave di sicurezza fisica (YubiKey 5). Invitiamo a svolgere il [quiz](https://www.yubico.com/quiz/) per essere sicuri di fare il giusto acquisto. + + [:octicons-home-16: Pagina principale](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentazione} + +La [tabella di confronto](https://www.yubico.com/store/compare/) mostra le caratteristiche e le differenze tra le YubiKey. Consigliamo vivamente di scegliere le chiavi della Serie 5. + +Le YubiKey possono essere programmate utilizzando [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) o [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). Per la gestione dei codici TOTP, è possibile utilizzare il [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). Tutti i client di Yubico sono open source. + +Per i modelli che supportano HOTP e TOTP, ci sono 2 slot nell'interfaccia OTP che possono essere utilizzati per HOTP e 32 slot per memorizzare i segreti TOTP. Questi segreti vengono memorizzati in modo criptato sulla chiave e non vengono mai esposti ai dispositivi a cui sono collegati. Una volta fornito un seme (segreto condiviso) al Yubico Authenticator, questo fornirà solo codici a sei cifre, ma mai il seme. Questo modello di sicurezza contribuisce a limitare le possibilità di un aggressore che comprometta uno dei dispositivi che eseguono il Yubico Authenticatore, rendendo la YubiKey resistente a un aggressione fisica. + +!!! warning + Il firmware delle YubiKeys non è open-source, né aggiornabile. Se desideri avere le funzionalità presenti in versioni più nuove del firmware, o se è presente una vulnerabilità nella tua versione corrente, è necessario comprare una nuova chiavetta. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** ha una chiave di sicurezza che supporta [FIDO2 e WebAuthn] (basics/multi-factor-authentication.md#fido-fast-identity-online), chiamata **Nitrokey FIDO2**. Per il supporto PGP, è necessario un'altra delle loro chiavi, come la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**. + + [:octicons-home-16: Pagina principale](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentazione} + +La [tabella di confronto](https://www.nitrokey.com/#comparison) mostra le caratteristiche e le differenze tra le chiavette Nitrokey. La **Nitrokey 3** elencata ha un insieme di funzioni combinate. + +I modelli Nitrokey possono essere configurati utilizzando l'applicazione [Nitrokey](https://www.nitrokey.com/download). + +Per i modelli che supportano HOTP e TOTP, ci sono 3 slot per HOTP e 15 per TOTP. Alcune Nitrokey possono fungere da gestori di password. Possono memorizzare fino a 16 credenziali diverse, criptandole con la stessa password dell'interfaccia OpenPGP. + +!!! warning + + Sebbene le Nitrokey non rilascino i segreti HOTP/TOTP al dispositivo a cui sono collegati, la memoria HOTP e TOTP non è crittografata ed è vulnerabile agli attacchi fisici. Se desideri memorizzare i segreti HOTP o TOTP, consigliamo caldamente di utilizzare una Yubikey. + +!!! warning + + Reimpostare l'interfaccia OpenPGP su una Nitrokey rende il database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Il firmware di Nitrokey è open-source, a differenza di YubiKey. Il firmware dei modelli NitroKey moderni (tranne che per **NitroKey Pro 2**) è aggiornabile. + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +#### Requisiti minimi + +- Must use high quality, tamper resistant hardware security modules. +- Deve supportare le ultime specifiche FIDO2. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Applicazioni di autenticazione + +Le applicazioni di autenticazione implementano lo standard di sicurezza daottato dalla Internet Engineering Task Force (IETF) chaiamto **'Time-based One-time Passwords'**, o **'TOTP'**. È un metodo in cui i siti web condividono un segreto con l'utente, il quale viene utilizzato dall'applicazione di autenticazione per generare, solitamente, un codice a sei cifre basato sull'ora corrente, che viene inserita durante l'accesso al sito web da controllare. Tipicamente questi codici vengono rigenerati ogni 30 secondi; quando ne viene generato uno nuovo, quello vecchio diventa inutile. Anche se un hacker fosse in grado di ottenere il codice a sei cifre, non ha modo di invertire il codice per ottenere il segreto originale, né di prevedere quali potrebbero essere i codici futuri. + +Consigliamo vivamente di utilizare applicazioni TOTP per dispositivi mobili invece delle alternative desktop; questo perché Android e iOS offrono una migliore sicurezza e isolazione delle applicazioni, rispetto alla maggior parte dei sistemi operativi per desktop. + +### Raivo OTP + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** è un'applicazione gratuita, sicura e open-source per gestire i token di verifica dei due passaggi per i vostri servizi online. + + [:octicons-home-16: Pagina principale](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** è un client per password su iOS nativo, leggero e sicuro, basato sul tempo (TOTP) & sul contatore (HOTP). Ravio OTP offre la sincronizzazione & il backup opzionali via iCloud. È inoltre disponibile per macOS come applicazione nella barra di stato, ma non funzione indipendentemente dall'applicazione su iOS. + + [:octicons-home-16: Pagina principale](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/it/news-aggregators.md b/i18n/it/news-aggregators.md new file mode 100644 index 00000000..5e846863 --- /dev/null +++ b/i18n/it/news-aggregators.md @@ -0,0 +1,181 @@ +--- +title: "Aggregatori di notizie" +icon: octicons/rss-24 +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Client aggregatori + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** è un aggregatore di notizie, parte del progetto [KDE](https://kde.org). È dotato di ricerca rapida, funzionalità avanzate di archivio e un browser interno per leggere semplicemente le notizie. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** è un moderno client RSS per android con numerose [features](https://gitlab.com/spacecowboy/Feeder#features) e una buona coesione con le cartelle di feed RSS. Supporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Logo di Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** è un aggregatore di notizie sicuro e multipiattaforma, dotato di utili funzioni per la privacy come la cancellazione dei cookie all'uscita, di rigorose [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) e del supporto proxy, che consente di utilizzarlo su [Tor](tor.md). + + [:octicons-home-16: Pagina principale](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** è un aggregatore di notizie [RSS](https://en.wikipedia.org/wiki/RSS) e [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) per [GNOME](https://www.gnome.org). Ha un'interfaccia semplice ed è piuttosto veloce. + + [:octicons-home-16: Pagina principale](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** è un aggregatore di notizie basato sul web; è possibile il self-hosting. Supporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Pagina principale](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribuisci } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** è un lettore di feed gratuito ed open-source per macOS e iOS, con un focus su design e funzionalità native. Supporta il tipico format feed, oltre al supporto integrato per i feed di Twitter e Reddit. + + [:octicons-home-16: Pagina principale](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** è un lettore feed RSS/Atom per la console di testo. È un fork attivamente mantenuto di [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). È molto leggero, e ideale per l'utilizzo attraverso [Secure Shell](https://it.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Pagina principale](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Codice sorgente" } + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Deve essere un software open-source. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Usando una qualsiasi [istanza](https://github.com/zedeus/nitter/wiki/Instances) di Nitter, è possibile iscriversi mediante RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Puoi iscriverti ai canali YouTube senza accedere e senza associare le informazioni di utilizzo al proprio account Google. + +!!! example + 1. Scegli un istanza e imposta `istanza_nitter`. + 2. Sostituisci `account_twitter` con il nome dell'account che desideri seguire. + + ```text + https://{{ istanza_nitter }}/{{ account_twitter }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/it/notebooks.md b/i18n/it/notebooks.md new file mode 100644 index 00000000..19b483ba --- /dev/null +++ b/i18n/it/notebooks.md @@ -0,0 +1,118 @@ +--- +title: "Blocchi note" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Tieni traccia delle tue note e diari senza doverli dare a una terza parte. + +Se stai attualmente utilizzando un'applicazione come Evernote, Google Keep o Microsoft OneNote, ti suggeriamo di scegliere una delle seguenti alernative che supportano E2EE. + +## Cloud + +### Joplin + +!!! recommendation + + ![Logo Joplin](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** è un'applicazione gratuita, open-source e dotata di tutte le funzionalità per prendere appunti e per le attività da svolgere, in grado di gestire un gran numero di note markdown organizzate in taccuini e tag. Offre E2EE e può sincronizzarsi con Nextcloud, Dropbox e altro ancora. Offre anche la possibilità di importare facilmente note da Evernote e note in testo semplice. + + [:octicons-home-16: Pagina principale](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin non supporta la protezione con password/PIN per [l'applicazione stessa o per i singoli appunti e taccuini](https://github.com/laurent22/joplin/issues/289). Tuttavia, i dati vengono comunque crittografati durante il transito e nella posizione di sincronizzazione utilizzando la chiave master. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Logo Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** è un'applicazione per appunti semplice e privata che rende i tuoi appunti facili e disponibili ovunque tu sia. È dotato di E2EE su ogni piattaforma e di una potente esperienza desktop con temi ed editor personalizzati. È stato anche [sottoposto a ispezione indipendente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Pagina principale](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Org-mode + +!!! recommendation + + ![Logo Org-mode](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** è una [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) per GNU Emacs. Org-mode serve per prendere appunti, mantenere elenchi TODO, pianificare progetti e scrivere documenti con un sistema di testo semplice rapido ed efficace. + + La sincronizzazione è possibile con gli strumenti di [sincronizzazione dei file](file-sharing.md#file-sync). [:octicons-home-16: Pagina principale](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribuisci } + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Locali + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- La funzionalità di backup/sincronizzazione locale dovrebbe supportare la crittografia. +- Le piattaforme basate sul cloud dovrebbero supportare la condivisione dei documenti. diff --git a/i18n/it/os/android-overview.md b/i18n/it/os/android-overview.md new file mode 100644 index 00000000..4db10e24 --- /dev/null +++ b/i18n/it/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Panoramica Android +icon: fontawesome/brands/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android è un sistema operativo sicuro, dotato di [sandboxing delle app](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB) e di un robusto sistema di controllo delle [autorizzazioni](https://developer.android.com/guide/topics/permissions/overview). + +## Scegliere una distribuzione di Android + +Quando acquisti un telefono Android, il sistema operativo predefinito del dispositivo è spesso dotato di un'integrazione invasiva con applicazioni e servizi che non fanno parte di [Android Open-Source Project](https://source.android.com/). Un esempio è Google Play Services, che ha privilegi irrevocabili di accesso ai file, alla memoria dei contatti, ai registri delle chiamate, ai messaggi SMS, alla posizione, alla fotocamera, al microfono, agli identificatori hardware e così via. Queste applicazioni e servizi aumentano la superficie di attacco del dispositivo e sono all'origine di vari problemi di privacy con Android. + +Questo problema potrebbe essere risolto utilizzando una distribuzione modificata di Android che non preveda un'integrazione così invasiva. Purtroppo, molte distribuzioni di Android personalizzate spesso violano il modello di sicurezza di Android, non supportando funzioni di sicurezza critiche come AVB, protezione rollback, aggiornamenti del firmware e così via. Alcune distribuzioni forniscono anche build [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) che espongono root tramite [ADB](https://developer.android.com/studio/command-line/adb) e richiedono politiche SELinux [più permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) per ospitare le funzionalità di debug, con conseguente ulteriore aumento della superficie di attacco e indebolimento del modello di sicurezza. + +Idealmente, quando si sceglie una distribuzione modificata di Android, bisogna assicurarsi che rispetti il modello di sicurezza Android. Come minimo, la distribuzione dovrebbe avere build di produzione, supporto per AVB, protezione dal rollback, aggiornamenti tempestivi del firmware e del sistema operativo e SELinux in [modalità enforcing](https://source.android.com/security/selinux/concepts#enforcement_levels). Tutte le distribuzioni di Android da noi consigliate soddisfano questi criteri. + +[Le nostre raccomandazioni per il sistema Android :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Evitare il rooting + +Il [rooting](https://it.wikipedia.org/wiki/Rooting) dei telefoni Android può diminuire notevolmente la sicurezza in quanto indebolisce nel complesso il [modello di sicurezza di Android](https://it.wikipedia.org/wiki/Android#Privacy_e_sicurezza). Questo può ridurre la privacy nel caso in cui si verifichi un exploit favorito dalla riduzione della sicurezza. I metodi di rooting più comuni prevedono la manomissione diretta della partizione di avvio, rendendo impossibile l'esecuzione di un Verified Boot. Le applicazioni che richiedono il root modificheranno anche la partizione di sistema, il che significa che Verified Boot dovrà rimanere disabilitato. L'esposizione di root direttamente nell'interfaccia utente aumenta inoltre la [superficie di attacco](https://it.wikipedia.org/wiki/Superficie_di_attacco) del dispositivo e può favorire [l'escalation dei privilegi](https://it.wikipedia.org/wiki/Privilege_escalation) e l'aggiramento delle politiche di SELinux. + +Gli adblocker che modificano il [file hosts](https://it.wikipedia.org/wiki/Hosts) (AdAway) e i firewall (AFWall+) che richiedono l'accesso root in modo persistente sono pericolosi e non dovrebbero essere utilizzati. Inoltre, non sono il modo corretto per risolvere i loro scopi. Se vuoi bloccare le pubblicità suggeriamo invece l'uso di [DNS](../dns.md) criptati o di [VPN](../vpn.md) con questa funzione. RethinkDNS, TrackerControl e AdAway in modalità non-root occuperanno lo slot VPN (utilizzando un loopback VPN locale) impedendovi di utilizzare servizi di miglioramento della privacy come Orbot o un vero server VPN. + +AFWall+ funziona in base all'approccio del [filtraggio dei pacchetti](https://it.wikipedia.org/wiki/Firewall#Filtraggio_dei_pacchetti/contenuti) e può essere bypassato in alcune situazioni. + +Non crediamo che i sacrifici in termini di sicurezza fatti con il rooting di un telefono valgano i discutibili vantaggi per la di privacy di queste applicazioni. + +## Verified Boot + +Il [Verified Boot](https://source.android.com/security/verifiedboot) (avvio verificato) è una parte importante del modello di sicurezza di Android. Fornisce protezione contro gli attacchi [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), la persistenza del malware e garantisce che gli aggiornamenti di sicurezza non possano essere declassati con la protezione da [rollback](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +A partire da Android 10 si è passati dalla crittografia dell'intero disco alla più flessibile [crittografia basata sui file](https://source.android.com/security/encryption/file-based). I dati vengono crittografati utilizzando chiavi di crittografia uniche, mentre i file del sistema operativo vengono lasciati in chiaro. + +Il Verified Boot garantisce l'integrità dei file del sistema operativo, impedendo così a un avversario con accesso fisico di manomettere o installare malware sul dispositivo. Nel caso improbabile che il malware sia in grado di sfruttare altre parti del sistema e ottenere un accesso privilegiato superiore, Verified Boot impedisce e ripristina le modifiche alla partizione di sistema al riavvio del dispositivo. + +Sfortunatamente, gli OEM sono obbligati a supportare il Verified Boot solo sulla loro distribuzione stock di Android. Solo alcuni OEM, come Google, supportano la registrazione personalizzata della chiave AVB sui loro dispositivi. Inoltre, alcuni derivati di AOSP come LineageOS o /e/ OS non supportano il Verified Boot anche su hardware con supporto per il Verified Boot per sistemi operativi di terze parti. Si consiglia di verificare il supporto **prima** di acquistare un nuovo dispositivo. I derivati di AOSP che non supportano il Verified Boot **non** sono consigliati. + +Molti OEM hanno anche implementazioni non funzionanti del Verified Boot di cui bisogna essere consapevoli al di là del loro marketing. Ad esempio, i Fairphone 3 e 4 non sono sicuri per impostazione predefinita, poiché il bootloader stock di [si affida alla chiave di firma AVB pubblica](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Ciò invalida l'avvio verificato su un dispositivo Fairphone stock, in quanto il sistema avvierà sistemi operativi Android alternativi come (ad esempio /e/) [senza alcun avviso](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) sull'utilizzo del sistema operativo modificato. + +## Aggiornamenti del firmware + +Gli aggiornamenti del firmware sono fondamentali per mantenere la sicurezza e senza di essi il dispositivo non può essere sicuro. Gli OEM stipulano accordi di supporto con i loro partner per fornire i componenti closed-source per un periodo di supporto limitato. Questi sono riportati mesilmente in [Android Security Bulletins](https://source.android.com/security/bulletin) (bollettini di sicurezza di Android). + +Poiché i componenti del telefono, come il processore e le tecnologie radio, si basano su componenti closed-source, gli aggiornamenti devono essere forniti dai rispettivi produttori. Pertanto, è importante acquistare un dispositivo all'interno di un ciclo di assistenza attivo. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) e [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) supportano i loro dispositivi per 4 anni, mentre i prodotti più economici hanno spesso cicli di supporto più brevi. Con l'introduzione di [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google produce ora il proprio SoC e fornirà un supporto di almeno 5 anni. + +I dispositivi EOL che non sono più supportati dal produttore del SoC non possono ricevere aggiornamenti del firmware dai fornitori OEM o dai distributori Android after market. Ciò significa che i problemi di sicurezza di questi dispositivi non saranno risolti. + +Fairphone, ad esempio, commercializza i propri dispositivi con 6 anni di assistenza. Tuttavia, il SoC (Qualcomm Snapdragon 750G sul Fairphone 4) ha una data di scadenza molto più breve. Ciò significa che gli aggiornamenti di sicurezza del firmware di Qualcomm per il Fairphone 4 termineranno nel settembre 2023, indipendentemente dal fatto che Fairphone continui a rilasciare aggiornamenti di sicurezza del software. + +## Versioni di Android + +È importante non utilizzare una versione di Android a [fine vita](https://endoflife.date/android). Le nuove versioni di Android non ricevono solo aggiornamenti di sicurezza per il sistema operativo, ma anche importanti aggiornamenti per migliorare la privacy. Ad esempio, [prima di Android 10](https://developer.android.com/about/versions/10/privacy/changes), qualsiasi app con l'autorizzazione [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) poteva accedere a numeri di serie sensibili e unici del telefono, come [IMEI](https://it.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier) e [IMSI](https://it.wikipedia.org/wiki/IMSI) della carta SIM, mentre ora devono essere app di sistema per farlo. Le applicazioni di sistema sono fornite solo dagli OEM o dalla distribuzione di Android. + +## Autorizzazioni di Android + +[Le autorizzazioni su Android](https://developer.android.com/guide/topics/permissions/overview) consentono di controllare ciò a cui le applicazioni hanno accesso. Google apporta regolarmente [miglioramenti](https://developer.android.com/about/versions/11/privacy/permissions) al sistema delle autorizzazioni in ogni nuova versione. Tutte le applicazioni installate sono rigorosamente [confinate in una sandbox](https://source.android.com/security/app-sandbox), pertanto non è necessario installare alcuna applicazione come antivirus. + +Uno smartphone con l'ultima versione di Android sarà sempre più sicuro di un vecchio smartphone con un antivirus a pagamento. È meglio non pagare il software antivirus e risparmiare per acquistare un nuovo smartphone come il Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Le applicazioni che rispettano la privacy come [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) possono mostrare alcuni tracker come [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Accesso ai media + +Molte applicazioni consentono di "condividere" un file per il caricamento dei media. Se desideri, ad esempio, caricare una foto su Twitter, non concedere a Twitter l'accesso a "media e foto", perché in questo modo avrà accesso a tutte le immagini. Invece, apri il gestore di file (documentsUI), tieni premuta l'immagine, quindi condividila con Twitter. + +## Profili utente + +I profili utente multipli si trovano in **Impostazioni** → **Sistema** → **Utenti multipli** e sono il modo più semplice per isolare in Android. + +Con i profili utente, è possibile imporre restrizioni a un profilo specifico, come ad esempio: effettuare chiamate, utilizzare SMS o installare applicazioni sul dispositivo. Ogni profilo è crittografato con la propria chiave di crittografia e non può accedere ai dati di altri profili. Anche il proprietario del dispositivo non può visualizzare i dati di altri profili senza conoscere la loro password. I profili utente multipli sono un metodo di isolamento più sicuro. + +## Profilo di lavoro + +I [Profili di lavoro](https://support.google.com/work/android/answer/6191949) sono un altro modo per isolare le singole app e può essere più comodo dei profili utente separati. + +Per creare un profilo di lavoro senza un MDM aziendale è necessaria un'applicazione come **controllore del dispositivo**, come [Shelter](#recommended-apps), a meno che tu non utilizzi un sistema operativo Android modificato che ne include uno. + +Il profilo di lavoro dipende da un controllore del dispositivo per funzionare. Funzionalità come *File Shuttle* e *blocco della ricerca dei contatti* o qualsiasi tipo di funzionalità di isolamento devono essere implementate dal controllore. È inoltre necessario fidarsi completamente dell'app di controllo del dispositivo, che ha pieno accesso ai dati dell'utente all'interno del profilo di lavoro. + +Questo metodo è generalmente meno sicuro di un profilo utente secondario; tuttavia, consente di eseguire contemporaneamente le applicazioni nel profilo di lavoro e in quello personale. + +## Killswitch per VPN + +Android 7 e successivi supporta un killswitch per VPN ed è disponibile senza la necessità di installare applicazioni di terze parti. Questa funzione può prevenire la fuga di dati in caso di disconnessione della VPN. Si trova in :gear: **Impostazioni** → **Rete e Internet** → **VPN** → :gear: → **Blocca connessioni senza VPN**. + +## Interruttori globali + +I dispositivi Android moderni dispongono di interruttori globali per disattivare il Bluetooth e i servizi di localizzazione. Android 12 ha introdotto gli interruttori per la fotocamera e il microfono. Quando non vengono utilizzate, si consiglia di disabilitare queste funzioni. Le applicazioni non possono utilizzare le funzioni disabilitate (anche se hanno ottenuto un'autorizzazione individuale) finché non vengono riattivate. + +## Google + +Se utilizzi un dispositivo con i servizi di Google, sia con il sistema operativo di serie sia con un sistema operativo che mette in sicurezza i Google Play Services, come GrapheneOS, è possibile apportare una serie di modifiche aggiuntive per migliorare la privacy. Si consiglia comunque di evitare del tutto i servizi di Google o di limitare i servizi di Google Play a un profilo specifico utente o di lavoro, combinando un controller di dispositivo come *Shelter* con Sandboxed Google Play di GrapheneOS. + +### Programma di protezione avanzata + +Se disponi di un account Google, consigliamo di iscriversi al https://landing.google.com/intl/it/advancedprotection/programma di protezione avanzata. È disponibile gratuitamente per chiunque possieda due o più chiavi di sicurezza hardware con supporto a [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online). + +Il programma di protezione avanzata offre un monitoraggio avanzato delle minacce e consente: + +- Autenticazione a due fattori più rigorosa; ad esempio, [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **deve** essere utilizzato e non è consentito l'uso di [SMS OTP](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) e [OAuth](https://it.wikipedia.org/wiki/OAuth) +- Solo Google e le app di terze parti verificate possono accedere ai dati dell'account +- Scansione delle email in arrivo sugli account Gmail per i tentativi di [phishing ](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- [Scansione sicura del browser](https://www.google.com/chrome/privacy/whitepaper.html#malware) più rigorosa con Google Chrome +- Processo di recupero più rigoroso per gli account con credenziali perdute + + Se utilizzi Google Play Services senza sandbox (comuni sui sistemi operativi stock), il programma di protezione avanzata viene fornito anche con [vantaggi aggiuntivi](https://support.google.com/accounts/answer/9764949?hl=it) quali: + +- Non permettere l'installazione di app al di fuori del Google Play Store, dell'app store del fornitore del sistema operativo o tramite [`adb`](https://it.wikipedia.org/wiki/Android_Debug_Bridge) +- Scansione automatica obbligatoria del dispositivo con [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=it#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Avviso sulle applicazioni non verificate + +### Aggiornamenti dei servizi di sistema di Google + +In passato, gli aggiornamenti di sicurezza di Android dovevano essere forniti dal fornitore del sistema operativo. Android è diventato più modulare a partire da Android 10 e Google può inviare aggiornamenti di sicurezza per **alcuni componenti del sistema** tramite i Play Services privilegiati. + +Se disponi di un dispositivo EOL con Android 10 o superiore e non sei in grado di installare uno dei nostri sistemi operativi consigliati sul dispositivo, è probabile che sia meglio attenersi alla distribuzione di Android dell'OEM (rispetto a un sistema operativo non elencato qui, come LineageOS o /e/ OS). Questo ti permetterà di ricevere **alcune** correzioni di sicurezza da parte di Google, senza però violare il modello di sicurezza Android utilizzando un derivato di Android insicuro e aumentando la superficie di attacco. Consigliamo comunque di passare a un dispositivo supportato il prima possibile. + +### ID pubblicità + +Tutti i dispositivi con Google Play Services installato generano automaticamente un [ID pubblicità](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) utilizzato per la pubblicità mirata. Disattiva questa funzione per limitare i dati raccolti su di te. + +Sulle distribuzioni Android con [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), vai su :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, e selezionare *Delete advertising ID*. + +Sulle distribuzioni di Android con Google Play Services privilegiato (come i sistemi operativi stock), l'impostazione può trovarsi in una delle diverse posizioni. Controlla + +- :gear: **Impostazioni** → **Google** → **Annunci** +- :gear: **Impostazioni** → **Privacy** → **Annunci** + +Ti verrà data la possibilità di eliminare l'ID pubblicità o di *rinunciare agli annunci basati sugli interessi*, questo varia tra le distribuzioni OEM di Android. È raccomandato eliminare l'ID pubblicità se viene data la possibilità. In caso contrario, assicurati di disattivare e reimpostare l'ID pubblicità. + +### SafetyNet e API Play Integrity + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) e le API [Play Integrity](https://developer.android.com/google/play/integrity) sono generalmente utilizzate per [le app bancarie](https://grapheneos.org/usage#banking-apps). Molte applicazioni bancarie funzionano bene in GrapheneOS con i servizi Play in sandbox, ma alcune applicazioni non finanziarie hanno i loro meccanismi anti-manomissione che potrebbero fallire. GrapheneOS supera il controllo `basicIntegrity`, ma non il controllo di certificazione `ctsProfileMatch`. I dispositivi con Android 8 o successivi dispongono di un supporto di attestazione hardware che non può essere aggirato senza chiavi trapelate o gravi vulnerabilità. + +Per quanto riguarda Google Wallet, lo sconsigliamo a causa dell'[informativa sulla privacy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), che prevede l'opt-out se non si desidera che il proprio rating creditizio e i propri dati personali vengano condivisi con i servizi di marketing affiliati. diff --git a/i18n/it/os/linux-overview.md b/i18n/it/os/linux-overview.md new file mode 100644 index 00000000..8ed0db1b --- /dev/null +++ b/i18n/it/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Panoramica di Linux +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### Distribuzioni "Incentrate sulla sicurezza" + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Consigli generali + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Aggiornamenti + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Modifiche alla privacy + +### Randomizzazione dell'indirizzo MAC + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/it/os/qubes-overview.md b/i18n/it/os/qubes-overview.md new file mode 100644 index 00000000..b945bdec --- /dev/null +++ b/i18n/it/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Panoramica di Qubes" +icon: pg/qubes-os +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) è un sistema operativo che utilizza l'hypervisor [Xen](https://en.wikipedia.org/wiki/Xen) per fornire una forte sicurezza per il desktop computing attraverso macchine virtuali isolate. Ogni macchina virtuale è chiamata *Qube* e si può assegnare a ogni Qube un livello di fiducia in base al suo scopo. Poiché il sistema operativo Qubes garantisce la sicurezza utilizzando l'isolamento e consentendo azioni solo su base individuale, è l'opposto dell'[enumerazione delle minacce](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Come funziona Qubes OS? + +Qubes utilizza la [compartimentazione](https://www.qubes-os.org/intro/) per mantenere il sistema sicuro. I Qubes sono creati da modelli, predefiniti per Fedora, Debian e [Whonix](../desktop.md#whonix). Qubes OS consente anche di creare macchine virtuali [monouso](https://www.qubes-os.org/doc/how-to-use-disposables/). + +![Architettura Qubes](../assets/img/qubes/qubes-trust-level-architecture.png) +
Architettura di Qubes, da "What is Qubes OS Introduction"
+ +Ogni applicazione Qubes ha un [bordo colorato](https://www.qubes-os.org/screenshots/) che può aiutare a tenere traccia della macchina virtuale in cui è in esecuzione. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Bordo colorato](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Perché dovrei usare Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copiare e incollare il testo + +Puoi [copiare e incollare il testo](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) utilizzando `qvm-copy-to-vm` o le istruzioni seguenti: + +1. Premi **Ctrl+C** per comunicare alla macchina virtuale in cui ti trovi che vuoi copiare qualcosa. +2. Premi **Ctrl+Shift+C** per comunicare alla macchina virtuale di rendere disponibile questo buffer negli appunti globali. +3. Premi **Ctrl+Shift+V** nella macchina virtuale di destinazione per rendere disponibili gli appunti globali. +4. Premi **Ctrl+V** nella macchina virtuale di destinazione per incollare il contenuto nel buffer. + +### Scambio di file + +Per copiare e incollare file e directory (cartelle) da una macchina virtuale all'altra, si può usare l'opzione **Copy to Other AppVM...** o **Move to Other AppVM...**. La differenza è che l'opzione **Move** elimina il file originale. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Risorse aggiuntive + +Per ulteriori informazioni si consiglia di consultare le ampie pagine di documentazione di Qubes OS presenti sul [sito web di Qubes OS](https://www.qubes-os.org/doc/). Le copie offline possono essere scaricate dal [repository della documentazione](https://github.com/QubesOS/qubes-doc) di Qubes OS. + +- Open Technology Fund: [*Arguably the world's most secure operating system (Probabilmente il sistema operativo più sicuro al mondo)*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation (Compartimentazione del software vs. separazione fisica)*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains (Suddividere la mia vita digitale in domini di sicurezza)*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Articoli correlati*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/it/passwords.md b/i18n/it/passwords.md new file mode 100644 index 00000000..33d33abf --- /dev/null +++ b/i18n/it/passwords.md @@ -0,0 +1,360 @@ +--- +title: "Gestori di password" +icon: material/form-textbox-password +description: I gestori delle password permettono di archiviare e gestire con sicurezza le password e altre credenziali. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Gestore di password + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Gestore di password + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Gestore di password + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX (Android) + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Gestore di password + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Gestore di password + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Gestore di password + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Gestore di password + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +I gestori di password consentono di archiviare e gestire in modo sicuro le password e altre credenziali con l'uso di una password principale. + +[Introduzione alle password :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + I gestori di password integrati nei software, come i browser e i sistemi operativi, a volte non sono all'altezza di un software di gestione delle password dedicato. Il vantaggio di un gestore di password integrato è la buona integrazione con il software, ma spesso può essere molto semplice e privo di caratteristiche di privacy e sicurezza che le offerte autonome offrono. + + Ad esempio, il gestore di password di Microsoft Edge non offre affatto E2EE. Il gestore di password di Google ha E2EE [facoltativo](https://support.google.com/accounts/answer/11350823), e [Apple](https://support.apple.com/en-us/HT202303) offre E2EE di default. + +## Cloud + +Questi gestori di password sincronizzano le password su un server cloud per facilitarne l'accesso da tutti i dispositivi e per garantire la sicurezza contro la perdita del dispositivo. + +### Bitwarden + +!!! recommendation + + ![Logo di Bitwarden](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** è un gestore di password gratuito e open-source. L'obiettivo è quello di risolvere i problemi di gestione delle password per individui, team e organizzazioni aziendali. Bitwarden è una delle soluzioni migliori e più sicure per memorizzare tutti i vostri login e password, mantenendoli comodamente sincronizzati tra tutti i vostri dispositivi. + + [:octicons-home-16: Pagina principale](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden dispone anche di [Bitwarden Send](https://bitwarden.com/products/send/), che consente di condividere testi e file in modo sicuro con [crittografia end-to-end](https://bitwarden.com/help/send-encryption). Una password [](https://bitwarden.com/help/send-privacy/#send-passwords) può essere richiesta insieme al link di invio. Bitwarden Send dispone anche di [cancellazione automatica](https://bitwarden.com/help/send-lifespan). + +Per poter condividere i file è necessario il [piano Premium](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans). Il piano gratuito consente solo la condivisione del testo. + +Il codice lato server di Bitwarden è [open-source](https://github.com/bitwarden/server), quindi se non vuoi usare il cloud Bitwarden, puoi facilmente ospitare il proprio server di sincronizzazione Bitwarden. + +**Vaultwarden** è un'implementazione alternativa del server di sincronizzazione di Bitwarden scritta in Rust e compatibile con i client ufficiali di Bitwarden, perfetta per l'implementazione self-hosted quando l'esecuzione del servizio ufficiale, che richiede molte risorse, non è ideale. Se desideri ospitare Bitwarden sul proprio server, è quasi certamente preferibile utilizzare Vaultwarden al codice server ufficiale di Bitwarden. + +[:octicons-repo-16: Repository di Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentazione} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Codice sorgente" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribuisci } + +### 1Password + +!!! recommendation + + ![logo 1Password](assets/img/password-management/1password.svg){ align=right } + + **1Password** è un gestore di password con una forte attenzione alla sicurezza e alla facilità d'uso, che consente di archiviare password, carte di credito, licenze software e qualsiasi altra informazione sensibile in una cassaforte digitale sicura. Il caveau personale è ospitato sui server di 1Password per una [tariffa mensile](https://1password.com/sign-up/). 1Password è [ispezionato](https://support.1password.com/security-assessments/) su base regolare e fornisce un'assistenza clienti eccezionale. 1Password è closed source; tuttavia, la sicurezza del prodotto è documentata in modo esauriente nel suo [white paper sulla sicurezza](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Pagina principale](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentazione} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Tradizionalmente, **1Password** ha offerto la migliore esperienza d'uso del gestore di password per chi utilizza macOS e iOS; tuttavia, ora ha raggiunto la parità di funzionalità su tutte le piattaforme. Vanta molte caratteristiche orientate alle famiglie e alle persone meno tecniche, oltre a funzionalità avanzate. + +Il caveau personale di 1Password è protetto sia dalla password principale che da una chiave di sicurezza randomizzata di 34 caratteri per criptare i vostri dati sui loro server. Questa chiave di sicurezza aggiunge un livello di protezione ai dati, perché i dati sono protetti da un'elevata entropia, indipendentemente dalla password principale. Molte altre soluzioni di gestione delle password si affidano interamente alla forza della password principale per proteggere i dati. + +Un vantaggio di 1Password rispetto a Bitwarden è il supporto di prima classe per i client nativi. Mentre Bitwarden relega molte funzioni, in particolare quelle di gestione dell'account, all'interfaccia del suo vault web, 1Password rende disponibili quasi tutte le funzioni all'interno dei suoi client nativi per dispositivi mobili o desktop. I client di 1Password hanno anche un'interfaccia utente più intuitiva, che li rende più facili da usare e da navigare. + +### Psono + +!!! recommendation + + ![Logo Psono](assets/img/password-management/psono.svg){ align=right } + + **Psono** è un gestore di password gratuito e open-source sviluppato in Germania, con particolare attenzione alla gestione delle password per i team. Psono supporta la condivisione sicura di password, file, segnalibri ed email. download + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + + [:octicons-home-16: Pagina principale](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono fornisce un'ampia documentazione sul proprio prodotto. Il web-client di Psono può essere auto-ospitato; in alternativa, è possibile scegliere la Community Edition completa o l'Enterprise Edition con funzionalità aggiuntive. + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +#### Requisiti minimi + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- Tutta la telemetria non essenziale deve essere facoltativa. +- Must not collect more PII than is necessary for billing purposes. + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Archiviazione locale + +Queste opzioni ti consentono di gestire localmente un database di password criptato. + +### KeePassDX (Android) + +!!! recommendation + + ![Logo KeePassDX](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** è un leggero gestore di password per Android, che consente di modificare i dati crittografati in un unico file in formato KeePass e di compilare i moduli in modo sicuro. + + [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permette di sbloccare contenuti cosmetici e funzioni del protocollo non standard, ma soprattutto aiuta e incoraggia lo sviluppo. [:octicons-home-16: Pagina principale](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribuisci } + + ??? + +Inoltre, è disponibile una versione solo offline: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Questa versione è stata ridotta nel tentativo di ridurre la superficie di attacco. We advise you check each record manually. + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Logo Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** è un gestore di password nativo e open-source per iOS e macOS. Supportando entrambi i formati KeePass e Password Safe, Strongbox può essere utilizzato in tandem con altri gestori di password, come KeePassXC, su piattaforme non Apple. + + Utilizzando un [modello freemium] (https://strongboxsafe.com/pricing/), Strongbox offre la maggior parte delle funzionalità nel suo livello gratuito, mentre quelle più convenienti [features](https://strongboxsafe.com/comparison/), come l'autenticazione biometrica, sono bloccate dietro un abbonamento o una licenza perpetua. [:octicons-home-16: Pagina principale](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribuisci } + + ??? + +### gopass + +!!! recommendation + + ![logo gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** è un gestore di password per la riga di comando scritto in Go. Funziona su tutti i principali sistemi operativi desktop e server (Linux, macOS, BSD, Windows). [:octicons-home-16: Pagina principale](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribuisci } + + ??? + + downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Linea di comando + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Deve essere multi-piattaforma. diff --git a/i18n/it/productivity.md b/i18n/it/productivity.md new file mode 100644 index 00000000..4adbb272 --- /dev/null +++ b/i18n/it/productivity.md @@ -0,0 +1,180 @@ +--- +title: "Strumenti di produttività" +icon: material/file-sign +description: La maggior parte delle suite per ufficio online non supportano la crittografia end-to-end, il che significa che il provider del cloud ha accesso a tutto ciò che fai. +--- + +La maggior parte delle suite per ufficio online non supportano la crittografia end-to-end, il che significa che il provider del cloud ha accesso a tutto ciò che fai. L'informativa sulla privacy potrebbe proteggere legalmente i tuoi diritti, ma non fornisce vincoli tecnici di accesso. + +## Suite per ufficio + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** è una suite per ufficio gratis, open-source e ricca di funzionalità. + + [:octicons-home-16: Pagina principale](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentazione} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +!!! danger "Pericolo" + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** è una suite di ufficio basata sul cloud gratuita, open-source e ricca di funzionalità, come l'integrazione con Nextcloud. [:octicons-home-16: Pagina principale](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Codice sorgente" } + + ??? + +### OnlyOffice + +!!! recommendation + + ![Logo CryptPad](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** è un'alternativa privata e di design ai più diffusi strumenti per l'ufficio. Tutti i contenuti di questo servizio web sono criptati end-to-end e possono essere condivisi facilmente con altri utenti. + + [:octicons-home-16: Pagina principale](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribuisci } + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Servizi di paste + +### PrivateBin + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Deve essere multi-piattaforma. +- Deve essere un software open-source. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/it/real-time-communication.md b/i18n/it/real-time-communication.md new file mode 100644 index 00000000..9553c095 --- /dev/null +++ b/i18n/it/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Comunicazione in tempo reale" +icon: material/chat-processing +description: Altre app di messaggistica istantanea rendono disponibili tutte le tue conversazioni private alla società che le gestisce. +--- + +Questi sono i nostri consigli per comunicazioni crittografate in tempo reale. + +[Tipi di reti di comunicazione :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Messenger crittografati + +Questi messenger sono ideali per proteggere le tue comunicazioni sensibili. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** è un'app per dispositivi mobili sviluppata da Signal Messenger LLC. L'app offre messaggistica istantanea, oltre che chiamate e videochiamate. + + Tutte le comunicazioni sono E2EE. Le liste di contatti è crittografata usando il tuo PIN Signal e il server non può accedervi. Anche i profili personali sono crittografati e condivisi solo con i contatti con cui parli. + + [:octicons-home-16: Pagina principale](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supporta i [gruppi privati](https://signal.org/blog/signal-private-group-system/). Il server non registra le appartenenze, i titoli, gli avatar o gli attributi dei gruppi. Signal ha metadati minimi quando [Mittente sigillato](https://signal.org/blog/sealed-sender/) è attivo. L'indirizzo del mittente viene crittografato insieme al corpo del messaggio e solo l'indirizzo del destinatario è visibile al server. Mittente sigillato è attivo solo per le persone presenti nell'elenco dei contatti, ma può essere attivato per tutti i destinatari, con un rischio maggiore di ricevere spam. Signal richiede il numero di telefono come identificativo personale. + +Il protocollo è stato [verificato](https://eprint.iacr.org/2016/1013.pdf) indipendentemente nel 2016. Le specifiche del protocollo Signal possono essere trovate nella sua [documentazione](https://signal.org/docs/). + +Abbiamo alcuni suggerimenti aggiuntivi per configurare e rendere più sicuro Signal: + +[Configurazione e messa in sicurezza di Signal :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat è un'app di messaggistica istantanea decentralizzata che non dipende da alcun identificatore univoco, come numeri di telefono o nomi utente. Gli utenti di SimpleX Chat possono scansionare un codice QR o cliccare un link di invito per partecipare alle conversazioni di gruppo. + + [:octicons-home-16: Pagina principale](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){.card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){.card-link title=Documentazione} + [:octicons-code-16:](https://github.com/simplex-chat){.card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [è stato verificato](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) da Trail of Bits nell'ottobre 2022. + +Attualmente SimpleX Chat fornisce solo un client per Android e iOS. Sono supportate le funzionalità di base delle chat di gruppo, i messaggi diretti, la modifica dei messaggi e il markdown. Sono supportate anche le chiamate e le videochiamate E2EE. + +I dati possono essere esportati e importati su un altro dispositivo, poiché non esistono server centrali in cui viene eseguito il backup. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** è un'app di messaggistica istantanea crittografata che si [connette](https://briarproject.org/how-it-works/) agli altri client usando la rete Tor. Briar può anche connettersi via Wi-Fi o Bluetooth quando si trova nelle vicinanze. La modalità mesh locale di Briar può essere utile quando la connessione a Internet è problematica. + + [:octicons-home-16: Pagina principale](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentazione} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Le opzioni di donazione sono elencate in fondo alla pagina" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +Per aggiungere un contatto su Briar, è necessario prima aggiungersi a vicenda. Puoi sia scambiare i link `briar://` o scansionare il codice QR di un contatto, se è vicino. + +Il software per il client è stato [verificato](https://briarproject.org/news/2017-beta-released-security-audit/) indipendentemente, così come il protocollo anonimo di trasmissione che utilizza la rete Tor. + +Le specifiche di Briar sono [completamente pubbliche](https://code.briarproject.org/briar/briar-spec). + +Briar supporta la Perfect Forward Secrecy usando l'[Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) Bramble e il protocollo [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md). + +## Altre alternative + +!!! warning + + Questi messenger non hanno la Perfect [Forward Secrecy](https://it.wikipedia.org/wiki/Forward_secrecy) (PFS) e, pur soddisfacendo alcune esigenze che le nostre precedenti raccomandazioni potrebbero non fare, non li consigliamo per comunicazioni a lungo termine o sensibili. Qualsiasi compromissione di chiavi tra i destinatari del messaggio inciderebbe sulla riservatezza di **tutte** le comunicazioni passate. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** è il client di riferimento per il protocollo [Matrix](https://matrix.org/docs/guides/introduction), uno [standard aperto](https://matrix.org/docs/spec) per comunicazioni decentralizzate sicure in tempo reale. + + I messaggi e i file condivisi nelle stanze private (quelle che richiedono un invito) sono E2EE in modo predefinito, così come le chiamate e videochiamate tra due persone. + + [:octicons-home-16: Pagina principale](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Le immagini del profilo, le reazioni e i nickname non vengono crittografati. + +Le chiamate e videochiamate di gruppo [non](https://github.com/vector-im/element-web/issues/12878) sono E2EE e utilizzano Jitsi, ma ciò dovrebbe cambiare con il [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Le chiamate di gruppo non hanno [alcuna autenticazione](https://github.com/vector-im/element-web/issues/13074) attualmente, il che significa che non appartenenti alla stanza possono unirsi alle chiamate. Consigliamo di non usare questa funzione per riunioni private. + +Lo stesso protocollo Matrix [supporta teoricamente il PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), tuttavia [non è attualmente supportato in Element](https://github.com/vector-im/element-web/issues/7101) perché rovina alcuni aspetti dell'esperienza utente, come il backup delle chiavi e la cronologia dei messaggi condivisi. + +Il protocollo è stato [verificato](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) indipendentemente nel 2016. Le specifiche del protocollo Matrix possono essere trovate nella sua [documentazione](https://spec.matrix.org/latest/). L'algoritmto crittografico [Olm](https://matrix.org/docs/projects/other/olm) usato da Matrix è un'implementazione dell'[algoritmo Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) di Signal. + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** è un messenger decentralizzato incentrato su comunicazioni private, sicure e anonime. Session supporta i messaggi diretti, le chat di gruppo e le chiamate vocali. + + Session usa la rete decentralizzata [Oxen Service Node Network](https://oxen.io/) per memorizzare e instradare i messaggi. Ogni messaggio crittografato viene instradato attraverso tre nodi della rete di nodi di servizio Oxen, rendendo virtualmente impossibile per i nodi compilare informazioni significative su coloro che utilizzano la rete. + + [:octicons-home-16: Pagina principale](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session consente E2EE per chat individuali o in gruppi chiusi che possono ospitare fino a 100 membri. I gruppi aperti non hanno limitazioni sul numero di membri, ma sono aperti per scelta. + +Session [non](https://getsession.org/blog/session-protocol-technical-information) supporta la PFS, ovvero quando un sistema di crittografia cambia automaticamente e frequentemente le chiavi utilizzate per crittografare e decifrare le informazioni, in modo tale che anche se la chiave più recente venisse compromessa, verrebbe esposta una porzione minore di informazioni sensibili. + +Oxen ha richiesto una verifica indipendente per Session a marzo 2020. La verifica [è stata conclusa](https://getsession.org/session-code-audit) nell'aprile del 2021, "Il livello di sicurezza complessivo di questa applicazione è buono e la rende utilizzabile per individui interessati alla propria privacy." + +Session ha un [libro bianco](https://arxiv.org/pdf/2002.04609.pdf) che descrive le caratteristiche tecniche dell'app e del protocollo. + +## Criteri + +**Si noti che non siamo affiliati a nessuno dei progetti che consigliamo.** Oltre a [i nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti che ci permettono di fornire raccomandazioni obiettive. Ti consigliamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e condurre le tue ricerche per assicurarti che sia la scelta giusta per te. + +!!! example "Questa sezione è nuova" + + Stiamo lavorando per stabilire criteri definiti per ogni sezione del nostro sito, e ciò potrebbe essere soggetto a modifiche. Se hai domande sui nostri criteri, [chiedi sul nostro forum](https://discuss.privacyguides.net/latest) e non dare per scontato che non abbiamo preso in considerazione qualcosa quando formuliamo i nostri consigli se non è elencato qui. Sono molti i fattori presi in considerazione e discussi quando raccomandiamo un progetto e documentare ogni singolo fattore è un lavoro in corso. + +- Deve avere dei client open source. +- Deve usare E2EE per i messaggi privati in modo predefinito. +- Deve supportare E2EE per tutti i messaggi. +- Deve essere stato verificato in modo indipendente. + +### Caso migliore + +I nostri criteri ottimali rappresentano ciò che vorremmo vedere dal progetto perfetto in questa categoria. Le nostre raccomandazioni potrebbero non includere tutte o alcune di queste funzionalità, ma quelle che le includono potrebbero avere una posizione più alta rispetto ad altre in questa pagina. + +- Deve avere la Perfect Forward Secrecy. +- Deve avere server open source. +- Deve essere decentralizzato, cioè federato o P2P. +- Deve usare E2EE per tutti i messaggi in modo predefinito. +- Deve supportare Linux, macOS, Windows, Android e iOS. diff --git a/i18n/it/router.md b/i18n/it/router.md new file mode 100644 index 00000000..5b140406 --- /dev/null +++ b/i18n/it/router.md @@ -0,0 +1,59 @@ +--- +title: "Firmware Router" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Di seguito sono elencati alcuni sistemi operativi alternativi che possono essere usati su router, punti di accesso Wi-Fi, ecc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** è un sistema operativo basato su Linux, usato principalmente su dispositivi embedded per instradare il traffico di rete. Include util-linux, uClibc e BusyBox. Tutti i componenti sono stati ottimizzati per i router domestici. + + [:octicons-home-16: Pagina principale](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Codice Sorgente" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuisci } + +È possibile consultare la [tabella degli hardware](https://openwrt.org/toh/start) di OpenWrt per verificare se il tuo dispositivo è supportato. + +## OPNsense + +!!! recommendation + + ![pfSense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** è una piattaforma open source di firewall e routing basata su FreeBSD che incorpora molte funzionalità avanzate come il traffic shaping, il bilanciamento del carico e le funzionalità VPN, con molte altre funzionalità disponibili sotto forma di plugin. OPNsense viene comunemente utilizzato come firewall perimetrale, router, punto di accesso wireless, server DHCP, server DNS ed endpoint VPN. + + [:octicons-home-16: Pagina principale](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Codice Sorgente" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuisci} + +OPNsense è stato originariamente sviluppato come fork di [pfSense](https://en.wikipedia.org/wiki/PfSense), ed entrambi i progetti sono noti per essere distribuzioni di firewall gratuite e affidabili che offrono funzionalità spesso presenti solo in costosi firewall commerciali. Lanciato nel 2015, gli sviluppatori di OPNsense [hanno citato](https://docs.opnsense.org/history/thefork.html) una serie di problemi di sicurezza e di qualità del codice di pfSense che, a loro avviso, rendevano necessario un fork del progetto, oltre a preoccupazioni sull'acquisizione della maggioranza di pfSense da parte di Netgate e sulla futura direzione del progetto pfSense. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Deve essere open source. +- Deve ricevere aggiornamenti regolari. +- Must support a wide variety of hardware. diff --git a/i18n/it/search-engines.md b/i18n/it/search-engines.md new file mode 100644 index 00000000..b77a2fd7 --- /dev/null +++ b/i18n/it/search-engines.md @@ -0,0 +1,117 @@ +--- +title: "Motori di ricerca" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Utilizza un motore di ricerca che non crei un profilo pubblicitario basato sulle tue ricerche. + +Le raccomandazioni riportate si basano sui meriti delle privacy policy di ciascun servizio. Non c'è **alcuna garanzia** che queste vengano rispettate. + +Considera l'utilizzo di un [VPN](vpn.md) o di [Tor](https://www.torproject.org/) se il tuo modello di minaccia richiede di nascondere l'indirizzo IP al provider di ricerca. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** è sviluppato da Brave e fornisce principalmente risultati dal proprio indice indipendente, il quale è ottimizzato rispetto a Google Search, potendo quindi fornire risultati più contestualmente accurati, rispetto alle altre alternative. + + Brave Search comprende funzionalità uniche come 'Discussions', che mette in evidenza risultati incentrati su conversazioni, come i post dei forum. + + Suggeriamo di disabilitare l'opzione [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) nelle impostazioni, che è attiva di default. + + [:octicons-home-16: Pagina principale](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentazione} + +Brave Search ha sede negli Stati Uniti. La loro[informativa sulla privacy](https://search.brave.com/help/privacy-policy) dichiara che raccolgono dati aggregati, i quali includono il sistema operativo e il browser in utilizzo, ma nessuna informazione d'identificazione personale. Gli indirizzi IP sono temporaneamente processati, ma non conservati. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** è uno dei motori di ricerca privati più conosciuto. Tra le funzionalità di ricerca di DukDuckGo vi sono i [bangs](https://duckduckgo.com/bang) e molte [risposte istantanee](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). Il motore di ricerca si basa su un'API commerciale di Bing per fornire la maggior parte di risultati, ma utilizza numerose [altre fonti](https://help.duckduckgo.com/results/sources/) per le risposte istantanee e risultati secondari. + + DuckDuckGo è il motore di ricerca predefinito del Tor Browser ed è una delle poche opzioni disponibili sul browser Safari di Apple. + + [:octicons-home-16: Pagina principale](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Servizio Onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentazione} + +DuckDuckGo ha sede negli Stati Uniti. La loro[informativa della privacy](https://duckduckgo.com/privacy) dichiara che **raccolgono** le tue ricerche per migliorare il prodotto, ma non registrano il tuo indirizzo IP o qualsiasi altra informazione d'identificazione personale. + +DuckDuckGo offre altre [due versioni](https://help.duckduckgo.com/features/non-javascript/) del proprio motore di ricerca, entrambe le quali non richiedono JavaScript. Tuttavia, queste versioni mancano di funzionalità. Possono essere inoltre essere utilizzate in congiunzione con il loro [indirizzo onion Tor](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/), aggiungendo [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) o [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) rispettivamente. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** è un meta-motore di ricerca open source e self-hostable, che aggrega risultati di altri motore di ricerca, ma senza raccogliere alcuna informazione a sua volta. È un fork attivamente mantenuto di [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Pagina principale](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Istanze pubbliche"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Codice sorgente" } + +SearXNG è un proxy tra l'utente e i motori di ricerca che aggrega. Le tue stringhe di ricerca vengono inviate a tutti i motori dai quali SearXNG ottiene i suoi risultati. + +Nel caso di self-hosting, è importante che anche altre persone utilizzino la tua istanza, in modo che le stringhe di ricerca si confondino tra di loro. Rimani attento a dove e come esegui il self-hosting, in quanto utenti che ricercano contenuti illegali mediante la tua istanza potrebbero attirare l'attenzione indesiderata delle autorità. + +Quando utilizzi una istanza di SearXNG, ricordati di leggere la rispettiva informativa della privacy. Dato che le istanze possono essere modificate dai corrispettivi proprietari, non necessariamente riflettono la propria informativa sulla privacy. Alcune istante vengono eseguite come servizio nascosto Tor, il che può garantire più privacy, a patto che le tue stringhe di ricerca non contengano PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** è un motore di ricerca privato noto per riportare risultati di ricerca di Google. Il fiore all'occhiello di Startpage è la [Anonymous View](https://www.startpage.com/en/anonymous-view/), che si sforza di standardizzare l'attività degli utenti in modo da rendere più difficile l'identificazione univoca. Questa funzione può essere utile per nascondere [alcune](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) caratteristiche della rete e del browser. A differenza di quanto suggerisce il nome, non ci si deve affidare a questa funzione per ottenere l'anonimato. Se cerchi l'anonimato, utilizzate invece il [Tor Browser](tor.md#tor-browser). + + [:octicons-home-16: Pagina principale](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentazione} + +!!! warning + + Startpage limita regolarmente l'accesso ai suori servizi a determinati indirizzi IP, come quelli riservati per i VPN e Tor. [DuckDuckGo](#duckduckgo) e [Brave Search](#brave-search) sono opzioni più amichevoli se il tuo Threat Model richiede di nascondere il tuo indirizzo IP al provider di ricerca. + +Startpage ha sede nei Paesi Bassi. Secondo la loro [informativa sulla privacy](https://www.startpage.com/en/privacy-policy/), registrano dettagli quali: sistema operativo, tipo di browser e lingua. Non registrano l'indirizzo IP, le stringhe di ricerca o altre informazioni d'identificazione personale. + +L'azionista di maggioranza di Startpage è System1, un'azienda di tecnologie pubblicitarie. Non riteniamo ciò essere un problema, visto che seguono una distinta e separata [informativa sulla privacy](https://system1.com/terms/privacy-policy). Il team di Privacy Guides contattò Startpage [ nel 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) per chiarire le preoccupazioni legate al considerevole investimento da parte si System1 nel servizio; siamo stati soddisfatti dalle risposte ricevute. + +## CryptPad + +**Si noti che non siamo affiliati a nessuno dei progetti che consigliamo.** Oltre a [i nostri criteri standard](about/criteria.md), abbiamo sviluppato una chiara serie di requisiti che ci permettono di fornire raccomandazioni obiettive. Ti consigliamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e condurre le tue ricerche per assicurarti che sia la scelta giusta per te. + +!!! esempio "Questa sezione è nuova" + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +### Requisiti minimi + +- Non devono raccogliere informazioni di identificazione personale secondo la loro informativa sulla privacy. +- Non devono permettere agli utenti di creare un account con loro. + +### Caso migliore + +KeePassXC memorizza i suoi dati di esportazione come file [CSV](https://en.wikipedia.org/wiki/Comma-separated_values). Ciò può comportare la perdita di dati se si importa questo file in un altro gestore di password. + +- Dovrebbe essere basato su software open-source. +- Non dovrebbe bloccare gli indirizzi IP dei nodi di uscita di Tor. diff --git a/i18n/it/tools.md b/i18n/it/tools.md new file mode 100644 index 00000000..fc7559f3 --- /dev/null +++ b/i18n/it/tools.md @@ -0,0 +1,473 @@ +--- +title: "Strumenti per la privacy" +icon: material/tools +hide: + - toc +description: Privacy Guides è il sito web più trasparente e affidabile per trovare software, applicazioni e servizi che proteggono i vostri dati personali dai programmi di sorveglianza di massa e da altre minacce d'internet. +--- + +Se stai cercando una soluzione specifica per qualcosa, questi sono gli strumenti hardware e software che ti consigliamo in una varietà di categorie. I nostri strumenti di privacy consigliati sono scelti principalmente in base alle funzionalità di sicurezza, con maggiore enfasi sugli strumenti decentralizzati e open-source. Sono applicabili a una varietà di modelli di minaccia che vanno dalla protezione contro i programmi di sorveglianza di massa globali e evitare le grandi aziende tecnologiche alla mitigazione degli attacchi, ma solo tu puoi determinare cosa funzionerà meglio per le tue esigenze. + +Se vuoi assistenza per capire i migliori strumenti per la privacy e programmi alternativi più adatti alle tue esigenze, inizia una discussione sul nostro forum [](https://discuss.privacyguides.net/) o sulla nostra community [Matrix](https://matrix.to/#/#privacyguides:matrix.org)! + +Per maggiori dettagli su ogni progetto, sul motivo per cui è stato scelto e su ulteriori suggerimenti o trucchi che consigliamo, clicca il link "Maggiori informazioni" in ogni sezione, oppure clicca il suggerimento stesso per essere indirizzato a quella specifica sezione della pagina. + +## Rete Tor + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake non aumenta la privacy, ma permette di contribuire facilmente alla rete Tor e di aiutare le persone in reti soggette a censura a ottenere una privacy migliore. + +[Maggiori informazioni :material-arrow-right-drop-circle:](tor.md) + +## Browser web desktop + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Risorse aggiuntive + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Browser web mobile + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Risorse aggiuntive + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Sistemi operativi + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](android.md) + +#### Applicazioni Android + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](desktop.md) + +### Firmware Router + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](router.md) + +## Fornitori di servizi + +### Archiviazione in cloud + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### Fornitori DNS + +[Raccomandiamo](dns.md#recommended-providers) una serie di server DNS criptati basati su una serie di criteri, come [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) e [Quad9](https://quad9.net/) tra gli altri. Ti consigliamo di leggere le nostre pagine sui DNS prima di scegliere un fornitore. In molti casi, l'utilizzo di un fornitore DNS alternativo non è consigliato. + +[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md) + +#### Self-hosting + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Soluzioni self-hosted + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](email.md) + +#### Email installabili in locale + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### I nostri criteri + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Servizi finanziari + +#### Servizi di mascheramento dei pagamenti + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Marketplace di Gift Card Online + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Motori di ricerca + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](search-engines.md) + +### Fornitori di VPN + +??? danger "Le VPN non forniscono anonimato" + + L'utilizzo di una VPN **non** manterrà anonime le tue abitudini di navigazione, né aggiungerà ulteriore sicurezza al traffico non sicuro (HTTP). + + Se stai cercando **anonimato**, dovresti usare il Tor Browser **invece** di una VPN. + + Se stai cercando maggiore **sicurezza**, dovresti sempre assicurarti di connetterti a siti Web usando HTTPS. Una VPN non è un sostituto per buone pratiche di sicurezza. + + [Maggiori informazioni :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Sincronizzazione di calendario e contatti + +
+ +- ![Tutanota logo](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](calendar.md) + +### Criptovaluta + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Rimozione di dati e metadati + +
+ +- ![ExifCleaner logo](assets/img/data-redaction/exifcleaner.svg){ .twemoji } [ExifCleaner](data-redaction.md#exifcleaner) +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](data-redaction.md) + +### Condivisione di file + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](email-clients.md) + +### Software di crittografia + +??? info "Crittografia del disco del sistema operativo" + + Per crittografare il disco del sistema operativo, in genere si consiglia di utilizzare lo strumento di crittografia fornito dal sistema operativo, che sia **BitLocker** su Windows, **FileVault** su macOS o **LUKS** su Linux. Questi strumenti sono inclusi nel sistema operativo e in genere utilizzano elementi di crittografia hardware come un TPM che altri software di crittografia full-disk come VeraCrypt non fanno. VeraCrypt è comunque adatto a dischi senza sistema operativo come le unità esterne, in particolare quelle a cui si può accedere da più sistemi operativi. + + [Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md) + +#### Client OpenPGP + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Condivisione e sincronizzazione dei file + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontend + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](frontends.md) + +### Strumenti di autenticazione a più fattori + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Aggregatori di notizie + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](news-aggregators.md) + +### Blocchi note + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](notebooks.md) + +### Gestori di password + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](passwords.md) + +### Strumenti di produttività + +
+ +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](productivity.md) + +### Comunicazione in tempo reale + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar-android) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](real-time-communication.md) + +### Client di streaming video + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Maggiori informazioni :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/it/tor.md b/i18n/it/tor.md new file mode 100644 index 00000000..55f435ef --- /dev/null +++ b/i18n/it/tor.md @@ -0,0 +1,119 @@ +--- +title: "Rete Tor" +icon: simple/torproject +description: Proteggi la tua navigazione internet da occhi indiscreti utilizzando la rete Tor, una rete sicura che elude la censura. +--- + +![Logo Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +La rete **Tor** è un gruppo di server gestiti da volontari che permette di connettersi gratuitamente e migliorare la propria privacy e sicurezza su Internet. Individui e organizzazioni possono anche condividere informazioni attraverso la rete Tor con i "servizi nascosti .onion" senza compromettere la loro privacy. Poiché il traffico Tor è difficile da bloccare e tracciare, Tor è un efficace strumento di elusione della censura. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title="Pagina principale" } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servizio Onion" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentazione} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Codice sorgente" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisci } + +Tor funziona instradando il traffico internet attraverso questi server gestiti da volontari, invece di effettuare una connessione diretta al sito che si sta cercando di visitare. In questo modo si offusca la provenienza del traffico e nessun server nel percorso di connessione è in grado di vedere il percorso completo del traffico proveniente e diretto, il che significa che nemmeno i server utilizzati per connettersi possono violare l'anonimato. + +[Panoramica dettagliata di Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connessione a Tor + +Esistono diversi modi per connettersi alla rete Tor dal proprio dispositivo, il più comunemente usato è il **Tor Browser**, un fork di Firefox progettato per la navigazione anonima per computer desktop e Android. Oltre alle applicazioni elencate di seguito, esistono anche sistemi operativi progettati appositamente per connettersi alla rete Tor, come [Whonix](desktop.md#whonix) su [Qubes OS](desktop.md#qubes-os), che offrono una sicurezza e una protezione ancora maggiori rispetto al Tor Browser standard. + +### Tor Browser + +!!! recommendation + + ![logo di Tor Browser](assets/img/browsers/tor.svg){ align=right } + + Il **Tor Browser** è la scelta ideale per chi ha bisogno di anonimato, in quanto fornisce l'accesso alla rete e ai ponti Tor e include impostazioni predefinite ed estensioni configurate automaticamente in base ai livelli di sicurezza predefiniti: *Standard*, *Sicuro* e *Il più sicuro*. + + [:octicons-home-16: Pagina principale](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Servizio Onion" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentazione } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisce } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "Pericolo" + + Non si devono **mai** installare estensioni aggiuntive su Tor Browser o modificare le impostazioni `about:config`, comprese quelle suggerite per Firefox. Le estensioni del browser e impostazioni non standard ti rendono distinguibile dagli altri utenti della rete Tor, aumentando così il [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting) del tuo browser. + +Tor Browser è progettato per evitare il fingerprinting o l'identificazione dell'utente attraverso la configurazione del browser. Pertanto, è indispensabile **non** modificare il browser oltre i livelli di sicurezza [predefiniti](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Logo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** è una VPN Tor gratuita per smartphone che instrada il traffico da qualsiasi app sul dispositivo attraverso la rete Tor. + + [:octicons-home-16: Pagina principale](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentazione} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +In precedenza avevamo consigliato di attivare la preferenza *Isolate Destination Address* nelle impostazioni di Orbot. Sebbene questa impostazione possa teoricamente migliorare la privacy, imponendo l'uso di un circuito diverso per ogni indirizzo IP a cui ci si connette, non fornisce un vantaggio pratico per la maggior parte delle applicazioni (in particolare la navigazione web), può comportare una significativa riduzione delle prestazioni e aumenta il carico sulla rete Tor. Non è più consigliabile modificare questa impostazione dal valore predefinito, a meno che non si conosca la necessità.[^1] + +!!! tip "Suggerimenti per Android" + + Orbot può eseguire il proxy di singole applicazioni se queste supportano il proxy SOCKS o HTTP. Può anche effettuare il proxy di tutte le connessioni di rete utilizzando [VpnService](https://developer.android.com/reference/android/net/VpnService) e può essere utilizzato con il killswitch VPN in :gear: **Impostazioni** → **Rete & Internet** → **VPN** → :gear: → **Blocca connessioni senza VPN**. + + Orbot è spesso obsoleto sul [repository di F-Droid](https://guardianproject.info/fdroid) e [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) del Guardian Project, per cui si consiglia di scaricarlo direttamente dal [repository di GitHub](https://github.com/guardianproject/orbot/releases). + + Tutte le versioni sono firmate utilizzando la stessa firma, quindi dovrebbero essere compatibili tra loro. + +## Relay e Bridge + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** ti permette di donare larghezza di banda al Tor Project, operando i cosiddetti "Snowflake proxy" all'interno del tuo browser. + + Individui sottoposti a censura possono utilizzare questi proxy per connettersi alla rete Tor. Snowflake è un ottimo modo per contribuire alla rete Tor, senza la necessità di avere il know-how tecnico per gestire un relay o ponte Tor. + + [:octicons-home-16: Pagina principale](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentazione} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Codice sorgente" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribuisci } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Snowflake incorporato" + + Puoi abilitare Snowflake nel tuo browser cliccando il pulsante sottostante e ==lasciando questa pagina aperta==. Puoi inoltre installare Snowflake come un'estensione del browser per poter sempre utilizzarlo quando navighi su Internet, ma, come già detto in precedenza, questo può aumentare la tua superficie di attacco. + +
+ Se l'incorporamento non appare, assicurati di non star bloccando il frame di terza parte da 'torproject.org'. Alternativamente, visita [questa pagina](https://snowflake.torproject.org/embed.html). + +Snowflake non aumenta in alcun modo la tua privacy e non viene utilizzato per connettersi alla rete Tor all'interno del tuo browser personale. Tuttavia, se la tua connessione a Internet non è censurata, dovresti prendere in considerazione la possibilità di utilizzarlo per aiutare le persone che si trovano in reti censurate a ottenere una migliore privacy. Non c'è bisogno di preoccuparsi dei siti web a cui le persone accedono attraverso il tuo proxy: il loro indirizzo IP di navigazione visibile corrisponderà al loro nodo di uscita Tor, non al tuo. + +La gestione di un proxy Snowflake è a basso rischio, anche più della gestione di un relay o bridge di Tor, che già non sono attività particolarmente rischiose. Tuttavia, il traffico viene comunque instradato attraverso la tua rete, il che può avere un certo impatto, soprattutto se la tua rete ha una larghezza di banda limitata. Assicurati di comprendere [come Snowflake funziona](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) prima di decidere se gestire un proxy. + +[^1]: L'impostazione `IsolateDestAddr` è discussa nella [mailing list Tor](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) e nella [documentazione Whonix's Stream Isolation](https://www.whonix.org/wiki/Stream_Isolation), dove entrambi i progetti suggeriscono che di solito non è un buon approccio per la maggior parte delle persone. diff --git a/i18n/it/video-streaming.md b/i18n/it/video-streaming.md new file mode 100644 index 00000000..d5445f8d --- /dev/null +++ b/i18n/it/video-streaming.md @@ -0,0 +1,60 @@ +--- +title: "Streaming video" +icon: material/video-wireless +description: Queste reti ti consentono lo streaming di contenuti internet senza creare un profilo pubblicitario basato sui propri interessi. +--- + +Il rischio principale quando si usa una piattaforma di streaming video è che le tue abitudini e iscrizioni possano essere usate per profilarti. Suggeriamo di utilizzare questi strumenti accompagnati da un [VPN](vpn.md) o [Tor](https://www.torproject.org/) in modo da rendere più difficile la profilazione. + +## Client + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **La rete LBRY** è una rete di condivisione video decentralizzata. Utilizza una rete simile a [BitTorrent](https://it.wikipedia.org/wiki/BitTorrent) per memorizzare i contenuti video e una [blockchain](https://it.wikipedia.org/wiki/Blockchain) per memorizzare gli indici di tali video. Il vantaggio principale di questo design è la resistenza alla censura. + + **Il client desktop di LBRY** consente lo streaming di video dalla rete LBRY e memorizza l'elenco delle iscrizioni nel proprio portafoglio LBRY. + + [:octicons-home-16: Pagina principale](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Si raccomanda solo il **client desktop LBRY**, poiché il sito web [Odysee](https://odysee.com) e i client LBRY in F-Droid, Play Store e App Store hanno la sincronizzazione e la telemetria obbligatorie. + +!!! warning + + Durante la visione e l'hosting dei video, il tuo indirizzo IP è visibile alla rete LBRY. Considera l'uso di [VPN](vpn.md) o [Tor](https://www.torproject.org) se il [modello di minaccia](basics/threat-modeling.md) richiede di nascondere l'indirizzo IP. + +Raccomandiamo di **non sincronizzare** il portafoglio con LBRY Inc. poiché la sincronizzazione dei portafogli crittografati non è ancora supportata. Se sincronizzi il tuoportafoglio con LBRY Inc. devi fidarti del fatto che non guarderanno la tua lista delle iscrizioni, i fondi di [LBC](https://lbry.com/faq/earn-credits) o prenderanno il controllo del tuo canale. + +È possibile disattivare l'opzione *Save hosting data to help the LBRY network* in :gear: **Settings** → **Advanced Settings**, per evitare di esporre il proprio indirizzo IP e i video guardati quando si utilizza LBRY per un periodo di tempo prolungato. + +## CryptPad + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. recommendation + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** è un pastebin online minimalista e open-source in cui il server non ha alcuna conoscenza dei dati incollati. Infatti, vengono criptati/decriptati nel tuo browser utilizzando AES a 256 bit. downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +- Non deve richiedere un account centralizzato per visualizzare i video. + - L'autenticazione decentralizzata, ad esempio tramite la chiave privata di un wallet mobile, è accettabile. diff --git a/i18n/it/vpn.md b/i18n/it/vpn.md new file mode 100644 index 00000000..938bc519 --- /dev/null +++ b/i18n/it/vpn.md @@ -0,0 +1,327 @@ +--- +title: "Servizi VPN" +icon: material/vpn +description: Questi sono i migliori servizi VPN per proteggere la tua privacy e sicurezza online. Trovate un fornitore che non ti spii. +--- + +Se stai cercando ulteriore **privacy** dal tuo ISP, su una rete Wi-Fi pubblica o durante il torrenting di file, una VPN potrebbe essere la soluzione per te purché tu comprenda i rischi coinvolti. Riteniamo che questi provider siano una spanna sopra gli altri: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "Le VPN non forniscono anonimato" + + L'utilizzo di una VPN **non** manterrà anonime le tue abitudini di navigazione, né aggiungerà ulteriore sicurezza al traffico non sicuro (HTTP). + + Se stai cercando **anonimato**, dovresti usare il Tor Browser **invece** di una VPN. + + Se stai cercando maggiore **sicurezza**, dovresti sempre assicurarti di connetterti a siti Web usando HTTPS. Una VPN non è un sostituto per buone pratiche di sicurezza. + + [Scarica Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button } + +[Panoramica dettagliata della VPN :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Provider consigliati + +I fornitori che consigliamo utilizzano la crittografia, accettano Monero, supportano WireGuard & OpenVPN e applicano una politica di non registrazione del traffico. Leggi la nostra [lista completa di criteri](#criteria) per maggiori informazioni. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** è un altro provider VPN premium, il quale opera dal 2009. IVPN ha sede a Gibilterra. + + [:octicons-home-16: Pagina principale](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Codice sorgente" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Paesi + +IVPN ha [server in 35 paesi](https://www.ivpn.net/server-locations).(1) Scegliere un provider VPN con un server più vicino a te ridurrà la latenza del traffico di rete che invii. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop). +{ .annotate } + +1. Ultimo controllo: 16-09-2022 + +Riteniamo inoltre che sia meglio per la sicurezza delle chiavi private del provider VPN utilizzare [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece di soluzioni condivise più economiche (con altri clienti) come [server privati virtuali](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Audit indipendente + +IVPN è stata sottoposta a un [audit no-logging da parte di Cure53](https://cure53.de/audit-report_ivpn.pdf) che si è concluso in favore della dichiarazione di no-logging di IVPN. IVPN ha inoltre completato un [esauriente rapporto pentest Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) nel gennaio 2020. IVPN ha inoltre dichiarato di avere in programma [rapporti annuali](https://www.ivpn.net/blog/independent-security-audit-concluded) in futuro. Un'ulteriore revisione è stata condotta [nell'aprile 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) ed è stata prodotta da Cure53 [sul loro sito web](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Client Open-Source + +A partire da febbraio 2020 [le applicazioni IVPN sono ora open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Il codice sorgente può essere ottenuto dalla loro organizzazione [GitHub](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accetta contanti e Monero + +Oltre ad accettare carte di credito/debito e PayPal, IVPN accetta Bitcoin, **Monero** e **contanti/valuta locale** (sui piani annuali) come forme anonime di pagamento. + +#### :material-check:{ .pg-green } Supporto WireGuard + +IVPN supporta il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una crittografia [all'avanguardia](https://www.wireguard.com/protocol/). Inoltre, WireGuard mira a essere più semplice e performante. + +IVPN [raccomanda](https://www.ivpn.net/wireguard/) l'uso di WireGuard con il proprio servizio e, pertanto, il protocollo è quello predefinito in tutte le applicazioni di IVPN. IVPN offre anche un generatore di configurazione WireGuard da utilizzare con le [app](https://www.wireguard.com/install/) ufficiali WireGuard. + +#### :material-check:{ .pg-green } Port Forwarding remoto + +Il port forwarding remoto [](https://en.wikipedia.org/wiki/Port_forwarding) è possibile con un piano Pro. Il port forwarding [può essere attivato](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) tramite l'area client. Il port forwarding è disponibile su IVPN solo quando si utilizzano protocolli WireGuard o OpenVPN ed è [disabilitato sui server statunitensi](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Client Mobile + +Oltre a fornire file di configurazione OpenVPN standard, IVPN ha client mobili per [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client)e [GitHub](https://github.com/ivpn/android-app/releases) che consentono facili connessioni ai loro server. + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +I client IVPN supportano l'autenticazione a due fattori (i client Mullvad no). IVPN offre anche la funzionalità "[AntiTracker](https://www.ivpn.net/antitracker)", che blocca le reti pubblicitarie e i tracker a livello di rete. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** è una VPN veloce ed economica con una grande attenzione alla trasparenza e alla sicurezza. Sono operativi dal **2009**. Mullvad ha sede in Svezia e non dispone di una prova gratuita. + + [:octicons-home-16: Pagina principale](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Paesi + +Mullvad ha [server in 41 paesi](https://mullvad.net/servers/).(1) Scegliere un provider VPN con un server più vicino a te ridurrà la latenza del traffico di rete che invii. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop). +{ .annotate } + +1. Ultimo controllo: 19-01-2023 + +Riteniamo inoltre che sia meglio per la sicurezza delle chiavi private del provider VPN utilizzare [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece di soluzioni condivise più economiche (con altri clienti) come [server privati virtuali](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Audit indipendente + +I client VPN di Mullvad sono stati verificati da Cure53 e Assured AB in un rapporto pentest [pubblicato su cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). I ricercatori di sicurezza hanno concluso: + +> Cure53 e Assured AB sono soddisfatti dei risultati dell'audit e il software lascia un'impressione complessivamente positiva. Con la dedizione alla sicurezza del team interno al complesso Mullvad VPN, i tester non hanno dubbi riguardo alla giusta direzione del progetto da un punto di vista della sicurezza. + +Nel 2020 [ è stato annunciato](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) un secondo audit e il [rapporto di audit finale](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) è stato reso disponibile sul sito web di Cure53: + +> I risultati di questo progetto di maggio-giugno 2020 rivolto al complesso di Mullvad sono piuttosto positivi. [...] L'ecosistema applicativo complessivo utilizzato da Mullvad lascia un'impressione solida e strutturata. La struttura complessiva dell'applicazione rende facile l'introduzione di patch e correzioni in modo strutturato. Più di ogni altra cosa, i risultati individuati da Cure53 mostrano l'importanza di controllare e rivalutare costantemente gli attuali vettori di fuga, al fine di garantire sempre la privacy degli utenti finali. Detto questo, Mullvad fa un ottimo lavoro nel proteggere l'utente finale dalle comuni perdite di informazioni d'identificazione personale e i relativi rischi legati alla privacy. + +Nel 2021 [è stato annunciato](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) un audit dell'infrastruttura e il [rapporto di audit finale](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) è stato reso disponibile sul sito web di Cure53. Un altro rapporto è stato commissionato [nel giugno 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) ed è disponibile sul sito Web di [Assured](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Client Open-Source + +Mullvad fornisce il codice sorgente per i loro client desktop e mobili nella loro organizzazione [GitHub](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accetta contanti e Monero + +Mullvad, oltre ad accettare carte di credito/debito e PayPal, accetta Bitcoin, Bitcoin Cash, **Monero** e **contanti/valuta locale** come forme anonime di pagamento. Accettano inoltre Swish e bonifici bancari. + +#### :material-check:{ .pg-green } Supporto WireGuard + +Mullvad supporta il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una crittografia [all'avanguardia](https://www.wireguard.com/protocol/). Inoltre, WireGuard mira a essere più semplice e performante. + +Mullvad [raccomanda a](https://mullvad.net/en/help/why-wireguard/) l'uso di WireGuard con il proprio servizio. È il protocollo predefinito o l'unico sulle app Mullvad per Android, iOS, macOS e Linux, ma su Windows è necessario [abilitare manualmente](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad offre anche un generatore di configurazione WireGuard da utilizzare con le [app](https://www.wireguard.com/install/) ufficiali WireGuard. + +#### :material-check:{ .pg-green } Supporto IPv6 + +Mullvad supporta il futuro del networking [IPv6](https://en.wikipedia.org/wiki/IPv6). La loro rete consente di accedere a [servizi ospitati su IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) a differenza di altri provider che bloccano le connessioni IPv6. + +#### :material-check:{ .pg-green } Port Forwarding remoto + +Il [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) remoto è consentito per chi effettua pagamenti una tantum, ma non per gli account con metodo di pagamento ricorrente/sottoscrizione. Questo per evitare che Mullvad possa identificarti in base all'utilizzo della porta e alle informazioni di abbonamento memorizzate. Per ulteriori informazioni, controlla [Port forwarding con Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/). + +#### :material-check:{ .pg-green } Client Mobile + +Mullvad ha pubblicato i client [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) e [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), entrambi hanno un'interfaccia facile da usare anziché richiedere di configurare manualmente la connessione WireGuard. Il client Android è disponibile anche su [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +Mullvad è molto trasparente su quali nodi [possiede o fitta](https://mullvad.net/en/servers/). Utilizzano [ShadowSocks](https://shadowsocks.org/) nella loro configurazione ShadowSocks + OpenVPN, rendendoli più resistenti ai firewall con [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) che cercano di bloccare le VPN. Presumibilmente, la [Cina deve utilizzare un metodo diverso per bloccare i server ShadowSocks](https://github.com/net4people/bbs/issues/22). Il sito web di Mullvad è accessibile anche tramite Tor presso [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** è un forte concorrente nello spazio VPN ed è attivo dal 2016. Proton AG ha sede in Svizzera e offre un livello gratuito limitato, così come un'opzione premium più ricca di funzioni. + + **Gratuito** — **Piano Plus da 71,88€ all'anno** (1) + + [:octicons-home-16: Pagina principale](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Informativa sulla privacy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentazione} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Codice sorgente" } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Paesi + +Proton VPN ha [server in 67 paesi](https://protonvpn.com/vpn-servers).(1) Scegliere un provider VPN con un server più vicino a te ridurrà la latenza del traffico di rete che invii. Ciò è dovuto al fatto che il percorso verso la destinazione è più breve (meno hop). +{ .annotate } + +1. Ultimo controllo: 16-09-2022 + +Riteniamo inoltre che sia meglio per la sicurezza delle chiavi private del provider VPN se utilizzano [server dedicati](https://en.wikipedia.org/wiki/Dedicated_hosting_service), invece di soluzioni condivise più economiche (con altri clienti) come [server privati virtuali](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Audit indipendente + +Nel mese di gennaio del 2020, Proton VPN è stato sottoposto ad un audit indipendente da parte di SEC Consult. SEC Consult ha riscontrato alcune vulnerabilità di basso e medio rischio nelle applicazioni di Windows, Android e iOS, le quali sono state "adeguatamente risolte" da Proton VPN prima della pubblicazione dei rapporti. Nessuno dei problemi identificati avrebbe potuto garantire a un hacker di accedere da remoto al tuo dispositivo o al tuo traffico. Puoi visualizzare i singoli report per ciascuna piattaforma su [protonvpn.com](https://protonvpn.com/blog/open-source/). Nell'aprile 2022 Proton VPN ha riceuto [un altro audit](https://protonvpn.com/blog/no-logs-audit/) e il rapporto è stato [prodotto da Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Una [lettera di attestazione](https://proton.me/blog/security-audit-all-proton-apps) è stata fornita per le applicazioni di Proton VPN il 9 novembre 2021 da [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Client Open-Source + +Proton VPN fornisce il codice sorgente per i loro client desktop e mobile nella loro organizzazione [GitHub](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accetta contanti + +Proton VPN, oltre ad accettare carte di credito/debito, PayPal e [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), accetta anche **contanti/valuta locale** come forma anonima di pagamento. + +#### :material-check:{ .pg-green } Supporto WireGuard + +Proton VPN supporta principalmente il protocollo WireGuard®. [WireGuard](https://www.wireguard.com) è un protocollo più recente che utilizza una crittografia [all'avanguardia](https://www.wireguard.com/protocol/). Inoltre, WireGuard mira a essere più semplice e performante. + +Proton VPN [consiglia](https://protonvpn.com/blog/wireguard/) l'uso di WireGuard con il loro servizio. Sulle app Proton VPN per Windows, macOS, iOS, Android, ChromeOS e Android TV, WireGuard è il protocollo predefinito; tuttavia, il supporto [](https://protonvpn.com/support/how-to-change-vpn-protocols/) per il protocollo non è presente nella loro app Linux. + +#### :material-alert-outline:{ .pg-orange } Port Forwarding remoto + +Proton VPN attualmente supporta solo il [port forwarding](https://protonvpn.com/support/port-forwarding/) remoto su Windows, il che potrebbe influire su alcune applicazioni. In particolare le applicazioni Peer-to-peer come i client Torrent. + +#### :material-check:{ .pg-green } Client mobile + +Oltre a fornire file di configurazione OpenVPN standard, Proton VPN ha client mobile per [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US)e [GitHub](https://github.com/ProtonVPN/android-app/releases) che consentono facili connessioni ai loro server. + +#### :material-information-outline:{ .pg-blue } Funzionalità aggiuntive + +I client Proton VPN supportano l'autenticazione a due fattori su tutte le piattaforme, ad eccezione di Linux, al momento. Proton VPN ha i propri server e datacenter in Svizzera, Islanda e Svezia. Offrono il blocco delle pubblicità e dei domini malware noti mediante il loro servizio DNS. Inoltre, Proton VPN offre anche server "Tor" che consentono di connettersi facilmente ai siti onion, ma consigliamo comunque di utilizzare [il browser Tor ufficiale](https://www.torproject.org/) per questo scopo. + +#### :material-alert-outline:{ .pg-orange } La funzione Killswitch non funziona sui Mac basati su Intel + +Arresti anomali del sistema [possono verificarsi](https://protonvpn.com/support/macos-t2-chip-kill-switch/) sui Mac basati su Intel quando si utilizza la funzionalità killswitch VPN. Se hai bisogno di questa funzione e utilizzi un Mac con chipset Intel, dovresti considerare l'utilizzo di un altro servizio VPN. + +## CryptPad + +!!! danger "Pericolo" + + È importante notare che l'utilizzo di una VPN non ti rende anonimo, ma può migliorare la tua privacy in alcune situazioni. Una VPN non è uno strumento per attività illegali. Non affidarti ad una politica "no log". + +**Si prega di notare che non siamo affiliati a nessuno dei fornitori che raccomandiamo. Questo ci permette di fornire raccomandazioni completamente oggettive.** Abbiamo sviluppato un insieme di requisti chiari per ogni provider di VPN, tra cui una forte crittografia, controlli sulla sicurezza indipendenti, tecnologia moderna e altro. Ti suggeriamo di familiarizzare con questa lista prima di scegliere un provider VPN e di condurre la propria ricerca per assicurarsi che il provider scelto sia il più affidabile possibile. + +### Tecnologia + +Richiediamo a tutti i provider VPN da noi consigliati di fornire file di configurazione OpenVPN da utilizzare in qualsiasi client. **Se** una VPN fornisce il proprio client personalizzato, richiediamo un killswitch per bloccare le fughe di dati di rete quando si è disconnessi. + +**Requisiti minimi:** + +- Supporto per protocolli forti come WireGuard & OpenVPN. +- Killswitch integrato nei client. +- Supporto multihop. Il multihopping è importante per mantenere i dati privati nel caso in cui un nodo venisse compromesso. +- Se vengono forniti client VPN, devono essere [open-source](https://en.wikipedia.org/wiki/Open_source), come il software VPN che generalmente hanno incorporato. Crediamo che la disponibilità del [codice sorgente](https://en.wikipedia.org/wiki/Source_code) fornisca grande trasparenza riguardo ciò che il tuo dispositivo sta effettivamente facendo. + +**Caso migliore:** + +- Supporto per WireGuard e OpenVPN. +- Killswitch con opzioni altamente configurabili (abilitazione/disabilitazione su determinate reti, all'avvio, ecc.) +- Client VPN facili da usare +- Supporto per [IPv6](https://en.wikipedia.org/wiki/IPv6). Ci aspettiamo che i server accettino connessioni in arrivo via IPv6 e che ti permettano di accedere a servizi su indirizzi IPv6. +- La capacità di [port forwarding remoto](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) aiuta a creare connessioni quando si utilizza software per la condivisione file P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)), o nell'hosting di un server (es. Mumble). + +### Privacy + +Preferiamo che i provider da noi consigliati raccolgano il minor numero di dati possibile. È necessario non raccogliere informazioni personali al momento della registrazione e accettare forme di pagamento anonime. + +**Requisiti minimi:** + +- [Criptovaluta anonima](cryptocurrency.md) **o** opzione di pagamento in contanti. +- Nessuna informazione personale richiesta per registrarsi: solo nome utente, password ed e-mail al massimo. + +**Caso migliore:** + +- Accetta più [opzioni di pagamento anonime](advanced/payments.md). +- Non sono accettate informazioni personali (nome utente autogenerato, nessuna mail richiesta, ecc.). + +### Sicurezza + +Una VPN è inutile se non è nemmeno in grado di fornire una sicurezza adeguata. Richiediamo a tutti i nostri provider consigliati di rispettare gli standard di sicurezza attuali per le loro connessioni OpenVPN. L'ideale sarebbe utilizzare schemi di crittografia a prova di futuro per impostazione predefinita. Richiediamo inoltre che una terza parte indipendente verifichi la sicurezza del fornitore, idealmente in modo molto completo e su base ripetuta (annuale). + +**Requisiti minimi:** + +- Schemi di crittografia forti: OpenVPN con autenticazione SHA-256; handshake RSA-2048 o migliore; crittografia dei dati AES-256-GCM o AES-256-CBC. +- Perfect Forward Secrecy (PFS). +- Audit sulla sicurezza pubblicati da un'azienda terza affidabile. + +**Caso migliore:** + +- Crittografia più forte: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Audit sulla sicurezza completi pubblicati da un'azienda terza affidabile. +- Programmi di bug-bounty e/o un processo coordinato di divulgazione delle vulnerabilità. + +### Fiducia + +Non affideresti le tue finanze a qualcuno con un'identità falsa, quindi perché dovresti affidargli i tuoi dati internet? Richiediamo che i provider da noi consigliati rendano pubbliche la loro dirigenza o proprietà. Vorremmo anche vedere frequenti rapporti di trasparenza, soprattutto per quanto riguarda il modo in cui vengono gestite le richieste del governo. + +**Requisiti minimi:** + +- Dirigenza o proprietà pubblica. + +**Caso migliore:** + +- Dirigenza pubblica. +- Rapporti di trasparenza frequenti. + +### Marketing + +Con i fornitori di VPN che raccomandiamo ci piace vedere un marketing responsabile. + +**Requisiti minimi:** + +- Deve utilizzare sistemi di analisi dei dati propri (es. no Google Analytics). Il sito del provider deve inoltre rispettare [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) per le persone che desiderano rinunciare. + +Non deve avere alcun marketing ritenuto irresponsabile: + +- Garantire al 100% la protezione dell'anonimato. Quando qualcuno afferma che qualcosa è al 100% significa che non esiste fallimento. Sappiamo che le persone possono deanonimizzarsi facilmente in vari modi, ad es.: + - Riutilizzare informazioni personali (es., account e-mail, pseudonimi unici ecc.) con cui hanno eseguito accessi senza software di anonimizzazione (Tor, VPN, ecc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Sostenere che un singolo circuito VPN è più "anonimo di Tor", il quale è un circuito con 3 o più hop che cambiano regolarmente. +- Utilizzare linguaggio responsabile: per esempio, è accettabile dire che la VPN è "disconnessa" o "non connessa", tuttavia affermare che un utente è "esposto", "vulnerabile" o "compromesso" può creare allarmismi incorretti e inutili. Per esempio, quella persona potrebbe semplicemente star usando un'altra VPN o Tor. + +**Caso migliore:** + +Il marketing responsabile, che è sia educativo che utile per il consumatore, potrebbe includere: + +- Un confronto accurato con quando si dovrebbe usare [Tor](tor.md). +- Disponibilità del sito web del provider VPN su un [servizio .onion](https://en.wikipedia.org/wiki/.onion) + +### Funzionalità aggiuntive + +Anche se non requisiti rigidi, ci sono alcuni fattori che abbiamo considerato nel determinare quali servizi consigliare. Tra questi ci sono funzionalità di blocco dei tracker e delle pubblicità, canarini di garanzia, connessioni multihop, eccellenza nell'assistenza clienti, numero di connessioni simultanee consentite, ecc. diff --git a/i18n/ko/404.md b/i18n/ko/404.md new file mode 100644 index 00000000..ac35a3b1 --- /dev/null +++ b/i18n/ko/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - 페이지를 찾을 수 없습니다 + +찾고 계신 페이지를 찾을 수 없습니다! 혹시 이 중 하나를 찾고 계셨나요? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides 포럼](https://discuss.privacyguides.net) +- [Privacy Guides 블로그](https://blog.privacyguides.org) diff --git a/i18n/ko/CODE_OF_CONDUCT.md b/i18n/ko/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/ko/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/ko/about/criteria.md b/i18n/ko/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/ko/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/ko/about/donate.md b/i18n/ko/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/ko/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/ko/about/index.md b/i18n/ko/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/ko/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/ko/about/notices.md b/i18n/ko/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/ko/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/ko/about/privacy-policy.md b/i18n/ko/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/ko/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/ko/about/privacytools.md b/i18n/ko/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/ko/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/ko/about/services.md b/i18n/ko/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/ko/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/ko/about/statistics.md b/i18n/ko/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/ko/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/ko/advanced/communication-network-types.md b/i18n/ko/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/ko/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/ko/advanced/dns-overview.md b/i18n/ko/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/ko/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/ko/advanced/payments.md b/i18n/ko/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/ko/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/ko/advanced/tor-overview.md b/i18n/ko/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/ko/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/ko/android.md b/i18n/ko/android.md new file mode 100644 index 00000000..481bad8a --- /dev/null +++ b/i18n/ko/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/ko/assets/img/account-deletion/exposed_passwords.png b/i18n/ko/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/ko/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/ko/assets/img/android/rss-apk-dark.png b/i18n/ko/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/ko/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/ko/assets/img/android/rss-apk-light.png b/i18n/ko/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/ko/assets/img/android/rss-apk-light.png differ diff --git a/i18n/ko/assets/img/android/rss-changes-dark.png b/i18n/ko/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ko/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ko/assets/img/android/rss-changes-light.png b/i18n/ko/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ko/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ko/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ko/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/how-tor-works/tor-encryption.svg b/i18n/ko/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ko/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/how-tor-works/tor-path.svg b/i18n/ko/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ko/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ko/assets/img/multi-factor-authentication/fido.png b/i18n/ko/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ko/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ko/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ko/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ko/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ko/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ko/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ko/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/ko/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ko/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/ko/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/ko/basics/account-creation.md b/i18n/ko/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/ko/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/ko/basics/account-deletion.md b/i18n/ko/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/ko/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/ko/basics/common-misconceptions.md b/i18n/ko/basics/common-misconceptions.md new file mode 100644 index 00000000..ac1a1f12 --- /dev/null +++ b/i18n/ko/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "일반적인 오해" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/ko/basics/common-threats.md b/i18n/ko/basics/common-threats.md new file mode 100644 index 00000000..f9190911 --- /dev/null +++ b/i18n/ko/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "일반적인 위협" +icon: 'material/eye-outline' +description: 위협 모델은 개개인마다 다르지만, 이 사이트의 방문자 대부분이 관심을 가질 사항입니다. +--- + +전반적으로, Privacy Guides의 권장 목록은 대부분의 사람들에게 적용되는 [위협](threat-modeling.md) 혹은 목표로 분류됩니다. 여러분이 사용하는 툴 및 서비스는 여러분의 목표에 따라 달라지며, ==이러한 위협 가능성에 대한 관심도는 사람마다 다를 수 있습니다.== You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: 익명성 - 온라인 활동에서 실제 신원을 보호하여, *여러분의* 신원을 밝혀내려는 사람들로부터 여러분을 보호합니다. +- :material-target-account: 표적 공격 - *당신의* 데이터나 기기에 세부적으로 접근하려는 해커 및 그 외 악의적인 상대로부터 보호합니다. +- :material-bug-outline: 소극적 공격 - 멀웨어, 데이터 유출 등 다수의 사람을 한꺼번에 대상으로 삼는 공격으로부터 보호합니다. +- :material-server-network: 서비스 제공자 - (여러분의 데이터를 서버에서 읽을 수 없도록 하는 E2EE 등을 이용하여) 서비스 제공자로부터 여러분의 데이터를 보호합니다. +- :material-eye-outline: 대중 감시 - 여러분의 활동을 추적하기 위해 협력하는 정부 기관, 단체, 웹사이트, 서비스로부터 보호합니다. +- :material-account-cash: 감시 자본주의 - Google, Facebook 등의 거대 광고 네트워크 및 기타 수많은 제3자 데이터 수집 업체로부터 여러분을 보호합니다. +- :material-account-search: 공개 노출 - 여러분에 대한 정보를 (검색 엔진이나 일반 대중이) 온라인에서 접근하는 것을 제한합니다. +- :material-close-outline: 검열 - 정보 접근을 제한하는 검열을 회피하고, 온라인상에서 자신의 주장이 검열되는 것을 방지합니다. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## 익명성 vs 프라이버시 + +:material-incognito: 익명성 + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/ko/basics/email-security.md b/i18n/ko/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/ko/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/ko/basics/multi-factor-authentication.md b/i18n/ko/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/ko/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/ko/basics/passwords-overview.md b/i18n/ko/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/ko/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/ko/basics/threat-modeling.md b/i18n/ko/basics/threat-modeling.md new file mode 100644 index 00000000..135aff0f --- /dev/null +++ b/i18n/ko/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "위협 모델링" +icon: 'material/target-account' +description: 보안, 개인정보 보호, 사용성 간의 균형 조절은 개인정보 보호 여정에서 가장 먼저 직면하게 될 가장 어려운 과제 중 하나입니다. +--- + +보안, 개인정보 보호, 사용성 간의 균형 조절은 개인정보 보호 여정에서 제일 먼저 직면하게 될 가장 어려운 과제 중 하나입니다. 무엇이든 장단점이 있습니다. '더 뛰어난 보안'은 일반적으로 '더 많은 제약이나 불편함'을 의미합니다. 사람들로부터 권장 툴의 문제점으로 자주 지적되는 것은, "사용하기 너무 어렵다"라는 점입니다. + +**가장 안전한** 보안 툴을 사용하고자 한다면, 사용성을 **대폭 희생**해야 합니다. 게다가 ==완벽한 보안은 존재하지 않습니다.== **높은** 보안은 존재하지만 **완벽한** 보안은 존재하지 않습니다. 그렇기에 위협 모델링이 중요한 것입니다. + +**그래서, 위협 모델이 대체 뭘까요?** + +==위협 모델은 보안과 개인정보 보호를 위해 가장 신경 써야 할 위험 요소들의 목록입니다.== **모든** 공격 및 공격자로부터 스스로를 보호하는 것은 불가능하므로, **가장 가능성 높은** 위협에 초점을 맞춰야 합니다. 컴퓨터 보안 분야에서 '위협'이란 개인 정보와 보안을 보호하고 유지함에 방해가 되는 이벤트를 의미합니다. + +자신의 상황에 적합한 툴을 제대로 선택하기 위해선 중대한 위협에 집중하여 고민 요소를 줄여야 합니다. + +## 위협 모델 만들기 + +발생할 수 있는 위협이 무엇인지, 누구로부터 지켜야 하는지를 제대로 인식하려면 다음 5가지 질문을 따져 보아야 합니다. + +1. 무엇을 보호해야 하나요? +2. 누구로부터 보호해야 하나요? +3. 실제 위협이 발생할 가능성이 얼마나 되나요? +4. 만약 보호하지 못할 경우 얼마나 치명적인가요? +5. 일어날지도 모르는 문제를 방지하기 위해, 얼마나 많은 노력을 기울일 의향이 있나요? + +### 무엇을 보호해야 하나요? + +'자산'이란, 여러분이 소중히 여기고 보호하는 무언가를 의미합니다. 디지털 보안 분야에서 =='자산'은 일반적으로 일종의 정보를 의미합니다.== 이메일, 연락처, 메신저 내용, 위치, 파일 등은 모두 자산이라 할 수 있습니다. 여러분이 사용하는 기기 자체도 자산이 될 수 있습니다. + +*여러분의 자산 목록을 정리하세요. 어떤 데이터를 보관하고 있는지, 어디에 보관하고 있는지, 누가 접근할 수 있는지, 남이 접근해서는 안 되는 데이터는 무엇인지 등을 말입니다.* + +### 누구로부터 보호해야 하나요? + +먼저, 여러분 개인 및 여러분의 정보를 목표삼을 만한 상대가 누구인지 인지하는 것이 중요합니다. ==자산에 위협을 가하는 사람이나 단체를 '공격자'라고 합니다.== 잠재적 공격자의 예로는 상사, 전 파트너, 비즈니스 경쟁사, 국가의 정부, 공용 네트워크의 해커 등이 있습니다. + +*공격자 또는 여러분의 자산을 손에 넣으려는 사람들의 목록을 정리하세요. 목록에는 개인, 정부 기관, 법인 등이 포함될 수 있습니다.* + +공격자가 누구인지, 그리고 상황에 따라 이 목록은 보안 계획을 세우고 나면 삭제해야 하는 항목일 수도 있습니다. + +### 실제 위협이 발생할 가능성이 얼마나 되나요? + +=='위험'은 특정 자산에 대한 특정 위협이 실제로 발생할 가능성입니다.== 이는 공격자의 역량과 밀접한 관련이 있습니다. 휴대폰 제공 업체는 여러분의 모든 데이터에 접근하는 것이 가능하지만, 여러분의 개인 정보를 온라인에 게시하여 사용자의 평판을 해칠 위험은 낮습니다. + +'일어날 수 있는 일'과 '일이 일어날 확률'을 구분하는 것이 중요합니다. 예를 들어, 건물이 무너질 위험은 어디든 존재합니다. 하지만 샌프란시스코(지진이 잦은 지역)는 스톡홀름(지진이 드문 지역)보다 위험성이 훨씬 높습니다. + +위험성 평가는 개인적이고 주관적인 과정입니다. 많은 사람들은 어떤 위협이 발생할 가능성이 아무리 낮더라도, 해당 위협이 발생할 경우 감당해야 하는 비용이 막대하다고 생각하면, 그 위협을 절대로 용납할 수 없습니다. 반면, 어떤 위협의 가능성이 높더라도 해당 위협을 딱히 문제라고 생각하지 않는다면 그냥 무시하는 경우도 있습니다. + +*심각하게 받아들여야 하는 위협은 무엇인지, 가능성이 너무 낮거나 발생하더라도 위험성이 낮아(혹은 반대로 대처가 불가능에 가까워) 실질적으로 걱정할 필요 없는 위협은 무엇인지 정리해 보세요.* + +### 만약 보호하지 못할 경우 얼마나 치명적인가요? + +공격자가 여러분의 데이터에 접근하는 방법은 여러 가지가 있습니다. 예를 들어, 공격자는 네트워크를 지나가는 개인 통신을 읽거나, 여러분의 데이터를 삭제/손상시킬 수 있습니다. + +==공격자의 동기는 전술과 마찬가지로 매우 다양합니다.== 경찰의 폭력을 폭로하는 동영상 확산을 막으려는 정부는 해당 동영상을 단순히 삭제하거나 제한하는 게 목적일 겁니다. 반면, 정치적 반대 세력은 사용자 몰래 해당 비밀 콘텐츠에 접근하여 공개적으로 게시하려고 들 수 있습니다. + +보안 계획에는 공격자가 자산 중 하나에 접근하는 데 성공할 경우 얼마나 심각한 결과를 초래할 수 있는지 이해하는 것이 포함됩니다. 이를 결정하려면 공격자의 역량을 고려해야 합니다. 예를 들어, 휴대폰 제공업체는 여러분의 모든 휴대폰 기록에 접근할 수 있습니다. 개방형 Wi-Fi 네트워크의 해커는 암호화되지 않은 통신에 접근할 수 있습니다. 여러분이 사는 국가의 정부는 더 강력한 역량을 가지고 있을 수 있습니다. + +*공격자가 여러분의 개인 데이터를 이용해 할 법한 일은 무엇인지 정리해보세요.* + +### 일어날지도 모르는 문제를 방지하기 위해, 얼마나 많은 노력을 기울일 의향이 있나요? + +==보안을 위한 완벽한 선택지는 없습니다.== 모든 사람들이 동일한 우선 순위, 우려 사항, 자원에 대한 접근 권한을 가지고 있지는 않습니다. 위험성 평가를 통해 편의성, 비용, 프라이버시의 균형을 맞추면서 자신에게 적합한 전략을 계획할 수 있습니다. + +예를 들어, 국가 안보 사건에서 의뢰인을 대리하는 변호사는 해당 사건 관련 대화를 보호하기 위해 암호화된 이메일을 사용하는 등 더 많은 노력을 기울일 수 있습니다. 반면, 재미있는 고양이 영상을 딸에게 정기적으로 메일로 보내는 어머니는 그럴 필요가 적습니다. + +*고유한 위협을 완화하는 데 사용할 수 있는 옵션이 무엇인지 정리해보세요. 재정적, 기술적, 사회적 제약이 있는지 여부도 확인하세요.* + +### 직접 해봅시다: 재산 보호하기 + +이러한 질문은 온라인/오프라인의 다양한 상황에 적용될 수 있습니다. 실제 과정을 알아보기 위한 보편적인 예시로, 집과 재산을 안전하게 보호하는 계획을 세워 보겠습니다. + +**무엇을 보호해야 하나요? (보호할 가치가 있는 것은 무엇인가요?)** +: + +여러분의 자산에는 귀금속, 전자기기, 중요 문서, 추억 사진 등이 포함될 수 있습니다. + +**누구로부터 보호해야 하나요?** +: + +공격자는 도둑, 룸메이트, 손님 등이 포함될 수 있습니다. + +**실제 위협이 발생할 가능성이 얼마나 되나요?** +: + +주변 동네에 절도 사건이 발생한 적이 있나요? 룸메이트, 손님은 얼마나 믿을만한가요? 공격자의 역량은 어느 정도인가요? 고려해야 할 위험 요소는 무엇인가요? + +**만약 보호하지 못할 경우 얼마나 치명적인가요?** +: + +집에 대체할 수 없는 물건이 있나요? 그런 물건을 대체하는데 필요한 시간, 돈은 충분한가요? 도난보험을 가입해두셨나요? + +**일어날지도 모르는 문제를 방지하기 위해, 얼마나 많은 노력을 기울일 의향이 있나요?** +: + +중요 문서 보관용 금고를 구매할 의향이 있으신가요? 품질이 뛰어난 잠금장치를 살 여유가 충분한가요? 주변 은행의 대여금고를 이용해 귀중품을 보관할 시간적 여유는 있으신가요? + +이런 질문의 답을 모두 생각해 본 후에야 어떤 조치를 취할지 판단할 수 있습니다. 귀중품이 있더라도 누군가 침입할 가능성이 낮다면, 잠금장치에 돈을 투자할 필요성은 적습니다. 하지만 침입 가능성이 높다면, 가능한 한 좋은 잠금장치를 설치하고 보안 시스템 강화를 고려해야할 겁니다. + +고유한 위협을 파악하고 자산, 공격자, 공격자의 역량, 위험성을 평가하는 데에는 보안 계획을 세우는 것이 유용합니다. + +## 더 읽을거리 + +온라인 프라이버시 및 보안을 강화하려는 분들께 도움이 되고자, 우리 사이트 방문자들이 자주 마주할 수 있는 일반적인 위협과 그에 따른 목표를 정리하였습니다. 이를 통해 여러분의 참고가 되고자 하며, 사이트 권장 목록의 기준을 소개해 드립니다. + +- [일반적인 목표 및 위협 :material-arrow-right-drop-circle:](common-threats.md) + +## 출처 + +- [EFF 감시 자기방어: 보안 계획](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/ko/basics/vpn-overview.md b/i18n/ko/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/ko/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/ko/calendar.md b/i18n/ko/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/ko/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/ko/cloud.md b/i18n/ko/cloud.md new file mode 100644 index 00000000..47a7367d --- /dev/null +++ b/i18n/ko/cloud.md @@ -0,0 +1,99 @@ +--- +title: "클라우드 스토리지" +icon: material/file-cloud +description: 대부분의 클라우드 스토리지 제공 업체는, 업체가 사용자의 파일을 보지 않을 것이라는 믿음이 필수적입니다. 프라이버시 보호 대체제를 소개합니다! +--- + +대부분의 클라우드 스토리지 서비스에서, 사용자는 그저 '제공 업체가 사용자의 파일을 함부로 열람하지 않을 것'이라고 전적으로 신뢰해야 할 뿐입니다. 아래에 제시된 대안은 E2EE 보안을 구현하여 '신뢰'의 필요성을 처음부터 제거합니다. + +이러한 대안들이 여러분의 요구에 맞지 않는 경우, 다른 클라우드 제공 업체를 [Cryptomator](encryption.md#cryptomator-cloud) 등의 암호화 소프트웨어와 함께 사용할 것을 권장합니다. **어떤** 클라우드 제공 업체든(본 목록 포함), Cryptomator를 함께 사용함으로써 제공 업체의 기본 클라이언트에서 발생할 수 있는 암호화 결함 위험성을 낮출 수 있습니다. + +??? question "Nextcloud를 찾고 계신가요?" + + Nextcloud는 자체 호스팅 파일 관리 제품군으로 [권장 목록에 존재](productivity.md)하고 있습니다. 하지만, 현재로서 Privacy Guides는 제3자 Nextcloud 스토리지 제공 업체를 권장하지 않습니다. Nextcloud 내장 E2EE 기능을 일반 사용자에게 [권장하지 않기 때문](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29)입니다. + +## Proton Drive + +!!! recommendation + + ![Proton Drive 로고](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive**는 유명한 스위스의 암호화 이메일 서비스 제공 업체인 [Proton Mail](email.md#proton-mail)의 암호화 클라우드 스토리지 서비스입니다. + + [:octicons-home-16: 홈페이지](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="프라이버시 정책" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=문서} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="소스 코드" } + + ??? downloads "다운로드" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive 웹 어플리케이션은 [2021년에](https://proton.me/blog/security-audit-all-proton-apps) Securitum으로부터 독립적으로 감사를 받았습니다. 세부 내용은 제공되지 않았지만, Securitum 인증서에 따르면 다음과 같습니다: + +> 감사자는 중요도가 낮은 취약점을 2개 발견했습니다. 또한, 일반 권장 사항이 5개 보고되었습니다. 동시에, 침투 테스트 중에 중요한 보안 문제가 발견되지 않았음을 확인했습니다. + +Proton Drive의 새로운 모바일 클라이언트는 아직 제3자에 의해 공개적으로 감사를 받지 않았습니다. + +## Tresorit + +!!! recommendation + + ![Tresorit 로고](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit**은 2011년에 설립된 헝가리의 암호화 클라우드 스토리지 제공 업체입니다. Tresorit은 스위스 국영 우편 서비스인 스위스 포스트(스위스 우체국)가 소유하고 있습니다. + + [:octicons-home-16: 홈페이지](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="프라이버시 정책" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=문서} + + ??? downloads "다운로드" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit은 독립적인 보안 감사를 여러 차례 받았습니다. + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): TÜV Rheinland InterCert Kft ISO/IEC 27001:2013[^1] 준수 [인증](https://www.certipedia.com/quality_marks/9108644476) +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Computest 모의 침투 테스트 + - 해당 검토에서는 Tresorit 웹 클라이언트, Android/Windows 앱 및 관련 인프라 보안을 평가했습니다. + - Computest는 취약점을 2개 발견했으며, 이 취약점은 해결되었습니다. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Ernst & Young 모의 침투 테스트 + - 해당 검토에서는 Tresorit의 전체 소스 코드를 분석하여, Tresorit [백서](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf)에서 설명한 개념과 구현이 일치하는지 검증했습니다. + - Ernst & Young은 추가로 웹, 모바일, 데스크톱 클라이언트를 검사했습니다. "검사 결과, Tresorit이 주장하는 데이터 기밀성과 차이가 없는 것으로 나타났습니다." + +추가적으로, [스위스 디지털 이니셔티브(Swiss Digital Initiative)](https://www.swiss-digital-initiative.org/digital-trust-label/)의 보안, 프라이버시, 신뢰성 관련 [35개 평가 기준](https://digitaltrust-label.swiss/criteria/)을 통과해야 하는 Digital Trust Label 인증을 받았습니다. + +## 평가 기준 + +**Privacy Guides는 권장 목록의 어떠한 프로젝트와도 제휴를 맺지 않았습니다.** 객관적인 권장 목록을 제공하기 위해, [일반적인 평가 기준](about/criteria.md)에 더해 명확한 요구 사항을 정립하였습니다. 어떠한 프로젝트를 선택해 사용하기 전에, 이러한 요구 사항들을 숙지하고 여러분 스스로 조사하는 과정을 거쳐 적절한 선택을 하시기 바랍니다. + +!!! example "이 단락은 최근에 만들어졌습니다" + + Privacy Guides 팀은 사이트의 모든 항목마다 명확한 평가 기준을 정립하는 중이며, 따라서 세부 내용은 변경될 수 있습니다. 평가 기준에 대해서 질문이 있다면 [포럼에서 문의](https://discuss.privacyguides.net/latest)하시기 바랍니다. (무언가가 목록에 존재하지 않다고 해서 권장 목록을 작성할 때 고려한 적이 없을 것으로 단정 짓지 마세요.) 권장 목록에 어떤 프로젝트를 추가할 때 고려하고 논의해야 할 요소는 매우 많으며, 모든 요소를 문서화하는 것은 현재 진행 중인 작업입니다. + +### 최소 요구 사항 + +- 종단 간 암호화가 적용되어야 합니다. +- 테스트용 무료 요금제/체험판 기간을 제공해야 합니다. +- TOTP/FIDO2 다중 요소 인증 혹은 Passkey 로그인을 지원해야 합니다. +- 기본적인 파일 관리 기능을 지원하는 웹 인터페이스를 제공해야 합니다. +- 모든 파일/문서를 쉽게 내보낼 수 있어야 합니다. +- 감사받은 표준 암호화를 사용해야 합니다. + +### 우대 사항 + +평가 기준에서 '우대 사항'은 해당 부문에서 완벽한 프로젝트에 기대하는 바를 나타냅니다. 다음의 우대 사항에 해당하지 않더라도 권장 목록에 포함될 수 있습니다. 단, 우대 사항에 해당할수록 이 페이지의 다른 항목보다 높은 순위를 갖습니다. + +- 클라이언트는 오픈 소스여야 합니다. +- 클라이언트는 독립적인 제3자로부터 전체 감사를 받아야 합니다. +- Linux, Android, Windows, macOS, iOS 네이티브 클라이언트를 제공해야 합니다. + - 클라이언트는 운영체제에서 기본으로 제공하는 클라우드 스토리지 서비스용 툴과 통합되어야 합니다. 예시: iOS '파일' 앱 연동, Android DocumentsProvider 기능 등 +- 다른 사용자와의 간편한 파일 공유를 지원해야 합니다. +- 웹 인터페이스에서 최소한 기본적인 파일 미리보기 및 편집 기능을 제공해야 합니다. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 준수는 회사의 [정보 보안 관리 시스템](https://en.wikipedia.org/wiki/Information_security_management)과 연관되며 클라우드 서비스의 판매, 개발, 유지 관리 및 지원에 적용됩니다. diff --git a/i18n/ko/cryptocurrency.md b/i18n/ko/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/ko/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/ko/data-redaction.md b/i18n/ko/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/ko/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/ko/desktop-browsers.md b/i18n/ko/desktop-browsers.md new file mode 100644 index 00000000..ee0af473 --- /dev/null +++ b/i18n/ko/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "데스크톱 브라우저" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: 비공개 탐색 데스크톱 브라우저 권장 목록 + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### 권장 설정 + +이러한 옵션은 :material-menu: → **설정** → **개인 정보 및 보안**에서 확인할 수 있습니다 + +##### 향상된 추적 방지 기능 + +- [x] 향상된 추적 방지 기능에서 **엄격** 활성화 + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +특정 사이트의 로그인을 유지하려면 **쿠키 및 사이트 데이터** → **예외 관리...**에서 예외를 허용할 수 있습니다. + +- [x] **Firefox를 닫을 때 쿠키와 사이트 데이터를 삭제** 활성화 + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### 검색 제안 + +- [ ] **검색 제안 사용** 비활성화 + +여러분의 지역에 따라 검색 제안 기능을 사용하지 못할 수도 있습니다. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] **Firefox가 기술과 상호 작용 정보를 Mozilla에 전송하도록 허용** 비활성화 +- [ ] **Firefox가 연구를 설치하고 실행하도록 허용** 비활성화 +- [ ] **Firefox가 사용자를 대신하여 백로그된 충돌 보고서를 보내도록 허용** 비활성화 + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +또한 Firefox 계정 서비스는 [일부 기술 데이터](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts)를 수집합니다. If you use a Firefox Account you can opt-out: + +1. [accounts.firefox.com 프로필 설정](https://accounts.firefox.com/settings#data-collection) 열기 +2. **데이터 수집 및 사용** > **Firefox 계정 개선에 참여** 비활성화 + +##### HTTPS 전용 모드 + +- [x] **모든 창에서 HTTPS 전용 모드 사용** 활성화 + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox 동기화 + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (고급) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## 평가 기준 + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/ko/desktop.md b/i18n/ko/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/ko/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/ko/dns.md b/i18n/ko/dns.md new file mode 100644 index 00000000..a8cc21da --- /dev/null +++ b/i18n/ko/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/ko/email-clients.md b/i18n/ko/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/ko/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/ko/email.md b/i18n/ko/email.md new file mode 100644 index 00000000..62156fdd --- /dev/null +++ b/i18n/ko/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ko/encryption.md b/i18n/ko/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/ko/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/ko/file-sharing.md b/i18n/ko/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/ko/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/ko/financial-services.md b/i18n/ko/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/ko/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/ko/frontends.md b/i18n/ko/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/ko/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/ko/index.md b/i18n/ko/index.md new file mode 100644 index 00000000..bc1298d1 --- /dev/null +++ b/i18n/ko/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.ko.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## 왜 신경 써야 하나요? + +##### "전 숨길 게 없어요. 프라이버시를 신경 써야 할 이유가 있나요?" + +다문화 가정, 성평등, 표현의 자유 등 여타 기본권과 마찬가지로, 우리의 사생활은 언제나 보장받아야 하지만 때론 그렇지 못한 것이 사실입니다. 여러 독재 정권 국가에서는 더더욱 그렇습니다. 사생활의 자유는 앞선 세대들이 싸워 쟁취해낸 권리입니다. =='사생활의 비밀과 자유'는 인간이라면 누구나 보장받아야 하며== 차별받거나 침해받아선 안 됩니다. + +'무언가를 숨기거나 감추는 것'과 '사생활 보호'를 혼동하면 안 됩니다. 여러분이 화장실에서 뭘 하는지는 명백함에도 불구하고, 여러분은 항상 화장실 문을 닫아둡니다. 이는 여러분이 무언가를 감추고자 한 것이 아닌, 사생활을 보호하고자 한 것이죠. **누구나** 보호해야 할 것이 있습니다. 우리가 사람답게 살기 위해서는 프라이버시가 필요합니다. + +[:material-target-account: 일반적인 인터넷 위협](basics/common-threats.md ""){.md-button.md-button--primary} + +## 무엇을 해야 하나요? + +##### 먼저 계획을 세워야 합니다. + +여러분의 모든 데이터를 모든 상대로부터 항상 보호하는 것은 비현실적이고, 비용도 많이 들며, 지치는 일입니다. 하지만 걱정 마세요! 보안은 하나의 과정이며, 미리 생각하면 자신에게 맞는 계획을 세울 수 있습니다. 특정 툴 사용이나 프로그램 설치가 보안의 전부는 아닙니다. 여러분이 어떤 위협에 직면하고 있는지, 위협을 완화할 수 있는 방법을 무엇인지를 이해하는 것부터 시작해야 합니다. + +==위협을 식별하고, 대응책을 정의하는 과정을 **위협 모델링**==이라 합니다. 훌륭한 보안, 개인정보 보호 계획이라면 언제나 그 근간에는 위협 모델링이 존재합니다. + +[:material-book-outline: 위협 모델링에 대해 자세히 알아보기](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## 여러분의 도움이 필요합니다! 참여 방법은 다음과 같습니다: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="포럼 참여" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Mastodon 팔로우" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="사이트 기여하기" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="사이트 번역 돕기" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Matrix 채팅 참여하기" } +[:material-information-outline:](about/index.md){ title="Privacy Guides에 대해 알아보기" } +[:material-hand-coin-outline:](about/donate.md){ title="프로젝트 후원하기" } + +Privacy Guides와 같은 사이트는 언제나 최신 정보를 제공하는 것이 중요합니다. 사이트에서 안내된 프로그램의 업데이트를 주시하고, 추천한 제공 업체 관련 최신 뉴스를 따라가기 위해서는 여러분들의 집단 지성이 필요합니다. 인터넷의 빠른 변화를 따라잡기는 쉽지 않지만, 우린 최선을 다하고 있습니다. 사이트에서 오류를 발견하셨거나, 특정 제공 업체가 목록에서 제외되어야 한다고 생각하시거나, 혹은 적절한 제공업체가 누락되었거나, 브라우저 플러그인이 더 이상 훌륭한 선택이 아니라고 생각하시는 등 각종 문제를 발견한 경우 알려주시기 바랍니다. diff --git a/i18n/ko/kb-archive.md b/i18n/ko/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/ko/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/ko/meta/brand.md b/i18n/ko/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/ko/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/ko/meta/git-recommendations.md b/i18n/ko/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/ko/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/ko/meta/uploading-images.md b/i18n/ko/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/ko/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/ko/meta/writing-style.md b/i18n/ko/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/ko/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/ko/mobile-browsers.md b/i18n/ko/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/ko/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/ko/multi-factor-authentication.md b/i18n/ko/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/ko/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/ko/news-aggregators.md b/i18n/ko/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/ko/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/ko/notebooks.md b/i18n/ko/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/ko/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/ko/os/android-overview.md b/i18n/ko/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/ko/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/ko/os/linux-overview.md b/i18n/ko/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/ko/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/ko/os/qubes-overview.md b/i18n/ko/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/ko/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/ko/passwords.md b/i18n/ko/passwords.md new file mode 100644 index 00000000..e361e3c6 --- /dev/null +++ b/i18n/ko/passwords.md @@ -0,0 +1,341 @@ +--- +title: "비밀번호 관리자" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/ko/productivity.md b/i18n/ko/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/ko/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/ko/real-time-communication.md b/i18n/ko/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/ko/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/ko/router.md b/i18n/ko/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/ko/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/ko/search-engines.md b/i18n/ko/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/ko/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/ko/tools.md b/i18n/ko/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/ko/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/ko/tor.md b/i18n/ko/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/ko/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/ko/video-streaming.md b/i18n/ko/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/ko/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/ko/vpn.md b/i18n/ko/vpn.md new file mode 100644 index 00000000..6bba2546 --- /dev/null +++ b/i18n/ko/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/ku-IQ/404.md b/i18n/ku-IQ/404.md new file mode 100644 index 00000000..cf4aed02 --- /dev/null +++ b/i18n/ku-IQ/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - نەدۆزرایەوە + +نەمانتوانی ئەو پەڕەیە بدۆزینەوە کە بەدوایدا دەگەڕایت! لەوانەیە تۆ بەدوای یەکێک لەمانەدا بگەڕێیت؟ + +- [پێشەکی بۆ مۆدێلی هەڕەشە](basics/threat-modeling.md) +- [دابینکەرانی DNSـی پێشنیارکراو](dns.md) +- [باشترین وێبگەڕانی کۆمپیوتەر](desktop-browsers.md) +- [باشترین دابینکەرانی VPN](vpn.md) +- [سەکۆی Privacy Guides](https://discuss.privacyguides.net) +- [بڵۆگەکەنان](https://blog.privacyguides.org) diff --git a/i18n/ku-IQ/CODE_OF_CONDUCT.md b/i18n/ku-IQ/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/ku-IQ/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/ku-IQ/about/criteria.md b/i18n/ku-IQ/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/ku-IQ/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/ku-IQ/about/donate.md b/i18n/ku-IQ/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/ku-IQ/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/ku-IQ/about/index.md b/i18n/ku-IQ/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/ku-IQ/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/ku-IQ/about/notices.md b/i18n/ku-IQ/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/ku-IQ/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/ku-IQ/about/privacy-policy.md b/i18n/ku-IQ/about/privacy-policy.md new file mode 100644 index 00000000..f83197fa --- /dev/null +++ b/i18n/ku-IQ/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "سیاسەتی تایبەتێتـی" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/ku-IQ/about/privacytools.md b/i18n/ku-IQ/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/ku-IQ/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/ku-IQ/about/services.md b/i18n/ku-IQ/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/ku-IQ/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/ku-IQ/about/statistics.md b/i18n/ku-IQ/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/ku-IQ/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/ku-IQ/advanced/communication-network-types.md b/i18n/ku-IQ/advanced/communication-network-types.md new file mode 100644 index 00000000..f5a12c21 --- /dev/null +++ b/i18n/ku-IQ/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[نامەبەرە دەستبەجێیە پێشنیارکراوەکان](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/ku-IQ/advanced/dns-overview.md b/i18n/ku-IQ/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/ku-IQ/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/ku-IQ/advanced/payments.md b/i18n/ku-IQ/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/ku-IQ/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/ku-IQ/advanced/tor-overview.md b/i18n/ku-IQ/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/ku-IQ/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/ku-IQ/android.md b/i18n/ku-IQ/android.md new file mode 100644 index 00000000..57de5696 --- /dev/null +++ b/i18n/ku-IQ/android.md @@ -0,0 +1,426 @@ +--- +title: "ئەندرۆید" +icon: 'simple/android' +description: 'دەتوانیت سیستەمی کارپێکردن سەر تەلەفۆنی ئەندرۆیدەکەت بگۆڕیت بۆ ئەم جێگرەوانەی، کە پارێزراو و ڕێزگرن لە تایبەتمەندێتی.' +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +**پڕۆژەی ئەندرۆیدی سەرچاوەکراوە** سیستەمی سەرچاوەکراوەی کارپێکردنی مۆبایلە کە لە لایەن گووگڵەوە بەڕێوەدەبرێت, کە زۆربەی ئامێرەکانی مۆبایل لە جیهاندا بەکاردێت. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/ku-IQ/assets/img/account-deletion/exposed_passwords.png b/i18n/ku-IQ/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/ku-IQ/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/ku-IQ/assets/img/android/rss-apk-dark.png b/i18n/ku-IQ/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/ku-IQ/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/ku-IQ/assets/img/android/rss-apk-light.png b/i18n/ku-IQ/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/ku-IQ/assets/img/android/rss-apk-light.png differ diff --git a/i18n/ku-IQ/assets/img/android/rss-changes-dark.png b/i18n/ku-IQ/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ku-IQ/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ku-IQ/assets/img/android/rss-changes-light.png b/i18n/ku-IQ/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ku-IQ/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/how-tor-works/tor-path.svg b/i18n/ku-IQ/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ku-IQ/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ku-IQ/assets/img/multi-factor-authentication/fido.png b/i18n/ku-IQ/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ku-IQ/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ku-IQ/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ku-IQ/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ku-IQ/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ku-IQ/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ku-IQ/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ku-IQ/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/ku-IQ/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ku-IQ/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/ku-IQ/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/ku-IQ/basics/account-creation.md b/i18n/ku-IQ/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/ku-IQ/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/ku-IQ/basics/account-deletion.md b/i18n/ku-IQ/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/ku-IQ/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/ku-IQ/basics/common-misconceptions.md b/i18n/ku-IQ/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/ku-IQ/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/ku-IQ/basics/common-threats.md b/i18n/ku-IQ/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/ku-IQ/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/ku-IQ/basics/email-security.md b/i18n/ku-IQ/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/ku-IQ/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/ku-IQ/basics/multi-factor-authentication.md b/i18n/ku-IQ/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/ku-IQ/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/ku-IQ/basics/passwords-overview.md b/i18n/ku-IQ/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/ku-IQ/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/ku-IQ/basics/threat-modeling.md b/i18n/ku-IQ/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/ku-IQ/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/ku-IQ/basics/vpn-overview.md b/i18n/ku-IQ/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/ku-IQ/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/ku-IQ/calendar.md b/i18n/ku-IQ/calendar.md new file mode 100644 index 00000000..bbcb033a --- /dev/null +++ b/i18n/ku-IQ/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/ku-IQ/cloud.md b/i18n/ku-IQ/cloud.md new file mode 100644 index 00000000..e375d093 --- /dev/null +++ b/i18n/ku-IQ/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/ku-IQ/cryptocurrency.md b/i18n/ku-IQ/cryptocurrency.md new file mode 100644 index 00000000..ba06ba1e --- /dev/null +++ b/i18n/ku-IQ/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/ku-IQ/data-redaction.md b/i18n/ku-IQ/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/ku-IQ/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/ku-IQ/desktop-browsers.md b/i18n/ku-IQ/desktop-browsers.md new file mode 100644 index 00000000..85ee0d78 --- /dev/null +++ b/i18n/ku-IQ/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/ku-IQ/desktop.md b/i18n/ku-IQ/desktop.md new file mode 100644 index 00000000..2db4d119 --- /dev/null +++ b/i18n/ku-IQ/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/ku-IQ/dns.md b/i18n/ku-IQ/dns.md new file mode 100644 index 00000000..becfd4b9 --- /dev/null +++ b/i18n/ku-IQ/dns.md @@ -0,0 +1,139 @@ +--- +title: "چارەسەرکەرانی DNS" +icon: material/dns +description: ئەمانە هەندێک لە دابینکەرانی DNSـی شفرکراون، کە پێشنیاری بەکارهێنانیان دەکەین. بۆ ڕزگارت بوون لە شێوەپێدراوە بنەڕەتیکانی ISPـیەکەت. +--- + +DNSـی شفرکراو تەنها دەبێت بەکار بهێنرێت لەگەڵ ڕاژەکاری لایەنی سێیەم بۆ تێپەڕاندنی [قەدەغەکردنێکی DNSـی](https://en.wikipedia.org/wiki/DNS_blocking) سادە. کاتێک دڵنیا دەبیت کە هیچ دەرئەنجامێک نابێت. DNSـی شفرکراو یارمەتیت نادات لە شاردنەوەی هیچ یەکێک لە چالاکیەکانی گەڕانت. + +[دەربارەی DNS زیاتر فێربە:material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## دابینکەرانی پێشنیارکراو + +| دابینکەری DNS | سیاسەتی تایبەتێتـی | پڕۆتۆکۆڵەکان | هەڵگرتنی تۆمار | ECS | پاڵاوتن | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------------ | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | هەندێک[^1] | نەخێر | لەسەر بنەمای هەڵبژاردنی ڕاژەیە. لیستی پاڵاوتنی بەکارهێنراو لێرە دەدۆزرێتەوە. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH
DoT | هەندێک[^2] | نەخێر | لەسەر بنەمای هەڵبژاردنی ڕاژەیە. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | ئارەزوومەندانە[^3] | نەخێر | لەسەر بنەمای هەڵبژاردنی ڕاژەیە. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | نەخێر[^4] | نەخێر | لەسەر بنەمای هەڵبژاردنی ڕاژەیە. لیستی پاڵاوتنی بەکارهێنراو لێرە دەدۆزرێتەوە. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH
DoT | ئارەزوومەندانە[^5] | ئارەزوومەندانە | لەسەر بنەمای هەڵبژاردنی ڕاژەیە. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | هەندێک[^6] | ئارەزوومەندانە | لەسەر بنەمای هەڵبژاردنی ڕاژەیە، لەبنەڕەتەوە بەربەستی زیانەواڵەیە. | + +## پێوەرەکان + +**تکایە تێبینی ئەوە بکە کە ئێمە سەر بە هیچ کام لەو پرۆژانە نین کە پێشنیاری دەکەین.** وە جگە لە [ پێوەرە بنچینەییەکانمان](about/criteria.md), ئێمە کۆمەڵێک مەرجی ڕوونمان دامەزراندووە بۆ ئەوەی ڕێگەمان پێبدات پێشنیاری ڕاست بکەین. ئێمە پێشنیاری ئەوە دەکەین کە تۆ خۆت ئاشنا بکەیت لەگەڵ ئەم لیستە پێش هەڵبژاردن و بەکارهێنانی دابینکەرەکە وە لێکۆڵینەوەی خۆت بکەیت بۆ دڵنیابوون لەوەی، کە ئەمە هەڵبژاردنێکی گونجاوە بۆ تۆ. + +!!! نموونە "ئەم بەشە نوێیە" + + ئێمە کار لەسەر دانانی پێوەرە پێناسەکراوەکان دەکەین بۆ هەموو بەشێکی ماڵپەڕەکەمان, وە ئەمە لەوانەیە بگۆڕدرێت. ئەگەر هیچ پرسیارێکت هەیە سەبارەت بە پێوەرەکانی ئێمە. ئەوا تکایە [لە سەکۆکەمان پرسیار بکە](https://discuss.privacyguides.net/latest). وە وادامەنێ کە ئێمە هیچ شتێکمان لەبەرچاو نەگرتوە لە کاتی دروستکردنی پێشنیارەکانمان ئەگەر لە لیستەکە نەبێت. چەندین هۆکار هەن کە لەبەرچاو دەگرین و گفتوگۆیان لەسەر دەکرێت کاتێک پێشنیاری پرۆژەیەک دەکەین. وە تۆمارکردنی هەریەکەیان کارێکی بەردەوامە. + +- پێویستە بشتگیری [DNSSEC](advanced/dns-overview.md#what-is-dnssec) بکات. +- [بچووکردنەوەی QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- ڕێگە بە ناچالاک کردنی [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) بدات. +- پەسند کردنی [Anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) یان پشتگیری "ئاڕاستەی-جوگرافی". + +## پشتگیری لە سیستەمی کارپێکەری بنەچەیی + +### ئەندرۆید + +ئەندرۆید 9 و سەرووتر پشتگیری DNS دەکەن لە ڕێگەی TLS. ڕێکخستنەکان دەتوانرێ بدۆزرێتەوە لە: **Settings**→**Network & Internet**→**Private DNS**. + +### ئامێرەکانی Apple + +کۆتا وەشەنەکان لە tvOS، iPadOS، iOS لەگەڵ macOS هەموویان پشتگیری لە DoT و DoH دەکەن. هەردوو پرۆتۆکۆلەکە بە شێوەیەکی ڕەسەن پشتگیری دەکرێن لە ڕێگەی [شێوەپێدانی پڕؤفایلەکان](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) یان لە ڕێگەی [ڕێکخستنەکانیDNS API](https://developer.apple.com/documentation/networkextension/dns_settings). + +دوای دامەزراندنی شێوەپێدانێکی پڕۆفایل یان کاربەرنامەیەک کە ڕێکخستنەکانی DNS API بەکاردێنێ، دەتوانیت شێوەپێدانی DNS دیاریبکەیت. ئەگەر VPN چالاک بێت، چارەسەری ناو تونێلی VPNـەکە ڕێکخستەنەکانی DNSـی VPNـەکە بەکاردێنیت. نەک ڕێکخستەنە فراوانەکەی سیستەمەکەت. + +#### پرۆفایلە واژۆکراوەکان + +Apple ڕووکارێکی بنەچەیی دابین ناکات بۆ دروستکردنی پرۆفایلی DNSـی شفرەکراو. [ دروستکەری پرۆفایلی DNSـی پارێزراو](https://dns.notjakob.com/tool.html) ئامرازێکی نافەرمییە بۆ دروستکردنی پرۆفایلی DNSـی شفرەکراوی تایبەت بەخۆت، بەڵام هەرچۆنێک بێت ئەوان واژۆ ناکرێن. پرۆڤایلی واژۆکراو پەسندن؛ واژۆکە سەرچاوەی پرۆفایلەکە ڕوون دەکاتەوە و یارمەتیدەرە بۆ دڵنیابوون لە ڕاستی پرۆفایلەکان. نیشانەیەکی "پشتڕاستکراو" بە ڕەنگی سەوز دراوە بە پرۆفایلی شێوەپێدانی واژۆکراو. بۆ زانیاری زیاتر لەسەر هێمای واژۆکان، [ دەربارەی هێمای واژۆکان](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html) ببینە. ** پرۆفایلە واژۆکراوەکان ** پێشکەشکراون لەلایەن [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html)،[NextDNS](https://apple.nextdns.io)، لەگەڵ [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! زانیاری + + `systemd-resolved`، کە زۆربەی دابەشکراوانی لینوکس بەکاری دێنن بۆ ئەنجامدانی گەرانی DNSـەکەیان. تاوەکو ئێستا [پشتگیری لە DoH ناکات](https://github.com/systemd/systemd/issues/8639). ئەگەر دەتەوێت DoH بەکاربێنی، ئەوا پێویستت بە دابەزاندی چارەسەرکەرێک هەیە وەک [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) هەیە وە [دەستکاری کردنی](https://wiki.archlinux.org/title/Dnscrypt-proxy) بۆ ئەوەی هەموو داواکاریەکانی DNSـەکەت کە لەلایەن سیستەمی چارەسەرکەرەکەت دێت بنێرێدرێت لەڕێگای HTTPSـەوە. + +## بریکارانی DNSـی شفرکراو + +نەرمەواڵەی بریکارانی DNSـی شفرکراو، بریکارێکی ناوخۆیی دابین دەکەن بۆ ئەوەی [چارەسەرکەری DNSـی شفر نەکراو](advanced/dns-overview.md#unencrypted-dns) ڕووی تێ بکات. بەشێوەیەکی گشتی بەکاردەهێنرێت لەسەر ئەو ئامێرانەی، کە لە بنچینەوە پشتگیری لە [DNSـی شفرکراو](advanced/dns-overview.md#what-is-encrypted-dns) ناکەن. + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** ڕاژەیەکی سەرچاوە - کراوەی ئەندرۆیدە، کە پشتگیری لە [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh)، [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot)، [DNSCrypt](advanced/dns-overview.md#dnscrypt) و بریکاری DNS دەکات، لەگەڵ کۆکردنەەی وەڵامدانەوەکانی DNS بە شێوەیەکی کاتی، وە تۆمارکردنی داواکاریەکانی DNS. هەروەها دەتوانرێت وەک ئاگرەدیوار بەرکار بهێندرێت. + + [:octicons-home-16: پەڕەی سەرەکی](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="سیاسەتی تاێبەتێتی" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=دۆکیمێنتەکان} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="سەرچاوەی کۆد" } + + ??? داگرتنەکان + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** بریکارێکی DNSـە پشتگیری دەکات لە [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), وە [DNSـی نەناسراو](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! ئاگاداری "تایبەتمەندی DNSـی نەناسراو، جۆرەکانی تری [چالاکی سەر ئینتەرنێت **نا** شارێتەوە](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns)". + + [:octicons-repo-16: کۆگا](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=دۆکیمێنتەکان} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="سەرچاوەی کۆد" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=هاوبەشی کردن } + + ??? داگرتنەکان + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## چارەسەری سەرپەرشتی-خودی + +سەرپەرشتیکردنی-خودی DNS چارەسەرێکی بەسوودە بۆ دابینکردنی پاڵاوتن بۆ ئامێرە سەرپەرشتی کراوەکانی وەک تەلەڤزیۆنی زیرەک و ئامێرە زیرەکەکانی تر، چونکە پێویستی بە هیچ نەرمەواڵەیەکی ڕاژەخواز نیە. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home**سەرچاوە-کراوەیەکی [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole)ـە، کە [پاڵاوکەری DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) بەکار دێنی بۆ قەدەغەکردنی ناوەڕۆکەکانی ماڵپەڕی نەخوازراو، وەک ڕیکلامەکان. + + AdGuard Home ڕووکارێکی ڕێک و پێک دەبەخشێتە ماڵپەرەکەی بۆ بینینی تێگەیشتنەکان و بەڕێوەنردنی ناوەڕۆکە قەدەغەکراوەکان. + + [:octicons-home-16: پەڕەی سەرەکی](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="سیاسەتی تایبەتێتی" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=دۆکیمێنتەکان} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="سەرچاوەی کۆد" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** سەرچاوە-کراوەیەکی [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole)ـە، کە [DNS پاڵاوکەری](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) بەکاردێنێ بۆ قەدەغەکردنی ناوەڕۆکەکانی ماڵپەڕی نەخوازراو، وەک ڕیکلامەکان. + + Pi-hole وا دروست کراوە کە لەسەر Rasberry Pi سەرپەرشتی بکرێت ، بەڵام سنووردار نییە بۆ ئەم ڕەقەواڵەیە بە تەنها. نەرمەواڵەکە ڕووکارێکی ڕێک و پێک و ئاسان لە بەکارهێان دەبەخشێت بۆ بینینی تێگەیشتنەکان و بەڕێوەبردنی ناوەڕۆکە قەدەغەکراوەکان. + + [:octicons-home-16: پەڕەی سەرەکی](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="سیاسەتی تایبەتێتی" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=دۆکیمێنتەکان} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="سەرچاوەی کۆد" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=هاوبەشیکردن } + +[^1]: AdGuard توانای ئەرک بەجێهێنانی ڕاژەی DNSـەکانیان کۆ دەکەنەوە، بەتایبەتی ژمارەی داواکاریە تەواوەکان بۆ ڕاژەیەکی دیاریکراو، ژمارەی داواکاریە قەدەغەکراوەکان، و خێرایی وەڵامدانەوەی داواکاریەکان. هەروەها ئەوان ئەو بنکە داتایانە هەڵدەگرن و کۆیدەکەنەوە، کە دۆمەینەکانی لێوە داواکراوە لە ماوەی 24 کاتژمێری ڕابردوو. "پێویستمان بەم زانیاریە هەیە بۆ ناسینەوە و ڕاگرتنی شوێنگران و هەڕەشە نوێیەکان" "هەروەها ئێمە تۆماری دەکەین کە چەند جار ئەم یان ئەو شوێنگرە ڕێگری لێکراوە. ئێمە پێویستمان بەم زانیاریە هەیە بۆ سڕینەوەی یاسای بەرسەرچوو لە پاڵاوتنەکانمان." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare تەنها ئەو داتایە سنووردارە کۆدەکاتەوە و هەڵیدەگرێت، کە نێردراون لایەن DNS بۆ چارەسەرکەری 1.1.1.1. خزمەتگوزاری چارەسەرکەری 1.1.1.1 داتای کەسی تۆمار ناکات، وە ئەو بەشە داتایە سنووردارە نا-کەسیە ناسراوانە تەنها بۆ ماوەی 25 کاتژمێر هەڵدەگیرێن دەکرێت. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D تەنها داتای ناسینەوە بۆ ئەو کەسانە تۆمار دەکات کە بەژداربووی چارەسەرکانیانن، وە پرۆفایلی DNSـی تایبەتیان هەیە. چارەسەرکەرە بەخۆڕایەکان داتا تۆمار ناکەن. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: خزمەتگوزاری DNSـی Mullvad بەردەستە بۆ هەردووک لە بەکارهێنەری بەرژداربوو و نابەژداربوو. سیاسەتی تایبەتێتی ئەوان بە ڕوونی بانگەشەی ئەوە دەکات، کە بە هیچ شێوازێک داواکاریەکانی DNSـەکانیان تۆمار ناکەن. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS دەتوانێت زانیاری و تایبەتمەندیەکانی تۆمارکردن دابین بکات لەسەر بنەمای هەڵبژاردنی خۆت. دەتوانی ماوەی هێشتنەوە هەڵبژێریت و ئەو شوێنی هەڵگرتنی تۆمارەکان دیاری بکەیت بۆ هەر جۆرێکی تۆمارەکە کە هەڵیدەبژێریت بۆ هێشتنەوە. ئەگەر بە تایبەتی داوانەکرابێت، هیچ داتایەک تۆمار ناکرێت. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 هەندێک داتا کۆ دەکاتەوە بۆ مەبەستی ئاگاداربوون لە هەڕەشە و وەڵامدانەوە. ئەو داتایە لەوانەیە دواتر دووبارە ببەسترێتەوە و هاوبەشی پێ بکرێت، بۆ مەبەستی لێکۆڵینەوەی ئاسایشی. Quad9 ناونیشانی IP یان ئەو داتایانەی تر کۆناکاتەوە و تۆماریان ناکات، کە بە داتای ناسینەوەی کەسی دادەنێرن. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/ku-IQ/email-clients.md b/i18n/ku-IQ/email-clients.md new file mode 100644 index 00000000..eec0e292 --- /dev/null +++ b/i18n/ku-IQ/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/ku-IQ/email.md b/i18n/ku-IQ/email.md new file mode 100644 index 00000000..a7a2a1e0 --- /dev/null +++ b/i18n/ku-IQ/email.md @@ -0,0 +1,503 @@ +--- +title: "خزمەتگوزاری پۆستەی ئەلکتڕۆنی" +icon: material/email +description: ئەم دابینکەرانەی پۆستەی ئەلکتڕۆنی شوێنێکی نایاب پێشکەش دەکەن بۆ کۆکردنەوەی پۆستەکان بە پارێزراوی. +--- + +پۆستەی ئەلکتڕۆنی بەتایبەتی گرنگە بۆ بەکارهێنانی هەر خزمەتگوزاریەکی سەرهێڵ، بەڵام ئێمە پێشنیاری ناکەین بۆ گفتوفۆی دوو کەسی. لەجیاتی بەکارهێنانی پۆستەی ئەلکتڕۆنی بۆ پەیوەندی کردن بە کەسانی تر، ڕەچاوی بەکارهێنانی ئامرازێکی نامەبەری دەستبەجێ بکە، کە پشتگیری لە نهێنیکردنی بەردەوام دەکات. + +[نامەبەرە دەستبەجێیە پێشنیارکراوەکان](real-time-communication.md ""){.md-button} + +بۆ هەموو شتێکی تر، ئێمە دابینکەری پۆستەی ئەلکتڕۆنی جۆراوجۆر پێشنیاردەکەین لەسەر بنەمای شێوازی بازرگانی پشتپێبەستراو و تایبەتمەندیەکانی پاراستن و تایبەتێێی. + +- [دابینکەرانی پۆستەی ئەلکتڕۆنی گونجاو لەگەڵOpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [دابینکەرانی تری شفرکراو:material-arrow-right-drop-circle:](#more-providers) +- [خزمەتگوزاریەکانی نازناو بۆ پۆستەی ئەلکتڕۆنی:material-arrow-right-drop-circle:](#email-aliasing-services) +- [هەڵبژاردنەکانی سەرپەرشتی-خودی :material-arrow-right-drop-circle:](#self-hosting-email) + +## خزمەتگوزاریەکانی گونجاون لەگەڵ OpenPGP + +ئەم دابینکەرانە لە بنچینەوە پشتگیری دەکەن لە OpenPGP شفرەکردن/شفرەلابردن و Web Key Directory (WKD) باو، کە ڕێگە بە دابینەکارنی تری پۆستەی ئەلکتڕۆنی ناباوەڕ بە E2EE دەدات. بۆ نموونە: بەکارهێنەرێکی Proton Mail دەتوانێت پەیامێکی E2EE بنێرێت بۆ بەکارهێنەرێکی Mailbox.org، یان دەتوانیت ئاگادارکردنەوەی OpenPGP-شفرکراوت پێ بگات لەڕێی ئەو خزمەتگوزاریانەی پشتگیری دەکەن. + +
+ +- ![هێمای Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![هێمای Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! ئاگاداری + + لە کاتی بەکارهێنانی تەکنەلۆجیای E2EE وەک OpenPGP، پۆستەی ئەلکتڕۆنی هێشتا هەندێک زانیاری پەیوەندیدار هەیە، کە شفر نەکراون و لە سەرەپەڕەی پۆستە ئەلکتڕۆنیەکەدان. زیاتر بخوێنەوە لەسەر [زانیاری پەیوەندیداری پۆستەی ئەلکتڕۆنی](basics/email-security.md#email-metadata-overview). + + هەروەها OpenPGP پشتگیری ناکات نهێنیکردنی بەردەوام، واتا ئەگەر کلیلی تایبەتی تۆ یان وەرگر بدزرێت، ئەوا هەموو نامەکانی پێشوو کە شفرکراون دەتوانرێت ئاشکرا بکرێن. [چۆن کلیلە تایبەتەکانم بپارێزم؟](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![لۆگۆی Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** خزمەتگوزاریەکی پۆستەی ئەلکتڕۆنیە، کە سەرنجی هەبوونی تایبەتێتی، شفرکردن، پارێزراوی، وە ئاسان لە بەکارهێنان دروست کراوە. ئەوان لە **2013**ـەوە لە کاردان. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: پەڕەی سەرەکی](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="خزمەتگوزاری ئۆنیەن" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="سیاسەتی تایبەتێتی" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=دۆکیمێنتەکان} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="سەرچاوەی کۆد" } + + ??? داگرتنەکان + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +هەژمارە بەخۆڕایەکان هەندێک سنووریان هەیە، وەک نەتوانینی گەڕان لەناو دەقی نامە و مافی نەبوونی بەکارهێنانی [Proton Mail Bridge](https://proton.me/mail/bridge)، کە پێویستە بۆ بەکارهێنانی[ ڕاژەخوازە پێشنیارکراوەکانی سەر کۆمپیوتەر](email-clients.md) (نـم. Thunderbird). هەژمارە پارەدراوەکان هەندێک تایبەتمەندی لەخۆدەگرن وەک Proton Mail Bridge، کۆگای زیادە، و پشتگیری دۆمەینە تایبەتەکان. [نامەیەکی تاقیکردنەوە](https://proton.me/blog/security-audit-all-proton-apps) بە مەبەستی لایەنگری بۆ کاربەرنامەکانی Proton Mail پێشکەشکرا لە 9ـی تشرینی دووەمی(نۆڤێمبەری) ساڵی 2021 لەلایەن [Securitum](https://research.securitum.com). + +ئەگەر پلانی Business, Proton Unlimited یان پلانی Visionary هەبێت، ئەوا بەخۆڕایی بەژداربوون لە [SimpleLogin](#simplelogin) وەردەگریت. + +Proton Mail ڕاپۆرتی تێکچوونە ناوخۆییەکانی هەیە، کە ئەوان هاوبەشی **ناکەن** لەگەڵ لایەنە سێیەمەکان. ئەمە دەتوانێ لە ناچالاک بکرێت لە: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } دۆمەینە تایبەتیەکان و نازناوەکان + +بەژداربووانی Proton Mail دەتوانن دۆمەینی خۆیان بەکاربێنن لەگەل خزمەتگوزاریەکە یان هەموو نامەیەک بگرنەوە. هەروەها Proton Mail پشتگیری دەکات لە [ناونیشانی دووەمی](https://proton.me/support/creating-aliases)، کە بەسوودە بۆ ئەو کەسانەی نایانەوێت دۆمەین بکڕن. + +#### :material-check:{ .pg-green }شێوازی پارەدانی نهێنی + +Proton Mail پارەی نەخت [وەردەگرێت](https://proton.me/support/payment-options) لەڕێگای پۆستە, لەگەڵ شێوازە باوەکانی تری پارەدان وەک [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)، credit/debit card، و Paypal. + +#### :material-check:{ .pg-green }پارێزراوێتی هەژمار + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green }پارێزراوێتی زانیاری + +Proton Mail تەکنەلۆژیای [شفرکردن و تێپەڕبوونی-ئەستەمی](https://proton.me/blog/zero-access-encryption) بەکاردێنێت بۆ پۆستە ئەلکتڕۆنیەکان و [ڕۆژ ژمێرەکانت](https://proton.me/news/protoncalendar-security-model). زانیارەکانی، کە بە تەکنەلۆژیای شفرەکردن و تێپەربوونی-ئەستەمی پارێزگاریان لێکراوە تەنهیا تۆو دەستت پێیان دەگات. + +هەندێک زانیاری کە هەڵگیراون لەناو [ Proton Contacts](https://proton.me/support/proton-contacts)، وەک ناوە پیشاندراوەکان و ناونیشانی پۆستە ئەلکتڕۆنیەکان، ئەوائەوانە پارێزگاریان لێ نەکراوە بە تەکنەلۆژیای شفرکردن و تێپەڕبوونی-ئەستەمی. ئەو خانانەی Contacts کە پشتگیری لە شفرکردن و تێپەڕبوونی-ئەستەمی دەکەن، بەشێوەی وێنەیەکی بچووکراوەی قفڵ نیشان دەدرێن. + +#### :material-check:{ .pg-green } شفرکردنی پۆستەی ئەلکتڕۆنی + +Proton Mail [شفرکردنی OpenPGP زیادکردووە](https://proton.me/support/how-to-use-pgp) بۆ ماڵپەری پۆستەی ئەلکتڕۆنییەکەیان. پۆستەی ئەلکتڕۆنی نێوان هەژمارەکانی Proton Mail خۆکارانە شفرکراوە، بەڵام شفرکردن لە نێوان Proton Mail و پۆستەی ئەلکتڕۆنی تر شفردەکرێن بە ئاسانی لەڕێگەی کلیلی OpenPGP، کە لە ڕێکخستنەکانی هەژمارەکەت هەیە. هەروەها ئەوان ڕێگەت پێدەدەن بە[شفرکردنی نامەکان کە دەینێریت بۆ پۆستە ئەلکتڕۆنیە نـا Proton Mailـەکان](https://proton.me/support/password-protected-emails) بەبێ ئەوەی پێویست بکات ئەوان ناونووسین بۆ هەژمارێکی Proton Mail بکەن یان نەرمەواڵەیەکی وەک OpenPGP بەکاربێنن. + +هەروەها Proton Mail پشتگیری دۆزینەوەی کلیلە گشتیەکان دەکات لە HTTPــەوە لە ڕێگای [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). ئەمەڕێگە ئەو کەسانە دەدات کە Proton Mail بەکار ناهێنن بۆئەوەی کلیکە گشتیەکانی هەژماری Proton Mail بە ئاسانی بدۆزنەوە. تا ببێتە هۆی گونجاندن لەگەڵ دابینکەرانی تری E2EE. + + +#### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار + +ئەگەر هەژمارێکی پارەدراوت هەبێت وە [پارەی پسوولەکەت نەدابێت](https://proton.me/support/delinquency) دوای 14 ڕۆژ، ئەوا ناتوانیت دەستت بگات بە زانیاریەکانت. دوای 30 ڕۆژ، هەژمارەکەت دەبێتە نایاسایی و هیچ نامایەکی ترت بۆ نایەت. لەم ماوەیەدا بەردەوام دەبیت لە وەرگرتنی پسوولە. + +#### :material-information-outline:{ .pg-blue } کرداری زیادە + +Proton Mail هەژمارێکی "Unlimited" پێشکەش دەکات لەبەرامبەر €9.99 بۆ یەک مانگ، کە توانای بەکارهێنانی Proton VPN چالاک دەکات جگە لە پێشکەشکردنی زیاتر لە هەژمارێک، دۆمەینێک، نازناوێک، وە 500G بۆ کۆکردنەوە. + +Poton Mail کرداری میراتی دیجیتاڵی پێشکەش ناکات. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox** خزمەتگوزاریەکی پۆستەی ئەلکتڕۆنیە کە جەخت لە هەبوونی سەلامەتی و بێ بەرامبەری تایبەتێتی و کارکردن بە وزەیەکی %100ـی هاوڕێی ژینگە. ئەوان لە **2014**ـەوە لە کاردان. Mailbox.org دەکەوێتە بەرلین، لە ئەڵمانیا. هەژمارەکان دەستپێدەکەن لە 2GB بۆ هەڵگرتن، کە دەتوانرێت زیاد بکرێت بەپێی پێویست. + + [:octicons-home-16: ماڵپەڕی سەرەکی](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="سیاسەتی تایبەتێتی" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=دۆکیمێنتەکان} + + ??? داگرتنەکان + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } دۆمەینە تایبەتیەکان و نازناوەکان + +Mailbox.org ڕێگەت پێ دەدات دۆمەینی خۆت خۆت بەکاربێنی، وە پشتگیری لە [گرتنەوەی هەموو نامەکان](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) دەکات. هەروەها Mailbox.org پشتگیری دەکات لە [ناونیشانی دووەمی](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it)، کە بەسوودە ئەگەر ناتەوێت دۆمەین بکڕیت. + +#### :material-check:{ .pg-green }شێوازی پارەدانی نهێنی + +Mailbox.org هیچ جۆرە دراوێکی دیجیتاڵی قبوڵ ناکات بەهۆی ڕاگرتنی کارەکانی شێوازی پارەدانەکەیان BitPay لە ئەڵمانیا. هەرچۆنێک بێت، ئەوان پارە وەردەگرن لە ڕێگەی نەخت بە پۆستە یان لە ڕێی هەژماری بانکی، گواستنەوەی بانک، کرێدیت کارت، PayPal لەگەڵ دوو شێوازی تایبەت بە ئەڵمانیا: paydirekt و Sofortüberweisung. + +#### :material-check:{ .pg-green }پارێزراوێتی هەژمار + +Mailbox.org تەنها پشتگیری لە [سەلماندنی دووانی](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) بۆ ماڵپەری پۆستەی ئەلکتڕۆنییەکەیان دەکات. دەتوانیت TOTP بەکاربێنیت یان [Yubikey](https://en.wikipedia.org/wiki/YubiKey) لەڕێگای [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). شیوازە باوەکانی وەک [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) هێشتا پشتگیری نەکراون. + +#### :material-information-outline:{ .pg-blue }پارێزراوێتی زانیاری + +Mailbox.org ڕیگ دەدات بە شفرکردنی پۆستە هاتتووەکان بە بەکارهێنانی [سندوقی پۆستەی شفراوی](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox) ئەوان. نامە نوێکانی کە تۆ وەریدەگری ڕاستەوخۆ بە کلیلی گشتیت شفر دەکرێن. + +هەرچۆنێك بێت، [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange)، ئەو نەرمەواڵەی لەلایەن Mailbox.org بەکاردەهێندرێت, [پشتگیری ناکات](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) لە شفرەکردنی پەرتووکی ناونیشانەکانت و ڕۆژژمێرەکەت. [بژاردەیەکی سەربەخۆ](calendar.md) لەوانەیە گونجاوتر بێت بۆ ئەم زانیاریە. + +#### :material-check:{ .pg-green } شفرکردنی پۆستەی ئەلکتڕۆنی + +Mailbox.org [شفرکردنی OpenPGP زیادکردووە](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) لە ماڵپەری پۆستەی ئەلکتڕۆنییەکەیان، کە ناردنی نامەکان ئاسان دەکات بۆ ئەو کەسانەی کلیلی گشتی OpenPGPـیـان هەیە. هەروەها [وەرگرەکان دەتوانن لە دوورەوە شفری پۆستە ئەلکتڕۆنێیەک لەببەن](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP)، کە لەسەر ڕاژەکارەکانی Mailbox.org. ئەم تایبەتمەندیە بەسوودە کاتێک وەرگر لە دوورەوە OpenPGPـی نییە و ناتوانێت شفرەکە لەسەر لەبەرگیراوەیەکی پۆستەکە لاببات لە سندووقی پۆستەکانی خۆیدا. + +هەروەها Mailbox.org پشتگیری دۆزینەوەی کلیلە گشتیەکان دەکات لە HTTPــەوە لە ڕێگای [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). ئەمە ڕێگە بە کەسانی دەرەوەی Mailbox.org دەدات کە کلیلەکانی OpenPGP بۆ هەژمارەکانی Mailbox.org بە ئاسانی بدۆزنەوە، تا ببێتە هۆی گونجاندن لەگەڵ دابینکەرانی تری E2EE. + +#### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار + +کاتێک گرێبەستەکەت تەواودەبێت هەژمارەکەت دەگۆڕدرێت بۆ هەژمارێکی سنووردار، [دوای 30 ڕۆژ لە نەگەڕانەوەت ئەوا هەژمارەکەت دەسڕدرێتەوە](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } کرداری زیادە + +دەتوانیت هەژمێرەکەی Mailbox.org بەکاربێنی لەڕێگەی IMAP/SMTP بە بەکارهێنانی [خزمەتگوزاری ](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org)onian. هەرچۆنێک بێت، ناتوانیت لە ڕێگەی ڕووکاری ماڵپەڕی پۆستەی ئەلکتڕۆنییەکەیان خزمەتگوزاری .onian بەکاربهێنیت وە لەوانەیە ڕووبەڕووی هەڵەی بڕوانامەی TLS ببیتەوە. + +هەموو هەژمارەکانی کە هەورە کۆگایەکی سنوورداریان هەیە، [دەتوانرێت شفر بکرێن](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } دۆمەینە تایبەتیەکان و نازناوەکان + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green }پارێزراوێتی هەژمار + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue }پارێزراوێتی زانیاری + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } شفرکردنی پۆستەی ئەلکتڕۆنی + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } دۆمەینە تایبەتیەکان و نازناوەکان + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green }پارێزراوێتی هەژمار + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green }پارێزراوێتی زانیاری + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } لەناوبردنی هەژمار + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ku-IQ/encryption.md b/i18n/ku-IQ/encryption.md new file mode 100644 index 00000000..ded8533b --- /dev/null +++ b/i18n/ku-IQ/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/ku-IQ/file-sharing.md b/i18n/ku-IQ/file-sharing.md new file mode 100644 index 00000000..3e79d791 --- /dev/null +++ b/i18n/ku-IQ/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/ku-IQ/financial-services.md b/i18n/ku-IQ/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/ku-IQ/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/ku-IQ/frontends.md b/i18n/ku-IQ/frontends.md new file mode 100644 index 00000000..7f245f41 --- /dev/null +++ b/i18n/ku-IQ/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/ku-IQ/index.md b/i18n/ku-IQ/index.md new file mode 100644 index 00000000..67525cea --- /dev/null +++ b/i18n/ku-IQ/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.en.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/ku-IQ/kb-archive.md b/i18n/ku-IQ/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/ku-IQ/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/ku-IQ/meta/brand.md b/i18n/ku-IQ/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/ku-IQ/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/ku-IQ/meta/git-recommendations.md b/i18n/ku-IQ/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/ku-IQ/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/ku-IQ/meta/uploading-images.md b/i18n/ku-IQ/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/ku-IQ/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/ku-IQ/meta/writing-style.md b/i18n/ku-IQ/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/ku-IQ/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/ku-IQ/mobile-browsers.md b/i18n/ku-IQ/mobile-browsers.md new file mode 100644 index 00000000..c6be3a37 --- /dev/null +++ b/i18n/ku-IQ/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/ku-IQ/multi-factor-authentication.md b/i18n/ku-IQ/multi-factor-authentication.md new file mode 100644 index 00000000..def33276 --- /dev/null +++ b/i18n/ku-IQ/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/ku-IQ/news-aggregators.md b/i18n/ku-IQ/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/ku-IQ/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/ku-IQ/notebooks.md b/i18n/ku-IQ/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/ku-IQ/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/ku-IQ/os/android-overview.md b/i18n/ku-IQ/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/ku-IQ/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/ku-IQ/os/linux-overview.md b/i18n/ku-IQ/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/ku-IQ/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/ku-IQ/os/qubes-overview.md b/i18n/ku-IQ/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/ku-IQ/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/ku-IQ/passwords.md b/i18n/ku-IQ/passwords.md new file mode 100644 index 00000000..59579402 --- /dev/null +++ b/i18n/ku-IQ/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/ku-IQ/productivity.md b/i18n/ku-IQ/productivity.md new file mode 100644 index 00000000..4490325d --- /dev/null +++ b/i18n/ku-IQ/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/ku-IQ/real-time-communication.md b/i18n/ku-IQ/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/ku-IQ/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/ku-IQ/router.md b/i18n/ku-IQ/router.md new file mode 100644 index 00000000..a494c017 --- /dev/null +++ b/i18n/ku-IQ/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/ku-IQ/search-engines.md b/i18n/ku-IQ/search-engines.md new file mode 100644 index 00000000..911525d7 --- /dev/null +++ b/i18n/ku-IQ/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/ku-IQ/tools.md b/i18n/ku-IQ/tools.md new file mode 100644 index 00000000..d9e57d9b --- /dev/null +++ b/i18n/ku-IQ/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/ku-IQ/tor.md b/i18n/ku-IQ/tor.md new file mode 100644 index 00000000..b1f2afbf --- /dev/null +++ b/i18n/ku-IQ/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/ku-IQ/video-streaming.md b/i18n/ku-IQ/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/ku-IQ/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/ku-IQ/vpn.md b/i18n/ku-IQ/vpn.md new file mode 100644 index 00000000..a8839363 --- /dev/null +++ b/i18n/ku-IQ/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## دابینکەرانی پێشنیارکراو + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/nl/404.md b/i18n/nl/404.md new file mode 100644 index 00000000..fc9b878f --- /dev/null +++ b/i18n/nl/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Niet gevonden + +We konden de pagina die je zoekt niet vinden! Misschien was je op zoek naar een van deze? + +- [Inleiding tot dreigingsmodellering](basics/threat-modeling.md) +- [Aanbevolen DNS-providers](dns.md) +- [Beste desktop webbrowsers](desktop-browsers.md) +- [Beste VPN-providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Onze Blog](https://blog.privacyguides.org) diff --git a/i18n/nl/CODE_OF_CONDUCT.md b/i18n/nl/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..888b1d6b --- /dev/null +++ b/i18n/nl/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Gedragscode van de Gemeenschap + +**Wij beloven** om van onze gemeenschap een intimidatievrije ervaring te maken voor iedereen. + +**Wij streven naar** om een positieve omgeving te creëren, door uitnodigende en inclusieve taal te gebruiken en respect te tonen voor de standpunten van anderen. + +**Wij staan geen** ongepast of anderszins onaanvaardbaar gedrag toe, zoals geseksualiseerd taalgebruik, trollen en beledigende opmerkingen, of het anderszins bevorderen van onverdraagzaamheid of intimidatie. + +## Gemeenschap normen + +Wat we verwachten van leden van onze community: + +1. **Verspreid geen verkeerde informatie** + + Wij creëren een op feiten gebaseerde onderwijsgemeenschap rond informatieprivacy en -beveiliging, geen huis voor complottheorieën. Als u bijvoorbeeld beweert dat een bepaald stuk software kwaadaardig is of dat bepaalde telemetriegegevens inbreuk maken op de privacy, leg dan in detail uit wat er wordt verzameld en hoe dat gebeurt. Dergelijke beweringen moeten met technische bewijzen worden gestaafd. + +1. **Maak geen misbruik van onze bereidheid om te helpen** + + Onze gemeenschapsleden zijn niet uw gratis technische ondersteuning. Wij helpen je graag met specifieke stappen op jouw privacyreis als je bereid bent er zelf moeite voor te doen. Wij zijn niet bereid eindeloos herhaalde vragen te beantwoorden over algemene computerproblemen die je zelf had kunnen beantwoorden met een 30 seconden durende zoektocht op internet. Wees geen [help vampier](https://slash7.com/2006/12/22/vampires/). + +1. **Gedraag je op een positieve en constructieve manier** + + Voorbeelden van gedrag dat bijdraagt aan een positieve omgeving voor onze gemeenschap zijn: + + - Empathie en vriendelijkheid tonen ten opzichte van andere mensen + - Respect hebben voor verschillende meningen, standpunten en ervaringen + - Op een elegante manier constructieve feedback geven en accepteren + - Verantwoordelijkheid nemen en excuses aanbieden aan degenen die getroffen zijn door onze fouten, en leren van de ervaring + - Focussen op wat het beste is, niet alleen voor ons als individuen, maar voor de hele gemeenschap + +### Onaanvaardbaar gedrag + +De volgende gedragingen worden beschouwd als intimidatie en zijn onaanvaardbaar binnen onze gemeenschap: + +- Het gebruik van geseksualiseerde taal of beelden, en seksuele aandacht of vooruitgang van welke aard dan ook +- Trollen, beledigen of denigrerende opmerkingen, en persoonlijke of politieke aanvallen +- Openbare of particuliere intimidatie +- Publiceren van persoonlijke informatie van anderen, zoals een fysiek of e-mailadres, zonder hun uitdrukkelijke toestemming +- Ander gedrag dat redelijkerwijs als ongepast kan worden beschouwd in een professionele omgeving + +## Toepassingsgebied + +Onze Gedragscode is van toepassing binnen alle projectruimten, evenals wanneer een persoon het project Privacy Guides in andere gemeenschappen vertegenwoordigt. + +Wij zijn verantwoordelijk voor het verduidelijken van de normen van onze community en hebben het recht om de opmerkingen van degenen die deelnemen aan onze community te verwijderen of te wijzigen, indien nodig en naar eigen goeddunken. + +### Contact + +Als u een probleem opmerkt op een platform zoals Matrix of Reddit, neem dan contact op met onze moderators op dat platform in de chat, via DM of via een aangewezen "Modmail" -systeem. + +Als je ergens anders een probleem hebt of een probleem dat onze communitymoderators niet kunnen oplossen, neem dan contact op met `jonah@privacyguides.org` en/of `dngray@privacyguides.org`. + +Alle gemeenschapsleiders zijn verplicht om de privacy en veiligheid van de melder van een incident te respecteren. diff --git a/i18n/nl/about/criteria.md b/i18n/nl/about/criteria.md new file mode 100644 index 00000000..a35f5f32 --- /dev/null +++ b/i18n/nl/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Algemene criteria +--- + +!!! example "Werk in uitvoering" + + De volgende pagina is een werk in uitvoering, en geeft op dit moment niet de volledige criteria voor onze aanbevelingen weer. Eerdere discussie over dit onderwerp: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Hieronder staan enkele zaken die moeten gelden voor alle inzendingen aan Privacy Guides. Aan elke categorie worden aanvullende eisen gesteld. + +## Financiële informatie + +We verdienen geen geld met het aanbevelen van bepaalde producten, we gebruiken geen affiliate links en we geven geen speciale aandacht aan projectdonoren. + +## Algemene richtlijnen + +We passen deze prioriteiten toe bij het overwegen van nieuwe aanbevelingen: + +- **Secure**: Tools moeten de beste beveiligingspraktijken volgen, waar van toepassing. +- **Bronbeschikbaarheid**: Open source projecten hebben over het algemeen de voorkeur boven gelijkwaardige merkalternatieven. +- **Cross-Platform**: We geven er meestal de voorkeur aan dat aanbevelingen cross-platform zijn, om lock-in van leveranciers te voorkomen. +- **Actieve ontwikkeling**: De hulpmiddelen die wij aanbevelen moeten actief worden ontwikkeld, niet-onderhouden projecten zullen in de meeste gevallen worden verwijderd. +- **Bruikbaarheid**: Tools moeten toegankelijk zijn voor de meeste computergebruikers, een al te technische achtergrond is niet vereist. +- **Gedocumenteerd**: Tools moeten duidelijke en uitgebreide documentatie hebben voor gebruik. + +## Zelfinzendingen van ontwikkelaars + +Wij stellen deze eisen aan ontwikkelaars die hun project of software in overweging willen geven. + +- Je moet jouw banden bekendmaken, d.w.z. jouw positie binnen het ingediende project. + +- Moet een security whitepaper hebben als het een project is waarbij gevoelige informatie wordt verwerkt, zoals een messenger, password manager, versleutelde cloudopslag etc. + - Auditstatus van derden. We willen weten of je er een hebt, of gepland hebt. Vermeld indien mogelijk wie de controle zal uitvoeren. + +- Moet uitleggen wat het project te bieden heeft op het gebied van privacy. + - Lost het een nieuw probleem op? + - Waarom zou iemand het gebruiken boven de alternatieven? + +- Moeten aangeven wat het exacte dreigingsmodel is van hun project. + - Het moet voor potentiële gebruikers duidelijk zijn wat het project kan bieden, en wat niet. diff --git a/i18n/nl/about/donate.md b/i18n/nl/about/donate.md new file mode 100644 index 00000000..a61bbbdb --- /dev/null +++ b/i18n/nl/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Ons steunen +--- + + +Het vergt veel [mensen](https://github.com/privacyguides/privacyguides.org/graphs/contributors) en [werk](https://github.com/privacyguides/privacyguides.org/pulse/monthly) om Privacy Guides up-to-date te houden en het woord te verspreiden over privacy en massabewaking. Als je het leuk vindt wat we doen, overweeg dan om mee te doen door [de site](https://github.com/privacyguides/privacyguides.org) te bewerken of aan de [vertalingen bij te dragen](https://crowdin.com/project/privacyguides). + +Als je ons financieel wilt steunen, is de handigste methode voor ons om bij te dragen via Open Collective, een website die wordt beheerd door onze fiscale gastheer. Open Collective accepteert betalingen via creditcards, PayPal en bankoverschrijvingen. + +[Doneer op OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donaties rechtstreeks aan ons Open Collective zijn in het algemeen aftrekbaar van de belasting in de VS, omdat onze fiscale gastheer (de Open Collective Foundation) een geregistreerde 501(c)3 organisatie is. Na jouw donatie ontvangt je een ontvangstbewijs van de Open Collective Foundation. Privacy Guides geeft geen financieel advies, en je dient contact op te nemen met uw belastingadviseur om na te gaan of dit op je van toepassing is. + +Als je al gebruik maakt van GitHub sponsoring, kun je onze organisatie daar ook sponsoren. + +[Sponsor ons op GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +Een speciaal woord van dank aan allen die onze missie steunen! :heart: + +*Let op: Dit onderdeel laadt een widget rechtstreeks vanuit Open Collective. Dit gedeelte geeft geen donaties weer die buiten Open Collective om zijn gedaan, en wij hebben geen controle over de specifieke donoren die in dit gedeelte worden vermeld.* + + + +## Hoe we donaties gebruiken + +Privacy Guides is een **non-profit** organisatie. Wij gebruiken donaties voor verschillende doeleinden, waaronder: + +**Domein registraties** +: + +Wij hebben een paar domeinnamen zoals `privacyguides.org` die ons ongeveer $10 per jaar kosten om hun registratie te behouden. + +**Web Hosting** +: + +Het verkeer naar deze website verbruikt honderden gigabytes aan gegevens per maand, wij maken gebruik van verschillende dienstverleners om dit verkeer bij te houden. + +**Online diensten** +: + +Wij hosten [internetdiensten](https://privacyguides.net) voor het testen en tonen van verschillende privacy-producten die wij leuk vinden en [aanbevelen](../tools.md). Sommige daarvan worden publiekelijk beschikbaar gesteld voor gebruik door onze gemeenschap (SearXNG, Tor, enz.), en sommige worden ter beschikking gesteld aan onze teamleden (e-mail, enz.). + +**Aankopen van producten** +: + +Wij kopen af en toe producten en diensten aan om onze [aanbevolen instrumenten te testen](../tools.md). + +We werken nog steeds samen met onze fiscale host (de Open Collective Foundation) om donaties in cryptogeld te ontvangen, op dit moment is de boekhouding onhaalbaar voor veel kleinere transacties, maar dit zou in de toekomst moeten veranderen. In de tussentijd, als je een aanzienlijke (> $100) crypto donatie wilt doen, neem dan contact op met [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/nl/about/index.md b/i18n/nl/about/index.md new file mode 100644 index 00000000..9693b647 --- /dev/null +++ b/i18n/nl/about/index.md @@ -0,0 +1,102 @@ +--- +title: "Over Privacy Guides" +description: Privacy Guides is een sociaal gemotiveerde website die informatie biedt voor de bescherming van jouw gegevens en privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is een sociaal gemotiveerde website die [informatie biedt](/kb) voor de bescherming van jouw gegevens en privacy. Onze missie is om het publiek te informeren over de waarde van digitale privacy, en wereldwijde overheidsinitiatieven die erop gericht zijn jouw online activiteiten te controleren. Wij zijn een non-profit collectief dat volledig wordt beheerd door vrijwillige [teamleden](https://discuss.privacyguides.net/g/team) en bijdragers. Onze website is vrij van advertenties en niet geaffilieerd met andere aanbieders in de lijst. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Broncide" } +[:octicons-heart-16:](donate.md){ .card-link title=Bijdrage leveren } + +> Om [privacygerichte alternatieve] apps te vinden, kunt je kijken op sites als Good Reports en **Privacy Guides**, waar privacygerichte apps in verschillende categorieën worden genoemd, waaronder e-mailproviders (meestal tegen betaling) die niet worden beheerd door de grote techbedrijven. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> Als je op zoek bent naar een nieuwe vpn, kun je terecht bij de kortingscode van zowat iedere willekeurige podcast. Als je op zoek bent naar een **goéde** vpn, heb je professionele hulp nodig. Hetzelfde geldt voor e-mailclients, browsers, besturingssystemen en wachtwoordmanagers. Hoe weet je welke daarvan de beste, privacyvriendelijkste optie is? Daarvoor is er **Privacy Guides**, een platform waarop een aantal vrijwilligers dag in, dag uit zoekt naar de beste privacyvriendelijke tools om internet mee op te gaan. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) + +Ook verschenen op: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), en [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## Geschiedenis + +Privacy Guides werd gelanceerd in september 2021 als voortzetting van het [verouderde](privacytools.md) "PrivacyTools" open-source onderwijsproject. We erkenden het belang van onafhankelijke, criteriagerichte productaanbevelingen en algemene kennis op het gebied van privacy, en daarom moesten we het werk dat sinds 2015 door zo veel medewerkers was gecreëerd bewaren en ervoor zorgen dat die informatie voor onbepaalde tijd een stabiel thuis op het web had. + +In 2022 hebben we de overgang van ons belangrijkste websiteframework van Jekyll naar MkDocs voltooid, met behulp van de `mkdocs-material` documentatiesoftware. Deze wijziging maakte open-sourcebijdragen aan onze site aanzienlijk eenvoudiger voor buitenstaanders, omdat in plaats van ingewikkelde syntaxis te moeten kennen om berichten effectief te kunnen schrijven, bijdragen nu net zo eenvoudig is als het schrijven van een standaard Markdown-document. + +Daarnaast lanceerden we ons nieuwe discussieforum op [discuss.privacyguides.net](https://discuss.privacyguides.net/) als een gemeenschapsplatform om ideeën te delen en vragen te stellen over onze missie. Dit vergroot onze bestaande community op Matrix, en vervangt ons vorige GitHub Discussieplatform, waardoor we minder afhankelijk worden van discussieplatformen van derden. + +Tot nu toe hebben we in 2023 internationale vertalingen van onze website gelanceerd in [Frans](/fr/), [Hebreeuws](/he/), en [Nederlands](/nl/), met meer talen op komst, mogelijk gemaakt door ons uitstekende vertaalteam op [Crowdin](https://crowdin.com/project/privacyguides). We zijn van plan onze missie van voorlichting en educatie voort te zetten en manieren te vinden om de gevaren van een gebrek aan privacybewustzijn in het moderne digitale tijdperk en de prevalentie en schade van beveiligingsinbreuken in de technologie-industrie duidelijker te benadrukken. + +## Ons Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-mail](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-mail](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Bovendien hebben [veel mensen](https://github.com/privacyguides/privacyguides.org/graphs/contributors) bijgedragen aan het project. Jij kunt dat ook, we zijn open source op GitHub, en accepteren vertaalsuggesties op [Crowdin](https://crowdin.com/project/privacyguides). + +Onze teamleden bekijken alle wijzigingen aan de website en nemen administratieve taken op zich zoals webhosting en financiën, maar zij profiteren niet persoonlijk van bijdragen aan deze site. Onze financiën worden transparant gehost door de Open Collective Foundation 501(c)(3) op [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Giften aan Privacy Guides zijn in het algemeen aftrekbaar van de belasting in de Verenigde Staten. + +## Site Licentie + +!!! danger "" + + Het volgende is een menselijk leesbare samenvatting van (en geen vervanging voor) de licentie). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Tenzij anders vermeld, wordt de oorspronkelijke inhoud van deze website beschikbaar gesteld onder de [Creative Commons Naamsvermelding-Niet-afgeleide producten 4.0 Internationale Openbare Licentie](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). Dit betekent dat u vrij bent om het materiaal te kopiëren en opnieuw te verspreiden in elk medium of formaat voor elk doel, zelfs commercieel; zolang u gepaste eer geeft aan `Privacy Guides (www.privacyguides.org)` en een link geeft naar de licentie. U **mag de Privacy Guides branding niet** gebruiken in uw eigen project zonder uitdrukkelijke toestemming van dit project. Als u de inhoud van deze website remixt, transformeert of erop voortbouwt, mag u het gewijzigde materiaal niet verspreiden. + +Deze licentie is er om te voorkomen dat mensen ons werk delen zonder de juiste credits te geven, en om te voorkomen dat mensen ons werk aanpassen op een manier die gebruikt kan worden om mensen te misleiden. Als u de voorwaarden van deze licentie te beperkend vindt voor het project waaraan u werkt, neem dan contact met ons op via `jonah@privacyguides.org`. Wij bieden graag alternatieve licentiemogelijkheden voor goedbedoelde projecten op het gebied van privacy! diff --git a/i18n/nl/about/notices.md b/i18n/nl/about/notices.md new file mode 100644 index 00000000..d3ff0ad2 --- /dev/null +++ b/i18n/nl/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Mededelingen en vrijwaringsclausules" +--- + +## Wettelijke aansprakelijkheid + +Privacy Guides is geen advocatenkantoor. Als zodanig geven de Privacy Gidsen website en hun medewerkers geen juridisch advies. Het materiaal en de aanbevelingen in onze website en gidsen vormen geen juridisch advies, noch schept het bijdragen aan de website of het communiceren met Privacy Guides of andere bijdragers over onze website een advocaat-cliënt relatie. + +Het runnen van deze website brengt, zoals elke menselijke inspanning, onzekerheid en afwegingen met zich mee. Wij hopen dat deze website helpt, maar er kunnen fouten in staan en niet elke situatie kan worden behandeld. Als je vragen hebt over jouw situatie, moedigen wij je aan jouw eigen onderzoek te doen, andere deskundigen te raadplegen en deel te nemen aan discussies met de Privacy Guides-gemeenschap. Indien je juridische vragen hebt, dien je jouw eigen juridisch adviseur te raadplegen alvorens verder te gaan. + +Privacy Guides is een open source-project waaraan wordt bijgedragen onder licenties die voorwaarden bevatten die, ter bescherming van de website en de bijdragers, duidelijk maken dat het Privacy Guides-project en de website "as-is" worden aangeboden, zonder garantie, en waarin aansprakelijkheid wordt afgewezen voor schade die voortvloeit uit het gebruik van de website of de aanbevelingen die erin zijn opgenomen. Privacy Guides geeft geen garantie en doet geen uitspraken over de nauwkeurigheid, de waarschijnlijke resultaten, of de betrouwbaarheid van het gebruik van de materialen op de website of anderszins met betrekking tot dergelijke materialen op de website of op sites van derden die zijn gekoppeld aan deze site. + +Privacy Guides garandeert evenmin dat deze website voortdurend beschikbaar zal zijn, of helemaal niet beschikbaar zal zijn. + +## Licentieoverzicht + +!!! danger "" + + Het volgende is een menselijk leesbare samenvatting van (en geen vervanging voor) de licentie). + +Tenzij anders vermeld, wordt alle **inhoud** op deze website beschikbaar gesteld onder de voorwaarden van de [Creative Commons Naamsvermelding-GeenAfgeleideWerken 4.0 Internationale Openbare Licentie](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). De onderliggende **broncode** gebruikt om deze website te genereren en die inhoud weer te geven is vrijgegeven onder de [MIT Licentie](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Dit geldt niet voor code van derden die in dit archief is opgenomen, of code waar een vervangende licentie anderszins is aangegeven. Hieronder volgen enkele belangrijke voorbeelden, maar deze lijst is wellicht niet volledig: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is gelicenseerd onder de [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* Het [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is gelicenseerd onder de [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* Het lettertype [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) dat voor de meeste tekst op de site wordt gebruikt, heeft een licentie onder de hier beschreven voorwaarden [](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* Het lettertype [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) dat gebruikt wordt voor de tekst in monospaced letters op de site is gelicenseerd onder de [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Dit betekent dat je de menselijk leesbare inhoud in deze repository kunt gebruiken voor je eigen project, volgens de voorwaarden in de CC0 1.0 Universele tekst. U **mag de Privacy Guides branding niet** gebruiken in uw eigen project zonder uitdrukkelijke toestemming van dit project. De handelsmerken van Privacy Guides omvatten het woordmerk "Privacy Guides" en het schildlogo. De handelsmerken van Privacy Guides omvatten het woordmerk "Privacy Guides" en het schildlogo. + +Wij zijn van mening dat de logo's en andere afbeeldingen in `activa` verkregen van derde leveranciers ofwel in het publieke domein zijn of **eerlijk gebruik**. In een notendop staat de juridische [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) het gebruik toe van auteursrechtelijk beschermde afbeeldingen om het onderwerp aan te duiden met het oog op openbaar commentaar. Deze logo's en andere afbeeldingen kunnen echter nog steeds onderworpen zijn aan het merkenrecht in een of meer rechtsgebieden. Alvorens deze inhoud te gebruiken, dien je zich ervan te vergewissen dat de entiteit of organisatie die eigenaar is van het handelsmerk wordt geïdentificeerd en dat je het recht hebt het te gebruiken volgens de wetten die van toepassing zijn in de omstandigheden van het door je beoogde gebruik. *Wanneer je inhoud van deze website kopieert, bent je er als enige verantwoordelijk voor dat je geen inbreuk maakt op het handelsmerk of auteursrecht van iemand anders.* + +Wanneer je bijdraagt aan onze website doe je dit onder de bovenstaande licenties, en verleen je Privacy Guides een eeuwigdurende, wereldwijde, niet-exclusieve, overdraagbare, royaltyvrije, onherroepelijke licentie met het recht om dergelijke rechten in sublicentie te geven via meerdere lagen van sublicentiehouders, om jouw bijdrage te reproduceren, te wijzigen, weer te geven, uit te voeren en te distribueren als onderdeel van ons project. + +## Aanvaardbaar gebruik + +Je mag deze website niet gebruiken op een manier die schade toebrengt of kan toebrengen aan de website of de beschikbaarheid of toegankelijkheid van Privacy Guides aantast, of op een manier die onwettig, illegaal, frauduleus of schadelijk is, of in verband met een onwettig, illegaal, frauduleus of schadelijk doel of activiteit. + +Je mag geen systematische of geautomatiseerde gegevensverzamelingsactiviteiten uitvoeren op of met betrekking tot deze website zonder uitdrukkelijke schriftelijke toestemming van Aragon Ventures Llc, inclusief: + +* Buitensporige geautomatiseerde scans +* Ontzegging van dienst aanvallen +* Schrapen +* Datamining +* 'Framing' (IFrames) + +--- + +*Delen van deze mededeling zelf zijn overgenomen van [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) op GitHub. Die bron en deze pagina zelf zijn vrijgegeven onder [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/nl/about/privacy-policy.md b/i18n/nl/about/privacy-policy.md new file mode 100644 index 00000000..00321048 --- /dev/null +++ b/i18n/nl/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacybeleid" +--- + +Privacy Guides is een gemeenschapsproject dat door een aantal actieve vrijwilligers wordt uitgevoerd. De openbare lijst van teamleden [is te vinden op GitHub](https://github.com/orgs/privacyguides/people). + +## Gegevens die wij van bezoekers verzamelen + +De privacy van onze websitebezoekers is belangrijk voor ons, dus we volgen geen individuele personen. Als bezoeker van onze website: + +- Er wordt geen persoonlijke informatie verzameld +- Er wordt geen informatie, zoals cookies, opgeslagen in de browser +- Er wordt geen informatie gedeeld met, verstuurd naar of verkocht aan derden +- Er wordt geen informatie gedeeld met reclamebedrijven +- Er wordt geen informatie gemijnd en geoogst voor persoonlijke en gedragstrends +- Geen informatie wordt te gelde gemaakt + +Je kunt de gegevens die wij verzamelen bekijken op onze pagina [statistieken](statistics.md). + +Wij draaien een zelf gehoste installatie van [Plausible Analytics](https://plausible.io) om enkele anonieme gebruiksgegevens voor statistische doeleinden te verzamelen. Het doel is om algemene trends in ons websiteverkeer te volgen, niet om individuele bezoekers te volgen. Alle gegevens zijn alleen in geaggregeerde vorm. Er worden geen persoonsgegevens verzameld. + +De verzamelde gegevens omvatten verwijzingsbronnen, toppagina's, duur van het bezoek, informatie over de apparaten (apparaattype, besturingssysteem, land en browser) die tijdens het bezoek werden gebruikt en meer. Je kunt meer te weten komen over hoe Plausible werkt en informatie verzamelt op een privacy- respecterende manier [hier](https://plausible.io/data-policy). + +## Gegevens die wij van account houders verzamelen + +Op sommige websites en diensten die wij aanbieden, kan voor veel functies een account vereist zijn. Een account kan bijvoorbeeld vereist zijn om onderwerpen te posten en te beantwoorden op een forumplatform. + +Om je voor de meeste accounts aan te melden, verzamelen wij een naam, gebruikersnaam, e-mail en wachtwoord. Indien een website meer informatie vereist dan alleen die gegevens, zal dat duidelijk worden aangegeven en vermeld in een afzonderlijke privacyverklaring per site. + +Wij gebruiken uw accountgegevens om je te identificeren op de website en om pagina's te creëren die specifiek voor je zijn, zoals jouw profielpagina. Wij zullen jouw accountgegevens ook gebruiken om een openbaar profiel voor je op onze diensten te publiceren. + +Wij gebruiken jouw e-mail om: + +- Je op de hoogte te brengen van berichten en andere activiteiten op de websites of diensten. +- Reset jouw wachtwoord en help jouw account veilig te houden. +- Contact met je op te nemen in bijzondere omstandigheden die verband houden met jouw rekening. +- Contact met je op te nemen over wettelijke verzoeken, zoals DMCA takedown verzoeken. + +Op sommige websites en diensten kunt je aanvullende informatie verstrekken voor jouw account, zoals een korte biografie, avatar, jouw locatie of jouw verjaardag. Wij maken die informatie beschikbaar voor iedereen die toegang heeft tot de website of de dienst in kwestie. Deze informatie is niet vereist om van onze diensten gebruik te maken en kan op elk moment worden gewist. + +Wij bewaren jouw account gegevens zolang jouw account open blijft. Na het sluiten van een account kunnen wij sommige of al uw accountgegevens bewaren in de vorm van back-ups of archieven gedurende maximaal 90 dagen. + +## Contact met ons opnemen + +Het Privacy Guides-team heeft in het algemeen geen toegang tot persoonsgegevens, afgezien van beperkte toegang die via sommige moderatiepanelen wordt verleend. Vragen over uw persoonlijke gegevens moeten rechtstreeks worden gericht aan: + +```text +Jonah Aragon +Dienstenadministrateur +jonah@privacyguides.org +``` + +Voor alle andere vragen kunt je contact opnemen met elk lid van ons team. + +Voor meer algemene klachten in het kader van de GDPR kun je terecht bij jouw lokale toezichthoudende autoriteiten voor gegevensbescherming. In Frankrijk is het de Commission Nationale de l'Informatique et des Libertés die de klachten behandelt. Ze bieden een [sjabloon van de klachtenbrief](https://www.cnil.fr/en/plaintes) aan om te kunnen gebruiken. + +## Over dit beleid + +Eventuele nieuwe versies van deze verklaring [zullen wij hier](privacy-policy.md)plaatsen. Wij kunnen de wijze waarop wij wijzigingen aankondigen in toekomstige versies van dit document wijzigen. In de tussentijd kunnen wij onze contactgegevens te allen tijde bijwerken zonder een wijziging aan te kondigen. Raadpleeg het [Privacybeleid](privacy-policy.md) voor de meest recente contactinformatie op elk moment. + +Een volledige revisie [geschiedenis](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) van deze pagina is te vinden op GitHub. diff --git a/i18n/nl/about/privacytools.md b/i18n/nl/about/privacytools.md new file mode 100644 index 00000000..0dea09d7 --- /dev/null +++ b/i18n/nl/about/privacytools.md @@ -0,0 +1,143 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Waarom we zijn overgestapt van PrivacyTools + +In september 2021 hebben alle actieve medewerkers unaniem ingestemd om van PrivacyTools over te stappen naar deze site: Privacy Guides. Deze beslissing werd genomen omdat de oprichter van PrivacyTools en beheerder van de domeinnaam voor langere tijd was verdwenen en niet kon worden gecontacteerd. + +Aangezien PrivacyTools.io een gerenommeerde site en een reeks diensten had opgebouwd, baarde dit grote zorgen voor de toekomst van PrivacyTools, aangezien elke toekomstige verstoring de hele organisatie zou kunnen wegvagen zonder herstelmethode. Deze overgang werd vele maanden van tevoren aan de PrivacyTools-gemeenschap meegedeeld via verschillende kanalen, waaronder de blog, Twitter, Reddit en Mastodon, om ervoor te zorgen dat het hele proces zo soepel mogelijk zou verlopen. We deden dit om ervoor te zorgen dat niemand in het ongewisse werd gelaten, wat onze modus operandi is geweest sinds de oprichting van ons team, en om ervoor te zorgen dat Privacy Guides werd herkend als dezelfde betrouwbare organisatie die PrivacyTools was voor de overgang. + +Na de organisatorische verhuizing keerde de oprichter van PrivacyTools terug en begon verkeerde informatie over het Privacy Guides-project te verspreiden. Ze gaan door met het verspreiden van verkeerde informatie en exploiteren daarnaast een betaalde linkfarm op het PrivacyTools-domein. We maken deze pagina om misvattingen uit de weg te ruimen. + +## Wat is PrivacyTools? + +PrivacyTools werd in 2015 opgericht door "BurungHantu", die een bron van informatie over privacy wilde maken - nuttige hulpmiddelen na de onthullingen van Snowden. De site groeide uit tot een bloeiend open-sourceproject met [veel bijdragers](https://github.com/privacytools/privacytools.io/graphs/contributors), waarvan sommigen uiteindelijk verschillende organisatorische verantwoordelijkheden kregen, zoals het beheren van online diensten als Matrix en Mastodon, het beheren en beoordelen van wijzigingen aan de site op GitHub, het vinden van sponsors voor het project, het schrijven van blogberichten en het beheren van platforms voor sociale media zoals Twitter, enz. + +Vanaf 2019 nam BurungHantu steeds meer afstand van de actieve ontwikkeling van de website en de gemeenschappen, en begon hij betalingen uit te stellen waarvoor hij verantwoordelijk was in verband met de servers die we beheerden. Om te voorkomen dat onze systeembeheerder de serverkosten uit eigen zak moet betalen, hebben we de donatiemethoden die op de site staan veranderd van BurungHantu's persoonlijke PayPal- en cryptorekeningen naar een nieuwe OpenCollective-pagina op [31 oktober 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). Dit had het bijkomende voordeel dat het onze financiën volledig transparant maakte, een waarde waarin wij sterk geloven, en fiscaal aftrekbaarheid in de Verenigde Staten, omdat ze werden beheerd door de Open Collective Foundation 501(c)3. Deze wijziging werd unaniem goedgekeurd door het team en werd niet betwist. + +## Waarom we verder zijn gegaan + +In 2020 werd de afwezigheid van BurungHantu veel opvallender. Op een gegeven moment moesten de naamservers van het domein worden gewijzigd in naamservers die worden beheerd door onze systeembeheerder om toekomstige verstoringen te voorkomen, en deze wijziging werd pas meer dan een maand na de eerste aanvraag voltooid. Hij verdween maandenlang uit de openbare chat en de privé chatrooms van het team op Matrix. Af en toe kwam hij even langs om wat kleine feedback te geven of beloofde hij actiever te worden, voordat hij weer verdween. + +In oktober 2020 verliet de systeembeheerder van PrivacyTools (Jonah) [het project](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) vanwege deze moeilijkheden, waarbij de controle werd overgedragen aan een andere vrijwilliger die al lange tijd meewerkt. Jonah had bijna elke PrivacyTools dienst beheerd en fungeerde als de *de facto* projectleider voor website ontwikkeling in BurungHantu's afwezigheid, dus zijn vertrek was een belangrijke verandering voor de organisatie. Vanwege deze belangrijke organisatorische veranderingen beloofde BurungHantu destijds aan het overblijvende team dat hij zou terugkeren om de leiding van het project over te nemen. ==Het PrivacyTools-team heeft in de daaropvolgende maanden via verschillende communicatiemethoden contact opgenomen, maar geen reactie ontvangen.== + +## Afhankelijkheid van domeinnaam + +Begin 2021 maakte het PrivacyTools-team zich zorgen over de toekomst van het project, omdat de domeinnaam op 1 maart 2021 zou verlopen. Het domein werd uiteindelijk verlengd door BurungHantu zonder commentaar. + +De zorgen van het team werden niet weggenomen, en we realiseerden ons dat dit elk jaar een probleem zou zijn: Als het domein zou verlopen, zou het kunnen worden gestolen door krakers of spammers, waardoor de reputatie van de organisatie zou worden geruïneerd. We zouden ook moeite hebben gehad de gemeenschap te bereiken om hen te informeren over wat er is gebeurd. + +Zonder enig contact te hebben met BurungHantu, besloten we dat het het beste zou zijn om naar een nieuwe domeinnaam te verhuizen terwijl we nog gegarandeerde controle over de oude domeinnaam hadden, ergens voor maart 2022. Op deze manier kunnen we alle PrivacyTools-resources netjes omleiden naar de nieuwe site zonder enige onderbreking van de dienstverlening. Deze beslissing werd vele maanden van tevoren genomen en aan het hele team meegedeeld in de hoop dat BurungHantu zijn steun aan het project zou toezeggen, want met een herkenbare merknaam en grote gemeenschappen online, was het weggaan van "PrivacyTools" de minst wenselijke uitkomst. + +Medio 2021 nam het PrivacyTools team contact op met Jonah, die ermee instemde zich weer bij het team aan te sluiten om te helpen bij de overgang. + +## Gemeenschaps oproep tot actie + + Eind juli 2021 hebben we +de PrivacyTools gemeenschap op de hoogte gebracht van ons voornemen om een nieuwe naam te kiezen en het project voort te zetten op een nieuw domein, dat [gekozen zal worden](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) op 2 augustus 2022. Uiteindelijk werd "Privacy Guides" gekozen, met het domein `privacyguides.org` dat Jonah al bezat voor een zijproject uit 2020 dat onontwikkeld bleef.

+ + + +## Controle over r/privacytoolsIO + +Gelijktijdig met de lopende website problemen bij privacytools.io, werd het r/privacytoolsIO moderatieteam geconfronteerd met uitdagingen bij het beheer van de subreddit. De subreddit werd altijd grotendeels onafhankelijk van de ontwikkeling van de website beheerd, maar BurungHantu was ook de primaire moderator van de subreddit, en hij was de enige moderator die "Volledige controle"-rechten kreeg. u/trai_dep was op dat moment de enige actieve moderator, en [plaatste op 28 juni 2021 een verzoek aan de beheerders van Reddit](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) met het verzoek om de primaire moderatorpositie en volledige controleprivileges te krijgen, om zo de nodige wijzigingen in de Subreddit aan te brengen. + +Reddit vereist dat subreddits actieve moderatoren hebben. Indien de eerste moderator gedurende een lange periode (bijvoorbeeld een jaar) inactief is, kan de positie van eerste moderator opnieuw worden toegewezen aan de volgende moderator in de rij. Om dit verzoek in te willigen, moest BurungHantu volledig afwezig zijn geweest bij alle Reddit-activiteiten gedurende een lange periode, wat consistent was met zijn gedrag op andere platforms. + + + +> Als je als moderator van een subreddit werd verwijderd via een Reddit-verzoek is dat omdat je gebrek aan reactie en gebrek aan activiteit de subreddit kwalificeerde voor een r/redditrequest-overplaatsing. +> +> r/redditrequest is Reddit's manier om ervoor te zorgen dat gemeenschappen actieve moderators hebben en maakt deel uit van de [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + + + +## Begin van de transitie + +Op 14 september 2021 hebben we [](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) het begin van onze migratie naar dit nieuwe domein aangekondigd: + + + +> [...] wij vonden het nodig deze omschakeling eerder vroeger dan later te maken om ervoor te zorgen dat de mensen zo snel mogelijk van deze overgang op de hoogte zouden zijn. Dit geeft ons voldoende tijd om de domeinnaam, die momenteel doorverwijst naar www.privacyguides.org, te veranderen en hopelijk geeft het iedereen genoeg tijd om de verandering op te merken, bladwijzers en websites bij te werken, enz. + +Deze verandering [hield in:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- www.privacytools.io omleiden naar [www.privacyguides.org](https://www.privacyguides.org). +- Het archiveren van de broncode op GitHub om ons werk uit het verleden en de issue tracker te bewaren, die we bleven gebruiken voor maanden van toekomstige ontwikkeling van deze site. +- Aankondigingen plaatsen op onze subreddit en diverse andere gemeenschappen om mensen te informeren over de officiële verandering. +- Formeel sluiten van privacytools.io-diensten, zoals Matrix en Mastodon, en bestaande gebruikers aanmoedigen om zo snel mogelijk te migreren. + +Alles leek soepel te verlopen, en het grootste deel van onze actieve gemeenschap maakte de overstap naar ons nieuwe project, precies zoals we hoopten. + + + +## Volgende gebeurtenissen + +Ongeveer een week na de overgang kwam BurungHantu voor het eerst in bijna een jaar weer online, maar niemand van ons team wilde terugkeren naar PrivacyTools vanwege zijn historische onbetrouwbaarheid. In plaats van zich te verontschuldigen voor zijn langdurige afwezigheid, ging hij onmiddellijk in de aanval en positioneerde de overgang naar Privacy Guides als een aanval op hem en zijn project. Vervolgens heeft hij [veel van deze berichten verwijderd](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) toen de gemeenschap hem erop wees dat hij afwezig was geweest en het project had verlaten. + +Op dit punt beweerde BurungHantu dat hij alleen verder wilde werken aan privacytools.io en vroeg ons de redirect van www.privacytools.io naar [www.privacyguides.org](https://www.privacyguides.org)te verwijderen. We hebben hem gevraagd de subdomeinen voor Matrix, Mastodon en PeerTube ten minste een paar maanden actief te houden als openbare dienst voor onze gemeenschap, zodat gebruikers op deze platforms gemakkelijk naar andere accounts kunnen migreren. Door de gefedereerde aard van de diensten die wij leverden, waren deze gebonden aan specifieke domeinnamen waardoor het zeer moeilijk (en in sommige gevallen onmogelijk) was om te migreren. + +Helaas, omdat de controle over de r/privacytoolsIO-subreddit niet werd teruggegeven aan BurungHantu op zijn verzoek (meer informatie hieronder), werden die subdomeinen [begin oktober afgesneden van](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/), waardoor alle migratiemogelijkheden voor gebruikers die deze diensten nog gebruikten, werden beëindigd. + +Hierna heeft BurungHantu valse beschuldigingen geuit over het stelen van donaties van het project door Jonah. BurungHantu had meer dan een jaar na het vermeende incident, en toch heeft hij nooit iemand op de hoogte gebracht tot na de migratie van de Privacy Guides. BurungHantu is herhaaldelijk door het team [en de gemeenschap](https://twitter.com/TommyTran732/status/1526153536962281474)gevraagd om bewijzen en om commentaar op de reden voor zijn stilzwijgen, maar heeft dat niet gedaan. + +BurungHantu maakte ook een [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) bewerend dat een "advocaat" hem had bereikt op Twitter en advies gaf, in een andere poging om ons te intimideren om hem de controle over onze subreddit te geven, en als onderdeel van zijn lastercampagne om het water rond de lancering van Privacy Guides te vertroebelen terwijl hij zich voordoet als een slachtoffer. + + + +## PrivacyTools.io Nu + +Vanaf 25 september 2022 zien we de algemene plannen van BurungHantu in vervulling gaan op privacytools.io, en dat is precies de reden waarom we besloten hebben vandaag deze verklarende pagina te maken. De website die hij exploiteert lijkt een zwaar SEO-geoptimaliseerde versie te zijn van de site die hulpmiddelen aanbeveelt in ruil voor financiële compensatie. Zeer recentelijk zijn IVPN en Mullvad, twee VPN-providers die door de privacygemeenschap bijna universeel [worden aanbevolen](../vpn.md) en die bekend staan om hun stellingname tegen affiliate programma's, uit PrivacyTools verwijderd. In hun plaats? NordVPN, Surfshark, ExpressVPN, en hide.me; Gigantische VPN bedrijven met onbetrouwbare platforms en zakelijke praktijken, berucht om hun agressieve marketing en affiliate programma's. + +==**PrivacyTools is precies het type site geworden waar we [voor waarschuwden](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) op de PrivacyTools blog in 2019.**== We hebben geprobeerd om sinds de overgang afstand te houden van PrivacyTools, maar hun voortdurende pesterijen jegens ons project en nu hun absurde misbruik van de geloofwaardigheid die hun merk in 6 jaar van open source bijdragen heeft verworven, is voor ons uiterst verontrustend. Degenen onder ons die daadwerkelijk voor privacy vechten, vechten niet tegen elkaar en krijgen hun advies niet van de hoogste bieder. + + + +## privacyTools. io Nu + + Na de lancering van [r/PrivacyGuides](https://www.reddit.com/r/privacyguides)was het onpraktisch voor u/trai_dep om beide subreddits te blijven modereren, en met de gemeenschap aan boord van de overgang, werd r/privacytoolsIO een beperkt subreddit gemaakt in een post op 1 november 2021:

+ + + +> [...] De groei van deze Sub was het resultaat van grote inspanningen, gedurende meerdere jaren, door het PrivacyGuides.org team. En door ieder van jullie. +> +> Een Subreddit is veel werk om te beheren en te modereren. Net als een tuin vereist het geduldig onderhoud en dagelijkse zorg. Het is geen taak voor dilettantes of vrijblijvende mensen. Het kan niet gedijen onder een tuinman die het enkele jaren in de steek laat en dan de oogst van dit jaar als eerbetoon eist. Het is oneerlijk tegenover het team dat jaren geleden werd gevormd. Het is niet eerlijk tegenover jou. [...] + +Subreddits zijn van niemand, en al helemaal niet van merkhouders. Ze horen bij hun gemeenschap, en de gemeenschap en haar moderatoren hebben besloten de verhuizing naar r/PrivacyGuides te steunen. + +In de maanden daarna heeft BurungHantu gedreigd en gesmeekt om de controle over de subreddit terug te geven aan zijn account in [schending](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) van Reddit regels: + + + +> Vergelding door een moderator met betrekking tot verwijderingsverzoeken is niet toegestaan. + +Voor een gemeenschap met vele duizenden resterende abonnees, vinden we dat het ongelooflijk respectloos zou zijn om de controle over dat enorme platform terug te geven aan de persoon die het meer dan een jaar heeft verlaten en die nu een website beheert waarvan we denken dat deze informatie van zeer lage kwaliteit biedt. Het behoud van de jaren van eerdere discussies in die gemeenschap is belangrijker voor ons, en dus hebben u/trai_dep en de rest van het subreddit moderatieteam de beslissing genomen om r/privacytoolsIO as-is te houden. + + + +## OpenCollective Nu + +Ons fondsenwervingsplatform, OpenCollective, is een andere bron van onenigheid. Ons standpunt is dat OpenCollective door ons team is opgezet en door ons team wordt beheerd om diensten te financieren die wij momenteel exploiteren en wat PrivacyTools niet langer doet. [Wij bereikten](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) al onze donateurs over onze overstap naar Privacy Guides, en we werden unaniem gesteund door onze sponsors en gemeenschap. + +De fondsen in OpenCollective behoren dus toe aan Privacy Guides, ze zijn gegeven aan ons project, en niet aan de eigenaar van een bekende domeinnaam. In de aankondiging aan donateurs op 17 september 2021 boden wij donateurs die het niet eens zijn met ons standpunt een terugbetaling aan, maar niemand is op dit aanbod ingegaan: + + + +> Als sponsors of donateurs het niet eens zijn met of zich misleid voelen door deze recente gebeurtenissen en een terugbetaling willen aanvragen gezien deze hoogst ongebruikelijke omstandigheden, neem dan contact op met onze projectbeheerder door een e-mail te sturen naar jonah@triplebit.net. + + + +## Meer lezen + +Dit onderwerp is uitgebreid besproken binnen onze gemeenschappen op verschillende plaatsen, en het lijkt waarschijnlijk dat de meeste mensen die deze pagina lezen al bekend zijn met de gebeurtenissen die hebben geleid tot de overgang naar Privacy Guides. Sommige van onze eerdere berichten over deze kwestie hebben mogelijk extra details die we hier voor de beknoptheid hebben weggelaten. Voor de volledigheid zijn ze hieronder gelinkt. + +- [28 juni 2021 verzoek om controle van r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [27 juli 2021 aankondiging van onze intenties om te verhuizen op de PrivacyTools blog, geschreven door het team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [13 september 2021 aankondiging van het begin van onze overgang naar privacyguides op r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [17 sept 2021 aankondiging op OpenCollective van Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [30 september 2021 Twitter-draad met details over de meeste gebeurtenissen die nu op deze pagina worden beschreven](https://twitter.com/privacy_guides/status/1443633412800225280) +- [1 okt 2021 bericht door u/dng99 met vermelding van subdomeinfout](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2 apr 2022 reactie van u/dng99 op beschuldigende blogpost van PrivacyTools](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [16 mei 2022 reactie door @TommyTran732 op Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post op Techlore's forum door @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/nl/about/services.md b/i18n/nl/about/services.md new file mode 100644 index 00000000..d542b52a --- /dev/null +++ b/i18n/nl/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Diensten + +We draaien een aantal webdiensten om functies te testen en coole gedecentraliseerde, gefedereerde en/of open-source projecten te promoten. Veel van deze diensten zijn beschikbaar voor het publiek en worden hieronder beschreven. + +[:material-comment-alert: Een probleem melden](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domein: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Beschikbaarheid: Openbaar +- Bron: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domein: [code.privacyguides.dev](https://code.privacyguides.dev) +- Beschikbaarheid: Alleen op uitnodiging + Toegang kan op verzoek worden verleend aan elk team dat werkt aan *Privacy Guides*-gerelateerde ontwikkeling of inhoud. +- Bron: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domein: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Beschikbaarheid: Alleen op uitnodiging + Toegang kan op verzoek worden verleend aan leden van het Privacy Guides-team, Matrix-moderators, Matrix-communitybeheerders van derden, Matrix-botbeheerders en andere personen die een betrouwbare Matrix-aanwezigheid nodig hebben. +- Bron: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domein: [search.privacyguides.net](https://search.privacyguides.net) +- Beschikbaarheid: Openbaar +- Bron: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domein: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Beschikbaarheid: Semi-Openbaar + Wij hosten Invidious voornamelijk om ingesloten YouTube-video's op onze website weer te geven, deze instantie is niet bedoeld voor algemeen gebruik en kan op elk moment worden beperkt. +- Bron: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/nl/about/statistics.md b/i18n/nl/about/statistics.md new file mode 100644 index 00000000..8973be93 --- /dev/null +++ b/i18n/nl/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Verkeersstatistieken +--- + +## Website statistieken + + +
Statistieken mogelijk gemaakt door Plausible Analytics
+ + + + +## Blog Statistieken + + +
Statistieken mogelijk gemaakt door Plausible Analytics
+ + + diff --git a/i18n/nl/advanced/communication-network-types.md b/i18n/nl/advanced/communication-network-types.md new file mode 100644 index 00000000..7f0ee06f --- /dev/null +++ b/i18n/nl/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Soorten communicatienetwerken" +icon: 'material/transit-connection-variant' +description: Een overzicht van verschillende netwerkarchitecturen die vaak door instant messaging toepassingen worden gebruikt. +--- + +Er zijn verschillende netwerkarchitecturen die gewoonlijk worden gebruikt om berichten tussen mensen door te geven. Deze netwerken kunnen verschillende privacygaranties bieden, en daarom is het de moeite waard jouw [bedreigingsmodel](../basics/threat-modeling.md) in overweging te nemen bij de beslissing welke app je gaat gebruiken. + +[Aanbevolen Instant Messengers](../real-time-communication.md ""){.md-button} + +## Gecentraliseerde netwerken + +![Diagram gecentraliseerde netwerken](../assets/img/layout/network-centralized.svg){ align=left } + +Gecentraliseerde berichten diensten zijn die waarbij alle deelnemers zich op dezelfde server of hetzelfde netwerk van servers bevinden die door dezelfde organisatie worden gecontroleerd. + +Bij sommige zelf gehoste berichten diensten kun je je eigen server opzetten. Zelf-hosting kan extra privacywaarborgen bieden, zoals geen gebruikslogs of beperkte toegang tot metadata (gegevens over wie met wie praat). Zelf gehoste gecentraliseerde berichten diensten zijn geïsoleerd en iedereen moet op dezelfde server zijn om te kunnen communiceren. + +**Voordelen:** + +- Nieuwe functies en veranderingen kunnen sneller worden doorgevoerd. +- Gemakkelijker om mee te beginnen en om contacten te vinden. +- De meeste volwassen en stabiele functies, ecosystemen, omdat ze gemakkelijker te programmeren zijn in een gecentraliseerde software. +- Privacyproblemen kunnen worden verminderd wanneer je vertrouwt op een server die je zelf host. + +**Nadelen:** + +- Kan [beperkte controle of toegang](https://drewdevault.com/2018/08/08/Signal.html)omvatten. Dit kan dingen inhouden zoals: +- Het is [verboden om clients van derden](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) aan te sluiten op het gecentraliseerde netwerk, wat zou kunnen zorgen voor meer maatwerk of een betere ervaring. Vaak gedefinieerd in de gebruiksvoorwaarden. +- Slechte of geen documentatie voor externe ontwikkelaars. +- De [eigendom](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), het privacybeleid en de verrichtingen van de dienst kunnen gemakkelijk veranderen wanneer één enkele entiteit de dienst controleert, waardoor de dienst later in gevaar kan worden gebracht. +- Zelf-hosting vergt inspanning en kennis van het opzetten van een dienst. + +## Gefedereerde netwerken + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Bij gefedereerde berichten diensten worden meerdere, onafhankelijke, gedecentraliseerde servers gebruikt die met elkaar kunnen praten (e-mail is een voorbeeld van een gefedereerde dienst). Federatie stelt systeembeheerders in staat hun eigen server te beheren en toch deel uit te maken van het grotere communicatienetwerk. + +Bij zelf-hosting kunnen leden van een federatieve server leden van andere servers ontdekken en met hen communiceren, hoewel sommige servers ervoor kunnen kiezen privé te blijven door niet-federated te zijn (bv. een werk team server). + +**Voordelen:** + +- Maakt een grotere controle over jouw eigen gegevens mogelijk wanneer je jouw eigen server gebruikt. +- Hiermee kunt je kiezen aan wie je jouw gegevens toevertrouwt door te kiezen tussen meerdere "openbare" servers. +- Staat vaak clients van derden toe die een meer native, aangepaste of toegankelijke ervaring kunnen bieden. +- Bij serversoftware kan worden nagegaan of deze overeenkomt met de openbare broncode, ervan uitgaande dat je toegang hebt tot de server of dat je de persoon die dat heeft (bijvoorbeeld een familielid) vertrouwt. + +**Nadelen:** + +- Het toevoegen van nieuwe functies is ingewikkelder, omdat deze functies moeten worden gestandaardiseerd en getest om ervoor te zorgen dat ze werken met alle servers op het netwerk. +- Door het vorige punt kunnen functies ontbreken, of onvolledig zijn of op onverwachte manieren werken in vergelijking met gecentraliseerde platforms, zoals het doorgeven van berichten wanneer zij offline zijn of het verwijderen van berichten. +- Sommige metadata kunnen beschikbaar zijn (bv. informatie zoals "wie praat met wie", maar niet de eigenlijke berichtinhoud indien E2EE wordt gebruikt). +- Voor federatieve servers is het over het algemeen nodig de beheerder van uw server te vertrouwen. Ze kunnen een hobbyist zijn of anderszins geen "beveiligingsprofessional", en dienen misschien geen standaarddocumenten in zoals een privacybeleid of servicevoorwaarden waarin staat hoe jouw gegevens worden gebruikt. +- Serverbeheerders kiezen er soms voor andere servers te blokkeren, die een bron van ongemodereerd misbruik zijn of algemene regels van aanvaard gedrag overtreden. Dit zal jouw vermogen om te communiceren met leden van die servers belemmeren. + +## Peer-to-Peer netwerken + +![P2P-diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P berichten diensten maken verbinding met een [gedistribueerd netwerk](https://en.wikipedia.org/wiki/Distributed_networking) van knooppunten om een bericht door te geven aan de ontvanger zonder een server van derden. + +Cliënten (peers) vinden elkaar meestal via een [gedistribueerd computernetwerk](https://en.wikipedia.org/wiki/Distributed_computing). Voorbeelden hiervan zijn [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), gebruikt door [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) en [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) bijvoorbeeld. Een andere benadering is op nabijheid gebaseerde netwerken, waarbij een verbinding tot stand wordt gebracht via WiFi of Bluetooth (bijvoorbeeld Briar of het [Scuttlebutt](https://www.scuttlebutt.nz) sociale netwerkprotocol). + +Zodra een peer via een van deze methoden een route naar zijn contactpersoon heeft gevonden, wordt een rechtstreekse verbinding tussen hen tot stand gebracht. Hoewel berichten meestal versleuteld zijn, kan een waarnemer toch de locatie en de identiteit van de verzender en de ontvanger afleiden. + +P2P-netwerken maken geen gebruik van servers, aangezien peers rechtstreeks met elkaar communiceren en dus niet zelf gehost kunnen worden. Sommige aanvullende diensten kunnen echter afhankelijk zijn van gecentraliseerde servers, zoals het ontdekken van gebruikers of het doorgeven van offline berichten, die baat kunnen hebben bij zelfhosting. + +**Voordelen:** + +- Er wordt zo min mogelijk informatie aan derden verstrekt. +- Moderne P2P-platforms implementeren standaard E2EE. Er zijn geen servers die jouw transmissies kunnen onderscheppen en ontsleutelen, in tegenstelling tot gecentraliseerde en gefedereerde netwerken. + +**Nadelen:** + +- Beperkte functies: +- Berichten kunnen alleen worden verzonden als beide peers online zijn, maar jouw cliënt kan berichten lokaal opslaan om te wachten tot de contactpersoon weer online is. +- Verhoogt in het algemeen het batterijverbruik op mobiele toestellen, omdat de client verbonden moet blijven met het gedistribueerde netwerk om te weten te komen wie online is. +- Sommige veelgebruikte messenger-functies zijn mogelijk niet of onvolledig geïmplementeerd, zoals het verwijderen van berichten. +- Uw IP-adres en dat van de contacten waarmee je communiceert kunnen worden blootgesteld als je de software niet gebruikt in combinatie met een [VPN](../vpn.md) of [Tor](../tor.md). Veel landen kennen een vorm van massasurveillance en/of het bewaren van metadata. + +## Anonieme routering + +![Anoniem routeringsschema](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +Een berichten diensten die gebruik maakt van [anonieme routering](https://doi.org/10.1007/978-1-4419-5906-5_628) verbergt de identiteit van de verzender, de ontvanger of het bewijs dat zij hebben gecommuniceerd. Idealiter zou een berichten diensten alle drie moeten verbergen. + +Er zijn [veel](https://doi.org/10.1145/3182658) verschillende manieren om anonieme routering te implementeren. Een van de bekendste is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (d.w.z. [Tor](tor-overview.md)), waarbij versleutelde berichten worden gecommuniceerd via een virtueel [overlay netwerk](https://en.wikipedia.org/wiki/Overlay_network) dat de locatie van elk knooppunt en de ontvanger en verzender van elk bericht verbergt. De verzender en de ontvanger hebben nooit rechtstreeks contact en ontmoeten elkaar alleen via een geheim rendez-vousknooppunt, zodat er geen IP-adressen of fysieke locatie uitlekken. Knooppunten kunnen berichten niet ontcijferen, noch de eindbestemming; alleen de ontvanger kan dat. Elk tussenliggend knooppunt kan slechts een deel decoderen dat aangeeft waar het nog versleutelde bericht naartoe moet, totdat het aankomt bij de ontvanger die het volledig kan decoderen, vandaar de "ui-lagen" + +Het zelf hosten van een knooppunt in een anoniem routenetwerk biedt de hoster geen extra privacyvoordelen, maar draagt bij tot de weerbaarheid van het hele netwerk tegen identificatieaanvallen, wat in ieders voordeel is. + +**Voordelen:** + +- Minimale tot geen informatie wordt blootgesteld aan andere partijen. +- Berichten kunnen op gedecentraliseerde wijze worden doorgegeven, zelfs als een van de partijen offline is. + +**Nadelen:** + +- Trage verspreiding van berichten. +- Vaak beperkt tot minder mediatypen, meestal tekst, omdat het netwerk traag is. +- Minder betrouwbaar als de knooppunten worden geselecteerd door gerandomiseerde routering, kunnen sommige knooppunten zeer ver van de verzender en de ontvanger verwijderd zijn, waardoor vertraging optreedt of zelfs berichten niet worden verzonden als een van de knooppunten offline gaat. +- Ingewikkelder om mee te beginnen omdat de creatie en beveiligde backup van een cryptografische private sleutel vereist is. +- Net als bij andere gedecentraliseerde platforms is het toevoegen van functies ingewikkelder voor ontwikkelaars dan op een gecentraliseerd platform. Daarom kunnen functies ontbreken of onvolledig zijn geïmplementeerd, zoals het offline doorgeven van berichten of het verwijderen van berichten. diff --git a/i18n/nl/advanced/dns-overview.md b/i18n/nl/advanced/dns-overview.md new file mode 100644 index 00000000..4ec883a7 --- /dev/null +++ b/i18n/nl/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Inleiding tot DNS" +icon: material/dns +description: Het Domain Name System is het "telefoonboek van het internet", dat jouw browser helpt de website te vinden die hij zoekt. +--- + +Het [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is het "telefoonboek van het internet". DNS vertaalt domeinnamen naar IP-adressen zodat browsers en andere diensten internetbronnen kunnen laden, via een gedecentraliseerd netwerk van servers. + +## Wat is DNS? + +Wanneer je een website bezoekt, wordt een numeriek adres teruggezonden. Wanneer je bijvoorbeeld `privacyguides.org`bezoekt, wordt het adres `192.98.54.105` teruggezonden. + +DNS bestaat al sinds de [begindagen](https://en.wikipedia.org/wiki/Domain_Name_System#History) van het internet. DNS-verzoeken aan en van DNS-servers zijn **niet** over het algemeen versleuteld. In een residentiële omgeving krijgt een klant servers van de ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Onversleutelde DNS-verzoeken kunnen onderweg gemakkelijk worden **gesurveilleerd** en **gewijzigd**. In sommige delen van de wereld worden ISP's opgedragen primitieve [DNS-filters te gebruiken](https://en.wikipedia.org/wiki/DNS_blocking). Wanneer je het IP-adres opvraagt van een domein dat is geblokkeerd, antwoordt de server mogelijk niet of met een ander IP-adres. Aangezien het DNS-protocol niet versleuteld is, kan de ISP (of om het even welke netwerkexploitant) [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) gebruiken om verzoeken te controleren. ISP's kunnen ook verzoeken blokkeren op basis van gemeenschappelijke kenmerken, ongeacht welke DNS-server wordt gebruikt. Onversleutelde DNS gebruikt altijd [poort](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 en gebruikt altijd UDP. + +Hieronder bespreken we en geven we een tutorial om te bewijzen wat een externe waarnemer kan zien met gewone onversleutelde DNS en [versleutelde DNS](#what-is-encrypted-dns). + +### Onversleutelde DNS + +1. Met [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (onderdeel van het [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) kunnen we de internet packet flow monitoren en opnemen. Dit commando registreert pakketten die aan de gespecificeerde regels voldoen: + + ```bash + tshark -w /tmp/dns.pcap udp poort 53 en host 1.1.1.1 of host 8.8.8.8 + ``` + +2. We kunnen dan [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) of [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) gebruiken om de DNS lookup naar beide servers te sturen. Software zoals webbrowsers doen deze lookups automatisch, tenzij zij geconfigureerd zijn om gecodeerde DNS te gebruiken. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Vervolgens willen wij [analyseren](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) de resultaten: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Als je het bovenstaande Wireshark-commando uitvoert, toont het bovenste deelvenster de "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", en het onderste deelvenster toont alle gegevens over het geselecteerde frame. Oplossingen voor bedrijfsfiltering en -monitoring (zoals die welke door overheden worden aangeschaft) kunnen dit proces automatisch uitvoeren, zonder menselijke tussenkomst, en kunnen deze frames samenvoegen tot statistische gegevens die nuttig zijn voor de netwerkwaarnemer. + +| Nee. | Tijd | Bron | Bestemming | Protocol | Lengte | Info | +| ---- | -------- | --------- | ---------- | -------- | ------ | ----------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standaard zoekopdracht 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standaard vraag antwoord 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standaard zoekopdracht 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standaard query-antwoord 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Een waarnemer kan elk van deze pakketten wijzigen. + +## Wat is "versleutelde DNS"? + +Versleutelde DNS kan verwijzen naar een van een aantal protocollen, waarvan de meest voorkomende zijn: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was een van de eerste methoden om DNS-query's te versleutelen. DNSCrypt werkt op poort 443 en werkt met zowel de TCP- als de UDP-transportprotocollen. DNSCrypt is nooit ingediend bij de [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) en is ook nooit door het [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) proces gegaan, dus is het buiten een paar [implementaties nog niet op grote schaal gebruikt](https://dnscrypt.info/implementations). Als gevolg daarvan is het grotendeels vervangen door het meer populaire [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is een andere methode voor het versleutelen van DNS-communicatie die is gedefinieerd in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Ondersteuning werd voor het eerst geïmplementeerd in Android 9, iOS 14, en op Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in versie 237. De laatste jaren is de voorkeur in de sector verschoven van DoT naar DoH, omdat DoT een [complex protocol is](https://dnscrypt.info/faq/) en de naleving van de RFC in de bestaande implementaties varieert. DoT werkt ook op een speciale poort 853 die gemakkelijk kan worden geblokkeerd door restrictieve firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) zoals gedefinieerd in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) verpakt query's in het [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol en biedt beveiliging met HTTPS. Ondersteuning werd voor het eerst toegevoegd in webbrowsers zoals Firefox 60 en Chrome 83. + +Native implementatie van DoH dook op in iOS 14, macOS 11, Microsoft Windows, en Android 13 (het zal echter niet standaard worden ingeschakeld [](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). Algemene Linux desktop ondersteuning wacht op de systemd [implementatie](https://github.com/systemd/systemd/issues/8639) dus [het installeren van third-party software is nog steeds vereist](../dns.md#linux). + +## Wat kan een buitenstaander zien? + +In dit voorbeeld zullen we vastleggen wat er gebeurt als we een DoH-verzoek doen: + +1. Start eerst `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Ten tweede, doe een aanvraag met `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Na het verzoek te hebben gedaan, kunnen we de packet capture stoppen met CTRL + C. + +4. Analyseer de resultaten in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We zien de [verbinding tot stand brengen](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) en [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) die bij elke versleutelde verbinding optreedt. Als we kijken naar de "toepassings gegevens" pakketten die volgen, bevat geen van hen het domein dat we hebben aangevraagd of het IP adres dat wordt teruggestuurd. + +## Waarom **zou ik geen** versleutelde DNS gebruiken? + +Op plaatsen waar internet wordt gefilterd (of gecensureerd), kan het bezoeken van verboden bronnen eigen gevolgen hebben waarmee je rekening moet houden in jouw [bedreigingsmodel](../basics/threat-modeling.md). Wij **niet** suggereren het gebruik van gecodeerde DNS voor dit doel. Gebruik in plaats daarvan [Tor](https://torproject.org) of een [VPN](../vpn.md). Als je een VPN gebruikt, moet je de DNS-servers van jouw VPN gebruiken. Wanneer je een VPN gebruikt, vertrouwt je hen al jouw netwerkactiviteiten toe. + +Wanneer we een DNS lookup doen, is dat meestal omdat we toegang willen tot een bron. Hieronder bespreken we enkele van de methoden die jouw surf-activiteiten kunnen onthullen, zelfs wanneer je versleutelde DNS gebruikt: + +### IP-adres + +De eenvoudigste manier om de surfactiviteit vast te stellen, is te kijken naar de IP-adressen waartoe jouw apparaten toegang hebben. Als de waarnemer bijvoorbeeld weet dat `privacyguides.org` op `198.98.54.105`staat, en jouw apparaat gegevens opvraagt van `198.98.54.105`, is de kans groot dat je Privacy Guides bezoekt. + +Deze methode is alleen nuttig wanneer het IP-adres toebehoort aan een server die slechts enkele websites host. Het is ook niet erg nuttig als de site wordt gehost op een gedeeld platform (bijv. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, enz). Het is ook niet erg nuttig als de server gehost wordt achter een [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), wat heel gebruikelijk is op het moderne Internet. + +### Server Naam Aanwijzing (SNA) + +Server Name Indication wordt meestal gebruikt wanneer een IP-adres veel websites host. Dit kan een dienst als Cloudflare zijn, of een andere [Denial-of-service-aanval](https://en.wikipedia.org/wiki/Denial-of-service_attack) bescherming. + +1. Begin opnieuw te vangen met `tshark`. We hebben een filter toegevoegd met ons IP adres zodat je niet veel pakketten opvangt: + + ```bash + tshark -w /tmp/pg.pcap poort 443 en host 198.98.54.105 + ``` + +2. Dan gaan we naar [https://privacyguides.org](https://privacyguides.org). + +3. Na het bezoek aan de website, willen we de packet capture stoppen met CTRL + C. + +4. Vervolgens willen we de resultaten analyseren: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We zullen de verbinding tot stand zien komen, gevolgd door de TLS handshake voor de Privacy Gidsen website. Rond frame 5. zie je een "Client Hello". + +5. Vouw de driehoek ▸ uit naast elk veld: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Uitbreiding: server_name (len=22) + ▸ Uitbreiding servernaam-aanduiding + ``` + +6. Wij kunnen de SNI-waarde zien die aangeeft welke website wij bezoeken. Het `tshark` commando kan je de waarde rechtstreeks geven voor alle pakketten die een SNI waarde bevatten: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Dit betekent dat zelfs als we "Encrypted DNS" servers gebruiken, het domein waarschijnlijk zal worden onthuld via SNI. Het [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brengt het [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) met zich mee, dat dit soort lekken voorkomt. + +Regeringen, met name [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) en [Rusland](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), zijn al begonnen [met het blokkeren van](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) of hebben de wens geuit dit te doen. Onlangs is Rusland [begonnen met het blokkeren van buitenlandse websites](https://github.com/net4people/bbs/issues/108) die gebruik maken van de [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) norm. Dit komt doordat het [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol dat deel uitmaakt van HTTP/3 vereist dat `ClientHello` ook gecodeerd wordt. + +### Protocol voor onlinecertificaatstatus (PVOC/OCSP) + +Een andere manier waarop jouw browser jouw surfactiviteiten kan onthullen is met het [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). Wanneer je een HTTPS-website bezoekt, kan de browser controleren of het [-certificaat](https://en.wikipedia.org/wiki/Public_key_certificate) van de website is ingetrokken. Dit gebeurt over het algemeen via het HTTP-protocol, wat betekent dat het **niet** versleuteld is. + +Het OCSP-verzoek bevat het certificaat "[serienummer](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", dat uniek is. Het wordt naar de "OCSP responder" gezonden om de status ervan te controleren. + +We kunnen simuleren wat een browser zou doen met het [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) commando. + +1. Haal het server certificaat op en gebruik [`sed`](https://en.wikipedia.org/wiki/Sed) om alleen het belangrijke deel te bewaren en schrijf het uit naar een bestand: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Haal het tussenliggende certificaat op. [Certificaatautoriteiten (CA)](https://en.wikipedia.org/wiki/Certificate_authority) ondertekenen een certificaat gewoonlijk niet rechtstreeks; zij gebruiken een zogeheten "intermediair" certificaat. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. Het eerste certificaat in `pg_and_intermediate.cert` is eigenlijk het servercertificaat uit stap 1. We kunnen `sed` opnieuw gebruiken om te wissen tot de eerste instantie van END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Haal de OCSP responder voor het server certificaat op: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Ons certificaat toont de Lets Encrypt certificaat responder. Als we alle details van het certificaat willen zien, kunnen we gebruik maken van: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start de pakketopname: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Doe het OCSP-verzoek: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open de opname: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + Er komen twee pakketten met het "OCSP"-protocol: een "Request" en een "Response". Voor de "Aanvraag" kunnen we het "serienummer" zien door het driehoekje ▸ naast elk veld uit te vouwen: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Verzoek + ▸ reqCert + serialNumber + ``` + + Voor de "Response" kunnen we ook het "serienummer" zien: + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ antwoorden: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Of gebruik `tshark` om de pakketten te filteren op het Serienummer: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Als de netwerkwaarnemer het publieke certificaat heeft, dat publiekelijk beschikbaar is, kunnen zij het serienummer met dat certificaat vergelijken en op basis daarvan de site bepalen die je bezoekt. Het proces kan worden geautomatiseerd en IP-adressen kunnen worden gekoppeld aan serienummers. Het is ook mogelijk om [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs te controleren op het serienummer. + +## Moet ik versleutelde DNS gebruiken? + +We hebben dit stroomschema gemaakt om te beschrijven wanneer u *versleutelde DNS zou moeten* gebruiken: + +``` mermaid +graph TB + Begin[Begin] --> anoniem{Probeert
anoniem te zijn?} + anoniem--> | Ja | tor(Use Tor) + anoniem --> | Nee | censuur{Censuur
vermijden?} + censuur --> | Ja | vpnOrTor(Gebruik
VPN of Tor) + censuur --> | Nee | privacy{Wil je privacy
van ISP?} + privacy --> | Jaa | vpnOrTor + privacy --> | Nee | onaangenaam{ISP wijzigt
zoekopdrachten?} + onaangenaam --> | Ja | encryptedDNS(Gebruik
versleutelde DNS
met derde partij) + onaangenaam --> | Nee | ispDNS{Doet ISP ondersteunen
versleutelde DNS?} + ispDNS --> | Ja | useISP(Gebruik
versleutelde DNS
met ISP) + ispDNS --> | Nee | nothing(Doe niets) +``` + +Versleutelde DNS met een derde partij mag alleen worden gebruikt om redirects en basis-DNS-blokkering van [te omzeilen](https://en.wikipedia.org/wiki/DNS_blocking) als je er zeker van kunt zijn dat er geen gevolgen zijn of als je geïnteresseerd bent in een provider die een aantal rudimentaire filters uitvoert. + +[Lijst van aanbevolen DNS-servers](../dns.md ""){.md-button} + +## Wat is DNSSEC? + +[DNSSEC (Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)) is een functie van DNS waarmee reacties op domeinnaamzoekopdrachten worden geverifieerd. Het biedt geen bescherming van de privacy voor die lookups, maar voorkomt dat aanvallers de antwoorden op DNS-verzoeken manipuleren of vergiftigen. + +Met andere woorden, DNSSEC ondertekent gegevens digitaal om de geldigheid ervan te helpen garanderen. Om een veilige lookup te garanderen, vindt de ondertekening plaats op elk niveau in het DNS lookup-proces. Als gevolg daarvan kunnen alle antwoorden van DNS worden vertrouwd. + +Het DNSSEC-ondertekeningsproces is vergelijkbaar met iemand die een juridisch document met een pen ondertekent; die persoon ondertekent met een unieke handtekening die niemand anders kan maken, en een gerechtsdeskundige kan naar die handtekening kijken en verifiëren dat het document door die persoon is ondertekend. Deze digitale handtekeningen garanderen dat er niet met de gegevens is geknoeid. + +DNSSEC implementeert een hiërarchisch digitaal ondertekeningsbeleid over alle lagen van DNS. Bijvoorbeeld, in het geval van een `privacyguides.org` lookup, zou een root DNS-server een sleutel ondertekenen voor de `.org` nameserver, en de `.org` nameserver zou dan een sleutel ondertekenen voor `privacyguides.org`'s gezaghebbende nameserver. + +Aangepast uit [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) van Google en [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) van Cloudflare, beide met een licentie onder [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## Wat is QNAME-minimalisatie? + +Een QNAME is een "gekwalificeerde naam", bijvoorbeeld `privacyguides.org`. QNAME-minimalisatie vermindert de hoeveelheid informatie die van de DNS-server naar de [authoratieve naamserver](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server) wordt gestuurd. + +In plaats van het hele domein `privacyguides.org` te sturen, betekent QNAME-minimalisatie dat de DNS-server alle records opvraagt die eindigen op `.org`. Een verdere technische beschrijving is te vinden in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## Wat is EDNS Client Subnet (ECS)? + +Het [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is een methode voor een recursieve DNS-oplosser om een [subnetwerk](https://en.wikipedia.org/wiki/Subnetwork) te specificeren voor de [host of client](https://en.wikipedia.org/wiki/Client_(computing)) die de DNS-query uitvoert. + +Het is bedoeld om de levering van gegevens te "versnellen" door de client een antwoord te geven dat toebehoort aan een server die zich dicht bij hem bevindt, zoals een [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), die vaak worden gebruikt bij videostreaming en het serveren van JavaScript-webapps. + +Deze functie gaat wel ten koste van de privacy, aangezien de DNS-server informatie krijgt over de locatie van de client. diff --git a/i18n/nl/advanced/payments.md b/i18n/nl/advanced/payments.md new file mode 100644 index 00000000..1a593c4d --- /dev/null +++ b/i18n/nl/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Privé betalingen +icon: material/hand-coin +--- + +Er is een reden waarom gegevens over jouw koopgedrag word beschouwd als de heilige graal van gerichte advertenties: jouw aankopen kunnen een ware schat aan gegevens over je lekken. Helaas is het huidige financiële systeem anti-privacy by design, waardoor banken, andere bedrijven en overheden transacties gemakkelijk kunnen traceren. Toch heb je tal van opties als het gaat om het maken van betalingen privé. + +## Contant + +Eeuwenlang was **contant geld** de belangrijkste vorm van particuliere betaling. Cash heeft in de meeste gevallen uitstekende privacy-eigenschappen, wordt in de meeste landen algemeen geaccepteerd en is **vervangbaar**, wat betekent dat het niet uniek en volledig verwisselbaar is. + +De wetgeving inzake contante betaling verschilt per land. In de Verenigde Staten is voor contante betalingen van meer dan 10.000 dollar een speciale melding aan de IRS vereist op [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). Het ontvangende bedrijf moet de naam, het adres, het beroep, de geboortedatum en het burgerservicenummer of een ander TIN van de begunstigde verifiëren (met enkele uitzonderingen). Lagere limieten zonder ID zoals $ 3.000 of minder bestaan voor uitwisselingen en geldoverdracht. Contant geld bevat ook serienummers. Deze worden bijna nooit door handelaren getraceerd, maar kunnen door rechtshandhavingsinstanties worden gebruikt bij gerichte onderzoeken. + +Toch is het meestal de beste optie. + +## Prepaidkaarten & Cadeaubonnen + +Het is relatief eenvoudig om cadeaubonnen en prepaidkaarten te kopen bij de meeste supermarkten en gemakswinkels met contant geld. Cadeaukaarten hebben meestal geen geen kosten, maar prepaidkaarten vaak wel, dus let goed op deze kosten en vervaldata. Sommige winkels kunnen vragen om je legitimatiebewijs te zien bij het afrekenen om fraude te verminderen. + +Cadeaubonnen hebben meestal limieten tot $ 200 per kaart, maar sommige bieden limieten tot $ 2.000 per kaart. Prepaidkaarten (bijv. van Visa of Mastercard) hebben meestal limieten tot $ 1.000 per kaart. + +Cadeaubonnen hebben het nadeel dat ze onderworpen zijn aan het winkelbeleid, dat vreselijke voorwaarden en beperkingen kan hebben. Sommige verkopers accepteren bijvoorbeeld niet uitsluitend betaling met cadeaubonnen, of ze kunnen de waarde van de kaart annuleren als ze je als een gebruiker met een hoog risico beschouwen. Zodra je een cadeaubon hebt, heeft de winkel een sterke mate van controle over dit krediet. + +Prepaidkaarten staan geen geldopnames van geldautomaten of "peer-to-peer" -betalingen in Venmo en soortgelijke apps toe. + +Cash blijft de beste optie voor persoonlijke aankopen voor de meeste mensen. Cadeaubonnen kunnen nuttig zijn voor de besparingen die ze opleveren. Prepaidkaarten kunnen handig zijn voor plaatsen die geen contant geld accepteren. Cadeaubonnen en prepaidkaarten zijn gemakkelijker online te gebruiken dan contant geld en ze zijn gemakkelijker te verkrijgen met cryptocurrencies dan contant geld. + +### Online marktplaatsen + +Als je [cryptocurrency](../cryptocurrency.md) hebt, kun je cadeaubonnen kopen bij een online cadeaubon marktplaats. Sommige van deze services bieden opties voor ID-verificatie voor hogere limieten, maar ze staan ook accounts toe met alleen een e-mailadres. Basislimieten beginnen bij $ 5.000-10.000 per dag voor basisaccounts en aanzienlijk hogere limieten voor ID geverifieerde accounts (indien aangeboden). + +Bij het online kopen van cadeaukaarten is er meestal een kleine korting. Prepaidkaarten worden meestal online verkocht tegen nominale waarde of tegen een vergoeding. Als je prepaidkaarten en cadeaubonnen met cryptocurrencies koopt, moet je sterk de voorkeur geven aan betalen met Monero, wat een sterke privacy biedt, meer hierover hieronder. Het betalen voor een cadeaukaart met een traceerbare betaalmethode doet de voordelen teniet die een cadeaukaart kan bieden wanneer deze met contant geld of Monero wordt gekocht. + +- [Online marktplaatsen voor cadeaubonnen :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtuele kaarten + +Een andere manier om jouw informatie te beschermen tegen online handelaars is het gebruik van virtuele kaarten voor eenmalig gebruik die jouw werkelijke bank- of factureringsgegevens maskeren. Dit is vooral handig om je te beschermen tegen inbreuken op de gegevens van verkopers, minder geavanceerde tracking of aankoopcorrelatie door marketingbureaus en online gegevensdiefstal. Ze helpen je **niet** om een aankoop volledig anoniem te doen, noch verbergen ze informatie voor de bankinstelling zelf. Reguliere financiële instellingen die virtuele kaarten aanbieden zijn onderworpen aan "Know Your Customer" (KYC) wetten, wat betekent dat zij jouw ID of andere identificerende informatie kunnen verlangen. + +- [Aanbevolen betalingsmaskeringsdiensten :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +Dit zijn meestal goede opties voor online terugkerende betalingen/abonnementen, terwijl de voorkeur wordt gegeven aan vooraf betaalde cadeaubonnen voor eenmalige transacties. + +## Cryptocurrency + +Cryptocurrencies zijn een digitale vorm van valuta die is ontworpen om te werken zonder centrale autoriteiten zoals een overheid of bank. Hoewel *sommige* cryptocurrency-projecten je in staat stellen online privétransacties te verrichten, gebruiken vele een openbare blockchain die geen enkele transactieprivacy biedt. Cryptovaluta's zijn ook zeer volatiele assets, wat betekent dat hun waarde op elk moment snel en aanzienlijk kan veranderen. Als zodanig raden we over het algemeen niet aan om cryptocurrency te gebruiken als een lange termijn opslag van waarde. Als je besluit cryptocurrency online te gebruiken, zorg er dan voor dat je vooraf volledig op de hoogte bent van de privacy-aspecten ervan, en investeer alleen bedragen die niet rampzalig zijn om te verliezen. + +!!! danger "Gevaar" + + De overgrote meerderheid van de cryptocurrencies werkt op een **publieke** blockchain, wat betekent dat elke transactie publiekelijk bekend is. Dit omvat zelfs de meeste bekende cryptocurrencies zoals Bitcoin en Ethereum. Transacties met deze cryptocurrencies mogen niet als privé worden beschouwd en zullen jouw anonimiteit niet beschermen. + + Daarnaast zijn veel of misschien niet de meeste cryptovaluta's oplichters. Voer transacties zorgvuldig uit met alleen projecten die je vertrouwt. + +### Privacy Coins + +Er zijn een aantal cryptocurrency-projecten die beweren privacy te bieden door transacties anoniem te maken. Wij raden aan er een te gebruiken die standaard transactie anonimiteit **biedt** om menselijke fouten te voorkomen. + +- [Aanbevolen cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacymunten worden steeds kritischer bekeken door overheidsinstanties. In 2020 publiceerde [de IRS een bounty van $625.000](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) voor tools die het Bitcoin Lightning Network en/of de transactieprivacy van Monero kunnen doorbreken. Ze hebben uiteindelijk [twee bedrijven](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis en Integra Fec) samen 1,25 miljoen dollar betaald voor tools die dit pretenderen te doen (het is onbekend op welk cryptocurrency netwerk deze tools zich richten). Vanwege de geheimhouding rond tools zoals deze, is geen van deze methoden voor het traceren van cryptocurrencies onafhankelijk bevestigd.== Het is vrij waarschijnlijk dat er instrumenten bestaan die gericht onderzoek naar particuliere munttransacties ondersteunen, en dat privacymunten er alleen in slagen massasurveillance te dwarsbomen. + +### Andere munten (Bitcoin, Ethereum, enz.) + +De overgrote meerderheid van cryptocurrency-projecten maakt gebruik van een openbare blockchain, wat betekent dat alle transacties zowel gemakkelijk traceerbaar als permanent zijn. Als zodanig raden we het gebruik van de meeste cryptocurrency om privacygerelateerde redenen ten zeerste af. + +Anonieme transacties op een openbare blockchain zijn *theoretisch* mogelijk en de Bitcoin wiki [geeft een voorbeeld van een "volledig anonieme" transactie](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). Hiervoor is echter een ingewikkelde configuratie nodig waarbij Tor en "solo-mining" een blok nodig is om volledig onafhankelijke cryptovaluta te genereren een praktijk die al jaren voor bijna geen enkele enthousiasteling praktisch is. + +==Jouw beste optie is om deze cryptocurrencies volledig te vermijden en vast te houden aan een die standaard privacy biedt.== Pogingen om andere cryptocurrency te gebruiken vallen buiten het bereik van deze site en worden sterk afgeraden. + +### Wallet Bewaring + +Bij cryptocurrency zijn er twee vormen van wallets: custodial wallets en noncustodial wallets. Custodial wallets worden beheerd door gecentraliseerde bedrijven/beurzen, waar de privésleutel voor jouw wallet in handen is van dat bedrijf, en je kunt er overal bij met een gewone gebruikersnaam en wachtwoord. Niet-custodiale portemonnees zijn portemonnees waarbij jij de privé-sleutels om toegang te krijgen controleert en beheert. Ervan uitgaande dat je de privésleutels van jouw portemonnee veilig bewaart en er een back-up van maakt, bieden niet-custodial wallets meer veiligheid en weerstand tegen censuur dan custodial wallets, omdat jouw cryptocurrency niet kan worden gestolen of bevroren door een bedrijf dat jouw privésleutels bewaart. Sleutelbewaring is vooral belangrijk als het gaat om privacy-munten: Custodial wallets geven de exploitatiemaatschappij de mogelijkheid om jouw transacties te bekijken, waardoor de privacyvoordelen van die cryptocurrencies teniet worden gedaan. + +### Aankoop + +Het particulier verwerven van [cryptocurrencies](../cryptocurrency.md) zoals Monero kan moeilijk zijn. P2P-marktplaatsen zoals [LocalMonero](https://localmonero.co/), een platform dat handel tussen mensen vergemakkelijkt, zijn een optie die kan worden gebruikt. Als het gebruik van een exchange die KYC vereist een aanvaardbaar risico voor je is zolang latere transacties niet kunnen worden getraceerd, is een veel eenvoudigere optie om Monero te kopen op een exchange zoals [Kraken](https://kraken.com/), of Bitcoin/Litecoin te kopen van een KYC exchange die dan kan worden omgewisseld voor Monero. Vervolgens kun je de aangekochte Monero opnemen in jouw eigen, niet-vrijwillige portemonnee om vanaf dat moment privé te gebruiken. + +Als je voor deze route kiest, zorg er dan voor dat je Monero koopt op andere tijdstippen en in andere hoeveelheden dan waar je het zult uitgeven. Als je $5000 aan Monero koopt op een beurs en een uur later een aankoop van $5000 in Monero doet, kunnen die acties mogelijk gecorreleerd worden door een buitenstaander, ongeacht welke weg de Monero aflegde. Door aankopen te spreiden en vooraf grotere hoeveelheden Monero te kopen om later uit te geven aan meerdere kleinere transacties, kan deze valkuil worden vermeden. + +## Aanvullende overwegingen + +Zorg ervoor dat je privacy in gedachten houdt wanneer je een betaling in persoon doet met contanten. Beveiligingscamera 's zijn alomtegenwoordig. Overweeg het dragen van onopvallende kleding en een gezichtsmasker (zoals een chirurgisch masker of N95). Meld je niet aan voor beloningsprogramma's en geef geen andere informatie over jezelf. + +Bij online aankopem, gebruik dan bij voorkeur [Tor](tor-overview.md). Veel handelaren staan echter geen aankopen bij Tor toe. U kunt overwegen een [aanbevolen VPN](../vpn.md) te gebruiken (betaald met contant geld, cadeaubond, of Monero), of het doen in een koffiewinkel of bibliotheek met gratis wifi. Als je een fysiek voorwerp bestelt dat geleverd moet worden, moet je een afleveradres opgeven. Overweeg een postvak, privépostvak of werkadres te gebruiken. diff --git a/i18n/nl/advanced/tor-overview.md b/i18n/nl/advanced/tor-overview.md new file mode 100644 index 00000000..4a31576e --- /dev/null +++ b/i18n/nl/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overzicht" +icon: 'simple/torproject' +description: Tor is een gratis te gebruiken, gedecentraliseerd netwerk dat is ontworpen om het internet met zoveel mogelijk privacy te gebruiken. +--- + +Tor is een gratis te gebruiken, gedecentraliseerd netwerk dat is ontworpen om het internet met zoveel mogelijk privacy te gebruiken. Bij correct gebruik maakt het netwerk privé en anoniem browsen en communicatie mogelijk. + +## Opbouw van het pad naar Clearnet diensten + +"Clearnet diensten" zijn websites die je met elke browser kunt bezoeken, zoals [privacyguides.org](https://www.privacyguides.org). Met Tor kun je anoniem verbinding maken met deze websites door je verkeer door een netwerk te leiden dat bestaat uit duizenden vrijwillig gerunde servers die nodes (of relays) worden genoemd. + +Telkens wanneer je [verbinding maakt met Tor](../tor.md), zal het drie nodes kiezen om een pad naar het internet te bouwen; dit pad wordt een "circuit" genoemd + +
+ Tor-pad waarop jouw apparaat verbinding maakt met een ingangsknooppunt, middelste knooppunt en uitgangsknooppunt voordat de website van bestemming wordt bereikt](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor-pad waarop jouw apparaat verbinding maakt met een ingangsknooppunt, middelste knooppunt en uitgangsknooppunt voordat de website van bestemming wordt bereikt](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor-circuitroute
+
+ +Elk van deze knooppunten heeft zijn eigen functie: + +### De Entry Node + +De entry node, vaak de guard node genoemd, is het eerste knooppunt waarmee uw Tor-client verbinding maakt. De entry node kan uw IP-adres zien, maar het kan niet zien waarmee u verbinding maakt. + +In tegenstelling tot de andere nodes, zal de Tor client willekeurig een entry node kiezen en deze twee tot drie maanden aanhouden om je te beschermen tegen bepaalde aanvallen.[^1] + +### De Middle Node + +De Middle node is het tweede knooppunt waarmee je Tor client verbinding maakt. Het kan zien van welk knooppunt het verkeer afkomstig is - de entry node - en naar welk knooppunt het vervolgens gaat. De middle node kan jouw IP-adres of het domein waarmee je verbinding maakt niet zien. + +Voor elk nieuw circuit wordt de middle node willekeurig gekozen uit alle beschikbare Tor-knooppunten. + +### De Exit Node + +De exit node is het punt waar je webverkeer het Tor netwerk verlaat en wordt doorgestuurd naar de gewenste bestemming. De exit node kan jouw IP-adres niet zien, maar weet wel met welke site hij verbinding maakt. + +De exit node wordt willekeurig gekozen uit alle beschikbare Tor-knooppunten met een exit-relaisvlag.[^2] + +## Opbouw van het pad naar onion diensten + +"Onion Services" (ook wel "verborgen diensten" genoemd) zijn websites die alleen toegankelijk zijn via de Tor-browser. Deze websites hebben een lange willekeurig gegenereerde domeinnaam die eindigt op `.onion`. + +Verbinden met een Onion Service in Tor werkt ongeveer hetzelfde als verbinden met een clearnet service, maar je verkeer wordt door een totaal van **zes** nodes geleid voordat het de bestemmingsserver bereikt. Net als voorheen dragen echter slechts drie van deze knooppunten bij tot *jouw* anonimiteit, de andere drie knooppunten beschermen *de Onion Service's* anonimiteit, door het ware IP en de locatie van de website te verbergen op dezelfde manier als Tor Browser die van jou verbergt. + +
+ Tor-pad dat ujouw verkeer via uw drie Tor-knooppunten leidt plus drie extra Tor-knooppunten die de identiteit van de website verbergen](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor pad dat jouw verkeer toont dat door uw drie Tor nodes wordt geleid plus drie extra Tor nodes die de identiteit van de website verbergen](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pad met Onion Services. Knooppunten in het blauwe hek behoren tot jouw browser, terwijl knooppunten in het rode hek tot de server behoren, zodat hun identiteit voor jou verborgen blijft.
+
+ +## Encryptie + +Tor versleutelt elk netwerk pakket ( in een blok verzonden gegevens) drie keer met de sleutels van het Exit-, middle- en entry node- in die volgorde. + +Zodra Tor een circuit heeft gebouwd, verloopt de gegevensoverdracht als volgt: + +1. Ten eerste: wanneer het pakket bij het entry node aankomt, wordt de eerste encryptielaag verwijderd. In dit versleutelde pakket vindt de entry een ander versleuteld pakket met het adres van de middle node. De entry node stuurt het pakket dan door naar de middle node. + +2. Ten tweede: wanneer de middle node het pakket van de entr node ontvangt, verwijdert het ook een versleutelingslaag met zijn sleutel, en vindt ditmaal een versleuteld pakket met het adres van de exit node. De middle node stuurt het pakket dan door naar de exit node. + +3. Ten slotte: wanneer de exit node zijn pakket ontvangt, verwijdert het de laatste versleutelingslaag met zijn sleutel. De exit node ziet hierna bestemmingsadres en stuurt het pakket door naar dat adres. + +Hieronder staat een alternatief schema dat het proces weergeeft. Elke node verwijdert zijn eigen versleutelings laag, en wanneer de bestemmings server gegevens terugstuurt, gebeurt hetzelfde proces volledig in omgekeerde richting. Zo weet de exit node niet wie je bent, maar wel van welk knooppunt het afkomstig is, en dus voegt het zijn eigen versleutelings laag toe en stuurt het het terug. + +
+ Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Gegevens verzenden en ontvangen via het Tor Netwerk
+
+ +Met Tor kunnen we verbinding maken met een server zonder dat een enkele partij het hele pad kent. De entry node weet wie je bent, maar niet waar je naartoe gaat; De middle node weet niet wie je bent of waar je naartoe gaat; en de exit node weet waar je naartoe gaat, maar niet wie je bent. Omdat de exit node de uiteindelijke verbinding maakt, zal de bestemmingsserver nooit jouw IP-adres kennen. + +## Opmerkingen + +Hoewel Tor sterke privacygaranties biedt, moet men beseffen dat Tor niet perfect is: + +- Goed gefinancierde tegenstanders met de mogelijkheid om passief het meeste netwerkverkeer over de hele wereld te bekijken, hebben een kans om Tor-gebruikers te deanonimiseren door middel van geavanceerde verkeersanalyse. Tor beschermt je ook niet tegen het per ongeluk blootstellen van jezelf, bijvoorbeeld als je te veel informatie over je echte identiteit deelt. +- Tor exit nodes kunnen ook het verkeer controleren dat via hen verloopt. Dit betekent dat verkeer dat niet versleuteld is, zoals gewoon HTTP-verkeer, kan worden geregistreerd en gecontroleerd. Als dergelijk verkeer persoonlijk identificeerbare informatie bevat, kan het u deanonimiseren tot dat exit-knooppunt. Daarom raden wij aan waar mogelijk HTTPS over Tor te gebruiken. + +Als je Tor wilt gebruiken om op het web te surfen, raden we alleen de **officiële** Tor Browser aan - deze is ontworpen om vingerafdrukken te voorkomen. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Extra bronnen + +- [Tor Browser Gebruikershandleiding](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: De entry node in jouw circuit wordt een "bewaker" of "Guard" genoemd. Het is een snel en stabiel node dat gedurende 2-3 maanden de eerste blijft in jouw circuit, ter bescherming tegen een bekende anonimiteitsdoorbrekende aanval. De rest van je circuit verandert bij elke nieuwe website die je bezoekt, en alles bij elkaar bieden deze relays de volledige privacybescherming van Tor. Voor meer informatie over de werking van guard nodes, zie deze [blogpost](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) en [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) over inloopbeveiliging. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relaysvlag: een speciale (dis-)kwalificatie van relais voor circuitposities (bijvoorbeeld "Guard", "Exit", "BadExit"), circuiteigenschappen (bijvoorbeeld "Fast", "Stable"), of rollen (bijvoorbeeld "Authority", "HSDir"), zoals toegewezen door de directory-autoriteiten en nader gedefinieerd in de specificatie van het directory-protocol. ([https://metrics.torproject.org/glossary.html/](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/nl/android.md b/i18n/nl/android.md new file mode 100644 index 00000000..67d34b9f --- /dev/null +++ b/i18n/nl/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: Je kunt het besturingssysteem op jouw Android-telefoon vervangen door deze veilige en privacy respecterende alternatieven. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Privé Android besturingssystemen + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +Het **Android Open Source Project** is een open-source mobiel besturingssysteem onder leiding van Google dat de meerderheid van de mobiele apparaten van de wereld aandrijft. De meeste telefoons die met Android worden verkocht zijn aangepast om invasieve integraties en apps zoals Google Play Services op te nemen, dus je kunt jouw privacy op jouw mobiele apparaat aanzienlijk verbeteren door de standaardinstallatie van jouw telefoon te vervangen door een versie van Android zonder deze invasieve functies. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentatie} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Broncode" } + +Dit zijn de Android-besturingssystemen, apparaten en apps die wij aanbevelen om de beveiliging en privacy van jouw mobiele apparaat te maximaliseren. aanbeveling + +[Algemeen Android-overzicht en -aanbevelingen :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Waarom we GrapheneOS aanbevelen boven CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP-derivaten + +Wij raden je aan een van deze aangepaste Android-besturingssystemen op jouw toestel te installeren, in volgorde van voorkeur, afhankelijk van de compatibiliteit van jouw toestel met deze besturingssystemen. + +!!! note + + End-of-life apparaten (zoals GrapheneOS of CalyxOS's apparaten met "uitgebreide ondersteuning") beschikken niet over volledige beveiligingspatches (firmware-updates) omdat de OEM de ondersteuning heeft stopgezet. Deze apparaten kunnen niet als volledig veilig worden beschouwd, ongeacht de geïnstalleerde software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is de beste keuze als het gaat om privacy en veiligheid. + + GrapheneOS biedt extra [beveiligingsversteviging](https://en.wikipedia.org/wiki/Hardening_(computing)) en privacyverbeteringen. Het heeft een [geharde geheugentoewijzer](https://github.com/GrapheneOS/hardened_malloc), netwerk- en sensormachtigingen, en diverse andere [beveiligingskenmerken](https://grapheneos.org/features). GrapheneOS wordt ook geleverd met volledige firmware-updates en ondertekende builds, dus geverifieerd opstarten wordt volledig ondersteund. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Broncode" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdragen } + +GrapheneOS ondersteunt [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), die draait [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) volledig sandboxed als elke andere gewone app. Dit betekent dat je kunt profiteren van de meeste Google Play-services, zoals [pushmeldingen](https://firebase.google.com/docs/cloud-messaging/), terwijl je volledige controle hebt over hun machtigingen en toegang, en terwijl je ze bevat in een specifiek [werkprofiel](os/android-overview.md#work-profile) of [gebruikersprofiel](os/android-overview.md#user-profiles) van jouw keuze. + +Google Pixel-telefoons zijn de enige apparaten die momenteel voldoen aan GrapheneOS's [hardware beveiligingseisen](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is een soft-fork van [LineageOS](https://lineageos.org/). + DivestOS erft veel [ondersteunde apparaten](https://divestos.org/index.php?page=devices&base=LineageOS) van LineageOS. Het heeft ondertekende builds, waardoor het mogelijk is om [geverifieerde boot](https://source.android.com/security/verifiedboot) te hebben op sommige niet-Pixel apparaten. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Broncode" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Bijdragen } + +DivestOS heeft geautomatiseerde kernel kwetsbaarheden ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), minder propriëtaire blobs, en een aangepaste [hosts](https://divested.dev/index.php?page=dnsbl) bestand. Zijn geharde WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), maakt [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) mogelijk voor alle architecturen en [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), en ontvangt out-of-band updates. DivestOS bevat ook kernelpatches van GrapheneOS en schakelt alle beschikbare kernelbeveiligingsfuncties in via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). Alle kernels nieuwer dan versie 3.4 bevatten volledige pagina [sanitization](https://lwn.net/Articles/334747/) en alle ~22 Clang-gecompileerde kernels hebben [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) ingeschakeld. + +DivestOS implementeert enkele systeemhardingspatches die oorspronkelijk voor GrapheneOS zijn ontwikkeld. DivestOS 16.0 en hoger implementeert GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) en SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](android/grapheneos-vs-calyxos.md#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), en partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 en hoger bevat GrapheneOS's per-netwerk volledige [MAC randomisatie](https://en.wikipedia.org/wiki/MAC_address#Randomization) optie, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) controle, en automatische reboot/Wi-Fi/Bluetooth [timeout opties](https://grapheneos.org/features). + +DivestOS gebruikt F-Droid als standaard app store. Normaal gesproken raden we aan om F-Droid te vermijden vanwege de vele [beveiligingsproblemen](#f-droid). Op DivestOS is dat echter niet mogelijk; de ontwikkelaars werken hun apps bij via hun eigen F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) en [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). Wij raden aan de officiële F-Droid app uit te schakelen en [Neo Store](https://github.com/NeoApplications/Neo-Store/) te gebruiken met de DivestOS repositories ingeschakeld om die componenten up-to-date te houden. Voor andere apps gelden nog steeds onze aanbevolen methoden om ze te verkrijgen. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) en kwaliteitscontrole varieert tussen de apparaten die het ondersteunt. We raden nog steeds GrapheneOS aan, afhankelijk van de compatibiliteit van uw toestel. Voor andere apparaten is DivestOS een goed alternatief. + + Niet alle ondersteunde apparaten hebben geverifieerde boot, en sommige doen het beter dan andere. + +## Android-apparaten + +Wanneer je een apparaat koopt, raden wij je aan er een zo nieuw als mogelijk te kopen. De software en firmware van mobiele apparaten worden slechts een beperkte tijd ondersteund, dus door nieuw te kopen wordt die levensduur zoveel mogelijk verlengd. + +Vermijd het kopen van telefoons van jouw mobiele provider. Deze hebben vaak een **vergrendelde bootloader** en bieden geen ondersteuning voor [OEM-ontgrendeling](https://source.android.com/devices/bootloader/locking_unlocking). Deze telefoonvarianten voorkomen dat je enige vorm van alternatieve Android-distributie installeert. + +Wees zeer **voorzichtig** met het kopen van tweedehands telefoons van online marktplaatsen. Controleer altijd de reputatie van de verkoper. Als het apparaat is gestolen, is het mogelijk [IMEI geblacklist](https://www.gsma.com/security/resources/imei-blacklisting/) is. Er is ook een risico dat je in verband wordt gebracht met de activiteiten van de vorige eigenaar. + +Nog een paar tips met betrekking tot Android toestellen en compatibiliteit van het besturingssysteem: + +- Koop geen apparaten die het einde van hun levensduur hebben bereikt of bijna hebben bereikt, de fabrikant moet voor extra firmware-updates zorgen. +- Koop geen voorgeladen LineageOS of /e/ OS telefoons of Android telefoons zonder de juiste [Verified Boot](https://source.android.com/security/verifiedboot) ondersteuning en firmware updates. Deze apparaten hebben ook geen manier om te controleren of er mee geknoeid is. +- Kortom, als een toestel of Android-distributie hier niet vermeld staat, is daar waarschijnlijk een goede reden voor. Kijk op ons [forum](https://discuss.privacyguides.net/) voor meer details! + +### Google Pixel + +Google Pixel-telefoons zijn de **enige** toestellen die we aanraden om te kopen. Pixel-telefoons hebben een sterkere hardwarebeveiliging dan alle andere Android-toestellen die momenteel op de markt zijn, dankzij de juiste AVB-ondersteuning voor besturingssystemen van derden en Google's aangepaste [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) -beveiligingschips die functioneren als het Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel**-apparaten staan bekend om hun goede beveiliging en goede ondersteuning van [Verified Boot](https://source.android.com/security/verifiedboot), zelfs bij het installeren van aangepaste besturingssystemen. + + Vanaf de **Pixel 6** en **6 Pro** krijgen Pixel-apparaten minimaal 5 jaar lang gegarandeerde beveiligingsupdates, wat een veel langere levensduur garandeert dan de 2-4 jaar die concurrerende OEM's doorgaans bieden. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements zoals de Titan M2 zijn beperkter dan de Trusted Execution Environment van de processor die door de meeste andere telefoons gebruikt wordt, omdat ze alleen gebruikt worden voor geheimen opslag, hardware attestatie, en snelheidsbeperking van het invoeren van wachtwoorden, niet voor het draaien van "vertrouwde" programma's. Telefoons zonder een Secure Element moeten de TEE gebruiken voor *alle* van deze functies. Dat leidt tot een groter aanvalsoppervlak. + +Google Pixel-telefoons gebruiken een TEE OS genaamd Trusty dat [open-source](https://source.android.com/security/trusty#whyTrusty) is, in tegenstelling tot veel andere telefoons. + +De installatie van GrapheneOS op een Pixel telefoon is eenvoudig met hun [web installer](https://grapheneos.org/install/web). Als je zich niet op jouw gemak voelt om het zelf te doen en bereid bent om een beetje extra geld uit te geven, kijk dan eens naar de [NitroPhone](https://shop.nitrokey.com/shop). Deze zijn voorgeladen met GrapheneOS van het gerenommeerde bedrijf [Nitrokey](https://www.nitrokey.com/about). + +Nog een paar tips voor de aanschaf van een Google Pixel: + +- Als je op zoek bent naar een koopje voor een Pixel-toestel, raden wij je aan een "**a**"-model te kopen, net nadat het volgende vlaggenschip is uitgebracht. Kortingen zijn meestal beschikbaar omdat Google zal proberen om hun voorraad op te ruimen. +- Overweeg de mogelijkheden om de prijzen te verlagen en de speciale aanbiedingen van de fysieke winkels. +- Kijk naar online naar de koopjes sites in jouw land. Deze kunnen je waarschuwen voor goede uitverkopen. +- Google geeft een lijst met de [ondersteuningscyclus](https://support.google.com/nexus/answer/4457705) voor elk van hun toestellen. De prijs per dag voor een apparaat kan worden berekend als: $\text{Kosten} \over \text {Datum einde levensduur}-\text{Huidige datum}$, wat betekent dat hoe langer het apparaat wordt gebruikt, hoe lager de kosten per dag zijn. + +## Algemene toepassingen + +Wij bevelen op deze site een groot aantal Android-apps aan. De hier vermelde apps zijn exclusief voor Android en verbeteren of vervangen specifiek belangrijke systeemfuncties. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is een app waarmee je gebruik kunt maken van de functie Werkprofiel van Android om apps op uw apparaat te isoleren of te dupliceren. + + Shelter ondersteunt het blokkeren van het zoeken naar contacten tussen profielen en het delen van bestanden tussen profielen via de standaard bestandsbeheerder ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter wordt aanbevolen boven [Insular](https://secure-system.gitlab.io/Insular/) en [Island](https://github.com/oasisfeng/island) omdat het [blokkeren van contact zoeken](https://secure-system.gitlab.io/Insular/faq.html) ondersteunt. + + Wanneer je Shelter gebruikt, stelt je jouw volledige vertrouwen in de ontwikkelaar, aangezien Shelter optreedt als [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) voor het werkprofiel en uitgebreide toegang heeft tot de gegevens die erin zijn opgeslagen. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is een app die hardwarebeveiligingsfuncties gebruikt om de integriteit van het apparaat te bewaken voor [ondersteunde apparaten](https://attestation.app/about#device-support). Momenteel werkt het alleen met GrapheneOS en het standaard besturingssysteem van het toestel. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentatie} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Broncode" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor voert attest en inbraakdetectie uit door: + +- Door gebruik te maken van een [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model tussen een *auditor* en *audittee*, stelt het paar een private sleutel op in de [hardwaregebaseerde sleutelbewaarplaats](https://source.android.com/security/keystore/) van de *auditor*. +- De *auditor* kan een ander exemplaar van de Auditor app zijn of de [Remote Attestation Service](https://attestation.app). +- De *auditor* registreert de huidige toestand en configuratie van de *auditee*. +- Mocht er met het besturingssysteem van de *auditee worden geknoeid* nadat de koppeling is voltooid, dan zal de auditor op de hoogte zijn van de verandering in de toestand en de configuraties van het apparaat. +- Je zult op de hoogte worden gebracht van de wijziging. + +Er wordt geen persoonlijk identificeerbare informatie aan de attestatiedienst verstrekt. Wij raden je aan je aan te melden met een anonieme account en attestatie op afstand in te schakelen voor voortdurende controle. + +Als jouw [bedreigingsmodel](basics/threat-modeling.md) privacy vereist, kunt je overwegen [Orbot](tor.md#orbot) of een VPN te gebruiken om jouw IP-adres voor de attestatiedienst te verbergen. Om er zeker van te zijn dat jouw hardware en besturingssysteem echt zijn, voert [onmiddellijk na de installatie van het apparaat en vóór elke internetverbinding een lokale attestatie uit:](https://grapheneos.org/install/web#verifying-installation). + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is een camera-app gericht op privacy en veiligheid die afbeeldingen, video's en QR-codes kan vastleggen. De uitbreidingen van CameraX (Portret, HDR, Nachtzicht, Gezichtsretouche en Auto) worden ook ondersteund op beschikbare toestellen. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Broncode" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +De belangrijkste privacyfuncties zijn: + +- Automatisch verwijderen van [Exif](https://en.wikipedia.org/wiki/Exif) metadata (standaard ingeschakeld) +- Gebruik van de nieuwe [Media](https://developer.android.com/training/data-storage/shared/media) API, daarom zijn [opslagmachtigingen](https://developer.android.com/training/data-storage) niet vereist +- Microfoontoestemming niet vereist, tenzij je geluid wilt opnemen + +!!! note + + Metadata worden momenteel niet verwijderd uit videobestanden, maar dat is wel de bedoeling. + + De metadata over de beeldoriëntatie worden niet gewist. Als je gps locatie inschakelt (in Secure camera), wordt deze **niet** verwijderd. Als je dat later wilt verwijderen moet je een externe app gebruiken zoals [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is een PDF-viewer gebaseerd op [pdf.js](https://en.wikipedia.org/wiki/PDF.js) die geen rechten vereist. De PDF wordt ingevoerd in een [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_ontwikkeling)) [webview](https://developer.android.com/guide/webapps/webview). Dit betekent dat er niet direct toestemming nodig is om toegang te krijgen tot inhoud of bestanden. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) wordt gebruikt om af te dwingen dat de JavaScript en styling eigenschappen binnen het WebView volledig statische inhoud zijn. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Het verkrijgen van Applicaties + +### GrapheneOS App Store + +De app store van GrapheneOS is beschikbaar op [GitHub](https://github. com/GrapheneOS/Apps/releases). Het ondersteunt Android 12 en hoger en is in staat om zichzelf te updaten. De app store heeft losstaande applicaties gebouwd door het GrapheneOS project, zoals de [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), en [PDF-viewer](https://github.com/GrapheneOS/PdfViewer). Als je op zoek bent naar deze applicaties, raden wij je ten zeerste aan ze te halen uit de app-winkel van GrapheneOS in plaats van de Play Store, omdat de apps in hun winkel zijn ondertekend door de eigen handtekening van het GrapheneOS-project waar Google geen toegang toe heeft. + +### Aurora Store + +De Google Play Store vereist een Google-account om in te loggen, wat de privacy niet ten goede komt. Je kunt dit omzeilen door een alternatieve client te gebruiken, zoals Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is een Google Play Store-client waarvoor geen Google-account, Google Play Services of microG nodig is om apps te downloaden. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Met de Aurora Store kun je geen betaalde apps downloaden met hun anonieme accountfunctie. Je kunt optioneel inloggen met jouw Google-account bij de Aurora Store om apps te downloaden die je hebt gekocht, waardoor Google toegang krijgt tot de lijst van apps die je hebt geïnstalleerd, maar je profiteert nog steeds van het feit dat je niet de volledige Google Play-client en Google Play Services of microG op jouw toestel nodig hebt. + +### Handmatig met RSS-meldingen + +Voor apps die worden uitgebracht op platforms als GitHub en GitLab, kun je misschien een RSS-feed toevoegen aan je [nieuwsaggregator](/news-aggregators) waarmee je nieuwe releases kunt volgen. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +Op GitHub, met [Secure Camera](#secure-camera) als voorbeeld, zou je navigeren naar de [release pagina](https://github.com/GrapheneOS/Camera/releases) en `.atom` toevoegen aan de URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### Gitlab + +Op GitLab, met [Aurora Store](#aurora-store) als voorbeeld, zou je naar zijn [project repository](https://gitlab.com/AuroraOSS/AuroraStore) navigeren en `/-/tags?format=atom` aan de URL toevoegen: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifiëren van APK vingerafdrukken + +Als u APK-bestanden downloadt om handmatig te installeren, kunt je hun handtekening verifiëren met de tool [`apksigner`](https://developer.android.com/studio/command-line/apksigner), die deel uitmaakt van Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Installeer [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download de [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Pak het gedownloade archief uit: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Voer het handtekening verificatie commando uit: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. De resulterende hashes kunnen dan worden vergeleken met een andere bron. Sommige ontwikkelaars zoals Signal [tonen de vingerafdrukken](https://signal.org/android/apk/) op hun website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We raden **momenteel niet** F-Droid aan als een manier om apps te verkrijgen.== F-Droid wordt vaak aanbevolen als alternatief voor Google Play, vooral in de privacygemeenschap. De optie om repositories van derden toe te voegen en niet beperkt te zijn tot het ecosysteem van Google heeft geleid tot de populariteit. F-Droid heeft bovendien [reproduceerbare builds](https://f-droid.org/en/docs/Reproducible_Builds/) voor sommige toepassingen en zet zich in voor vrije en open-source software. Er zijn echter [opmerkelijke problemen](https://privsec.dev/posts/android/f-droid-security-issues/) met de officiële F-Droid-client, hun kwaliteitscontrole en hoe ze pakketten bouwen, ondertekenen en leveren. + +Vanwege hun proces van het bouwen van apps lopen apps in de officiële F-Droid-repository vaak achter op updates. F-Droid maintainers hergebruiken ook pakket-ID's tijdens het ondertekenen van apps met hun eigen sleutels, wat niet ideaal is omdat het F-Droid team dan het ultieme vertrouwen krijgt. + +Andere populaire repositories van derden zoals [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) verlichten enkele van deze zorgen. De IzzyOnDroid repository haalt builds rechtstreeks van GitHub en is het op één na beste optie naast het direct downloaden vanaf de eigen repositories van de ontwikkelaars. Het is echter niet iets dat we kunnen aanbevelen, aangezien apps meestal [worden verwijderd](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) van die respository wanneer ze in de hoofdrepository van F-Droid terechtkomen. Hoewel dat logisch is (omdat het doel van die specifieke repository is om apps te hosten voordat ze worden geaccepteerd in de belangrijkste F-Droid-repository), kan het je achterlaten met geïnstalleerde apps die niet langer updates ontvangen. + +Dat gezegd zijnde, de [F-Droid](https://f-droid.org/en/packages/) en [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories zijn de thuisbasis van talloze apps, dus ze kunnen een nuttig hulpmiddel zijn om open-source apps te zoeken en te ontdekken die je vervolgens kunt downloaden via Play Store, Aurora Store, of door het verkrijgen van de APK rechtstreeks van de ontwikkelaar. Het is belangrijk om in gedachten te houden dat sommige apps in deze repositories al jaren niet zijn bijgewerkt en mogelijk afhankelijk zijn van niet-ondersteunde bibliotheken, onder andere, die een potentieel beveiligingsrisico vormen. Je moet jouw beste oordeel gebruiken bij het zoeken naar nieuwe apps via deze methode. + +!!! note + + In sommige zeldzame gevallen verspreidt de ontwikkelaar van een app deze alleen via F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is hier een voorbeeld van). Als je echt zo'n app nodig hebt, raden we je aan de [Neo Store](https://github.com/NeoApplications/Neo-Store/) te gebruiken in plaats van de officiële F-Droid app om hem te verkrijgen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Besturingssystemen + +- Moet open-source software zijn. +- Moet bootloadervergrendeling met aangepaste AVB-sleutel ondersteunen. +- Moet belangrijke Android-updates ontvangen binnen 0-1 maanden na de release. +- Moet binnen 0-14 dagen na release Android feature updates (minor versie) ontvangen. +- Moet regelmatige beveiligingspatches ontvangen binnen 0-5 dagen na vrijgave. +- Moet **niet** standaard "geroot" zijn uit de doos. +- Moet **niet** standaard Google Play Services inschakelen. +- Moet **niet** systeemaanpassing vereisen om Google Play Services te ondersteunen. + +### Apparaten + +- Moet ten minste één van onze aanbevolen aangepaste besturingssystemen ondersteunen. +- Moet momenteel nieuw in de winkel worden verkocht. +- Moet minimaal 5 jaar beveiligingsupdates ontvangen. +- Moet beschikken over speciale hardware voor secure elements. + +### Applicaties + +- Toepassingen op deze pagina mogen niet van toepassing zijn op andere softwarecategorieën op de site. +- Algemene toepassingen moeten de kernfunctionaliteit van het systeem uitbreiden of vervangen. +- Toepassingen moeten regelmatig worden bijgewerkt en onderhouden. diff --git a/i18n/nl/assets/img/account-deletion/exposed_passwords.png b/i18n/nl/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/nl/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/nl/assets/img/android/rss-apk-dark.png b/i18n/nl/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/nl/assets/img/android/rss-apk-light.png b/i18n/nl/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-apk-light.png differ diff --git a/i18n/nl/assets/img/android/rss-changes-dark.png b/i18n/nl/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/nl/assets/img/android/rss-changes-light.png b/i18n/nl/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/nl/assets/img/android/rss-changes-light.png differ diff --git a/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..26731ca9 --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + apparaat + + + + Gegevens verzenden naar een website + + + + + Gegevens ontvangen van een website + + + + + Jouw + + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-encryption.svg b/i18n/nl/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..ab2c4b1e --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + apparaat + + + + Gegevens verzenden naar een website + + + + + Gegevens ontvangen van een website + + + + + Jouw + + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg b/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..782897a2 --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d017da25 --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + + Apparaat + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..fd69a23a --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + + + Apparaat + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/how-tor-works/tor-path.svg b/i18n/nl/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..200c9a5d --- /dev/null +++ b/i18n/nl/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Jouw + apparaat + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/nl/assets/img/multi-factor-authentication/fido.png b/i18n/nl/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/nl/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/nl/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/nl/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/nl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/nl/basics/account-creation.md b/i18n/nl/basics/account-creation.md new file mode 100644 index 00000000..e609c988 --- /dev/null +++ b/i18n/nl/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Het aanmaken van accounts" +icon: 'material/account-plus' +description: Online accounts aanmaken is bijna een internetbehoefte, neem deze stappen om ervoor te zorgen dat je privé blijft. +--- + +Vaak melden mensen zich aan voor diensten zonder na te denken. Misschien is het een streamingdienst zodat je die nieuwe show kunt bekijken waar iedereen het over heeft, of een account waarmee je korting krijgt op uw favoriete fastfood zaak. Wat het geval ook is, je moet nu en later rekening houden met de implicaties voor jouw gegevens. + +Aan elke nieuwe dienst die je gebruikt, zijn risico's verbonden. Datalekken; onthulling van klanteninformatie aan derden; malafide werknemers die toegang krijgen tot gegevens; het zijn allemaal mogelijkheden die moeten worden overwogen wanneer je jouw informatie verstrekt. Je moet er zeker van zijn dat je de service kunt vertrouwen, daarom raden we niet aan om waardevolle gegevens op te slaan over iets anders dan de meest volwassen en stressgeteste producten. Dat betekent meestal diensten die end-to-end encryptie leveren en een cryptografische audit hebben ondergaan. Een audit vergroot de zekerheid dat het product is ontworpen zonder opvallende beveiligingsproblemen die zijn veroorzaakt door een onervaren ontwikkelaar. + +Bij sommige diensten kan het ook moeilijk zijn om de accounts te verwijderen. Soms kan [gegevens overschrijven](account-deletion.md#overwriting-account-information) die aan een account zijn gekoppeld, maar in andere gevallen bewaart de dienst een hele geschiedenis van wijzigingen in de account. + +## Servicevoorwaarden en Privacybeleid + +De ToS zijn de regels waarmee je akkoord gaat wanneer je de dienst gebruikt. Bij grotere diensten worden deze regels vaak afgedwongen door geautomatiseerde systemen. Soms kunnen deze geautomatiseerde systemen fouten maken. Je kunt bijvoorbeeld bij sommige diensten worden verbannen of uitgesloten van jouw account omdat je een VPN- of VOIP-nummer gebruikt. Een beroep doen op een dergelijke verbanning is vaak moeilijk en omvat ook een geautomatiseerd proces, wat niet altijd succesvol is. Dit is een van de redenen waarom wij bijvoorbeeld niet aanraden Gmail als e-mail te gebruiken. E-mail is cruciaal voor de toegang tot andere diensten waarvoor je zich misschien hebt aangemeld. + +Het privacybeleid is hoe de service zegt dat ze jouw gegevens zullen gebruiken en het is de moeite waard om te lezen, zodat je begrijpt hoe jouw gegevens zullen worden gebruikt. Een bedrijf of organisatie is mogelijk niet wettelijk verplicht om alles wat in het beleid staat te volgen (het hangt af van de jurisdictie). We raden je aan om een idee te hebben van wat je lokale wetten zijn en wat ze een provider toestaan om te verzamelen. + +Wij raden je aan te zoeken naar bepaalde termen zoals "gegevensverzameling", "gegevensanalyse", "cookies", "advertenties" of "diensten van derden". Soms kunt je je afmelden voor het verzamelen van gegevens of voor het delen van jouw gegevens, maar het is het beste om een dienst te kiezen die jouw privacy vanaf het begin respecteert. + +Vergeet niet dat je ook jouw vertrouwen stelt in het bedrijf of de organisatie en dat zij hun eigen privacybeleid zullen naleven. + +## Authenticatie methodes + +Er zijn meestal meerdere manieren om een account aan te maken, elk met hun eigen voor- en nadelen. + +### E-mailadres en wachtwoord + +De meest gebruikelijke manier om een nieuwe account aan te maken is met een e-mailadres en wachtwoord. Wanneer je deze methode gebruikt, moet je een wachtwoord manager gebruiken en de best practices [volgen](passwords-overview.md) met betrekking tot wachtwoorden. + +!!! tip + + Je kunt jouw wachtwoord manager ook gebruiken om andere verificatiemethoden te organiseren! Voeg gewoon het nieuwe item toe en vul de juiste velden in, u kunt notities toevoegen voor zaken als beveiligingsvragen of een back-up sleutel. + +Je bent verantwoordelijk voor het beheer van jouw inloggegevens. Voor extra beveiliging kunt je [MFA](multi-factor-authentication.md) instellen op jouw accounts. + +[Lijst van aanbevolen wachtwoordbeheerders](../passwords.md ""){.md-button} + +#### E-mail aliassen + +Als je jouw echte e-mailadres niet aan een dienst wilt geven, kunt je een alias gebruiken. We hebben deze in meer detail beschreven op onze pagina met aanbevelingen voor e-maildiensten. Met alias diensten kunt je nieuwe e-mailadressen aanmaken die alle e-mails doorsturen naar jouw hoofdadres. Dit kan helpen bij het voorkomen van tracking tussen services en je helpen bij het beheren van de marketing-e-mails die soms bij het aanmeldingsproces worden geleverd. Die kunnen automatisch worden gefilterd op basis van de alias waarnaar ze worden gestuurd. + +Als een dienst wordt gehackt, kunt je phishing- of spam-e-mails ontvangen op het adres waarmee je je hebt aangemeld. Het gebruik van unieke aliassen voor elke service kan helpen bij het identificeren van precies welke service is gehackt. + +[Aanbevolen diensten voor e-mailaliasing](../email.md#email-aliasing-services ""){.md-button} + +### Eenmalige aanmelding + +!!! note + + We bespreken Single sign-on voor persoonlijk gebruik, niet voor zakelijke gebruikers. + +Single sign-on (SSO) is een authenticatiemethode waarmee je zich kunt registreren voor een dienst zonder veel informatie te delen, als die er al is. Wanneer je iets ziet in de trant van "Aanmelden met *providernaam*" op een registratieformulier, dan is dat SSO. + +Wanneer je kiest voor eenmalige aanmelding op een website, wordt jouw aanmeldingspagina van de SSO-provider gevraagd en wordt jouw account vervolgens verbonden. Jouw wachtwoord wordt niet gedeeld, maar sommige basisinformatie wel (je kunt deze bekijken tijdens het inlogverzoek). Dit proces is nodig elke keer dat je wilt inloggen op hetzelfde account. + +De belangrijkste voordelen zijn: + +- **Beveiliging**: geen risico om betrokken te raken bij een [datalek](https://en.wikipedia.org/wiki/Data_breach) omdat de website uw inlog gegevens niet opslaat. +- **Gebruiksgemak**: meerdere accounts worden beheerd door één enkele login. + +Maar er zijn ook nadelen: + +- **Privacy**: een SSO-provider weet welke diensten je gebruikt. +- **Centralisatie**: als uw SSO-account wordt gecompromitteerd of als je niet kunt inloggen, worden alle andere accounts die ermee verbonden zijn, getroffen. + +SSO kan vooral nuttig zijn in situaties waarin je zou kunnen profiteren van een diepere integratie tussen services. Een van die diensten kan bijvoorbeeld SSO aanbieden voor de andere. Onze aanbeveling is om SSO te beperken tot alleen waar je het nodig hebt en de hoofdaccount te beschermen met [MFA](multi-factor-authentication.md). + +Alle diensten die SSO gebruiken zijn even veilig als jouw SSO-account. Als je bijvoorbeeld een account wilt beveiligen met een hardwaresleutel, maar die dienst ondersteunt geen hardwaresleutels, dan kunt je jouw SSO-account beveiligen met een hardwaresleutel en nu hebt je in wezen hardware-MFA op al jouw accounts. Het is echter vermeldenswaard dat zwakke authenticatie op jouw SSO-account betekent dat elk account dat aan die login is gekoppeld, ook zwak zal zijn. + +### Telefoonnummer + +We raden je aan services te vermijden waarvoor een telefoonnummer nodig is om je aan te melden. Een telefoonnummer kan je identificeren in meerdere services en afhankelijk van overeenkomsten voor het delen van gegevens zal dit jouw gemakkelijker te volgen maken, vooral als een van die services wordt geschonden, omdat het telefoonnummer vaak **niet** versleuteld is. + +Vermijd het geven van jouw echte telefoonnummer als je kunt. Sommige diensten staan het gebruik van VOIP-nummers toe, maar deze alarmeren vaak fraudedetectiesystemen, waardoor een rekening wordt geblokkeerd. + +In veel gevallen moet je een nummer opgeven waarvan je smsjes of telefoontjes kunt ontvangen, vooral wanneer je internationaal winkelt, voor het geval er een probleem is met jouw bestelling bij de grenscontrole. Het is gebruikelijk dat services je nummer gebruiken als verificatiemethode; laat je niet buitensluiten van een belangrijk account omdat je slim wilt zijn en een nepnummer wilt geven! + +### Gebruikersnaam en wachtwoord + +Bij sommige diensten kunt je je zonder e-mailadres registreren en hoeft je alleen een gebruikersnaam en wachtwoord in te stellen. Deze diensten kunnen meer anonimiteit bieden in combinatie met een VPN of Tor. Houd er rekening mee dat er voor deze accounts hoogstwaarschijnlijk **geen manier is om jouw account** te herstellen als je jouw gebruikersnaam of wachtwoord vergeet. diff --git a/i18n/nl/basics/account-deletion.md b/i18n/nl/basics/account-deletion.md new file mode 100644 index 00000000..966cbc7e --- /dev/null +++ b/i18n/nl/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account verwijderen" +icon: 'material/account-remove' +description: Het is gemakkelijk om een groot aantal internetaccounts op te bouwen, hier zijn enkele tips over hoe je jouw verzameling kunt snoeien. +--- + +Na verloop van tijd kan het gemakkelijk zijn om een aantal online accounts te verzamelen, waarvan je er vele misschien niet meer gebruikt. Het verwijderen van deze ongebruikte accounts is een belangrijke stap in het terugwinnen van jouw privacy, aangezien slapende accounts kwetsbaar zijn voor gegevensinbreuken. Van een datalek is sprake wanneer de beveiliging van een dienst wordt gecompromitteerd en beschermde informatie door onbevoegden wordt ingezien, doorgegeven of gestolen. Inbreuken op gegevens zijn tegenwoordig helaas al [te gewoon](https://haveibeenpwned.com/PwnedWebsites), en dus is een goede digitale hygiëne de beste manier om de impact ervan op jouw leven te minimaliseren. Het doel van deze gids is je door het vervelende proces van accountverwijdering te loodsen, vaak bemoeilijkt door [bedrieglijk ontwerp](https://www.deceptive.design/), ten voordele van uw online aanwezigheid. + +## Oude accounts vinden + +### Wachtwoord Manager + +Als u een wachtwoord manager hebt die je al jouw hele digitale leven gebruikt, is dit deel heel eenvoudig. Vaak hebben ze ingebouwde functionaliteit om te detecteren of jouw gegevens zijn blootgesteld bij een datalek, zoals het [Data Breach Report van Bitwarden](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden 's Data Breach Report-functie](../assets/img/account-deletion/exposed_passwords.png) +
+ +Zelfs als je nog nooit expliciet een wachtwoordmanager hebt gebruikt, is de kans groot dat je er een in jouw browser of op jouw telefoon hebt gebruikt zonder het te beseffen. Bijvoorbeeld: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) en [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktopplatforms hebben vaak ook een wachtwoordmanager waarmee je vergeten wachtwoorden kunt terugvinden: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Wachtwoorden](https://support.apple.com/en-us/HT211145) +- iOS [Wachtwoorden](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, die toegankelijk is via [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) of [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +Als je in het verleden geen wachtwoord manager hebt gebruikt of je denkt dat je accounts hebt die nooit aan jouw wachtwoord manager zijn toegevoegd, is een andere optie om de e-mailaccount(s) te doorzoeken waarop je zich volgens je hebt aangemeld. Zoek in jouw e-mailprogramma op trefwoorden als "verifiëren" of "welkom" Bijna elke keer dat je een online account aanmaakt, zal de dienst een verificatielink of een inleidend bericht naar jouw e-mail sturen. Dit kan een goede manier zijn om oude, vergeten accounts te vinden. + +## Oude accounts verwijderen + +### Inloggen + +Om je oude accounts te verwijderen, moet je er eerst voor zorgen dat je er op in kunt loggen. Nogmaals, als de account in jouw wachtwoordmanager stond, is deze stap eenvoudig. Zo niet, dan kunt je proberen jouw wachtwoord te raden. Als dat niet lukt, zijn er meestal opties om weer toegang te krijgen tot jouw account, meestal beschikbaar via een link "wachtwoord vergeten" op de inlogpagina. Het kan ook zijn dat accounts die je hebt opgegeven al zijn verwijderd - soms verwijderen diensten alle oude accounts. + +Als de site een foutmelding geeft dat het e-mailadres niet gekoppeld is aan een account, of als je na meerdere pogingen nooit een reset-link ontvangt, dan hebt je geen account onder dat e-mailadres en moet je een ander e-mailadres proberen. Als je niet kunt achterhalen welk e-mailadres je hebt gebruikt, of als je geen toegang meer hebt tot dat e-mailadres, kunt je proberen contact op te nemen met de klantenondersteuning van de dienst. Helaas is er geen garantie dat je de toegang tot jouw account kunt terugkrijgen. + +### GDPR (alleen inwoners van de EER) + +Inwoners van de EER hebben aanvullende rechten met betrekking tot het wissen van gegevens, zoals gespecificeerd in [artikel 17](https://www.gdpr.org/regulation/article-17.html) van de GDPR. Als het op je van toepassing is, lees dan het privacybeleid voor een bepaalde dienst om informatie te vinden over hoe je jouw recht op wissing kunt uitoefenen. Het lezen van het privacybeleid kan belangrijk blijken, want sommige diensten hebben een optie "Account verwijderen" die alleen jouw account uitschakelt en voor echte verwijdering moet je extra actie ondernemen. Soms kan het daadwerkelijk wissen inhouden dat je een enquête invult, een e-mail stuurt naar de functionaris voor gegevensbescherming van de dienst of zelfs bewijst dat je in de EER woont. Als je van plan bent deze weg te gaan, overschrijf dan de accountgegevens van **niet** - jouw identiteit als inwoner van de EER kan vereist zijn. Merk op dat de locatie van de dienst er niet toe doet; GDPR is van toepassing op iedereen die Europese gebruikers bedient. Indien de dienst jouw recht op wissing niet respecteert, kunt je contact opnemen met jouw nationale [gegevensbeschermingsautoriteit](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) en kunt je recht hebben op een geldelijke vergoeding. + +### Overschrijven van account informatie + +In sommige situaties waarin je van plan bent een account op te heffen, kan het zinvol zijn de accountinformatie te overschrijven met valse gegevens. Zodra je zeker weet dat je kunt inloggen, wijzig je alle gegevens in je account in vervalste gegevens. De reden hiervoor is dat veel sites informatie bewaren die je eerder had, zelfs na het verwijderen van jouw account. De hoop is dat zij de vorige informatie zullen overschrijven met de nieuwste gegevens die je hebt ingevoerd. Er is echter geen garantie dat er geen back-ups zullen zijn met de vroegere informatie. + +Voor de e-mail van de account maakt je een nieuwe alternatieve e-mailaccount aan via de provider van jouw keuze of maakt je een alias aan met behulp van een [e-mail aliasing service](/email/#email-aliasing-services). Je kunt dan jouw alternatieve e-mailadres verwijderen zodra je klaar bent. Wij raden het gebruik van tijdelijke e-mailproviders af, omdat het vaak onmogelijk is tijdelijke e-mails weer te activeren. + +### Verwijderen + +Je kunt kijken op [JustDeleteMe](https://justdeleteme.xyz) voor instructies over het verwijderen van de account voor een specifieke dienst. Sommige sites hebben vriendelijk een "Delete Account" optie, terwijl andere zo ver gaan dat ze je dwingen met een support medewerker te spreken. Het verwijderingsproces kan van site tot site verschillen, en op sommige sites is het onmogelijk een account te verwijderen. + +Voor diensten die het wissen van een account niet toestaan, kunt je het beste al jouw informatie vervalsen zoals eerder vermeld en de beveiliging van jouw account versterken. Schakel daartoe [MFA](multi-factor-authentication.md) en alle extra aangeboden beveiligingsfuncties in. Verander ook het wachtwoord in een willekeurig gegenereerd wachtwoord dat de maximaal toegestane grootte heeft (een [password manager](/passwords/#local-password-managers) kan hier handig voor zijn). + +Als je tevreden bent dat alle informatie waar je om geeft verwijderd is, kunt je deze account gerust vergeten. Zo niet, dan is het misschien een goed idee om de gegevens bij jouw andere wachtwoorden te bewaren en af en toe opnieuw in te loggen om het wachtwoord te resetten. + +Zelfs wanneer je een account kunt verwijderen, is er geen garantie dat al jouw informatie zal worden verwijderd. Sommige ondernemingen zijn zelfs wettelijk verplicht bepaalde informatie te bewaren, met name wanneer deze verband houdt met financiële transacties. Je hebt meestal geen controle over wat er met jouw gegevens gebeurt als het gaat om websites en clouddiensten. + +## Vermijd nieuwe accounts + +Zoals het oude gezegde luidt: "Voorkomen is beter dan genezen." Telkens wanneer je in de verleiding komt om een nieuwe account aan te maken, vraag jezelf dan af: "Heb ik dit echt nodig? Kan ik doen wat ik moet doen zonder een account?" Het kan vaak veel moeilijker zijn om een account te verwijderen dan om er een aan te maken. En zelfs na het verwijderen of wijzigen van de info op jouw account, kan er een cache-versie van een derde partij zijn, zoals het [Internet Archive](https://archive.org/). Vermijd de verleiding als je kunt. Je toekomstige ik zal je dankbaar zijn! diff --git a/i18n/nl/basics/common-misconceptions.md b/i18n/nl/basics/common-misconceptions.md new file mode 100644 index 00000000..109d7f17 --- /dev/null +++ b/i18n/nl/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Veel voorkomende misvattingen" +icon: 'material/robot-confused' +description: Privacy is geen eenvoudig onderwerp, en men raakt gemakkelijk verstrikt in marketingclaims en andere desinformatie. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherent veilig? + acceptedAnswer: + "@type": Answer + text: | + Of de broncode beschikbaar is en hoe software is gelicentieerd, heeft op geen enkele manier invloed op de veiligheid ervan. Open-source software kan veiliger zijn dan private software, maar er is geen enkele garantie dat dit het geval is. Wanneer je software evalueert, moet je op individuele basis kijken naar de reputatie en beveiliging van elk hulpmiddel. + - + "@type": Question + name: Kan vertrouwen verschuiven naar een andere provider je privacy verbeteren? + acceptedAnswer: + "@type": Answer + text: | + We hebben het vaak over "verschuivend vertrouwen" bij het bespreken van oplossingen zoals VPN's (die het vertrouwen dat je in jouw ISP stelt verschuiven naar de VPN-aanbieder). Hiermee worden jouw internetgegevens speciaal door je internetprovider beschermd. de VPN-provider die je kiest heeft nog steeds toegang totjouw browsergegevens: jouw gegevens zijn niet volledig beveiligd voor alle partijen. + - + "@type": Question + name: Zijn privacygerichte oplossingen inherent betrouwbaar? + acceptedAnswer: + "@type": Answer + text: | + Als je je zich uitsluitend richt op het privacybeleid en de marketing van een tool of provider, kunt je je blindstaren op de zwakke punten ervan. Wanneer je op zoek bent naar een meer private oplossing, moet je bepalen wat het onderliggende probleem is en technische oplossingen voor dat probleem vinden. Je kunt bijvoorbeeld Google Drive vermijden, dat Google toegang geeft tot al Jouw gegevens. Het onderliggende probleem in dit geval is een gebrek aan E2EE, dus je moet ervoor zorgen dat de provider waarnaar je overstapt daadwerkelijk E2EE implementeert, of een tool gebruiken (zoals Cryptomator) die E2EE biedt op elke cloud provider. Overstappen naar een "privacygerichte" provider (die geen end-to-end encryptie implementeert) lost je probleem niet op: het verschuift alleen het vertrouwen van Google naar die provider. + - + "@type": Question + name: Hoe ingewikkeld zou mijn bedreigingsmodel moeten zijn? + acceptedAnswer: + "@type": Answer + text: | + We zien vaak dat mensen overdreven ingewikkelde dreigingsmodellen voor privacybedreigingen beschrijven. Vaak omvatten deze oplossingen problemen zoals veel verschillende e-mailaccounts of ingewikkelde opstellingen met veel bewegende delen en voorwaarden. De antwoorden zijn meestal antwoorden op "Wat is de beste manier om X te doen?" + Het vinden van de "beste" oplossing voor jezelf betekent niet noodzakelijk dat je op zoek bent naar een onfeilbare oplossing met tientallen voorwaarden - deze oplossingen zijn vaak moeilijk om realistisch mee te werken. Zoals we eerder hebben besproken, gaat veiligheid vaak ten koste van gemak. +--- + +## "Open source software is altijd veilig" of "Private software is veiliger" + +Deze mythes komen voort uit een aantal vooroordelen, maar of de broncode beschikbaar is en hoe software in licentie wordt gegeven, heeft op geen enkele manier invloed op de beveiliging ervan. ==Open-source software heeft de *potentieel* om veiliger te zijn dan propriëtaire software, maar er is absoluut geen garantie dat dit het geval is.== Wanneer je software evalueert, moet je op individuele basis naar de reputatie en beveiliging van elke tool kijken. + +Open-source software *kan* worden gecontroleerd door derden, en is vaak transparanter over mogelijke kwetsbaarheden dan propriëtaire tegenhangers. Ze kunnen ook flexibeler zijn, zodat je in de code kunt duiken en alle verdachte functionaliteit kunt uitschakelen die je zelf vindt. Echter, *tenzij je dit zelf doet*, is er geen garantie dat code ooit is geëvalueerd, vooral bij kleinere softwareprojecten. Het open ontwikkelingsproces is soms ook misbruikt om zelfs in grote projecten nieuwe kwetsbaarheden te introduceren.[^1] + +Aan de andere kant is propriëtaire software minder transparant, maar dat betekent niet dat het niet veilig is. Grote propriëtaire softwareprojecten kunnen intern en door derden worden gecontroleerd, en onafhankelijke veiligheidsonderzoekers kunnen nog steeds kwetsbaarheden vinden met technieken als reverse engineering. + +Om bevooroordeelde beslissingen te vermijden, is het *van vitaal belang* dat je de privacy- en veiligheidsnormen evalueert van de software die je gebruikt. + +## "Verschuiven van vertrouwen kan de privacy vergroten" + +We hebben het vaak over "verschuivend vertrouwen" bij het bespreken van oplossingen zoals VPN's (die het vertrouwen dat je in jouw ISP stelt verschuiven naar de VPN-aanbieder). Hoewel dit je surf gedrag beschermt tegen uw ISP *specifiek*, heeft de VPN provider die je kiest nog steeds toegang tot jouw surf gedrag: jouw gegevens zijn niet volledig beveiligd tegen alle partijen. Dit betekent dat: + +1. Je moet voorzichtig zijn bij het kiezen van een provider om je vertrouwen naar toe te verschuiven. +2. Je zou nog steeds andere technieken moeten gebruiken, zoals E2EE, om je gegevens volledig te beschermen. Alleen al het wantrouwen van een provider om een andere te vertrouwen, staat niet gelijk aan het beveiligen van je gegevens. + +## Privacy-gerichte oplossingen zijn van nature betrouwbaar + +Als je je zich uitsluitend richt op het privacybeleid en de marketing van een tool of provider, kunt je je blindstaren op de zwakke punten ervan. Wanneer je op zoek bent naar een meer private oplossing, moet je bepalen wat het onderliggende probleem is en technische oplossingen voor dat probleem vinden. Je kunt bijvoorbeeld Google Drive vermijden, dat Google toegang geeft tot al Jouw gegevens. Het onderliggende probleem is in dit geval een gebrek aan end-to-end encryptie, dus je moet ervoor zorgen dat de provider waar je naar overstapt daadwerkelijk end-to-end encryptie implementeert of een tool (zoals [Cryptomator](../encryption.md#cryptomator-cloud)) gebruiken die end-to-end encryptie biedt op elke cloud provider. Overstappen naar een "privacygerichte" provider (die geen end-to-end encryptie implementeert) lost je probleem niet op: het verschuift alleen het vertrouwen van Google naar die provider. + +Het privacybeleid en de zakelijke praktijken van de aanbieders die je kiest, zijn zeer belangrijk. Maar moeten toch worden beschouwd als minder belangrijk dan technische garanties van jouw privacy: je moet vertrouwen niet overdragen naar een andere provider wanneer het vertrouwen in een provider helemaal geen vereiste is. + +## "Ingewikkeld is beter" + +We zien vaak dat mensen overdreven ingewikkelde dreigingsmodellen voor privacybedreigingen beschrijven. Vaak omvatten deze oplossingen problemen zoals veel verschillende e-mailaccounts of ingewikkelde opstellingen met veel bewegende delen en voorwaarden. De antwoorden zijn meestal antwoorden op "Wat is de beste manier om *X* te doen?" + +Het vinden van de "beste" oplossing voor jezelf betekent niet noodzakelijk dat je op zoek bent naar een onfeilbare oplossing met tientallen voorwaarden - deze oplossingen zijn vaak moeilijk om realistisch mee te werken. Zoals we eerder hebben besproken, gaat veiligheid vaak ten koste van gemak. Hieronder geven we enkele tips: + +1. ==Acties moeten een bepaald doel dienen==, denk na over hoe je met zo weinig mogelijk acties kunt doen wat je wilt. +2. ==Verwijder menselijke faalpunten:== We maken fouten, worden moe, en vergeten dingen. Om de veiligheid te behouden, moet je voorkomen dat je vertrouwt op handmatige acties en processen die je moet onthouden. +3. ==Gebruik het juiste niveau van bescherming voor wat je van plan bent.== Wij zien vaak aanbevelingen van zogenaamde politie, en legerbestendige oplossingen. Deze vereisen vaak specialistische kennis en zijn over het algemeen niet wat de mensen willen. Het heeft geen zin een ingewikkeld dreigingsmodel voor anonimiteit op te stellen als je gemakkelijk kunt worden gedeanonimiseerd door een eenvoudige vergissing. + +Dus, hoe zou dit eruit zien? + +Een van de duidelijkste dreigingsmodellen is een model waarbij mensen *weten wie je bent* en een model waarbij ze dat niet weten. Er zullen altijd situaties zijn waarin je je wettelijke naam moet opgeven en er zijn situaties waarin je dat niet hoeft te doen. + +1. **Bekende identiteit** - Een bekende identiteit wordt gebruikt voor zaken waarbij je jouw naam moet opgeven. Er zijn veel juridische documenten en contracten waar een wettelijke identiteit vereist is. Dit kan variëren van het openen van een bankrekening, het ondertekenen van een huurovereenkomst, het verkrijgen van een paspoort, douaneaangiften bij het importeren van spullen, of op andere manieren omgaan met de overheid. Deze dingen zullen meestal leiden tot referenties zoals creditcards, kredietwaardigheidscontroles, rekeningnummers en mogelijk fysieke adressen. + + We raden niet aan om een VPN of Tor voor een van deze dingen te gebruiken, omdat je identiteit al op andere manieren bekend is. + + !!! tip + + Wanneer je online winkelt, kan het gebruik van een [pakketkluis](https://en.wikipedia.org/wiki/Parcel_locker) helpen om jouw fysieke adres privé te houden. + +2. **Onbekende identiteit** - Een onbekende identiteit kan een stabiel pseudoniem zijn dat je regelmatig gebruikt. Het is niet anoniem omdat het niet verandert. Als je deel uitmaakt van een online gemeenschap, wilt je misschien een identiteit behouden dat anderen kennen. Dit pseudoniem is niet anoniem omdat - indien lang genoeg gevolgd - details over de eigenaar verdere informatie kunnen onthullen, zoals de manier waarop hij of zij schrijft, algemene kennis over interessante onderwerpen, enz. + + Je kunt hiervoor eventueel een VPN gebruiken om jouw IP-adres te maskeren. Financiële transacties zijn moeilijker te maskeren: je kunt hier overwegen anonieme crypto valuta te gebruiken, zoals [Monero](https://www.getmonero.org/). Het gebruik van altcoin-shifting kan ook helpen om te verbergen waar jouw valuta vandaan komt. Doorgaans vereisen exchanges dat KYC (know your customer/ ken jouw klant) wordt ingevuld voordat zij u toestaan fiat valuta zoals euro's en dollars om te wisselen in een of andere crypto valuta. Lokale meet-ups kunnen ook een oplossing zijn; deze zijn echter vaak duurder en vereisen soms ook KYC. + +3. **Anonieme identiteit** - zelfs met ervaring, anonieme identiteiten zijn moeilijk te behouden voor lange perioden. Deze identiteiten horen een korte levensduur te hebben, en dienen regelmatig gerouleerd te worden. + + Het gebruik van Tor kan hierbij helpen. Ook moet worden opgemerkt dat een grotere anonimiteit mogelijk is door asynchrone communicatie: Real-time communicatie is kwetsbaar voor analyse van typpatronen (d.w.z. meer dan een alinea tekst, verspreid op een forum, via e-mail, enz.) + +[^1]: Een opmerkelijk voorbeeld hiervan is het incident van [2021, waarbij onderzoekers van de Universiteit van Minnesota drie kwetsbaarheden in het Linux-kernelontwikkelingsproject](https://cse.umn.edu/cs/linux-incident)introduceerden. diff --git a/i18n/nl/basics/common-threats.md b/i18n/nl/basics/common-threats.md new file mode 100644 index 00000000..06a90e65 --- /dev/null +++ b/i18n/nl/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Veel voorkomende bedreigingen" +icon: 'material/eye-outline' +description: Jouw dreigingsmodel is persoonlijk voor je, maar dit zijn enkele van de dingen die veel bezoekers van deze site belangrijk vinden. +--- + +In grote lijnen delen wij onze aanbevelingen in in deze algemene categorieën van [bedreigingen](threat-modeling.md) of doelstellingen die voor de meeste mensen gelden. ==U kunt zich bezighouden met geen, een, enkele, of al deze mogelijkheden==, en de instrumenten en diensten die je gebruikt hangen af van wat jouw doelstellingen zijn. Misschien heb je ook specifieke bedreigingen buiten deze categorieën, en dat is prima! Het belangrijkste is dat je inzicht krijgt in de voordelen en tekortkomingen van de middelen die je gebruikt, want vrijwel geen enkel middel beschermt je tegen elke denkbare bedreiging. + +- :material-incognito: Anonimiteit - Het afschermen van jouw online activiteiten van jouw echte identiteit, waardoor je beschermd bent tegen mensen die proberen te achterhalen *jouw* identiteit specifiek. +- :material-target-account: Gerichte aanvallen - Beschermd zijn tegen gerichte hackers of andere kwaadwillenden die toegang proberen te krijgen tot *jouw* gegevens of apparaten specifiek. +- :material-bug-outline: Passieve aanvallen - Beschermd zijn tegen zaken als malware, inbreuken op gegevens en andere aanvallen die tegen veel mensen tegelijk worden uitgevoerd +- :material-server-network: Dienstverleners - Bescherming van jouw gegevens tegen dienstverleners, bv. met end-to-endencryptie waardoor jouw gegevens onleesbaar worden voor de server. +- :material-eye-outline: Mass Surveillance - Bescherming tegen overheidsinstellingen, organisaties, websites en diensten die samenwerken om jouw activiteiten te volgen. +- :material-account-cash: Surveillance Capitalism - Jezelf beschermen tegen grote advertentienetwerken zoals Google en Facebook, en een groot aantal andere gegevensverzamelaars van derden +- :material-account-search: Public Exposure - het beperken van de informatie over je die online toegankelijk is voor zoekmachines of het grote publiek. +- :material-close-outline: Censuur - Voorkomen van gecensureerde toegang tot informatie en zelf gecensureerd worden als je online spreekt + +Sommige van deze bedreigingen kunnen zwaarder wegen dan andere, afhankelijk van jouw specifieke zorgen. Een softwareontwikkelaar die toegang heeft tot waardevolle of kritieke gegevens is bijvoorbeeld misschien in de eerste plaats bezorgd over :material-target-account: gerichte aanvallen, maar verder willen zij waarschijnlijk nog steeds hun persoonlijke gegevens beschermen tegen opneming in :material-eye-outline: programma's voor massatoezicht. Op dezelfde manier is de "gemiddelde consument" misschien in de eerste plaats bezorgd over :material-account-search: Public Exposure van zijn persoonsgegevens, maar moet hij toch op zijn hoede zijn voor op beveiliging gerichte zaken zoals :material-bug-outline: Passive Attacks zoals malware die zijn apparaten aantast. + +## Anonimiteit versus privacy + +:material-incognito: Anonimiteit + +Anonimiteit wordt vaak verward met privacy, maar het is een apart concept. Terwijl privacy een reeks keuzes is die je maakt over hoe jouw gegevens worden gebruikt en gedeeld, is anonimiteit het volledig loskoppelen van jouw online activiteiten van jouw echte identiteit. + +Voor klokkenluiders en journalisten, bijvoorbeeld, kan een veel extremer bedreigingsmodel gelden, dat volledige anonimiteit vereist. Dat is niet alleen verbergen wat zij doen, welke gegevens zij hebben, en niet gehackt worden door hackers of overheden, maar ook volledig verbergen wie zij zijn. Zij zullen elke vorm van gemak opofferen als dat betekent dat hun anonimiteit, privacy of veiligheid wordt beschermd, want hun leven kan ervan afhangen. De meeste gewone mensen hoeven niet zo ver te gaan. + +## Veiligheid en privacy + +:material-bug-outline: Passieve aanvallen + +Beveiliging en privacy worden vaak door elkaar gehaald, omdat je beveiliging nodig hebt om enige schijn van privacy te krijgen: Hulpmiddelen gebruiken die privé lijken, is zinloos als ze gemakkelijk door aanvallers kunnen worden misbruikt om jouw gegevens later vrij te geven. Het omgekeerde is echter niet noodzakelijk waar; de veiligste dienst ter wereld *is niet noodzakelijk* privé. Het beste voorbeeld hiervan is het toevertrouwen van gegevens aan Google, dat, gezien zijn omvang, minimale veiligheidsincidenten heeft gekend door vooraanstaande beveiligingsexperts in te zetten om zijn infrastructuur te beveiligen. Hoewel Google een zeer veilige dienst aanbiedt, zouden maar weinigen hun gegevens als privé beschouwen in de gratis consumentenproducten van Google (Gmail, YouTube, enz.). + +Wat de beveiliging van toepassingen betreft, weten we over het algemeen niet (en kunnen we soms niet) weten of de software die we gebruiken kwaadaardig is, of dat op een dag zou kunnen worden. Zelfs bij de meest betrouwbare ontwikkelaars is er meestal geen garantie dat hun software geen ernstige kwetsbaarheid bevat die later kan worden uitgebuit. + +Om de potentiële schade van kwaadaardige software tot een minimum te beperken, moet u beveiliging door compartimentering toepassen. Dit kan in de vorm van het gebruik van verschillende computers voor verschillende taken, het gebruik van virtuele machines om verschillende groepen van gerelateerde toepassingen te scheiden, of het gebruik van een veilig besturingssysteem met een sterke nadruk op sandboxing van toepassingen en verplichte toegangscontrole. + +!!! tip + + Mobiele besturingssystemen zijn over het algemeen veiliger dan desktopbesturingssystemen als het gaat om sandboxing van toepassingen. + + Apps kunnen geen root-toegang krijgen en hebben alleen toegang tot systeembronnen die je hen verleent. Desktop besturingssystemen lopen over het algemeen achter op het gebied van goede sandboxing. Chrome OS heeft vergelijkbare sandboxing-eigenschappen als Android, en macOS heeft volledige controle over systeemtoestemmingen en opt-in (voor ontwikkelaars) sandboxing voor applicaties, maar deze besturingssystemen geven wel identificerende informatie door aan hun respectieve OEM's. Linux heeft de neiging geen informatie door te geven aan systeemverkopers, maar het heeft een slechte bescherming tegen exploits en kwaadaardige apps. Dit kan enigszins worden ondervangen met gespecialiseerde distributies die veel gebruik maken van virtuele machines of containers, zoals Qubes OS. + +:material-target-account: Gerichte aanvallen + +Gerichte aanvallen tegen een specifieke gebruiker zijn moeilijker aan te pakken. Gangbare aanvalsmethoden zijn het verzenden van schadelijke documenten via e-mails, het uitbuiten van kwetsbaarheden in de browser en het besturingssysteem, en fysieke aanvallen. Als dit voor je een punt van zorg is, moet je mogelijk meer geavanceerde strategieën ter beperking van bedreigingen toepassen. + +!!! tip + + **Webbrowsers**, **e-mailclients**, en **kantoorapplicaties** voeren standaard onvertrouwde code uit die je door derden wordt toegestuurd. Het draaien van meerdere virtuele machines om toepassingen als deze te scheiden van uw hostsysteem en van elkaar is een techniek die je kunt gebruiken om te voorkomen dat een exploit in deze toepassingen de rest van jouw systeem aantast. Technologieën als Qubes OS of Microsoft Defender Application Guard op Windows bieden bijvoorbeeld handige methoden om dit naadloos te doen. + +Als je zich zorgen maakt over **fysieke aanvallen** moet je een besturingssysteem gebruiken met een veilige geverifieerde opstartimplementatie, zoals Android, iOS, macOS, [Windows (met TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). Je moet er ook voor zorgen dat jouw schijf versleuteld is, en dat het besturingssysteem een TPM of Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) of [Element](https://developers.google.com/android/security/android-ready-se) gebruikt voor het beperken van de snelheid waarmee pogingen worden gedaan om de wachtwoordzin voor de versleuteling in te voeren. Je moet voorkomen dat je jouw computer deelt met mensen die je niet vertrouwt, omdat de meeste desktopbesturingssystemen gegevens niet afzonderlijk per gebruiker versleutelen. + +## Privacy van dienstverleners + +:material-server-network: Dienstverleners + +Wij leven in een wereld waarin bijna alles met het internet is verbonden. Onze "privé"-berichten, e-mails, sociale interacties worden gewoonlijk ergens op een server opgeslagen. Wanneer je iemand een bericht stuurt, wordt dat bericht opgeslagen op een server en wanneer jouw vriend het bericht wil lezen, zal de server het hem tonen. + +Het voor de hand liggende probleem hierbij is dat de dienstverlener (of een hacker die de server heeft gecompromitteerd) in jouw "privé"-gesprekken kan kijken wanneer en hoe hij maar wil, zonder dat je het ooit te weten komt. Dit geldt voor veel gangbare diensten zoals SMS-berichten, Telegram, Discord, enzovoort. + +Gelukkig kan end-to-end encryptie dit probleem verlichten door de communicatie tussen jou en de gewenste ontvangers te versleutelen voordat ze zelfs maar naar de server worden verzonden. De vertrouwelijkheid van jouw berichten is gewaarborgd, zolang de dienstverlener geen toegang heeft tot de particuliere sleutels van beide partijen. + +!!! note "Opmerking op webgebaseerde encryptie" + + In de praktijk varieert de doeltreffendheid van verschillende implementaties van end-to-end encryptie. Toepassingen zoals [Signal](../real-time-communication.md#signal) draaien op het toestel zelf, en elke kopie van de toepassing is hetzelfde voor verschillende installaties. Als de dienstverlener een backdoor in zijn applicatie zou aanbrengen om te proberen jouw privé-sleutels te stelen, zou dat later met reverse engineering kunnen worden opgespoord. + + Anderzijds vertrouwen webgebaseerde end-to-end encryptie-implementaties, zoals Proton Mail's webmail of Bitwarden's web vault, erop dat de server dynamisch JavaScript-code naar de browser stuurt om cryptografische operaties uit te voeren. Een kwaadwillende server zou zich op een specifieke gebruiker kunnen richten en hem kwaadwillige JavaScript-code sturen om zijn encryptiesleutel te stelen, en het zou uiterst moeilijk zijn voor de gebruiker om zoiets ooit op te merken. Zelfs als de gebruiker de poging om zijn sleutel te stelen opmerkt, zou het ongelooflijk moeilijk zijn om te bewijzen dat het de provider is die dit probeert, omdat de server ervoor kan kiezen om verschillende webclients aan verschillende gebruikers aan te bieden. + + Wanneer je vertrouwt op end-to-end encryptie, moet je daarom waar mogelijk native applicaties verkiezen boven web clients. + +Zelfs met end-to-end encryptie kunnen dienstverleners je nog steeds profileren op basis van **metadata**, die doorgaans niet beschermd zijn. Hoewel de dienstverlener jouw berichten niet kan lezen om te zien wat je zegt, kan hij wel observeren met wie je praat, hoe vaak je hen berichten stuurt en op welke tijden je doorgaans actief bent. Bescherming van metadata is tamelijk ongewoon, en je zou goed moeten opletten in de technische documentatie van de software die je gebruikt om te zien of er überhaupt sprake is van minimalisering of bescherming van metadata, als dat voor je een punt van zorg is. + +## Programma's voor massatoezicht + +:material-eye-outline: Massabewaking + +Massasurveillance is een poging om een groot deel van of een gehele bevolking te surveilleren. Het verwijst vaak naar overheidsprogramma's, zoals de programma's [die in 2013 door Edward Snowden werden onthuld](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). + +!!! abstract "Atlas of Surveillance" + + Als je meer wilt weten over bewakingsmethoden en hoe die in jouw stad worden toegepast, kunt je ook de [Atlas of Surveillance](https://atlasofsurveillance.org/) van de [Electronic Frontier Foundation](https://www.eff.org/) bekijken. + + In Frankrijk kunt u een kijkje nemen op de [Technolopolice website](https://technopolice.fr/villes/) die wordt onderhouden door de non-profit vereniging La Quadrature du Net. + +Regeringen rechtvaardigen massasurveillanceprogramma's vaak als noodzakelijke middelen om terrorisme te bestrijden en misdaad te voorkomen. Het schendt echter de mensenrechten en wordt meestal gebruikt om zich buitenproportioneel te richten op onder andere minderheidsgroepen en politieke dissidenten. + +!!! quote "ACLU: [*De privacyles van 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Het omzeilen van de censuur zelf is betrekkelijk eenvoudig, maar het feit dat je het censuursysteem omzeilt voor de censoren kan zeer problematisch zijn. Je moet nagaan welke aspecten van het netwerk jouw tegenstander kan waarnemen, en of je jouw acties kunt ontkennen. + +Ondanks de toenemende massasurveillance in de Verenigde Staten heeft de regering vastgesteld dat massasurveillanceprogramma's zoals Section 215 "weinig unieke waarde" hebben gehad wat betreft het stoppen van daadwerkelijke misdaden of terroristische complotten, waarbij de inspanningen grotendeels de eigen gerichte surveillanceprogramma's van de FBI dupliceren.[^2] + +Ondanks de toenemende massasurveillance in de Verenigde Staten is de regering tot de conclusie gekomen dat massasurveillanceprogramma's zoals Sectie 215 "weinig unieke waarde" hebben gehad wat betreft het stoppen van echte misdaden of terroristische complotten, waarbij de inspanningen grotendeels een herhaling zijn van de eigen gerichte surveillanceprogramma's van de FBI.[^1] + +- Jouw IP-adres +- Browser cookies +- Gegevens die je aan websites verstrekt +- Jouw browser of apparaat vingerafdruk +- Correlatie van betalingsmethodes + +\[Deze lijst is niet uitputtend]. + +Als je bezorgd bent over massale surveillance programma's, kun je strategieën gebruiken zoals het opsplitsen van jouw online-identiteiten, je mengen met andere gebruikers of, waar mogelijk, gewoon vermijden om identificerende informatie te geven. + +:material-account-cash: Surveillance kapitalisme + +> Het surveillance kapitalisme is een economisch systeem dat draait om het vastleggen en verhandelen van persoonsgegevens met als hoofddoel het maken van winst.[^2] + +De beste manier om ervoor te zorgen dat jouw gegevens privé blijven, is ze in de eerste plaats gewoon niet openbaar te maken. Het verwijderen van informatie die je online over jezelf vindt, is een van de beste eerste stappen die je kunt nemen om jouw privacy terug te krijgen. Het gebruik van hulpmiddelen zoals content blockers om netwerkverzoeken aan hun servers te beperken, en het lezen van het privacybeleid van de diensten die je gebruikt, kunnen je helpen veel laag hangend fruit te vermijden, maar kunnen je nooit volledig beschermen tegen alle tracking.[^4] + +Op sites waar je informatie deelt, is het heel belangrijk dat je de privacyinstellingen van jouw account controleert om te beperken hoe wijd die gegevens worden verspreid. Als jouw accounts bijvoorbeeld een "privémodus" hebben, schakel deze dan in om ervoor te zorgen dat jouw account niet wordt geïndexeerd door zoekmachines en niet kan worden bekeken door mensen die je niet van tevoren vertrouwd. De sterkste bescherming tegen het verzamelen van bedrijfsgegevens is om jouw gegevens waar mogelijk te versleutelen of te verdoezelen, waardoor het voor verschillende providers moeilijk wordt om gegevens met elkaar te correleren en een profiel op je op te bouwen. + +## Beperking van publieke informatie + +:material-account-search: Publiekelijke bekendheid + +De beste manier om ervoor te zorgen dat jouw gegevens privé blijven, is ze in de eerste plaats gewoon niet openbaar te maken. Het verwijderen van ongewenste informatie die je online over jezelf vindt, is een van de beste eerste stappen die je kunt nemen om jouw privacy te terug te winnen. + +- [Bekijk onze gids over het verwijderen van accounts :material-arrow-right-drop-circle:](account-deletion.md) + +Online-censuur kan in verschillende mate worden uitgeoefend door actoren zoals totalitaire regeringen, netwerkbeheerders en dienstverleners die de meningsuiting van hun gebruikers en de informatie waartoe zij toegang hebben, willen controleren. Deze pogingen om het internet te filteren zullen altijd onverenigbaar zijn met de idealen van vrije meningsuiting. + +Censuur op bedrijfsplatforms komt steeds vaker voor nu platforms als Twitter en Facebook toegeven aan de vraag van het publiek, de druk van de markt en de druk van overheidsinstanties. Overheidsdruk kan bestaan uit heimelijke verzoeken aan bedrijven, zoals het verzoek van het Witte Huis [om een provocerende YouTube-video uit de lucht te halen ](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html), of uit openlijke, zoals de Chinese regering die van bedrijven eist dat zij zich houden aan een streng censuurregime. + +## Censuur vermijden + +:material-close-outline: Censuur + +Censuur online kan (in verschillende mate) worden uitgeoefend door actoren zoals totalitaire regeringen, netwerkbeheerders en dienstverleners. Deze pogingen om de communicatie te controleren en de toegang tot informatie te beperken zullen altijd onverenigbaar zijn met het mensenrecht op vrijheid van meningsuiting.[^5] + +Censuur op bedrijfsplatforms komt steeds vaker voor, nu platforms als Twitter en Facebook toegeven aan de vraag van het publiek, de druk van de markt en de druk van overheidsinstanties. Overheidsdruk kan bestaan uit heimelijke verzoeken aan bedrijven, zoals het verzoek van het Witte Huis [om een provocerende YouTube-video uit de lucht te halen ](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html), of uit openlijke, zoals de Chinese regering die van bedrijven eist dat zij zich houden aan een streng censuurregime. + +Mensen die bezorgd zijn over de dreiging van censuur kunnen technologieën als [Tor](../advanced/tor-overview.md) gebruiken om die te omzeilen, en steun verlenen aan censuurbestendige communicatieplatforms als [Matrix](../real-time-communication.md#element), dat geen gecentraliseerde accountautoriteit heeft die willekeurig accounts kan sluiten. + +!!! tip + + Het ontwijken van censuur kan gemakkelijk zijn, maar het verbergen van het feit dat je het doet kan heel moeilijk zijn. + + Je zou moeten overwegen welke aspecten van het netwerk je tegenstander kan waarnemen en of je plausibele ontkenningsmogelijkheden voor je actie hebt. Het gebruik van [versleutelde DNS](../advanced/dns-overview.md#what-is-encrypted-dns) kan je bijvoorbeeld helpen om rudimentaire, DNS-gebaseerde censuursystemen te omzeilen, maar het kan niet echt verbergen wat je bezoekt bij je ISP. Een VPN of Tor kan helpen verbergen wat je bezoekt voor netwerkbeheerders, maar je kunt niet verbergen dat je deze netwerken als gebruikt. Pluggable transports (zoals Obfs4proxy, Meek of Shadowsocks) kunnen je helpen firewalls te omzeilen die gangbare VPN-protocollen of Tor blokkeren, maar jouw pogingen tot omzeiling kunnen nog steeds worden ontdekt door methoden als probing of [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +Je moet altijd rekening houden met de risico 's van het proberen om censuur te omzeilen, de mogelijke gevolgen en hoe geavanceerd je tegenstander kan zijn. Je moet voorzichtig zijn met jouw software selectie, en een back-up plan hebben voor het geval je betrapt wordt. + +[^1]: United States Privacy and Civil Liberties Oversight Board: [Rapport over het telefoongegevens programma, uitgevoerd onder Section 215](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^2]: Wikipedia: [Surveillance kapitalisme](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^3]: Wikipedia: [*Surveillancekapitalisme*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Het opsommen van slechtheid](https://www.ranum.com/security/computer_security/editorials/dumb/)" (of, "het opsommen van alle slechte dingen die we kennen"), zoals veel adblockers en antivirusprogramma's doen, beschermt je niet afdoende tegen nieuwe en onbekende bedreigingen omdat ze nog niet zijn toegevoegd aan de filterlijst. Je moet ook andere mitigatietechnieken gebruiken. +[^5]: Verenigde Naties: [*Universele Verklaring van de Rechten van de Mens*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/nl/basics/email-security.md b/i18n/nl/basics/email-security.md new file mode 100644 index 00000000..7fbeabe3 --- /dev/null +++ b/i18n/nl/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email beveiliging +icon: material/email +description: E-mail is op vele manieren inherent onveilig, en dit zijn enkele van de redenen waarom het niet onze eerste keuze is voor veilige communicatie. +--- + +E-mail is standaard een onveilige vorm van communicatie. Je kunt je e-mailbeveiliging verbeteren met tools als OpenPGP, die end-to-end encryptie toevoegen aan je berichten, maar OpenPGP heeft nog steeds een aantal nadelen in vergelijking met encryptie in andere berichtentoepassingen, en sommige e-mailgegevens kunnen nooit inherent worden versleuteld als gevolg van de manier waarop e-mail is ontworpen. + +Als gevolg hiervan wordt e-mail het beste gebruikt voor het ontvangen van transactionele e-mails (zoals meldingen, verificatie-e-mails, wachtwoordresets, enz.) van de services waarvoor je je online aanmeldt, niet voor het communiceren met anderen. + +## Overzicht van e-mailversleuteling + +De standaardmanier om E2EE toe te voegen aan e-mails tussen verschillende e-mailproviders is door OpenPGP te gebruiken. Er zijn verschillende implementaties van de OpenPGP-standaard, waarvan [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) en [OpenPGP.js](https://openpgpjs.org)de meest voorkomende zijn. + +Er is een andere standaard die populair is bij bedrijven, [S/MIME](https://en.wikipedia.org/wiki/S/MIME), maar deze vereist een certificaat dat is afgegeven door een [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (niet alle instanties geven S/MIME-certificaten af). Het heeft ondersteuning in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) en [Outlook for Web of Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Zelfs als je OpenPGP gebruikt, biedt het geen ondersteuning voor [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), wat betekent dat als jouw privésleutel of die van de ontvanger ooit wordt gestolen, alle eerdere berichten die ermee zijn versleuteld, openbaar worden. Daarom bevelen wij [instant messengers](../real-time-communication.md) aan, die indien mogelijk forward secrecy implementeren in plaats van e-mail voor communicatie van persoon tot persoon. + +### Welke e-mailclients ondersteunen E2EE? + +E-mailproviders die je in staat stellen standaard toegangsprotocollen zoals IMAP en SMTP te gebruiken, kunnen worden gebruikt met elk van de [e-mailclients die wij aanbevelen](../email-clients.md). Afhankelijk van de authenticatiemethode kan dit leiden tot een verminderde veiligheid indien de provider of de e-mailclient OATH of een bridge-toepassing niet ondersteunt, aangezien [multifactor authenticatie](/basics/multi-factor-authentication/) niet mogelijk is met gewone wachtwoordauthenticatie. + +### Hoe bescherm ik mijn private sleutels? + +Een smartcard (zoals een [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) of [Nitrokey](https://www.nitrokey.com)) werkt door een geëncrypteerd e-mailbericht te ontvangen van een apparaat (telefoon, tablet, computer, enz.) waarop een e-mail/webmailclient draait. Het bericht wordt vervolgens door de smartcard ontsleuteld en de ontsleutelde inhoud wordt teruggestuurd naar het apparaat. + +Het is gunstig dat de ontcijfering op de smartcard gebeurt om te voorkomen dat jouw privé-sleutel aan een gecompromitteerd apparaat wordt blootgesteld. + +## Overzicht e-mailmetagegevens + +E-mail metadata wordt opgeslagen in de [message header](https://en.wikipedia.org/wiki/Email#Message_header) van het e-mailbericht en omvat een aantal zichtbare headers die je wellicht hebt gezien, zoals: `Aan`, `Van`, `Cc`, `Datum`, `Onderwerp`. Veel e-mailclients en -providers hebben ook een aantal verborgen headers die informatie over jouw account kunnen onthullen. + +Client-software kan metagegevens over e-mail gebruiken om aan te geven van wie een bericht afkomstig is en hoe laat het werd ontvangen. Servers kunnen het gebruiken om te bepalen waar een e-mailbericht naartoe moet worden gestuurd, naast [andere doeleinden](https://en.wikipedia.org/wiki/Email#Message_header) die niet altijd transparant zijn. + +### Wie kan e-mailmetagegevens bekijken? + +E-mail metadata wordt beschermd tegen externe waarnemers met [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS), maar kan nog steeds worden gezien door jouw e-mail client software (of webmail) en alle servers die het bericht van je doorsturen naar alle ontvangers, inclusief jouw e-mail provider. Soms maken e-mailservers ook gebruik van diensten van derden ter bescherming tegen spam, die over het algemeen ook toegang hebben tot jouw berichten. + +### Waarom kan metadata niet E2EE zijn? + +E-mail metadata is van cruciaal belang voor de meest elementaire functionaliteit van e-mail (waar het vandaan komt, en waar het naartoe moet). E2EE was oorspronkelijk niet in de e-mailprotocollen ingebouwd; in plaats daarvan was extra software zoals OpenPGP nodig. Omdat OpenPGP-berichten nog steeds met traditionele e-mailproviders moeten werken, kan het niet de metagegevens van e-mail versleutelen, alleen de inhoud van het bericht zelf. Dat betekent dat zelfs wanneer OpenPGP wordt gebruikt, externe waarnemers veel informatie over jouw berichten kunnen zien, zoals wie je e-mailt, de onderwerpregels, wanneer je e-mailt, enz. diff --git a/i18n/nl/basics/multi-factor-authentication.md b/i18n/nl/basics/multi-factor-authentication.md new file mode 100644 index 00000000..2795891a --- /dev/null +++ b/i18n/nl/basics/multi-factor-authentication.md @@ -0,0 +1,209 @@ +--- +title: "Multifactor-authenticatie" +icon: 'material/two-factor-authentication' +description: MFA is een cruciaal beveiligingsmechanisme voor de beveiliging van jouw online accounts, maar sommige methoden zijn sterker dan andere. +--- + +**Multifactorauthenticatie** is een beveiligingsmechanisme dat extra stappen vereist naast het invoeren van jouw gebruikersnaam (of e-mail) en wachtwoord. De meest gebruikelijke methode zijn codes met tijdsbeperking die je via sms of een app kunt ontvangen. + +Als een hacker (of tegenstander) jouw wachtwoord weet te achterhalen, krijgt hij toegang tot de account waar dat wachtwoord bij hoort. Een account met MFA dwingt de hacker om zowel het wachtwoord te hebben (iets wat je *weet*) als een apparaat dat je bezit (iets wat je *hebt*), zoals je telefoon. + +MFA-methoden variëren in beveiliging, maar zijn gebaseerd op de vooronderstelling dat hoe moeilijker het voor een aanvaller is om toegang te krijgen tot uw MFA-methode, hoe beter. Voorbeelden van MFA-methoden (van zwakste naar sterkste) zijn sms, e-mailcodes, app-pushmeldingen, TOTP, Yubico OTP en FIDO. + +## Vergelijking van MFB-methoden + +### SMS of e-mail MFA + +Het ontvangen van OTP-codes via SMS of e-mail is een van de zwakkere manieren om jouw accounts met MFA te beveiligen. Het verkrijgen van een code via e-mail of sms doet afbreuk aan het idee van "iets wat je *hebt*", omdat er verschillende manieren zijn waarop een hacker jouw telefoonnummer + +kan overnemen of toegang tot jouw e-mail kan krijgen zonder fysieke toegang te hebben tot een van jouw apparaten. Als een onbevoegd persoon toegang zou krijgen tot jouw e-mail, zou hij die toegang kunnen gebruiken om zowel jouw wachtwoord te resetten als de verificatiecode te ontvangen, waardoor hij volledige toegang tot jouw account zou krijgen.

+ + + +### Push-meldingen + +Push notification MFA neemt de vorm aan van een bericht dat naar een app op jouw telefoon wordt gestuurd en waarin je wordt gevraagd nieuwe accountlogins te bevestigen. Deze methode is veel beter dan SMS of e-mail, omdat een aanvaller deze pushmeldingen meestal niet kan krijgen zonder een al aangemeld apparaat, wat betekent dat hij eerst een van jouw andere apparaten zou moeten compromitteren. + +We maken allemaal fouten, en het risico bestaat dat u de inlogpoging per ongeluk aanvaardt. Inlogautorisaties via push-notificatie worden doorgaans verzonden naar *alle* jouw apparaten in een keer, waardoor de beschikbaarheid van de MFA-code wordt uitgebreid als je veel apparaten hebt. + +De beveiliging van push notification MFA is afhankelijk van zowel de kwaliteit van de app, de servercomponent als het vertrouwen van de ontwikkelaar die de app maakt. Als je een app installeert, kan het ook zijn dat je moet instemmen met invasieve privileges die toegang verlenen tot andere gegevens op jouw apparaat. . en individuele app vereist ook dat je voor elke dienst een specifieke app hebt, die misschien geen wachtwoord vereist om te openen, in tegenstelling tot een goede TOTP generator app. + + + +### Time-based One-time Password (TOTP) + +TOTP is een van de meest voorkomende vormen van MFB. Wanneer je TOTP instelt, moet je over het algemeen een [QR-code](https://en.wikipedia.org/wiki/QR_code) scannen die een "[gedeeld geheim](https://en.wikipedia.org/wiki/Shared_secret)" tot stand brengt met de dienst die je van plan bent te gebruiken. Het gedeelde geheim is beveiligd in de gegevens van de authenticator-app, en is soms beveiligd met een wachtwoord. + +De in de tijd beperkte code wordt dan afgeleid van het gedeelde geheim en de huidige tijd. Aangezien de code slechts korte tijd geldig is, kan een adversair zonder toegang tot het gedeelde geheim geen nieuwe codes genereren. + +Als je een hardware beveiligingssleutel hebt met TOTP-ondersteuning (zoals een YubiKey met [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), raden wij je aan om jouw "gedeelde geheimen" op de hardware op te slaan. Hardware zoals de YubiKey werd ontwikkeld met de bedoeling het "gedeelde geheim" moeilijk te ontfutselen en te kopiëren te maken. Een YubiKey is ook niet verbonden met het internet, in tegenstelling tot een telefoon met een TOTP-app. + +In tegenstelling tot [WebAuthn](#fido-fast-identity-online)biedt TOTP geen bescherming tegen [phishing](https://en.wikipedia.org/wiki/Phishing) of hergebruikaanvallen. Als een tegenstander een geldige code van je krijgt, mag hij die zo vaak gebruiken als hij wil totdat de code is verlopen (over het algemeen 60 seconden. + +Een tegenstander kan een website opzetten om een officiële dienst te imiteren in een poging om je te verleiden jouw gebruikersnaam, wachtwoord en huidige TOTP-code te geven. Als de tegenstander vervolgens deze vastgelegde gegevens gebruikt, kan hij op de echte dienst inloggen en de account kapen. + +Hoewel niet perfect, is TOTP veilig genoeg voor de meeste mensen, en wanneer [hardware security keys](/multi-factor-authentication/#hardware-security-keys) niet worden ondersteund zijn [authenticator apps](/multi-factor-authentication/#authenticator-apps) nog steeds een goede optie. + + + +### Hardware beveiligingssleutels + +De YubiKey slaat gegevens op een manipulatiebestendige solid-state chip die [onmogelijk is om toegang te krijgen tot](https://security.stackexchange.com/a/245772) niet-destructief zonder een duur proces en een forensisch laboratorium. + +Deze sleutels zijn over het algemeen multifunctioneel en bieden een aantal methoden om zich te authenticeren. Hieronder staan de meest voorkomende. + + + +#### Yubico OTP + +Yubico OTP is een authenticatieprotocol dat typisch wordt geïmplementeerd in hardware beveiligingssleutels. Wanneer je besluit Yubico OTP te gebruiken, zal de sleutel een publiek ID, privaat ID, en een Geheime Sleutel genereren die dan geupload wordt naar de Yubico OTP server. + +Wanneer je inlogt op een website, hoeft je alleen maar de beveiligingssleutel fysiek aan te raken. De beveiligingssleutel zal een toetsenbord emuleren en een eenmalig wachtwoord in het wachtwoordveld afdrukken. + +De dienst zal dan het eenmalige wachtwoord doorsturen naar de Yubico OTP server voor validatie. Zowel op de sleutel als op de validatieserver van Yubico wordt een teller opgehoogd. De OTP kan slechts één keer worden gebruikt, en wanneer een authenticatie met succes plaatsvindt, wordt de teller verhoogd, waardoor hergebruik van de OTP wordt voorkomen. Yubico geeft een [gedetailleerd document](https://developers.yubico.com/OTP/OTPs_Explained.html) over het proces. + +
+ Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +Er zijn enkele voor- en nadelen aan het gebruik van Yubico OTP in vergelijking met TOTP. + +De Yubico validatieserver is een cloud-gebaseerde dienst, en je vertrouwt op Yubico dat zij jouw gegevens veilig opslaan en je niet profileren. De publieke ID die bij Yubico OTP hoort, wordt op elke website hergebruikt en kan voor derden een extra mogelijkheid zijn om je te profileren. Net als TOTP biedt Yubico OTP geen weerstand tegen phishing. + +Als jouw dreigingsmodel vereist dat je verschillende identiteiten op verschillende websites heeft, **gebruik dan geen** Yubico OTP met dezelfde hardware beveiligingssleutel op die websites, aangezien de publieke ID uniek is voor elke beveiligingssleutel. + + + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) omvat een aantal normen, eerst was er U2F en later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) die de webnorm [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)omvat. + +U2F en FIDO2 verwijzen naar het [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), dat het protocol is tussen de beveiligingssleutel en de computer, zoals een laptop of telefoon. Het is een aanvulling op WebAuthn, de component die wordt gebruikt om je te authenticeren bij de website (de "Betrouwbare Partij") waarop je probeert in te loggen. + +WebAuthn is de meest veilige en private vorm van tweede factor authenticatie. De verificatie-ervaring is vergelijkbaar met Yubico OTP, maar de sleutel drukt geen eenmalig wachtwoord af en valideert niet met een server van een derde partij. In plaats daarvan gebruikt het [openbare sleutel cryptografie](https://en.wikipedia.org/wiki/Public-key_cryptography) voor authenticatie. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +Wanneer je een account aanmaakt, wordt de openbare sleutel naar de dienst gestuurd, en wanneer je inlogt, zal de dienst je vragen bepaalde gegevens te "ondertekenen" met jouw privé-sleutel. Het voordeel hiervan is dat er nooit wachtwoordgegevens door de dienst worden opgeslagen, zodat er voor een adverteerder niets te stelen valt. + +Deze presentatie bespreekt de geschiedenis van wachtwoordauthenticatie, de valkuilen (zoals hergebruik van wachtwoorden), en bespreking van de FIDO2- en [WebAuthn](https://webauthn.guide) -normen. + +
+ +
+ +FIDO2 en WebAuthn hebben superieure beveiligings- en privacy-eigenschappen in vergelijking met andere MFA-methoden. + +Typisch voor webdiensten wordt het gebruikt met WebAuthn dat deel uitmaakt van de [W3C aanbevelingen](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Het gebruikt publieke sleutelauthenticatie en is veiliger dan gedeelde geheimen die worden gebruikt in de Yubico OTP- en TOTP-methoden, omdat het de oorsprongsnaam (gewoonlijk de domeinnaam) bij de authenticatie betrekt. Attestatie wordt verstrekt om je te beschermen tegen phishing-aanvallen, aangezien het je helpt vast te stellen dat je de authentieke dienst gebruikt en niet een namaakkopie. + +In tegenstelling tot Yubico OTP, gebruikt WebAuthn geen publieke ID, dus de sleutel is **niet** identificeerbaar over verschillende websites. Het maakt ook geen gebruik van een cloud server van derden voor verificatie. Alle communicatie vindt plaats tussen de sleutel en de website waarop je inlogt. FIDO gebruikt ook een teller die bij gebruik wordt opgehoogd om hergebruik van sessies en gekloonde sleutels te voorkomen. + +Als een website of dienst WebAuthn ondersteunt voor de authenticatie, is het sterk aan te bevelen dit te gebruiken boven elke andere vorm van MFA. + + + +## Algemene aanbevelingen + +Wij hebben deze algemene aanbevelingen: + + + +### Welke methode moet ik gebruiken? + +Wanneer je jouw MFA-methode configureert, moet je in gedachten houden dat deze slechts zo veilig is als de zwakste authenticatiemethode die je gebruikt. Dit betekent dat het belangrijk is dat je alleen de beste beschikbare MFA-methode gebruikt. Als je bijvoorbeeld al TOTP gebruikt, moet je e-mail en SMS MFA uitschakelen. Als je al FIDO2/WebAuthn gebruikt, moet je geen Yubico OTP of TOTP gebruiken op jouw account. + + + +### Back-ups + +Je moet altijd back-ups hebben voor jouw MFA-methode. Hardwaresleutels kunnen zoekraken, gestolen worden of na verloop van tijd niet meer werken. Het is aan te bevelen om een paar hardware beveiligingssleutels te hebben met dezelfde toegang tot jouw accounts in plaats van slechts één. + +Wanneer je TOTP gebruikt met een authenticatie app, zorg er dan voor dat je een back-up maakt van jouw herstel sleutels of de app zelf, of kopieer de "gedeelde geheimen" naar een ander exemplaar van de app op een andere telefoon of naar een versleutelde container (bijv. [VeraCrypt](../encryption.md#veracrypt)). + + + +### Eerste installatie + +Wanneer je een beveiligingssleutel koopt, is het belangrijk dat je de standaardgegevens wijzigt, wachtwoordbeveiliging voor de sleutel instelt, en aanraakbevestiging inschakelt als jouw sleutel dit ondersteunt. Producten zoals de YubiKey hebben meerdere interfaces met afzonderlijke referenties voor elk ervan, dus je moet elke interface overlopen en ook bescherming instellen. + + + +### E-mail en SMS + +Als je e-mail moet gebruiken voor MFA, zorg er dan voor dat de e-mailaccount zelf beveiligd is met een goede MFA-methode. + +Als je SMS MFA gebruikt, gebruik dan een provider die jouw telefoonnummer niet zonder accounttoegang naar een nieuwe SIM-kaart wisselt, of gebruik een speciaal VoIP-nummer van een provider met vergelijkbare beveiliging om een [SIM-swapaanval te voorkomen](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools die wij aanbevelen](../multi-factor-authentication.md ""){.md-button} + + + +## Meer plaatsen om MFA op te zetten + +Naast het beveiligen van jouw website logins, kan multifactor authenticatie ook worden gebruikt om jouw lokale logins, SSH sleutels of zelfs wachtwoord databases te beveiligen. + + + +### Windows + +Yubico heeft een speciale [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) die Challenge-Response authenticatie toevoegt voor de gebruikersnaam + wachtwoord login flow voor lokale Windows accounts. Als je een YubiKey hebt met ondersteuning voor Challenge-Response authenticatie, kijk dan eens naar de [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), waarmee je MFA kunt instellen op jouw Windows-computer. + + + +### macOS + +macOS heeft [native ondersteuning](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) voor authenticatie met smartcards (PIV). Indien je een smartcard of een hardware beveiligingssleutel heeft die de PIV interface ondersteunt, zoals de YubiKey, raden wij je aan om de documentatie van jouw smartcard/hardware beveiligingsleverancier te volgen en tweede factor authenticatie voor jouw macOS computer in te stellen. + +Yubico heeft een gids [je YubiKey als Smart Card gebruiken in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) die je kan helpen bij het instellen van jouw YubiKey op macOS. + +Nadat jouw smartcard/security key is ingesteld, raden wij je aan dit commando in de Terminal uit te voeren: + + + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + + +Het commando zal voorkomen dat een tegenstander MFA omzeilt wanneer de computer opstart. + + + +### Linux + +!!! warning + + Als de hostnaam van jouw systeem verandert (bijvoorbeeld door DHCP), zou je niet kunnen inloggen. Het is van vitaal belang dat je een correcte hostnaam instelt voor jouw computer alvorens deze gids te volgen. + + +De `pam_u2f` module op Linux kan twee-factor authenticatie bieden om in te loggen op de meeste populaire Linux distributies. Als je een hardware beveiligingssleutel hebt die U2F ondersteunt, kun je MFA verificatie instellen voor jouw aanmelding. Yubico heeft een gids [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) die zou moeten werken op elke distributie. De commando's van de pakketbeheerder - zoals `apt-get`- en de pakketnamen kunnen echter verschillen. Deze gids is **niet** van toepassing op Qubes OS. + + + +### Qubes OS + +Qubes OS heeft ondersteuning voor Challenge-Response authenticatie met YubiKeys. Als je een YubiKey heeft met ondersteuning voor Challenge-Response authenticatie, kijk dan eens naar de Qubes OS [YubiKey documentatie](https://www.qubes-os.org/doc/yubikey/) als je MFA wilt instellen op Qubes OS. + + + +### SSH + + + +#### Hardware Veiligheidssleutels + +SSH MFA kan worden ingesteld met behulp van meerdere verschillende authenticatiemethoden die populair zijn met hardware beveiligingssleutels. Wij raden je aan om de Yubico documentatie [te raadplegen](https://developers.yubico.com/SSH/) over hoe dit in te stellen. + + + +#### Time-based One-time Password (TOTP) + +SSH MFA kan ook worden ingesteld met TOTP. DigitalOcean heeft een tutorial beschikbaar gesteld [How To Set Up MultiFactor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). De meeste dingen zouden hetzelfde moeten zijn, ongeacht de distributie, maar de commando's van de pakketbeheerder - zoals `apt-get`- en de pakketnamen kunnen verschillen. + + + +### KeePass (en KeePassXC) + +KeePass en KeePassXC databases kunnen worden beveiligd met Challenge-Response of HOTP als een tweede-factor authenticatie. Yubico heeft een document beschikbaar gesteld voor KeePass [Uw YubiKey gebruiken met KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) en er is er ook een op de [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/nl/basics/passwords-overview.md b/i18n/nl/basics/passwords-overview.md new file mode 100644 index 00000000..4665cbbe --- /dev/null +++ b/i18n/nl/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Inleiding tot wachtwoorden" +icon: 'material/form-textbox-password' +description: Dit zijn enkele tips en trucs om de sterkste wachtwoorden te maken en jouw accounts veilig te houden. +--- + +Wachtwoorden zijn een essentieel onderdeel van ons dagelijkse digitale leven. We gebruiken ze om onze accounts, onze apparaten en onze geheimen te beschermen. Hoewel ze vaak het enige zijn tussen ons en een tegenstander die uit is op onze privégegevens, wordt er niet veel aandacht aan besteed, wat er vaak toe leidt dat mensen wachtwoorden gebruiken die gemakkelijk geraden of gebruteforcet kunnen worden. + +## Best practices + +### Gebruik unieke wachtwoorden voor elke dienst + +Stel je voor: je meldt je aan voor een account met dezelfde e-mail en hetzelfde wachtwoord op meerdere online diensten. Als een van die dienstverleners kwaadwillend is, of hun dienst een datalek heeft waardoor uw wachtwoord in een onversleuteld formaat wordt vrijgegeven, hoeft een kwaadwillende alleen maar die combinatie van e-mail en wachtwoord te proberen bij meerdere populaire diensten totdat hij iets vindt. Het maakt dan niet uit hoe sterk dat ene wachtwoord is, omdat ze het al hebben. + +Dit heet [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), en het is een van de meest voorkomende manieren waarop jouw accounts kunnen worden gecompromitteerd door kwaadwillenden. Om dit te voorkomen, moet u ervoor zorgen dat u uw wachtwoorden nooit opnieuw gebruikt. + +### Gebruik willekeurig gegenereerde wachtwoorden + +==Je moet **nooit** vertrouwen op jezelf om een goed wachtwoord te bedenken.== Wij raden aan [willekeurig gegenereerde wachtwoorden](#passwords) of [diceware passphrases](#diceware-passphrases) met voldoende entropie te gebruiken om je accounts en apparaten te beschermen. + +Al onze [aanbevolen wachtwoordmanagers](../passwords.md) bevatten een ingebouwde wachtwoordgenerator die je kunt gebruiken. + +### Roterende wachtwoorden + +Wachtwoorden die je moet onthouden (zoals het hoofdwachtwoord van jouw wachtwoordmanager) moet je niet te vaak veranderen, tenzij je reden hebt om aan te nemen dat ze gecompromitteerd zijn, omdat je door ze te vaak te veranderen het risico loopt ze te vergeten. + +Als het gaat om wachtwoorden die je niet hoeft te onthouden (zoals wachtwoorden die zijn opgeslagen in jouw wachtwoordmanager), adviseren wij, als jouw [dreigingsmodel](threat-modeling.md) daarom vraagt, belangrijke accounts door te nemen (vooral accounts die geen multi-factor authenticatie gebruiken) en hun wachtwoord om de paar maanden te wijzigen, voor het geval ze zijn gecompromitteerd in een datalek dat nog niet openbaar is geworden. Bij de meeste wachtwoordmanagers kunt u een vervaldatum voor uw wachtwoord instellen om dit gemakkelijker te beheren. + +!!! tip "Controleren op datalekken" + + Als je met jouw wachtwoordmanager kunt controleren op gecompromitteerde wachtwoorden, doe dat dan en wijzig onmiddellijk alle wachtwoorden die bij een datalek bekend zijn geworden. Je kunt ook de [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) volgen met behulp van een [nieuwsaggregator](../news-aggregators.md). + +## Sterke wachtwoorden maken + +### Wachtwoorden + +Veel diensten leggen bepaalde criteria op voor wachtwoorden, zoals een minimale of maximale lengte, en welke speciale tekens eventueel mogen worden gebruikt. Gebruik de ingebouwde wachtwoordgenerator van uw wachtwoord manager om wachtwoorden te maken die zo lang en complex zijn als de dienst toelaat, met hoofdletters en kleine letters, cijfers en speciale tekens. + +Als je een wachtwoord nodig hebt dat je kunt onthouden, raden wij een [diceware wachtwoord zinnen](#diceware-passphrases) aan. + +### Diceware wachtwoord zinnen + +Diceware is een methode om wachtzinnen te maken die gemakkelijk te onthouden zijn, maar moeilijk te raden. + +Diceware passphrases zijn een geweldige optie wanneer je jouw gegevens uit het hoofd moet leren of handmatig moet invoeren, zoals voor het hoofdwachtwoord van jouw wachtwoord manager of het coderingswachtwoord van jouw apparaat. + +Een voorbeeld van een diceware wachtwoord zin is: `zichtbaar snelheid hond terughoudend zeventien weergegeven potlood`. + +Volg deze stappen om een diceware passphrase te genereren met echte dobbelstenen: + +!!! note + + Deze instructies gaan ervan uit dat je [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) gebruikt om de wachtwoord zin te genereren, waarvoor vijf dobbelsteenworpen per woord nodig zijn. Andere woordenlijsten kunnen meer of minder rollen per woord vereisen, en kunnen een ander aantal woorden nodig hebben om dezelfde entropie te bereiken. + +1. Gooi vijf keer met een zeszijdige dobbelsteen en noteer het getal na elke worp. + +2. Laten we bijvoorbeeld zeggen dat u `2-5-2-6-6`heeft gerold. Zoek in de grote woordenlijst van [EFF](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) naar het woord dat overeenkomt met `25266`. + +3. U vindt het woord `gecodeerd`. Schrijf dat woord op. + +4. Herhaal dit proces totdat jouw wachtwoord zoveel woorden bevat als je nodig hebt, die je moet scheiden met een spatie. + +!!! warning "Belangrijk" + + Je moet **niet** opnieuw woorden rollen totdat je een combinatie van woorden krijgt die je aanspreekt. Het proces moet volledig willekeurig zijn. + +Als je geen toegang hebt tot of liever geen echte dobbelstenen gebruikt, kunt je de ingebouwde wachtwoordgenerator van jouw wachtwoord manager gebruiken, omdat de meeste daarvan de optie hebben om naast gewone wachtwoorden ook diceware wachtwoord zinnen te genereren. + +Wij adviseren het gebruik van [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) om jouw diceware wachtwoord zinnen te genereren, omdat het exact dezelfde veiligheid biedt als de originele lijst, terwijl het woorden bevat die gemakkelijker te onthouden zijn. Er zijn ook [andere woordenlijsten in verschillende talen](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), als u niet wilt dat uw wachtwoord in het Engels is. + +??? note "Uitleg van entropie en sterkte van diceware wachtwoord zinnen" + + Om aan te tonen hoe sterk diceware wachtwoord zin zijn, gebruiken we de eerder genoemde wachtwoord zin van zeven woorden (`kijkbaar snel terughoudend hond zeventien getoond potlood`) en [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) als voorbeeld. + + Eén meting om de sterkte van een wachtwoord zin te bepalen is hoeveel entropie het heeft. De entropie per woord in een diceware wachtwoord zin wordt berekend als $\text{log}_2(\text{WordsInList})$ en de totale entropie van de wachtwoord zin wordt berekend als $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Daarom resulteert elk woord in de bovengenoemde lijst in ~12,9 bits entropie ($\text{log}_2(7776)$), en een daarvan afgeleide wachtwoord zin van zeven woorden heeft ~90,47 bits entropie ($\text{log}_2(7776^7)$). + + De [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) bevat 7776 unieke woorden. Om het aantal mogelijke passphrases te berekenen, hoeven we alleen maar $\text{WordsInList}^\text{WordsInPhrase}$, of in ons geval, $7776^7$, uit te rekenen. + + Laten we dit alles in perspectief plaatsen: Een passphrase van zeven woorden met [EFF's grote woordenlijst](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is één van ~1,719,070,799,748,422,500,000,000,000 mogelijke wachtwoord zinnen. + + Gemiddeld duurt het proberen van 50% van alle mogelijke combinaties om uw zin te raden. Met dat in gedachten, zelfs als uw tegenstander in staat is tot ~1.000.000.000.000 raden per seconde, zou het hem nog steeds ~27.255.689 jaar kosten om uw wachtwoord te raden. Zelfs als de volgende dingen waar zijn: + + - Je tegenstander weet dat je de diceware-methode hebt gebruikt. + - Je tegenstander kent de specifieke woordenlijst die je gebruikt hebt. + - Jouw tegenstander weet hoeveel woorden jouw wachtwoord bevat. + +Kortom, diceware wachtzinnen zijn jouw beste optie wanneer je iets nodig hebt dat zowel gemakkelijk te onthouden is *als* uitzonderlijk sterk. + +## Wachtwoorden opslaan + +### Wachtwoordmanagers + +De beste manier om jouw wachtwoorden op te slaan is met behulp van een wachtwoordmanager. Hiermee kunt je jouw wachtwoorden opslaan in een bestand of in de cloud en ze beschermen met een enkel hoofdwachtwoord. Op die manier hoeft u maar één sterk wachtwoord te onthouden, waarmee je toegang krijgt tot de rest. + +Er zijn veel goede opties om uit te kiezen, zowel cloud-gebaseerd als lokaal. Kies een van onze aanbevolen wachtwoordbeheerders en gebruik deze om sterke wachtwoorden in te stellen voor al jouw accounts. Wij raden je aan om jouw wachtwoordmanager te beveiligen met een [diceware wachtwoord zin](#diceware-passphrases) bestaande uit ten minste zeven woorden. + +[Lijst van aanbevolen wachtwoordmanagers](../passwords.md ""){.md-button} + +!!! warning "Plaats uw wachtwoorden en TOTP-tokens niet in dezelfde wachtwoordmanager" + + Wanneer je TOTP-codes gebruikt als [multi-factor authenticatie](../multi-factor-authentication.md), is de beste beveiligingspraktijk om jouw TOTP-codes in een [aparte app] te bewaren(../multi-factor-authentication.md#authenticator-apps). + + Het opslaan van jouw TOTP-tokens op dezelfde plaats als jouw wachtwoorden is weliswaar handig, maar beperkt de accounts tot één factor in het geval dat een tegenstander toegang krijgt tot jouw wachtwoord manager. + + Verder raden wij af om herstelcodes voor eenmalig gebruik op te slaan in uw wachtwoord manager. Deze moeten apart worden opgeslagen, zoals in een versleutelde container op een offline opslagapparaat. + +### Back-ups + +Je moet een [gecodeerde](../encryption.md) back-up van jouw wachtwoorden opslaan op meerdere opslagapparaten of een cloud-opslagprovider. Dit kan nuttig zijn als er iets gebeurt met jouw toestel of de dienst die je gebruikt. diff --git a/i18n/nl/basics/threat-modeling.md b/i18n/nl/basics/threat-modeling.md new file mode 100644 index 00000000..a010348c --- /dev/null +++ b/i18n/nl/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Bedreiging Modellering" +icon: 'material/target-account' +description: Een evenwicht vinden tussen veiligheid, privacy en gebruiksvriendelijkheid is een van de eerste en moeilijkste taken die je op jouw privacyreis tegenkomt. +--- + +Een evenwicht vinden tussen veiligheid, privacy en gebruiksvriendelijkheid is een van de eerste en moeilijkste taken die je op jouw privacyreis tegenkomt. Alles is een afweging: hoe veiliger iets is, hoe beperkter of onhandiger het over het algemeen is, enzovoort. Vaak vinden mensen het probleem met de hulpmiddelen die ze aanbevolen zien, dat ze gewoon te moeilijk zijn om te beginnen gebruiken! + +Als je de **meest** veilige tools wilt gebruiken, moet je *veel* gebruiksgemak opofferen. En zelfs dan, ==niets is ooit volledig veilig.== Er is **hoge** veiligheid, maar nooit **volledige** veiligheid. Daarom zijn dreigingsmodellen belangrijk. + +**Dus, wat zijn deze dreigingsmodellen eigenlijk?** + +==Een bedreigingsmodel is een lijst van de meest waarschijnlijke bedreigingen voor uw veiligheid/privacy inspanningen.== Aangezien het onmogelijk is om jezelf te beschermen tegen **elke** aanval(er), moet je je richten op de **meest waarschijnlijke** bedreigingen. In computerbeveiliging is een bedreiging een potentiële gebeurtenis die jouw inspanningen om privé en veilig te blijven kan ondermijnen. + +Door je te concentreren op de bedreigingen die voor je van belang zijn, kun je beter nadenken over de bescherming die je nodig hebt, zodat je de juiste hulpmiddelen kunt kiezen. + +## Het creëren van jouw dreigingsmodel + +Om na te gaan wat er zou kunnen gebeuren met de dingen die je waardeert en om te bepalen tegen wie je ze moet beschermen, moet je deze vijf vragen beantwoorden: + +1. Wat wil ik beschermen? +2. Tegen wie wil ik het beschermen? +3. Hoe groot is de kans dat ik het zal moeten beschermen? +4. Hoe erg zijn de gevolgen als ik faal? +5. Hoeveel moeite ben ik bereid te doen om mogelijke gevolgen te voorkomen? + +### Wat wil ik beschermen? + +==Een "asset" is iets waar je waarde aan hecht en dat je wilt beschermen.== In de context van digitale beveiliging is een asset meestal een soort informatie. Bijvoorbeeld, uw e-mails, contactlijsten, instant-berichten, locatie en bestanden zijn allemaal mogelijke assets. Jouw apparaten zelf kunnen ook activa zijn. + +*Maak een lijst van jouw assets: gegevens die je bewaart, waar ze worden bewaard, wie er toegang toe heeft en wat anderen ervan weerhoudt er toegang toe te krijgen.* + +### Tegen wie wil ik het beschermen? + +Om deze vraag te beantwoorden, is het belangrijk na te gaan wie je of jouw informatie als doelwit zou willen gebruiken. ==Een persoon of entiteit die een bedreiging vormt voor jouw bezittingen is een "tegenstander".== Voorbeelden van potentiële tegenstanders zijn jouw baas, jouw voormalige partner, jouw zakelijke concurrentie, jouw regering, of een hacker op een openbaar netwerk. + +*Maak een lijst van jouw tegenstanders, of van degenen die jouw bezittingen in handen zouden willen krijgen. Jouw lijst kan personen, een overheidsinstantie of bedrijven omvatten.* + +Afhankelijk van wie ujouw tegenstanders zijn, kan deze lijst onder bepaalde omstandigheden iets zijn dat je wilt vernietigen nadat je klaar bent met de beveiligingsplanning. + +### Hoe groot is de kans dat ik het zal moeten beschermen? + +==Risico is de kans dat een bepaalde dreiging tegen een bepaald goed zich voordoet.== Het gaat hand in hand met vermogen. Hoewel jouw mobiele-telefoonprovider toegang heeft tot al jouw gegevens, is het risico klein dat hij jouw privégegevens online plaatst om jouw reputatie te schaden. + +Het is belangrijk onderscheid te maken tussen wat zou kunnen gebeuren en de waarschijnlijkheid dat het gebeurt. Er bestaat bijvoorbeeld een risico dat jouw gebouw instort, maar het risico dat dit gebeurt is veel groter in San Francisco (waar aardbevingen vaak voorkomen) dan in Stockholm (waar dit niet het geval is). + +Risico's inschatten is zowel een persoonlijk als een subjectief proces. Veel mensen vinden bepaalde bedreigingen onaanvaardbaar, ongeacht de waarschijnlijkheid dat zij zich zullen voordoen, omdat alleen al de aanwezigheid van de bedreiging, ongeacht de waarschijnlijkheid, de kosten niet waard is. In andere gevallen veronachtzamen mensen grote risico's omdat ze de dreiging niet als een probleem zien. + +*Schrijf op welke bedreigingen je serieus gaat nemen, en welke te zeldzaam of te onschuldig zijn (of te moeilijk te bestrijden) om je zorgen over te maken.* + +### Hoe erg zijn de gevolgen als ik faal? + +Er zijn vele manieren waarop een tegenstander toegang tot jouw gegevens kan krijgen. Een tegenstander kan bijvoorbeeld jouw privécommunicatie lezen terwijl die door het netwerk gaat, of hij kan jouw gegevens wissen of beschadigen. + +Een regering die de verspreiding van een video met politiegeweld wil verhinderen, kan ermee volstaan die video te verwijderen of de beschikbaarheid ervan te beperken. Daarentegen kan een politieke tegenstander toegang willen krijgen tot geheime inhoud en die inhoud publiceren zonder dat je dat weet. + +Bij beveiligingsplanning gaat het erom te begrijpen wat de gevolgen kunnen zijn als een tegenstander zich met succes toegang verschaft tot een van jouw bedrijfsmiddelen. Om dit te bepalen, moet je het vermogen van jouw tegenstander in overweging nemen. De provider van jouw mobiele telefoon heeft bijvoorbeeld toegang tot al jouw telefoongegevens. Een hacker op een open Wi-Fi-netwerk kan toegang krijgen tot jouw onversleutelde communicatie. Jouw regering heeft misschien meer mogelijkheden. + +*Schrijf op wat je tegenstander zou willen doen met je privégegevens.* + +### Hoeveel moeite ben ik bereid te doen om mogelijke gevolgen te voorkomen? + +==Er is geen perfecte optie voor beveiliging.== Niet iedereen heeft dezelfde prioriteiten, zorgen, of toegang tot middelen. Aan de hand van jouw risicobeoordeling kun je de juiste strategie voor je uitstippelen, waarbij gemak, kosten en privacy met elkaar in evenwicht worden gebracht. + +Een advocaat die een cliënt vertegenwoordigt in een zaak van nationale veiligheid zal bijvoorbeeld bereid zijn meer moeite te doen om de communicatie over die zaak te beschermen, zoals het gebruik van gecodeerde e-mail, dan een moeder die haar dochter regelmatig grappige kattenvideo's e-mailt. + +*Schrijf op welke opties je hebt om jouw unieke bedreigingen te beperken. Noteer of je financiële, technische of sociale beperkingen hebt.* + +### Probeer het zelf: Bescherm jouw bezittingen + +Deze vragen kunnen van toepassing zijn op een groot aantal situaties, online en offline. Laten we, als algemene demonstratie van hoe deze vragen werken, een plan opstellen om jouw huis en bezittingen veilig te stellen. + +**Wat wil je beschermen? (Of *wat heb je dat de moeite waard is om te beschermen?*)** +: + +Jouw bezittingen kunnen juwelen, elektronica, belangrijke documenten of foto's zijn. + +**Tegen wie wil je het beschermen?** +: + +Jouw tegenstanders kunnen inbrekers, huisgenoten of gasten zijn. + +**Hoe groot is de kans dat je het zult moeten beschermen?** +: + +Heeft jouw buurt een geschiedenis van inbraken? Hoe betrouwbaar zijn jouw huisgenoten/gasten? Wat zijn de capaciteiten van jouw tegenstanders? Wat zijn de risico's waarmee je rekening moet houden? + +**Hoe erg zijn de gevolgen als je faalt?** +: + +Heeft je iets in jouw huis dat je niet kunt vervangen? Heb je de tijd of het geld om deze dingen te vervangen? Heb je een verzekering die goederen dekt die uit jouw huis zijn gestolen? + +**Hoeveel moeite bent je bereid te doen om deze gevolgen te voorkomen?** +: + +Ben je bereid een kluis te kopen voor gevoelige documenten? Kun je je het veroorloven een slot van hoge kwaliteit te kopen? Heb je de tijd om een kluisje te openen bij jouw plaatselijke bank en jouw waardevolle spullen daar te bewaren? + +Pas als je jezelf deze vragen hebt gesteld, zal je kunnen beoordelen welke maatregelen je moet nemen. Als jouw bezittingen waardevol zijn, maar de kans op inbraak klein, dan wil je misschien niet te veel geld investeren in een slot. Maar als de kans op inbraak groot is, wil je het beste slot op de markt en overweeg je een beveiligingssysteem toe te voegen. + +Het opstellen van een beveiligingsplan zal je helpen inzicht te krijgen in de bedreigingen die uniek zijn voor je en een evaluatie te maken van jouw assets, jouw tegenstanders en de mogelijkheden van jouw tegenstanders, samen met de waarschijnlijkheid van de risico's waarmee je wordt geconfronteerd. + +## Meer lezen + +Voor mensen die hun privacy en veiligheid online willen vergroten, hebben we een lijst samengesteld van veelvoorkomende bedreigingen waarmee onze bezoekers te maken krijgen of doelen die onze bezoekers hebben, om je wat inspiratie te geven en de basis van onze aanbevelingen te laten zien. + +- [Gemeenschappelijke doelstellingen en bedreigingen :material-arrow-right-drop-circle:](common-threats.md) + +## Bronnen + +- [EFF Surveillance Zelfverdediging: Jouw Beveiligingsplan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/nl/basics/vpn-overview.md b/i18n/nl/basics/vpn-overview.md new file mode 100644 index 00000000..baa7229f --- /dev/null +++ b/i18n/nl/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN-overzicht +icon: material/vpn +description: Virtual Private Networks verleggen het risico van jouw ISP naar een derde partij die je vertrouwt. Je moet deze dingen in gedachten houden. +--- + +Virtual Private Networks zijn een manier om het einde van jouw netwerk uit te breiden tot een uitgang ergens anders in de wereld. Een ISP kan de stroom van internetverkeer zien dat jouw netwerkaansluitapparaat (d.w.z. modem) binnenkomt en verlaat. + +Encryptieprotocollen zoals HTTPS worden algemeen gebruikt op het internet, zodat zij misschien niet precies kunnen zien wat je post of leest, maar zij kunnen wel een idee krijgen van de [domeinen die je opvraagt](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +Een VPN kan helpen omdat het vertrouwen kan verschuiven naar een server ergens anders in de wereld. Het resultaat is dat de ISP dan alleen ziet dat je verbonden bent met een VPN en niets over de activiteit die je erin doorgeeft. + +## Moet ik een VPN gebruiken? + +**Ja**, tenzij je Tor al gebruikt. Een VPN doet twee dingen: het verschuift de risico's van jouw Internet Service Provider naar zichzelf en het verbergt jouw IP voor een dienst van derden. + +VPN's kunnen geen gegevens versleutelen buiten de verbinding tussen jouw toestel en de VPN-server. VPN providers kunnen jouw verkeer zien en wijzigen op dezelfde manier als jouw ISP dat kan. En er is geen enkele manier om het "no logging" beleid van een VPN provider te verifiëren. + +Zij verbergen echter wel jouw werkelijke IP-adres voor een dienst van derden, op voorwaarde dat er geen IP-lekken zijn. Ze helpen je op te gaan in anderen en IP-gebaseerde opsporing te beperken. + +## Wanneer zou ik geen VPN moeten gebruiken? + +Het gebruik van een VPN in gevallen waarin je jouw [bekende identiteit](common-threats.md#common-misconceptions) gebruikt, is waarschijnlijk niet nuttig. + +Dit kan spam- en fraudedetectiesystemen alarmeren, zoals wanneer je zou inloggen op de website van uw bank. + +## Hoe zit het met encryptie? + +De encryptie die door VPN-aanbieders wordt aangeboden, bevindt zich tussen jouw apparaten en hun servers. Het garandeert dat deze specifieke link veilig is. Dit is een stap verder dan het gebruik van onversleutelde proxies, waarbij een tegenstander op het netwerk de communicatie tussen jouw apparaten en deze proxies kan onderscheppen en wijzigen. De versleuteling tussen jouw apps of browsers en de dienstverleners wordt echter niet door deze versleuteling afgehandeld. + +Om wat je doet op de websites die je bezoekt privé en veilig te houden, moet je HTTPS gebruiken. Dit houdt jouw wachtwoorden, sessietokens en zoekopdrachten veilig voor de VPN-provider. Overweeg om "HTTPS everywhere" in jouw browser in te schakelen om downgrade-aanvallen zoals [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf)tegen te gaan. + +## Moet ik versleutelde DNS gebruiken met een VPN? + +Tenzij jouw VPN-provider de versleuteldeDNS-servers host, **nee**. Het gebruik van DOH/DOT (of een andere vorm van versleutelde DNS) met servers van derden zal gewoon meer entiteiten toevoegen om te vertrouwen en doet **absoluut niets** om jouw privacy/veiligheid te verbeteren. Jouw VPN-provider kan nog steeds zien welke websites je bezoekt op basis van de IP-adressen en andere methoden. In plaats van alleen jouw VPN-provider te vertrouwen, vertrouwt je nu zowel de VPN-provider als de DNS-provider. + +Een veelgehoorde reden om versleutelde DNS aan te bevelen is dat het helpt tegen DNS spoofing. Jouw browser zou echter al moeten controleren op [TLS-certificaten](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) met **HTTPS** en je daarvoor moeten waarschuwen. Als je **HTTPS** niet gebruikt, dan kan een tegenstander nog steeds gewoon iets anders dan jouw DNS-query's wijzigen en zal het eindresultaat weinig anders zijn. + +Niet onnodig te zeggen, **dat je geen versleutelde DNS moet gebruiken met Tor**. Dit zou al jouw DNS-verzoeken via één enkel circuit leiden en de gecodeerde DNS-provider in staat stellen je te deanonimiseren. + +## Moet ik Tor *gebruiken en* een VPN? + +Door een VPN met Tor te gebruiken, creëer je in wezen een permanent toegangsknooppunt, vaak met een geldspoor eraan vast. Dit levert je geen enkel extra voordeel op, terwijl het aanvalsoppervlak van jouw verbinding drastisch wordt vergroot. Als je je Tor gebruik wilt verbergen voor je ISP of je overheid, dan heeft Tor daar een ingebouwde oplossing voor: Tor bridges. [Lees meer over Tor bridges en waarom het gebruik van een VPN niet nodig is](../advanced/tor-overview.md). + +## Wat als ik anonimiteit nodig heb? + +VPN's kunnen geen anonimiteit bieden. Jouw VPN-provider ziet nog steeds jouw echte IP-adres, en heeft vaak een geldspoor dat direct naar u kan worden teruggeleid. Je kunt niet vertrouwen op een "no logging"-beleid om jouw gegevens te beschermen. Gebruik in plaats daarvan [Tor](https://www.torproject.org/). + +## Hoe zit het met VPN providers die Tor nodes aanbieden? + +Gebruik die functie niet. Het punt van het gebruik van Tor is dat je je VPN provider niet vertrouwt. Momenteel ondersteunt Tor alleen het [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (gebruikt in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) voor het delen van spraak en video, het nieuwe [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, enz.), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) en andere pakketten zullen worden gedropt. Om dit te compenseren, routeren VPN-aanbieders gewoonlijk alle niet-TCP-pakketten via hun VPN-server (je eerste hop). Dit is het geval met [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Bovendien, wanneer je deze Tor over VPN setup gebruikt, heb je geen controle over andere belangrijke Tor functies zoals [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (een ander Tor circuit gebruiken voor elk domein dat je bezoekt). + +De functie moet gezien worden als een handige manier om toegang te krijgen tot het Tor Netwerk, niet om anoniem te blijven. Gebruik voor echte anonimiteit de Tor Browser, TorSocks of een Tor gateway. + +## Wanneer zijn VPN's nuttig? + +Een VPN kan nog steeds nuttig zijn voor je in een aantal scenario's, zoals: + +1. Het verbergen van jouw verkeer van **is alleen** jouw Internet Service Provider. +1. Het verbergen van je downloads (zoals torrents) voor je ISP en anti-piraterij organisaties. +1. Het verbergen van jouw IP-adres voor websites en diensten van derden, zodat IP-gebaseerde tracering wordt voorkomen. + +Voor dit soort situaties, of als je een andere dwingende reden hebt, zijn de VPN-providers die we hierboven hebben opgesomd volgens ons de meest betrouwbare. Het gebruik van een VPN-provider betekent echter nog steeds dat je *vertrouwt op* de provider. In vrijwel elk ander scenario zou je een veilige **"by-design"** tool zoals Tor moeten gebruiken. + +## Bronnen en verdere lectuur + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) door Dennis Schubert +1. [Tor Netwerk Overzicht](../advanced/tor-overview.md) +1. [IVPN Privacy Gidsen](https://www.ivpn.net/privacy-guides) +1. ["Heb ik een VPN nodig?"](https://www.doineedavpn.com), een tool ontwikkeld door IVPN om agressieve VPN-marketing uit te dagen door mensen te helpen beslissen of een VPN geschikt is voor hen. + +## Verwante VPN-informatie + +- [Het probleem met VPN- en privacybeoordelingssites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Gratis VPN-app onderzoek](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Verborgen VPN-eigenaars onthuld: 101 VPN-producten van slechts 23 bedrijven](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [Dit Chinese bedrijf zit in het geheim achter 24 populaire apps die gevaarlijke toestemmingen zoeken](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/nl/calendar.md b/i18n/nl/calendar.md new file mode 100644 index 00000000..295b2d48 --- /dev/null +++ b/i18n/nl/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Kalendersynchronisatie" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Kalenders en contactpersonen bevatten enkele van jouw gevoeligste gegevens; gebruik producten die E2EE in rust implementeren om te voorkomen dat een provider ze kan lezen. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** biedt een gratis en gecodeerde kalender op hun ondersteunde platforms. Functies zijn onder meer: automatische E2EE van alle gegevens, functies voor delen, import-/exportfunctionaliteit, multifactorauthenticatie, en [more](https://tutanota.com/calendar-app-comparison/). + + Meerdere kalenders en uitgebreide functionaliteit voor delen zijn beperkt tot betalende abonnees. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Broncode" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is een versleutelde kalenderdienst die beschikbaar is voor Proton-leden via web- of mobiele clients. Functies zijn onder meer: automatische E2EE van alle gegevens, functies voor delen, import/export-functionaliteit, en [more](https://proton.me/support/proton-calendar-guide). Gratis abonnees krijgen toegang tot één agenda, terwijl betalende abonnees tot 20 agenda's kunnen aanmaken. De uitgebreide functionaliteit voor delen is ook beperkt tot betaalde abonnees. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimum kwalificaties + +- Moet informatie synchroniseren en opslaan met E2EE om ervoor te zorgen dat gegevens niet zichtbaar zijn voor de dienstverlener. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet integreren met native OS agenda en contact management apps indien van toepassing. diff --git a/i18n/nl/cloud.md b/i18n/nl/cloud.md new file mode 100644 index 00000000..93961495 --- /dev/null +++ b/i18n/nl/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud opslag" +icon: material/file-cloud +description: Veel aanbieders van cloud-opslag eisen jouw volledige vertrouwen dat zij niet in jouw bestanden zullen kijken. Dit zijn de privé alternatieven! +--- + +Veel aanbieders van cloud-opslag eisen jouw volledige vertrouwen dat zij niet in jouw bestanden zullen kijken. De onderstaande alternatieven elimineren de noodzaak van vertrouwen door veilige E2EE te implementeren. + +Als deze alternatieven niet aan jouw behoeften voldoen, raden wij je aan te kijken naar het gebruik van encryptiesoftware zoals [Cryptomator](encryption.md#cryptomator-cloud) met een andere cloud provider. Het gebruik van Cryptomator in combinatie met **elke** cloud provider (inclusief deze) kan een goed idee zijn om het risico van versleutelingsfouten in de native clients van een provider te verminderen. + +??? question "Op zoek naar Nextcloud?" + + Nextcloud is [nog steeds een aanbevolen tool](productivity.md) voor het zelf hosten van een bestandsbeheersuite, maar we bevelen momenteel geen opslagproviders van derden aan, omdat we de ingebouwde E2EE-functionaliteit van Nextcloud niet aanbevelen voor thuisgebruikers. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is een E2EE algemene bestandsopslagdienst van de populaire versleutelde e-mailprovider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +De Proton Drive webapplicatie is onafhankelijk gecontroleerd door Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), volledige details werden niet beschikbaar gesteld, maar in de verklaring van Securitum staat: + +> De controleurs ontdekten twee zwakke plekken met een lage ernstgraad. Daarnaast werden vijf algemene aanbevelingen gedaan. Tegelijkertijd bevestigen wij dat tijdens de pentest geen belangrijke beveiligingsproblemen zijn vastgesteld. + +De gloednieuwe mobiele klanten van Proton Drive zijn nog niet publiekelijk gecontroleerd door een derde partij. + +## Tresorit + +!!! recommendation + + Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is een Hongaarse aanbieder van versleutelde cloud-opslag, opgericht in 2011. Tresorit is eigendom van de Zwitserse Post, de nationale postdienst van Zwitserland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentatie} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit heeft een aantal onafhankelijke beveiligingsaudits ontvangen: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Conformiteit [Certificering](https://www.certipedia.com/quality_marks/9108644476) door TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetratietesten door Computest + - Bij deze evaluatie is de beveiliging van de Tresorit webclient, Android app, Windows app en bijbehorende infrastructuur beoordeeld. + - Computest ontdekte twee kwetsbaarheden die zijn opgelost. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetratie testen door Ernst & Young. + - Deze evaluatie analyseerde de volledige broncode van Tresorit en bevestigde dat de implementatie overeenkomt met de concepten die zijn beschreven in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young testte bovendien de web-, mobiele en desktopclients: "Testresultaten vonden geen afwijking van Tresorit's claims over de vertrouwelijkheid van gegevens." + +Ze hebben ook het Digital Trust Label ontvangen, een certificering van het [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) waarvoor ze moeten voldoen aan [35 criteria](https://digitaltrust-label.swiss/criteria/) met betrekking tot veiligheid, privacy en betrouwbaarheid. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Moet end-to-end encryptie afdwingen. +- Moet een gratis plan of proefperiode aanbieden om te testen. +- Moet TOTP of FIDO2 multi-factor authenticatie ondersteunen, of Passkey-logins. +- Moet een webinterface bieden die basisfuncties voor bestandsbeheer ondersteunt. +- Moet gemakkelijke export van alle bestanden/documenten mogelijk maken. +- Gebruik standaard gecontroleerde versleuteling. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Clients moeten open-source zijn. +- Clients moeten in hun geheel door een onafhankelijke derde partij worden gecontroleerd. +- Moet native clients aanbieden voor Linux, Android, Windows, macOS en iOS. + - Deze clients moeten integreren met native OS tools voor cloud storage providers, zoals Files app integratie op iOS, of DocumentsProvider functionaliteit op Android. +- Moet het gemakkelijk delen van bestanden met andere gebruikers ondersteunen. +- Moet ten minste een basisfunctionaliteit voor het bekijken en bewerken van bestanden op de webinterface bieden. + +[^1]: [De naleving van ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 heeft betrekking op het beheersysteem voor informatiebeveiliging van het bedrijf [](https://en.wikipedia.org/wiki/Information_security_management) en heeft betrekking op de verkoop, de ontwikkeling, het onderhoud en de ondersteuning van hun clouddiensten. diff --git a/i18n/nl/cryptocurrency.md b/i18n/nl/cryptocurrency.md new file mode 100644 index 00000000..2b2412b5 --- /dev/null +++ b/i18n/nl/cryptocurrency.md @@ -0,0 +1,58 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Online betalen is een van de grootste uitdagingen voor privacy. Deze cryptocurrencies bieden standaard transactieprivacy (iets wat door de meeste cryptocurrencies **niet** wordt gegarandeerd), mits je goed begrijpt hoe je private betalingen effectief kunt uitvoeren. Wij raden je sterk aan eerst ons overzichtsartikel over betalingen te lezen voordat je aankopen doet: + +[Privébetalingen maken :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger "Gevaar" + + Veel zo niet de meeste cryptocurrency projecten zijn zwendel. Voer transacties zorgvuldig uit met alleen projecten die je vertrouwt. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** gebruikt een blockchain met privacyverbeterende technologieën die transacties versluieren om anonimiteit te bereiken. Elke Monero-transactie verbergt het transactiebedrag, het verzenden en ontvangen van adressen en de bron van fondsen zonder hoepels om doorheen te springen, waardoor het een ideale keuze is voor beginners met cryptocurrency. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +Met Monero kunnen externe waarnemers geen adressen ontcijferen die handelen in Monero, transactiebedragen, adresbalansen of transactiegeschiedenissen. + +Voor optimale privacy, zorg ervoor dat je een noncustodial wallet gebruikt waar de view key op het apparaat blijft. Dit betekent dat alleen jij je geld kunt uitgeven en de inkomende en uitgaande transacties kunt zien. Als je een custodial wallet gebruikt, kan de provider **alles zien wat** je doet; als je een "lichtgewicht" wallet gebruikt waarbij de provider jouw privé view key bewaard, kan de provider bijna alles zien wat u doet. Sommige niet-custodiale wallets omvatten: + +- [Officiële Monero-client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet ondersteunt meerdere cryptocurrencies. Een Monero-only versie van Cake Wallet is beschikbaar op [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +Voor maximale privacy (zelfs met een niet-custodiale wallet) moet je jouw eigen Monero-knooppunt beheren. Als je een knooppunt van een ander gebruikt, krijgt hij enige informatie, zoals het IP-adres van waaruit je verbinding maakt, de tijdstempels waarmee je jouw portemonnee synchroniseert, en de transacties die je vanuit jouw portemonnee verstuurt (maar geen andere details over die transacties). Als alternatief kun je via Tor of i2p verbinding maken met het Monero-knooppunt van iemand anders. + +In augustus 2021 kondigde CipherTrace [](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) verbeterde Monero-tracing-mogelijkheden aan voor overheidsinstanties. Uit openbare berichten blijkt dat het Financial Crimes Enforcement Network van het Amerikaanse ministerie van Financiën [eind 2022 een licentie heeft verleend aan](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module". + +De privacy van de Monero-transactiegrafiek wordt beperkt door de relatief kleine ringhandtekeningen, vooral tegen gerichte aanvallen. De privacyfuncties van Monero zijn ook + +in twijfel getrokken door sommige beveiligingsonderzoekers, en in het verleden zijn een aantal ernstige kwetsbaarheden gevonden en gepatcht, dus de beweringen van organisaties als CipherTrace zijn niet uitgesloten. Hoewel het onwaarschijnlijk is dat er voor Monero massa surveillance instrumenten bestaan zoals voor Bitcoin en andere, is het zeker dat opsporingstools helpen bij gerichte onderzoeken.

+ +Uiteindelijk is Monero de sterkste mededinger voor een privacyvriendelijke cryptocurrency, maar zijn privacyclaims zijn **niet** definitief bewezen. Er is meer tijd en onderzoek nodig om te beoordelen of Monero weerbaar genoeg is tegen aanvallen om altijd voldoende privacy te bieden. + + + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + + +- Cryptocurrency moet standaard private/ontraceerbare transacties bieden. diff --git a/i18n/nl/data-redaction.md b/i18n/nl/data-redaction.md new file mode 100644 index 00000000..93075d3f --- /dev/null +++ b/i18n/nl/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Redactie van gegevens en metagegevens" +icon: material/tag-remove +description: Gebruik deze hulpmiddelen om metadata zoals GPS-locatie en andere identificerende informatie te verwijderen uit foto's en bestanden die je deelt. +--- + +Wanneer je bestanden deelt, is het belangrijk om de bijbehorende metadata te verwijderen. Afbeeldingsbestanden bevatten vaak [Exif](https://en.wikipedia.org/wiki/Exif) data. Foto's bevatten soms zelfs GPS-coördinaten in de metadata van het bestand. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is vrije software, waarmee de metadata uit beeld-, audio-, torrent- en documentbestanden kan worden verwijderd. Het biedt zowel een opdrachtregelprogramma als een grafische gebruikersinterface via een [extensie voor Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), de standaard bestandsbeheerder van [GNOME](https://www.gnome.org), en [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), de standaard bestandsbeheerder van [KDE](https://kde.org). + + Voor Linux bestaat een grafisch hulpprogramma van derden [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) op basis van MAT2, dat [beschikbaar is op Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentatie} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobiel + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is een moderne, toestemmingsvrije applicatie voor het verwijderen van metadata in afbeeldingen voor Android. + + Het ondersteunt momenteel JPEG-, PNG- en WebP-bestanden. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +De metagegevens die worden gewist, hangen af van het bestandstype van de afbeelding: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources en XMP/ExtendedXMP metadata worden gewist als ze bestaan. +* **PNG**: ICC Profile, Exif en XMP metadata worden gewist als ze bestaan. +* **WebP**: ICC Profile, Exif en XMP metadata zullen worden gewist als ze bestaan. + +Na het verwerken van de afbeeldingen, geeft ExifEraser je een volledig overzicht over wat er precies uit elke afbeelding is verwijderd. + +De app biedt meerdere manieren om metadata uit afbeeldingen te wissen. Namelijk: + +* Je kunt een afbeelding vanuit een andere toepassing delen met ExifEraser. +* Via de app zelf kan je een enkele afbeelding, meerdere afbeeldingen tegelijk of zelfs een hele map selecteren. +* Het heeft een "Camera"-optie, die de camera-app van je besturingssysteem gebruikt om een foto te maken, en vervolgens de metadata ervan verwijdert. +* Het laat je foto's uit een ander programma naar ExifEraser slepen wanneer beide programma's in split-screen modus geopend zijn. +* Als laatste kan je een afbeelding uit het klembord plakken. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + Metapho geeft eenvoudige en nette weergave van de afbeeldingsmetadata zoals datum, bestandsnaam, grootte, camera model, sluitertijd, en locatie. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is een gratis app die gevoelige delen van foto's kan vervagen voordat je ze online deelt. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + Je moet **nooit** vervaging gebruiken om [tekst in afbeeldingen](https://bishopfox.com/blog/unredacter-tool-never-pixelation) te redigeren. Als u tekst in een afbeelding wilt redigeren, tekent u een kader over de tekst. Hiervoor stellen wij apps voor zoals [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is de originele perl library en command-line applicatie voor het lezen, schrijven en bewerken van metadata (Exif, IPTC, XMP, en meer) in een groot aantal bestandsformaten (JPEG, TIFF, PNG, PDF, RAW, en meer). + + Het is vaak een onderdeel van andere Exif verwijderingsprogramma's en staat in de repositories van de meeste Linux distributies. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Broncode" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Verwijder alle metadata uit een map met bestanden" + + ```bash + exiftool -all= *.bestands_extensie + ``` + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Apps ontwikkeld voor open-source besturingssystemen moeten open-source zijn. +- Apps moeten gratis zijn en mogen geen advertenties of andere beperkingen bevatten. diff --git a/i18n/nl/desktop-browsers.md b/i18n/nl/desktop-browsers.md new file mode 100644 index 00000000..4d63089c --- /dev/null +++ b/i18n/nl/desktop-browsers.md @@ -0,0 +1,363 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Aanbevelingen voor privé desktopbrowsers + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Dit zijn momenteel onze aanbevolen mobiele webbrowsers en configuraties. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat je de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-Uchnm34/m/lDaXwQhzBAAJ) site-isolatie. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox-logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** biedt krachtige privacy-instellingen zoals [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), die kunnen helpen bij het blokkeren van verschillende [soorten tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentatie} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Broncode" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox bevat een uniek [downloadtoken](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads van Mozilla's website en gebruikt telemetrie in Firefox om het token te verzenden. Het token is **niet** opgenomen in uitgaven van de [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Aanbevolen configuratie + +Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Privacy & Beveiliging**. + +##### Verbeterde traceringsbescherming + +- [x] Select **Strict** Verbeterde traceringsbescherming + +Dit beschermt je door het blokkeren van social media trackers, fingerprinting scripts (merk op dat dit je niet beschermt tegen *alle* fingerprinting), cryptominers, cross-site tracking cookies, en sommige andere tracking content. ETP beschermt tegen veel voorkomende bedreigingen, maar blokkeert niet alle tracking-wegen omdat het is ontworpen om de bruikbaarheid van de site zo min mogelijk of helemaal niet te beïnvloeden. + +##### Saneren bij sluiten + +Als je op bepaalde sites aangemeld wilt blijven, kunt je uitzonderingen toestaan in **Cookies en Sitegegevens** → **Uitzonderingen beheren...** + +- [x] Check **Cookies en sitegegevens verwijderen wanneer Firefox wordt afgesloten** + +Dit beschermt je tegen blijvende cookies, maar niet tegen cookies die tijdens een bepaalde surfsessie worden aangemaakt. Wanneer dit is ingeschakeld, wordt het mogelijk om jouw browsercookies gemakkelijk te wissen door Firefox gewoon opnieuw op te starten. Je kunt per site uitzonderingen instellen, als je ingelogd wilt blijven op een bepaalde site die je vaak bezoekt. + +##### Zoeksuggesties + +- [ ] Uncheck **Geef zoeksuggesties** + +Functies voor zoeksuggesties zijn mogelijk niet beschikbaar in jouw regio. + +Zoeksuggesties sturen alles wat je in de adresbalk typt naar de standaardzoekmachine, ongeacht of je een echte zoekopdracht geeft. Door zoeksuggesties uit te schakelen, kun je nauwkeuriger bepalen welke gegevens je naar jouw zoekmachineprovider stuurt. + +##### Telemetrie + +- [ ] Uncheck **Firefox toestaan technische en interactiegegevens naar Mozilla**te sturen +- [ ] Uncheck **Firefox toestaan om studies te installeren en uit te voeren**uit +- [ ] Uncheck **Firefox toestaan om namens je achterstallige crashmeldingen te verzenden uit** + +> Firefox stuurt ons gegevens over jouw Firefox-versie en -taal; besturingssysteem van het apparaat en hardwareconfiguratie; geheugen, basisinformatie over crashes en fouten; resultaat van geautomatiseerde processen zoals updates, veilig browsen en activering. Wanneer Firefox gegevens naar ons verzendt, wordt uw IP-adres tijdelijk verzameld als onderdeel van onze serverlogs. + +Daarnaast verzamelt de Firefox Accounts service [enkele technische gegevens](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). Als je een Firefox-account gebruikt, kun je je afmelden: + +1. Open jouw [profielinstellingen op accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Schakel **Gegevensverzameling en -gebruik uit** > **Help Firefox-accounts verbeteren** + +##### Alleen HTTPS-modus + +- [x] Select **Schakel HTTPS-only modus in alle vensters in** + +Dit voorkomt dat je onbedoeld verbinding maakt met een website in platte HTTP-tekst. Sites zonder HTTPS zijn tegenwoordig zeldzaam, dus dit zou weinig tot geen impact moeten hebben op jouw dagelijkse browsen. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) maakt jouw browsegegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten en beschermt ze met E2EE. + +### Arkenfox (gevorderd) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +Het [Arkenfox-project](https://github.com/arkenfox/user.js) biedt een reeks zorgvuldig overwogen opties voor Firefox. Als je [besluit](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) om Arkenfox te gebruiken, zijn er een [paar opties](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) die subjectief streng zijn en/of ervoor kunnen zorgen dat sommige websites niet goed werken - [die je gemakkelijk kunt wijzigen](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) om aan jouw behoeften te voldoen. Wij **raden je ten zeerste aan** hun volledige [wiki](https://github.com/arkenfox/user.js/wiki)door te lezen. Arkenfox biedt ook ondersteuning voor [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users). + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave-logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** bevat een ingebouwde inhoudsblokker en [privacyfuncties](https://brave.com/privacy-features/), waarvan vele standaard zijn ingeschakeld. + + Brave is gebouwd op het Chromium webbrowser project, dus het zou vertrouwd moeten aanvoelen en minimale website compatibiliteitsproblemen moeten hebben. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Broncode" } + + ??? downloads annotate "Downloaden" + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We raden af om de Flatpak-versie van Brave te gebruiken, omdat die de sandbox van Chromium vervangt door die van Flatpak, wat minder effectief is. Bovendien wordt het pakket niet onderhouden door Brave Software, Inc. + +### Aanbevolen configuratie + +Deze opties zijn te vinden in :material-menu: → **Instellingen**. + +##### Schilden + +Brave bevat enkele anti-vingerafdruk maatregelen in zijn [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) functie. Wij raden aan om deze opties [globaal te configureren](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) voor alle pagina's die je bezoekt. + +De opties van Shields kunnen naar behoefte per site worden gedowngrade, maar standaard raden wij aan de volgende opties in te stellen: + +
+ +- [x] Select **Voorkom dat sites vingerafdrukken van mij nemen op basis van mijn taalvoorkeuren** +- [x] Select **Aggressief** onder Trackers & advertentieblokkering + + ??? warning "Gebruik standaard filter lijsten" + Brave staat je toe om extra inhoud filters te selecteren binnen de interne `brave://adblock` pagina. Wij raden het gebruik van deze functie af; houd in plaats daarvan de standaardfilterlijsten aan. Het gebruik van extra lijsten zorgt ervoor dat u zich onderscheidt van andere Brave gebruikers en kan ook het aanvalsoppervlak vergroten als er een exploit in Brave is en een kwaadaardige regel wordt toegevoegd aan één van de lijsten die je gebruikt. + +- [x] (Optional) Selecteer **Block Scripts** (1) +- [x] Select **Strict, may break sites** onder Block fingerprinting + +
+ +1. Deze optie biedt functionaliteit die vergelijkbaar is met uBlock Origin's geavanceerde [blokkeringsmodes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) of de [NoScript](https://noscript.net/) extensie. + +##### Sociale media blokkeren + +- [ ] Uncheck alle sociale media componenten uit + +##### Privacy en veiligheid + +
+ +- [x] Select **Disable non-proxied UDP** onder [WebRTC IP Handling Policy](https://support.brave.com/hc/nl-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Google services gebruiken voor push messaging** +- [ ] Uncheck **Privacy-preserving product analytics (P3A) toestaan** +- [ ] Uncheck **Automatisch dagelijks gebruik ping sturen naar Brave**. +- [ ] Uncheck **Stuur automatisch een dagelijkse gebruiksping naar Brave** +- [ ] Uncheck **Stuur automatisch diagnostische rapporten** +- [x] Select **Gebruik altijd beveiligde verbindingen** in het menu **Veiligheid** +- [ ] Uncheck **Privé venster met Tor** (1) + + !!! tip "Saneren bij sluiten" + - [x] Select **Cookies en sitegegevens wissen bij het sluiten van alle vensters** in het menu *Cookies en andere sitegegevens* + + Als u ingelogd wilt blijven bij een bepaalde site die je vaak bezoekt, kunt u per site uitzonderingen instellen in het gedeelte *Aangepast gedrag*. + +
+ +1. Brave is **niet** zo resistent tegen vingerafdrukken als de Tor Browser en veel minder mensen gebruiken Brave met Tor, dus zal je opvallen. Wanneer [sterke anonimiteit vereist is](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) gebruik dan de [Tor Browser](tor.md#tor-browser). + +##### Extensies + +Ingebouwde extensies die je niet gebruikt uitschakelen in **Extensies** + +- [ ] Uncheck **Hangouts**uit +- [ ] Uncheck **WebTorrent**uit + +##### Web3 + +
+ +- [x] Select Uitgeschakeld op Methode om IPFS-bronnen op te lossen) + +
+ +1. InterPlanetary File System (IPFS) is een gedecentraliseerd, peer-to-peer netwerk voor het opslaan en delen van gegevens in een gedistribueerd bestandssysteem. Tenzij je de functie gebruikt, schakel hem uit. + +##### Extra instellingen + +In het menu *Systeem* + +
+ +- [ ] Uncheck **Doorgaan met draaiende apps als Brave gesloten is** uit om achtergrond apps uit te schakelen (1) + +
+ +1. Deze optie is niet op alle platforms aanwezig. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) maakt jouw surfgegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten zonder dat je een account nodig hebt en beschermt ze met E2EE. + +## Extra bronnen + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. Ublock Origin of AdGuard kunnen echter nuttig blijken als je waarde hecht aan de functionaliteit voor het blokkeren van inhoud. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is een populaire inhoudsblokker die je kan helpen bij het blokkeren van advertenties, trackers en vingerafdrukscripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +Wij raden aan om de documentatie van de [ontwikkelaar te volgen](https://github.com/gorhill/uBlock/wiki/Blocking-mode) en een van de "modes" te kiezen. Extra filterlijsten kunnen de prestaties beïnvloeden en [kan het aanvalsoppervlak vergroten](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Andere lijsten + +Dit zijn enkele andere [filterlijsten](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) die je zou kunnen overwegen toe te voegen: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Voeg [Actually Legitimatee URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) toe + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Moet open-source software zijn. +- Ondersteunt automatische updates. +- Ontvangt engine updates in 0-1 dagen na upstream release. +- Beschikbaar op Linux, macOS en Windows. +- Wijzigingen die nodig zijn om de browser privacyvriendelijker te maken, mogen de gebruikerservaring niet negatief beïnvloeden. +- Blokkeert standaard cookies van derden. +- Ondersteunt [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) om cross-site tracking tegen te gaan.[^1] + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Beschikt over ingebouwde functionaliteit voor het blokkeren van inhoud. +- Ondersteunt cookie Compartimentalisatie ( à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Ondersteunt Progressive Web Apps. + PWA 's stellen je in staat om bepaalde websites te installeren alsof het native apps op jouw computer zijn. Dit kan voordelen hebben ten opzichte van het installeren van op electron gebaseerde apps, omdat je profiteert van de regelmatige beveiligingsupdates van jouw browser. +- Omvat geen add-on functionaliteit (bloatware) die geen invloed heeft op de privacy van gebruikers. +- Verzamelt standaard geen telemetrie. +- Biedt een open-source sync-server implementatie. +- Standaard ingesteld op een [privézoekmachine](search-engines.md). + +### Uitbreidings criteria + +- Mag geen ingebouwde browser- of OS-functionaliteit repliceren. +- Moet rechtstreeks van invloed zijn op de privacy van de gebruiker, d.w.z. mag niet gewoon informatie verstrekken. + +[^1]: De implementatie van Brave wordt gedetailleerd beschreven op [Brave Privacy Updates: Partitionering van netwerkstatus voor privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/nl/desktop.md b/i18n/nl/desktop.md new file mode 100644 index 00000000..b9eb4d88 --- /dev/null +++ b/i18n/nl/desktop.md @@ -0,0 +1,181 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux-distributies worden algemeen aanbevolen voor privacybescherming en softwarevrijheid. +--- + +Linux-distributies worden algemeen aanbevolen voor privacybescherming en softwarevrijheid. Als je nog geen Linux gebruikt, zijn hieronder enkele distributies die we aanraden om uit te proberen, evenals enkele algemene tips om je privacy en veiligheid te verbeteren die op veel Linux-distributies van toepassing zijn. + +- [Algemeen Linux-overzicht :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditionele verdelingen + +### Fedora Werkstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is onze aanbevolen distributie voor mensen die nieuw zijn met Linux. Fedora adopteert over het algemeen nieuwere technologieën dan andere distributies, b.v. [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), en binnenkort. Deze nieuwe technologieën gaan vaak gepaard met verbeteringen op het gebied van veiligheid, privacy en bruikbaarheid in het algemeen. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Bijdragen} + +Fedora heeft een semi-rollende release cyclus. Terwijl sommige pakketten zoals [GNOME](https://www.gnome.org) bevroren worden tot de volgende Fedora uitgave, worden de meeste pakketten (inclusief de kernel) regelmatig bijgewerkt gedurende de levensduur van de uitgave. Elke Fedora release wordt een jaar lang ondersteund, met elke 6 maanden een nieuwe versie. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is een stabiele distributie met rollende release. + + openSUSE Tumbleweed heeft een [transactionele update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) systeem dat gebruik maakt van [Btrfs](https://en.wikipedia.org/wiki/Btrfs) en [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) om ervoor te zorgen dat snapshots kunnen worden teruggerold mocht er een probleem zijn. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Bijdragen} + +Tumbleweed volgt een rollend release-model waarbij elke update wordt vrijgegeven als een momentopname van de distributie. Wanneer je jouw systeem upgrade, wordt een nieuwe momentopname gedownload. Elke momentopname wordt door [openQA](https://openqa.opensuse.org) aan een reeks geautomatiseerde tests onderworpen om de kwaliteit ervan te verzekeren. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is een lichtgewicht, doe-het-zelf (DIY) distributie, wat betekent dat u alleen krijgt wat u installeert. Zie voor meer informatie hun [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Bijdragen} + +Arch Linux heeft een doorlopende uitgavecyclus. Er is geen vast releaseschema en pakketten worden zeer frequent bijgewerkt. + +Omdat het een doe-het-zelf distributie is, wordt van je verwacht [dat je jouw systeem zelf opzet en onderhoudt](#arch-based-distributions). Arch heeft een [officiële installer](https://wiki.archlinux.org/title/Archinstall) om het installatieproces wat gemakkelijker te maken. + +Een groot deel van [Arch Linux's pakketten](https://reproducible.archlinux.org) zijn [reproduceerbaar](https://reproducible-builds.org). + +## Immutable distributies + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** en **Fedora Kinoite** zijn immutable varianten van Fedora met een sterke focus op container workflows. Silverblue wordt geleverd met de [GNOME](https://www.gnome.org/) desktop omgeving terwijl Kinoite wordt geleverd met [KDE](https://kde.org/). Silverblue en Kinoite volgen hetzelfde release schema als Fedora Workstation, profiteren van dezelfde snelle updates en blijven zeer dicht bij de upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentatie} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Bijdragen} + +Silverblue (en Kinoite) verschillen van Fedora Workstation doordat ze de [DNF](https://fedoraproject.org/wiki/DNF) pakketbeheerder vervangen door een veel geavanceerder alternatief genaamd [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). De `rpm-ostree` pakketbeheerder werkt door een basis image voor het systeem te downloaden, en er dan pakketten overheen te leggen in een [git](https://en.wikipedia.org/wiki/Git)-achtige commit tree. Wanneer het systeem wordt bijgewerkt, wordt een nieuw basisbeeld gedownload en worden de overlays op dat nieuwe beeld toegepast. + +Nadat de update is voltooid, start je het systeem opnieuw op in de nieuwe versie. `rpm-ostree` houdt twee versies van het systeem bij, zodat je gemakkelijk kunt terugdraaien als er iets kapot gaat in de nieuwe versie. Er is ook de mogelijkheid om meer versies vast te pinnen als dat nodig is. + +[Flatpak](https://www.flatpak.org) is de primaire pakketinstallatiemethode op deze distributies, aangezien `rpm-ostree` alleen bedoeld is om pakketten die niet in een container kunnen blijven bovenop de basisafbeelding te plaatsen. + +Als alternatief voor Flatpaks is er de optie [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) om [Podman](https://podman.io) containers te maken met een gedeelde home directory met het gast-besturingssysteem en een traditionele Fedora omgeving na te bootsen, wat een [nuttige eigenschap is](https://containertoolbx.org) voor de veeleisende ontwikkelaar. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is een onafhankelijke distributie gebaseerd op de Nix pakketbeheerder met een focus op reproduceerbaarheid en betrouwbaarheid. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentatie} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Bijdragen} + +De pakketbeheerder van NixOS bewaart elke versie van elk pakket in een andere map in de **Nix store**. Hierdoor kun je verschillende versies van hetzelfde pakket op jouw systeem geïnstalleerd hebben. Nadat de inhoud van het pakket naar de map is geschreven, wordt de map alleen-lezen gemaakt. + +NixOS biedt ook atomaire updates; het downloadt (of bouwt) eerst de pakketten en bestanden voor de nieuwe systeemgeneratie en schakelt daar dan naar over. Er zijn verschillende manieren om over te schakelen naar een nieuwe generatie; je kunt NixOS vertellen deze te activeren na reboot of je kunt er tijdens runtime naar overschakelen. Je kunt ook *testen* de nieuwe generatie door er tijdens runtime naar over te schakelen, maar het niet in te stellen als de huidige systeemgeneratie. Als iets in het updateproces stuk gaat, kunt je gewoon opnieuw opstarten en automatisch terugkeren naar een werkende versie van jouw systeem. + +Nix de pakketbeheerder gebruikt een zuiver functionele taal - die ook Nix wordt genoemd - om pakketten te definiëren. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (de belangrijkste bron van pakketten) zijn opgenomen in een enkele GitHub repository. Je kan ook je eigen packages definiëren in dezelfde taal en ze dan gemakkelijk opnemen in je config. + +Nix is een source-based package manager; als er geen pre-built beschikbaar is in de binaire cache, zal Nix het pakket gewoon vanaf de broncode bouwen met behulp van zijn definitie. Het bouwt elk pakket in een sandboxed *pure* omgeving, die zo onafhankelijk mogelijk is van het hostsysteem, waardoor binaries reproduceerbaar zijn. + +## Op anonimiteit gerichte distributies + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is gebaseerd op [Kicksecure](https://www.whonix.org/wiki/Kicksecure), een op beveiliging gerichte vork van Debian. Het is gefocust op privacy, veiligheid en anonimiteit op het internet te bieden. Whonix wordt het best gebruikt in combinatie met [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentatie} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Dragen bij } + +Whonix is bedoeld om te draaien als twee virtuele machines: een "Workstation" en een Tor "Gateway" Alle communicatie van het werkstation moet via de Tor-gateway gaan. Dit betekent dat zelfs als het werkstation wordt gecompromitteerd door malware, het ware IP-adres verborgen blijft. + +Enkele van de functies zijn Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), en een hardened memory allocator. + +Toekomstige versies van Whonix zullen waarschijnlijk [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) en een [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) bevatten om alle processen op het systeem volledig in te perken. + +Whonix wordt het best gebruikt [in combinatie met Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix heeft diverse [nadelen](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) in vergelijking met andere hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is een live besturingssysteem gebaseerd op Debian dat alle communicatie via Tor laat lopen. Hij kan op bijna elke computer opstarten vanaf een DVD, USB-stick of SD-kaart. + + Het is bedoeld om de privacy en anonimiteit te bewaren, censuur te omzeilen en geen sporen achter te laten op de computer waarop het wordt gebruikt. + +Het is de bedoeling dat Tails zichzelf reset na elke reboot. Versleutelde [persistente opslag](https://tails. boum. org/doc/first_steps/persistence/index. en. html) kan worden geconfigureerd om bepaalde gegevens op te slaan. Een Tails-systeem dat door malware is aangetast, kan de transparante proxy omzeilen, waardoor de gebruiker kan worden gedeanonimiseerd. + +Tails bevat standaard [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser, wat het voor tegenstanders mogelijk gemakkelijker maakt om Tails-gebruikers te identificeren. [Whonix](desktop.md#whonix) virtuele machines zijn misschien lekbestendiger, maar ze zijn niet amnesisch, wat betekent dat gegevens kunnen worden teruggehaald van jouw opslagapparaat. + +Het is de bedoeling dat Tails zichzelf volledig reset na elke herstart. Een versleutelde [persistente opslag](https://tails.boum.org/doc/persistent_storage/index.en.html) kan worden geconfigureerd om bepaalde gegevens tussen reboots op te slaan. + +## Op veiligheid gerichte distributies + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is een open-source besturingssysteem ontworpen om sterke beveiliging te bieden voor desktop computergebruik. Qubes is gebaseerd op Xen, het X Window System, en Linux, en kan de meeste Linux-toepassingen draaien en de meeste Linux-stuurprogramma's gebruiken. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentatie }. + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Broncode" }. + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Bijdragen } + +Qubes OS is een op Xen gebaseerd besturingssysteem dat bedoeld is om sterke beveiliging te bieden voor desktopcomputers via beveiligde virtuele machines (VM's), ook bekend als *Qubes*. + +Het besturingssysteem Qubes beveiligt de computer door subsystemen (bijv. netwerken, USB, enz.) en applicaties in afzonderlijke VM 's te isoleren. Als een deel van het systeem wordt gecompromitteerd, zal de extra isolatie waarschijnlijk de rest van het systeem beschermen. Zie voor meer details de Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +Onze aanbevolen besturingssystemen: + +- Moet open-source zijn. +- Moet regelmatig software en Linux kernel updates ontvangen. +- Linux-distributies moeten [Wayland](os/linux-overview.md#Wayland) ondersteunen. +- Moet tijdens de installatie volledige schijfversleuteling ondersteunen. +- Mag regelmatige releases niet langer dan 1 jaar bevriezen. Wij [raden](os/linux-overview.md#release-cycle) "Long Term Support" of "stabiele" distro-uitgaven niet aan voor desktopgebruik. +- Moet een grote verscheidenheid aan hardware ondersteunen. diff --git a/i18n/nl/dns.md b/i18n/nl/dns.md new file mode 100644 index 00000000..abb6da8e --- /dev/null +++ b/i18n/nl/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS-resolvers" +icon: material/dns +description: Dit zijn enkele versleutelde DNS-providers die wij aanbevelen, ter vervanging van de standaardconfiguratie van jouw ISP. +--- + +Versleutelde DNS met servers van derden zou alleen moeten worden gebruikt om simpele [DNS-blokkering](https://en.wikipedia.org/wiki/DNS_blocking) te omzeilen en als je er zeker van bent dat er geen gevolgen zullen zijn. Versleutelde DNS zal je niet helpen jouw surfactiviteiten te verbergen. + +[Meer informatie over DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Aanbevolen Providers + +| DNS-provider | Privacybeleid | Protocollen | Loggen | ECS | Filteren | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Beetje[^1] | Nee | Gebaseerd op server keuze. De filterlijst die wordt gebruikt, is hier te vinden. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Beetje[^2] | Nee | Gebaseerd op server keuze. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optioneel[^3] | Nee | Gebaseerd op server keuze. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Geen[^4] | Nee | Gebaseerd op server keuze. De filterlijst die wordt gebruikt, is hier te vinden. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optioneel[^5] | Optioneel | Gebaseerd op server keuze. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Beetje[^6] | Optioneel | Gebaseerd op server keuze, malware blokkering is standaard. | + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaard criteria](about/criteria.md) hebben wij een duidelijke reeks eisen opgesteld om objectieve aanbevelingen te kunnen doen. We raden je aan deze lijst goed door te lezen voordat je een project kiest en je eigen onderzoek te doen om er zeker van te zijn dat het de juiste keuze voor jou is. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en ga er niet van uit dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet [DNSSEC](advanced/dns-overview.md#what-is-dnssec) ondersteunen. +- [QNAME Minimalisatie](advanced/dns-overview.md#what-is-qname-minimization). +- Toestaan dat [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) kan worden uitgeschakeld. +- Voorkeur voor [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) ondersteuning of geo-steering ondersteuning. + +## Ondersteuning voor besturingssystemen + +### Android + +Android 9 en hoger ondersteunen DNS over TLS. De instellingen kunnen worden gevonden in: **Instellingen** → **Netwerk & internet** → **Privé-DNS**. + +### Apple apparaten + +De nieuwste versies van iOS, iPadOS, tvOS en macOS ondersteunen zowel DoT als DoH. Beide protocollen worden ondersteund via [configuratieprofielen](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) of via de [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +Na installatie van een configuratieprofiel of een app die gebruik maakt van de DNS Settings API, kan de DNS-configuratie worden geselecteerd. Als een VPN actief is, zal de resolutie binnen de VPN-tunnel de DNS-instellingen van het VPN gebruiken en niet je systeembrede instellingen. + +#### Ondertekende Profielen + +Apple biedt geen native interface voor het maken van versleutelde DNS-profielen. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is een onofficiële tool voor het maken van je eigen versleutelde DNS-profielen, echter worden deze niet ondertekend. Ondertekende profielen hebben de voorkeur; ondertekening valideert de oorsprong van een profiel en helpt de integriteit van de profielen te waarborgen. Een groen "Geverifieerd" label wordt gegeven aan ondertekende configuratieprofielen. Voor meer informatie over het ondertekenen van codes, zie [Over het ondertekenen van codes](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Ondertekende profielen** worden aangeboden door [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), en [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, die veel Linux-distributies gebruiken om hun DNS lookups te doen, [ondersteunt DoH nog niet](https://github.com/systemd/systemd/issues/8639). Als je DoH wilt gebruiken, moet je een proxy installeren zoals [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) en [configureren](https://wiki.archlinux.org/title/Dnscrypt-proxy) om alle DNS-query's van je systeem-resolver te nemen en ze over HTTPS door te sturen. + +## Versleutelde DNS-proxy + +Versleutelde DNS-proxy software biedt een lokale proxy voor de [onversleutelde DNS](advanced/dns-overview.md#unencrypted-dns)-resolver om naar door te sturen. Meestal wordt het gebruikt op platformen die [versleutelde DNS](advanced/dns-overview.md#what-is-encrypted-dns)niet ondersteunen. + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + !RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is een open-source Android client met ondersteuning voor [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) en DNS-proxy samen met het cachen van DNS antwoorden, lokaal loggen van DNS-queries en kan ook gebruikt worden als firewall. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is een DNS-proxy met ondersteuning voor [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), en [Geanonimiseerde DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "De geanonimiseerde DNS-functie anonimiseert [**niet**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) ander netwerkverkeer." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Broncode" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Zelf gehoste oplossingen + +Een zelf gehoste DNS-oplossing is handig voor het bieden van filtering op gecontroleerde platforms, zoals Smart TV's en andere IoT-apparaten, omdat er geen client-side software nodig is. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is een open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) die gebruik maakt van [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) om ongewenste webinhoud, zoals advertenties, te blokkeren. + + AdGuard Home beschikt over een vriendelijke webinterface om inzicht te krijgen en geblokkeerde inhoud te beheren. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Broncode" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is een open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) die [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) gebruikt om ongewenste webinhoud, zoals advertenties, te blokkeren. + + Pi-hole is ontworpen om te worden gehost op een Raspberry Pi, maar het is niet beperkt tot dergelijke hardware. De software beschikt over een vriendelijke webinterface om inzicht te krijgen en geblokkeerde inhoud te beheren. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Broncode" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Bijdrage leveren } + +[^1]: AdGuard slaat geaggregeerde prestatiecijfers van hun DNS-servers op, namelijk het aantal volledige verzoeken aan een bepaalde server, het aantal geblokkeerde verzoeken, en de snelheid waarmee verzoeken worden verwerkt. Zij houden ook de database bij van domeinen die in de laatste 24 uur zijn aangevraagd. "We hebben deze informatie nodig om nieuwe trackers en bedreigingen te identificeren en te blokkeren." "We houden ook bij hoe vaak bepaalde trackers geblokkeerd zijn. We hebben deze informatie nodig om verouderde regels uit onze filters te verwijderen." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare verzamelt en bewaart alleen de beperkte DNS-querygegevens die naar de 1.1.1.1 resolver worden gestuurd. De 1.1.1.1 resolver dienst logt geen persoonsgegevens, en het grootste deel van de beperkte niet-persoonlijk identificeerbare query-gegevens wordt slechts 25 uur bewaard. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D logt alleen voor Premium resolvers met aangepaste DNS-profielen. Gratis resolvers loggen geen gegevens. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: De DNS-service van Mullvad is beschikbaar voor zowel abonnees als niet-abonnees van Mullvad VPN. Hun privacybeleid beweert expliciet dat zij op geen enkele manier DNS-verzoeken loggen. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS kan inzichten en loggingfuncties bieden op een opt-in basis. Je kan retentietijden en opslaglocaties kiezen voor de logs die je wilt bewaren. Als er niet specifiek om gevraagd wordt, worden er geen gegevens gelogd. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 verzamelt sommige gegevens ten behoeve van de monitoring van en reactie op bedreigingen. Die gegevens kunnen vervolgens opnieuw worden gemengd en gedeeld, bijvoorbeeld ten behoeve van veiligheidsonderzoek. Quad9 verzamelt of registreert geen IP-adressen of andere gegevens die zij als persoonlijk identificeerbaar beschouwen. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/nl/email-clients.md b/i18n/nl/email-clients.md new file mode 100644 index 00000000..dd3a7f93 --- /dev/null +++ b/i18n/nl/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email clients" +icon: material/email-open +description: Deze e-mailclients respecteren de privacy en ondersteunen OpenPGP e-mail versleuteling. +--- + +Onze aanbevelingslijst bevat e-mailcliënten die zowel [OpenPGP](encryption.md#openpgp) als sterke authenticatie ondersteunen, zoals [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). Met OAuth kunt u [Multi-Factor Authentication](basics/multi-factor-authentication.md) gebruiken en accountdiefstal voorkomen. + +??? warning "E-mail biedt geen forward secrecy" + + Bij gebruik van end-to-end encryptie (E2EE) technologie zoals OpenPGP, zal e-mail nog steeds [enkele metadata](email.md#email-metadata-overzicht) bevatten die niet versleuteld zijn in de header van de e-mail. + + OpenPGP ondersteunt ook geen [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), wat betekent dat als uw of de geadresseerde's private sleutel ooit wordt gestolen, alle voorgaande berichten die ermee zijn versleuteld zullen worden blootgelegd: [How do I protect my private keys?](basics/email-security.md) Overweeg het gebruik van een medium dat forward secrecy biedt: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird-logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is een gratis, open-source, cross-platform email, nieuwsgroep, nieuwsfeed, en chat (XMPP, IRC, Twitter) client ontwikkeld door de Thunderbird gemeenschap, en voorheen door de Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentatie} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Aanbevolen configuratie + +We raden aan om sommige van deze instellingen te wijzigen om Thunderbird een beetje meer privé te maken. + +Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Privacy & Beveiliging**. + +##### Web Content + +- [ ] Deselecteer **Onthoud websites en links die ik heb bezocht** +- [ ] Deselecteer **Accepteer cookies van sites** + +##### Telemetrie + +- [ ] Deselecteer **Toestaan dat Thunderbird technische en interactiegegevens naar Mozilla stuurt** + +#### Thunderbird-user.js (geavanceerd) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is een set van configuratie-opties die erop gericht is zoveel mogelijk van de web-browsing functies binnen Thunderbird uit te schakelen om de aanvals oppervlakte te verkleinen en de privacy te behouden. let op + +## Platform specifiek + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail-logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is opgenomen in macOS en kan worden uitgebreid met OpenPGP-ondersteuning met [GPG Suite](/encryption/#gpg-suite), waarmee de mogelijkheid wordt toegevoegd om versleutelde e-mail te versturen. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentatie} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail-logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is een betaalde e-mailclient die is ontworpen om end-to-end versleuteling naadloos te laten verlopen met beveiligingsfuncties zoals een biometrische app-vergrendeling. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail heeft pas onlangs een Windows- en Android-client uitgebracht, hoewel die volgens ons niet zo stabiel zijn als hun iOS- en Mac-tegenhangers. + +Canary Mail is closed-source. We raden het aan omdat er maar weinig keuzes zijn voor e-mailclients op iOS die PGP E2EE ondersteunen. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is een minimale, open-source e-mail app, die gebruik maakt van open standaarden (IMAP, SMTP, OpenPGP) met een laag data- en batterijverbruik. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Broncode" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### Gnome evolutie (Gnome) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is een applicatie voor het beheer van persoonlijke informatie die geïntegreerde mail-, agenda- en adresboekfuncties biedt. Evolution heeft uitgebreide [documentation](https://help.gnome.org/users/evolution/stable/) om u op weg te helpen. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is een onafhankelijke mail-applicatie die zowel POP3 als IMAP mailboxen ondersteunt, maar alleen push mail voor IMAP ondersteunt. + + In de toekomst zal K-9 Mail de [officieel gemerkte](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client voor Android zijn. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Broncode" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + Bij het beantwoorden van iemand op een mailinglijst kan de optie "beantwoorden" ook de mailinglijst omvatten. Zie voor meer informatie [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is een persoonlijke informatiemanager (PIM) applicatie van het [KDE](https://kde.org) project. Het biedt een mail client, adresboek, organizer en RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentatie} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Broncode" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is een browser extensie die de uitwisseling van versleutelde e-mails mogelijk maakt volgens de OpenPGP encryptie standaard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Broncode} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Bijdragen" } + + ??? downloads "Downloaden" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is een open-source command line mail reader (of MUA) voor Linux en BSD. Het is een vork van [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) met toegevoegde mogelijkheden. + + NeoMutt is een tekst-gebaseerde client die een steile leercurve heeft. Het is echter zeer aanpasbaar. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimum kwalificaties + +- Apps ontwikkeld voor open-source besturingssystemen moeten open-source zijn. +- Mag geen telemetrie verzamelen, of een gemakkelijke manier hebben om alle telemetrie uit te schakelen. +- Moet OpenPGP-berichtversleuteling ondersteunen. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet open-source zijn. +- Moet cross-platform zijn. +- Verzamelt standaard geen telemetrie. +- Moet OpenPGP native ondersteunen, dat wil zeggen zonder extensies. +- Moet ondersteuning bieden voor het lokaal opslaan van OpenPGP-versleutelde e-mails. diff --git a/i18n/nl/email.md b/i18n/nl/email.md new file mode 100644 index 00000000..4b41030c --- /dev/null +++ b/i18n/nl/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Diensten" +icon: material/email +description: Deze e-mailproviders bieden een uitstekende plaats om jouw e-mails veilig op te slaan, en vele bieden interoperabele OpenPGP versleuteling met andere providers. +--- + +E-mail is bijna een noodzaak voor het gebruik van elke online dienst, maar wij raden het niet aan voor gesprekken van persoon tot persoon. In plaats van e-mail te gebruiken om andere mensen te contacteren, kunt u overwegen een instant messenger te gebruiken die forward secrecy ondersteunt. + +[Aanbevolen Instant Messengers](real-time-communication.md ""){.md-button} + +Voor al het andere raden wij verschillende e-mailproviders aan op basis van duurzame bedrijfsmodellen en ingebouwde beveiligings- en privacyfuncties. + +- [OpenPGP-compatibele e-mailproviders :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Andere versleutelde aanbieders :material-arrow-right-drop-circle:](#more-providers) +- [E-mail Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Zelf-gehoste opties :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP compatibele diensten + +Deze providers ondersteunen standaard OpenPGP-encryptie/decryptie en het Web Key Directory (WKD) -standaard, waardoor provider-agnostische E2EE-e-mails mogelijk zijn. Een Proton Mail-gebruiker zou bijvoorbeeld een E2EE-bericht kunnen sturen naar een Mailbox.org-gebruiker, of je zou OpenPGP-versleutelde meldingen kunnen ontvangen van internetdiensten die dit ondersteunen. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning "Waarschuwing" + + Wanneer gebruik wordt gemaakt van E2EE-technologie zoals OpenPGP, zullen e-mailberichten nog steeds metagegevens bevatten die niet zijn versleuteld in de header van het e-mailbericht. Lees meer over [e-mail metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP ondersteunt ook geen forward secrecy, wat betekent dat als jouw of de geadresseerde's privésleutel ooit wordt gestolen, alle eerdere berichten die ermee zijn versleuteld, openbaar worden. [Hoe bescherm ik mijn privésleutels?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is een e-maildienst met focus op privacy, encryptie, veiligheid en gebruiksgemak. Ze zijn al actief sinds **2013**. Proton AG is gevestigd in Genève, Zwitserland. Accounts beginnen met 500 MB opslagruimte met hun gratis abonnement. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacybeleid" }. + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Gratis accounts hebben enkele beperkingen, zoals het niet kunnen doorzoeken van bodytekst en geen toegang tot [Proton Mail Bridge](https://proton.me/mail/bridge), die nodig is om een [aanbevolen desktop e-mailclient](email-clients.md) (bv. Thunderbird) te gebruiken. Betaalde accounts bevatten functies zoals Proton Mail Bridge, extra opslagruimte en ondersteuning voor aangepaste domeinen. Een [attestatiebrief](https://proton.me/blog/security-audit-all-proton-apps) werd op 9 november 2021 verstrekt voor de apps van Proton Mail door [Securitum](https://research.securitum.com). + +Als je Proton Unlimited, Business of Visionary hebt, krijg je ook [SimpleLogin](#simplelogin) Premium gratis. + +Proton Mail heeft interne crash rapporten die ze **niet** delen met derden. Dit kan worden uitgeschakeld in: **Instellingen** > **Ga naar Instellingen** > **Account** > **Beveiliging en privacy** > **Crashmeldingen versturen**. + +#### :material-check:{ .pg-green } Aangepaste domeinen en aliassen + +Betaalde Proton Mail abonnees kunnen hun eigen domein met de dienst gebruiken of een [catch-all](https://proton.me/support/catch-all) adres. Proton Mail ondersteunt ook [subadressering](https://proton.me/support/creating-aliases), wat handig is voor mensen die geen domein willen kopen. + +#### :material-check:{ .pg-green } Privé betaalmethoden + +Proton Mail [accepteert](https://proton.me/support/payment-options) contant geld per post, naast standaard creditcard/debetkaart, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), en PayPal-betalingen. + +#### :material-check:{ .pg-green } Accountbeveiliging + +Proton Mail ondersteunt TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) en [hardware security keys](https://proton.me/support/2fa-security-key) met behulp van FIDO2 of U2F standaarden. Voor het gebruik van een hardware beveiligingssleutel moet eerst TOTP tweefactorauthenticatie worden ingesteld. + +#### :material-check:{ .pg-green } Gegevensbeveiliging + +Proton Mail heeft [zero-access encryptie](https://proton.me/blog/zero-access-encryption) in rust voor jouw e-mails en [agenda's](https://proton.me/news/protoncalendar-security-model). Gegevens die zijn beveiligd met zero-access encryptie zijn alleen voor jouw toegankelijk. + +Bepaalde informatie opgeslagen in [Proton Contacts](https://proton.me/support/proton-contacts), zoals namen en e-mailadressen, zijn niet beveiligd met zero-access encryptie. Contact velden die zero-access encryptie ondersteunen, zoals telefoonnummers, worden aangegeven met een hangslot pictogram. + +#### :material-check:{ .pg-green } Email encryptie + +Proton Mail heeft [OpenPGP encryptie](https://proton.me/support/how-to-use-pgp) geïntegreerd in hun webmail. E-mails naar andere Proton Mail-accounts worden automatisch versleuteld, en versleuteling naar niet-Proton Mail-adressen met een OpenPGP-sleutel kan eenvoudig worden ingeschakeld in je accountinstellingen. Je kunt hiermee ook [berichten versleutelen naar niet-Proton Mail adressen](https://proton.me/support/password-protected-emails) zonder dat zij zich hoeven aan te melden voor een Proton Mail account of software zoals OpenPGP hoeven te gebruiken. + +Proton Mail ondersteunt ook de ontdekking van openbare sleutels via HTTP van hun [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hierdoor kunnen mensen die geen Proton Mail gebruiken de OpenPGP sleutels van Proton Mail accounts gemakkelijk vinden, voor cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Beëindiging van account + +Als je een betaald account hebt en je na 14 dagen [niet je rekening hebt betaald](https://proton.me/support/delinquency), krijg je geen toegang meer tot je gegevens. Na 30 dagen wordt uw account delinquent en ontvangt u geen inkomende e-mail meer. Tijdens deze periode word je nog steeds gefactureerd. + +#### :material-information-outline:{ .pg-blue } Aanvullende functionaliteit + +Proton Mail biedt een "Unlimited" account voor €9,99/maand, die ook toegang geeft tot Proton VPN, naast meerdere accounts, domeinen, aliassen en 500 GB opslagruimte. + +Proton Mail heeft geen digitale erfenis functie. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is een e-maildienst gericht op veiligheid, is reclamevrij en wordt 100% mogelijk gemaakt door milieuvriendelijke energie. Ze zijn sinds 2014 in bedrijf. Mailbox.org is gevestigd in Berlijn, Duitsland. Accounts beginnen met 2 GB opslagruimte, die naar behoefte kan worden uitgebreid. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Aangepaste domeinen en aliassen + +Mailbox.org laat je je eigen domein gebruiken en ze ondersteunen [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) adressen. Mailbox.org ondersteunt ook [subadressering](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), wat handig is als je geen domein wilt kopen. + +#### :material-check:{ .pg-green } Privé betaalmethoden + +Mailbox.org accepteert geen Bitcoin of andere cryptocurrencies als gevolg van het feit dat hun betalingsverwerker BitPay zijn activiteiten in Duitsland heeft opgeschort. Echter aanvaarden ze wel contant geld per post, contante betaling op bankrekening, bankoverschrijving, kredietkaart, PayPal en een paar Duitse verwerkers: paydirekt en Sofortüberweisung. + +#### :material-check:{ .pg-green } Accountbeveiliging + +Mailbox.org ondersteunt [twee-factor authenticatie](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) alleen voor hun webmail. Je kunt TOTP of een [Yubikey](https://en.wikipedia.org/wiki/YubiKey) gebruiken via de [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Webstandaarden zoals [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) worden nog niet ondersteund. + +#### :material-information-outline:{ .pg-blue } Gegevensbeveiliging + +Mailbox.org maakt encryptie van inkomende mail mogelijk met behulp van hun [versleutelde mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Nieuwe berichten die je ontvangt, worden dan onmiddellijk versleuteld met jouw openbare sleutel. + +Echter, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), het softwareplatform dat wordt gebruikt door Mailbox.org, [ondersteunt niet](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) de versleuteling van je adresboek en agenda. Een [standalone optie](calendar.md) kan geschikter zijn voor die informatie. + +#### :material-check:{ .pg-green } Email encryptie + +Mailbox.org heeft [geïntegreerde encryptie](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in hun webmail, wat het verzenden van berichten naar mensen met openbare OpenPGP-sleutels vereenvoudigt. Ook kunnen [ontvangers op afstand een e-mail](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) op de servers van Mailbox.org ontsleutelen. Deze functie is nuttig wanneer de ontvanger op afstand geen OpenPGP heeft en geen kopie van de e-mail in zijn eigen mailbox kan ontsleutelen. + +Mailbox.org ondersteunt ook de ontdekking van publieke sleutels via HTTP vanuit hun [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). Hierdoor kunnen mensen buiten Mailbox.org gemakkelijk de OpenPGP sleutels van Mailbox.org accounts vinden, voor cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Beëindiging van account + +Je account wordt ingesteld op een beperkt gebruikersaccount zodra je contract is beëindigd, na [30 dagen wordt deze onherroepelijk verwijderd](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Extra functionaliteit + +Je kan je Mailbox.org-account openen via IMAP/SMTP met behulp van hun [.onion-service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Hun webmail interface is echter niet toegankelijk via hun .onion dienst en kan je te maken krijgen met TLS-certificaatfouten. + +Alle accounts hebben een beperkte cloud opslag die [kan worden versleuteld](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org biedt ook de alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), die de TLS-versleuteling op de verbinding tussen mailservers afdwingt, anders wordt het bericht helemaal niet verzonden. Mailbox.org ondersteunt ook [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) naast standaard toegangsprotocollen zoals IMAP en POP3. + +Mailbox.org heeft een digitale nalatenschap functie voor alle abonnementen. Je kunt kiezen of je wilt dat jouw gegevens worden doorgegeven aan jouw erfgenamen, mits zij een aanvraag indienen en jouw testament overleggen. Je kunt ook een persoon nomineren met naam en adres. + +## Meer providers + +Deze providers slaan je e-mails op met zero-knowledge encryptie, waardoor ze geweldige opties zijn om je opgeslagen e-mails veilig te houden. Zij ondersteunen echter geen interoperabele versleutelingsnormen voor E2EE-communicatie tussen aanbieders. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail-logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail-logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is een e-maildienst met de nadruk op veiligheid en privacy door het gebruik van standaard OpenPGP-versleuteling. StartMail is sinds 2014 actief en is gevestigd in Boulevard 11, Zeist Nederland. Accounts beginnen met 10GB. Ze bieden een 30 dagen proefperiode. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Aangepaste domeinen en aliassen + +Persoonlijke accounts kunnen [aangepaste of Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliassen gebruiken. [Aangepaste domeinen](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) zijn ook beschikbaar. + +#### :material-alert-outline:{ .pg-orange } Privé betaalmethodes + +StartMail accepteert Visa, MasterCard, American Express en Paypal. StartMail heeft ook andere [betalingsopties](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) zoals [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (momenteel alleen voor Persoonlijke accounts) en SEPA Direct Debit voor accounts ouder dan een jaar. + +#### :material-check:{ .pg-green } Accountbeveiliging + +StartMail ondersteunt TOTP tweefactorauthenticatie [alleen voor webmail](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Zij staan geen U2F-authenticatie met beveiligingssleutel toe. + +#### :material-information-outline:{ .pg-blue } Gegevensbeveiliging + +StartMail heeft [zero access encryptie bij rust](https://www.startmail.com/en/whitepaper/#_Toc458527835), met behulp van hun "user vault" systeem. Wanneer je inlogt, wordt de kluis geopend, en de e-mail wordt dan uit de wachtrij naar de kluis verplaatst, waar hij wordt ontsleuteld met de bijbehorende privésleutel. + +StartMail ondersteunt het importeren van [contacten](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) echter, ze zijn alleen toegankelijk in de webmail en niet via protocollen zoals [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacten worden ook niet opgeslagen met behulp van zero knowledge encryptie. + +#### :material-check:{ .pg-green } Email encryptie + +StartMail heeft [encryptie](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) geïntegreerd in hun webmail, wat het versturen van versleutelde berichten met openbare OpenPGP-sleutels vereenvoudigt. Ze ondersteunen echter niet de Web Key Directory-standaard, waardoor de ontdekking van de openbare sleutel van een Startmail-postvak uitdagender wordt voor andere e-mailproviders of -clients. + +#### :material-information-outline:{ .pg-blue } Beëindiging van account + +Bij afloop van jouw account, zal StartMail jouw account definitief verwijderen na [6 maanden in 3 fasen](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } extra functionaliteit + +StartMail maakt proxying van afbeeldingen in e-mails mogelijk. Als je toestaat dat het beeld op afstand wordt geladen, weet de verzender niet wat jouw IP-adres is. + +StartMail biedt geen digitale erfenisfunctie. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is een e-maildienst met de nadruk op veiligheid en privacy door het gebruik van encryptie. Tutanota is actief sinds **2011** en is gevestigd in Hannover, Duitsland. Accounts beginnen met 1GB opslagruimte met hun gratis plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Broncode" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota ondersteunt het [IMAP protocol](https://tutanota.com/faq/#imap) em het gebruik van e-mailclients van derden niet[](email-clients.md), en je zult ook niet in staat zijn om [externe e-mailaccounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) toe te voegen aan de Tutanota app. Beide [E-mail import](https://github.com/tutao/tutanota/issues/630) of [submappen](https://github.com/tutao/tutanota/issues/927) worden momenteel ondersteund, hoewel dit binnenkort [zal worden gewijzigd](https://tutanota.com/blog/posts/kickoff-import). E-mails kunnen [individueel of per bulk selectie](https://tutanota.com/howto#generalMail) per map worden geëxporteerd, wat onhandig kan zijn als je veel mappen hebt. + +#### :material-check:{ .pg-green } Aangepaste domeinen en aliassen + +Betaalde Tutanota accounts kunnen tot 5 [aliassen gebruiken](https://tutanota.com/faq#alias) en [aangepaste domeinen](https://tutanota.com/faq#custom-domain). Tutanota staat geen [subadressering (plus adressen)](https://tutanota.com/faq#plus)toe, maar je kunt een [catch-all](https://tutanota.com/howto#settings-global) gebruiken met een aangepast domein. + +#### :material-information-outline:{ .pg-blue } Privé betaalmethodes + +Tutanota accepteert alleen rechtstreeks creditcards en PayPal, maar Bitcoin en Monero kunnen worden gebruikt om cadeaubonnen te kopen via hun [partnerschap](https://tutanota.com/faq/#cryptocurrency) met Proxystore. + +#### :material-check:{ .pg-green } Accountbeveiliging + +Tutanota ondersteunt [twee-factor authenticatie](https://tutanota.com/faq#2fa) met TOTP of U2F. + +#### :material-check:{ .pg-green } Gegevensbeveiliging + +Tutanota heeft [zero access encryptie bij rust](https://tutanota.com/faq#what-encrypted) voor jouw e-mails, [adresboek contacten](https://tutanota.com/faq#encrypted-address-book), en [kalenders](https://tutanota.com/faq#calendar). Dit betekent dat de berichten en andere gegevens die in jouw account zijn opgeslagen, alleen door je kunnen worden gelezen. + +#### :material-information-outline:{ .pg-blue } Email Encryptie + +Tutanota [maakt geen gebruik van OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota-accounts kunnen alleen versleutelde e-mails ontvangen van niet-Tutanota-e-mailaccounts wanneer ze worden verzonden via een [tijdelijke Tutanota-postvak](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Beëindiging van account + +Tutanota zal [inactieve gratis accounts](https://tutanota.com/faq#inactive-accounts) verwijderen na zes maanden. Je kunt een gedeactiveerd gratis account opnieuw gebruiken als je betaalt. + +#### :material-information-outline:{ .pg-blue } extra functionaliteit + +Tutanota biedt de zakelijke versie van [Tutanota aan non-profitorganisaties](https://tutanota.com/blog/posts/secure-email-for-non-profit) gratis of met een fikse korting. + +Tutanota heeft ook een zakelijke functie genaamd [Secure Connect](https://tutanota.com/secure-connect/). Dit zorgt ervoor dat het klantcontact met het bedrijf gebruik maakt van E2EE. De functie kost €240/j. + +Tutanota biedt geen digitale erfenis functie. + +## E-mail aliasing diensten + +Met een e-mail aliasing dienst kun je gemakkelijk een nieuw e-mailadres genereren voor elke website waarvoor je je aanmeldt. De e-mailaliassen die je aanmaakt worden dan doorgestuurd naar een e-mailadres vanjouw keuze, waardoor zowel jouw "hoofd"-e-mailadres als de identiteit van jouw e-mailprovider wordt verborgen. Echte e-mailaliasing is beter dan de door veel providers gebruikte en ondersteunde plus-adressering, waarmee je aliassen kunt maken als jouwnaam+[anythinghere]@voorbeeld.com, omdat websites, adverteerders en traceringsnetwerken triviaal alles na het +-teken kunnen verwijderen om jouw echte e-mailadres te ontdekken. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +E-mailaliasing kan fungeren als een waarborg voor het geval jouw e-mailprovider ooit ophoudt te werken. In dat scenario kun je jouw aliassen gemakkelijk omleiden naar een nieuw e-mailadres. Op zijn beurt stelt je echter vertrouwen in de aliasingdienst om te blijven functioneren. + +Het gebruik van een speciale e-mail aliasing dienst heeft ook een aantal voordelen ten opzichte van een catch-all alias op een aangepast domein: + +- Aliassen kunnen individueel worden in- en uitgeschakeld wanneer je ze nodig hebt, zodat websites je niet willekeurig e-mailen. +- Antwoorden worden verzonden vanaf het aliasadres, waardoor jouw echte e-mailadres wordt afgeschermd. + +Ze hebben ook een aantal voordelen ten opzichte van "tijdelijke e-mail" diensten: + +- Aliassen zijn permanent en kunnen weer worden ingeschakeld als je iets moet ontvangen zoals een wachtwoord-reset. +- E-mails worden naar jouw vertrouwde mailbox gestuurd in plaats van opgeslagen door de alias provider. +- Tijdelijke e-maildiensten hebben doorgaans openbare mailboxen die voor iedereen die het adres kent toegankelijk zijn, aliassen zijn privé. + +Onze aanbevelingen voor e-mailaliassen zijn providers waarmee je aliassen kunt aanmaken op domeinen die zij beheren, en op jouw eigen aangepaste domein(en) voor een bescheiden jaarlijks bedrag. Ze kunnen ook zelf worden gehost als je maximale controle wilt. Het gebruik van een eigen domein kan echter ook nadelen hebben voor de privacy: Als je de enige persoon bent die ouw aangepaste domein gebruikt, kunnen jouw acties op verschillende websites gemakkelijk worden getraceerd door simpelweg naar de domeinnaam in het e-mailadres te kijken en alles voor het at (@) teken te negeren. + +Het gebruik van een aliasingdienst vereist dat je zowel jouw e-mailprovider als jouw aliasingprovider vertrouwt met jouw onversleutelde berichten. Sommige aanbieders verzachten dit enigszins met automatische PGP-versleuteling, die het aantal partijen dat je moet vertrouwen terugbrengt van twee naar één door inkomende e-mails te versleutelen voordat ze bij je uiteindelijke postbusaanbieder worden afgeleverd. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** laat je gratis 20 domein aliassen aanmaken op een gedeeld domein, of onbeperkt "standaard" aliassen die minder anoniem zijn. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Broncode" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Het aantal gedeelde aliassen (die eindigen op een gedeeld domein zoals @anonaddy.me) dat je kunt aanmaken is beperkt tot 20 op het gratis plan van AnonAddy en 50 op hun $12/maand plan. Je kunt onbeperkt standaard aliassen aanmaken (die eindigen op een domein zoals @[username].anonaddy.com of een aangepast domein op betaalde plannen), echter, zoals eerder vermeld, kan dit nadelig zijn voor de privacy omdat mensen uw standaard aliassen triviaal aan elkaar kunnen linken op basis van de domeinnaam alleen. Onbeperkte gedeelde aliassen zijn beschikbaar voor $36/jaar. + +Opmerkelijke gratis functies: + +- [x] 20 Gedeelde Aliassen +- [x] Onbeperkt aantal standaard aliassen +- [ ] Geen uitgaande antwoorden +- [x] 2 Ontvanger Mailboxen +- [x] Automatische PGP-versleuteling + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is een gratis dienst die e-mailaliassen op verschillende gedeelde domeinnamen biedt, en optioneel betaalde functies zoals onbeperkte aliassen en aangepaste domeinen. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin werd [overgenomen door Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) met ingang van 8 april 2022. Als je Proton Mail gebruikt voor uw primaire mailbox, is SimpleLogin een goede keuze. Aangezien beide producten nu eigendom zijn van hetzelfde bedrijf, hoeft je nog maar op één entiteit te vertrouwen. Wij verwachten ook dat SimpleLogin in de toekomst nauwer zal worden geïntegreerd met het aanbod van Proton. SimpleLogin blijft forwarding naar elke e-mailprovider van jouw keuze ondersteunen. Securitum [heeft begin 2022 een audit uitgevoerd op](https://simplelogin.io/blog/security-audit/) SimpleLogin en alle problemen [zijn aangepakt](https://simplelogin.io/audit2022/web.pdf). + +Je kunt jouw SimpleLogin account in de instellingen koppelen aan jouw Proton account. Als je Proton Unlimited, Business of Visionary Plan hebt, heb je SimpleLogin Premium gratis. + +Opmerkelijke gratis functies: + +- [x] 10 Gedeelde Aliassen +- [x] Onbeperkt antwoorden +- [x] 1 Ontvanger Mailbox + +## Onze criteria + +Gevorderde systeembeheerders kunnen overwegen hun eigen e-mailserver op te zetten. Mailservers vereisen aandacht en voortdurend onderhoud om de zaken veilig te houden en de mailbezorging betrouwbaar. + +### Gecombineerde softwareoplossingen + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is een meer geavanceerde mailserver, perfect voor mensen met wat meer Linux ervaring. Het heeft alles wat je nodig hebt in een Docker container: Een mailserver met DKIM-ondersteuning, antivirus- en spammonitoring, webmail en ActiveSync met SOGo, en webgebaseerd beheer met 2FA-ondersteuning. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Bijdrage leveren } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is een geautomatiseerd setup script voor het implementeren van een mailserver op Ubuntu. Het doel ervan is om het voor mensen gemakkelijker te maken om hun eigen mailserver op te zetten. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Broncode" } } + +Voor een meer handmatige aanpak hebben we deze twee artikelen uitgekozen: + +- [Een mailserver opzetten met OpenSMTPD, Dovecot en Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Hoe run je je eigen mailserver](https://www.c0ffee.net/blog/mail-server-guide/) (augustus 2017) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaard criteria](about/criteria.md) hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je zich vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat het de juiste keuze voor je is. + +### Technologie + +Wij beschouwen deze kenmerken als belangrijk om een veilige en optimale dienst te kunnen verlenen. Je zou moeten nagaan of de provider de functies heeft die je nodig hebt. + +**Minimum om in aanmerking te komen:** + +- Versleutelt e-mail accountgegevens in rust met zero-access encryptie. +- Exportmogelijkheid als [Mbox](https://en.wikipedia.org/wiki/Mbox) of individuele .eml met [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standaard. +- Sta gebruikers toe hun eigen [domeinnaam te gebruiken](https://en.wikipedia.org/wiki/Domain_name). Aangepaste domeinnamen zijn belangrijk voor gebruikers omdat ze zo hun agentschap van de dienst kunnen behouden, mocht het slecht aflopen of overgenomen worden door een ander bedrijf dat privacy niet hoog in het vaandel heeft staan. +- Werkt op eigen infrastructuur, d.w.z. niet gebaseerd op e-mail service providers van derden. + +**Beste geval:** + +- Versleutelt alle accountgegevens (Contacten, Agenda's, etc) in rust met zero-access encryptie. +- Geïntegreerde webmail E2EE/PGP-codering voor het gemak. +- Ondersteuning voor [WKD](https://wiki.gnupg.org/WKD) om een verbeterde ontdekking van publieke OpenPGP sleutels via HTTP mogelijk te maken. GnuPG-gebruikers kunnen een sleutel krijgen door te typen: `gpg --locate-key example_user@example.com` +- Ondersteuning voor een tijdelijke mailbox voor externe gebruikers. Dit is handig wanneer je een versleutelde e-mail wilt verzenden, zonder een echte kopie naar jouw ontvanger te sturen. Deze e-mails hebben meestal een beperkte levensduur en worden daarna automatisch verwijderd. Zij vereisen ook niet dat de ontvanger cryptografie configureert zoals OpenPGP. +- Beschikbaarheid van de diensten van de e-mailprovider via een [onion service](https://en.wikipedia.org/wiki/.onion). +- [Ondersteuning voor subadressering](https://en.wikipedia.org/wiki/Email_address#Subaddressing). +- Catch-all of alias functionaliteit voor diegenen die hun eigen domeinen bezitten. +- Gebruik van standaard e-mail toegangsprotocollen zoals IMAP, SMTP of [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standaard toegangsprotocollen zorgen ervoor dat klanten al hun e-mail gemakkelijk kunnen downloaden, mochten zij naar een andere provider willen overstappen. + +### Privacy + +Wij geven er de voorkeur aan dat de door ons aanbevolen aanbieders zo weinig mogelijk gegevens verzamelen. + +**Minimum om in aanmerking te komen:** + +- Beschermt het IP adres van de afzender. Filter het uit de weergave in het `Received` header veld. +- Vereisen geen persoonlijk identificeerbare informatie (PII) naast een gebruikersnaam en een wachtwoord. +- Privacybeleid dat voldoet aan de vereisten van de GDPR. +- Mag niet in de VS worden gehost wegens [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) die [nog moet worden hervormd](https://epic.org/ecpa/). + +**Beste geval:** + +- Accepteert [anonieme betalingsopties](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), contant geld, cadeaukaarten, etc.) + +### Veiligheid + +Email servers verwerken veel zeer gevoelige gegevens. We verwachten dat providers de beste praktijken in de branche zullen toepassen om hun gebruikers te beschermen. + +**Minimum om in aanmerking te komen:** + +- Bescherming van webmail met 2FA, zoals TOTP. +- Zero access encryptie, bouwt voort op encryptie in rust. De provider heeft geen decryptiesleutels voor de gegevens die ze hebben. Dit voorkomt dat een malafide werknemer gegevens lekt waartoe hij toegang heeft, of dat een tegenstander op afstand gegevens vrijgeeft die hij heeft gestolen door ongeoorloofde toegang tot de server te verkrijgen. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) ondersteuning. +- Geen [TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) fouten/kwetsbaarheden bij profilering door tools zoals [Hardenize](https://www.hardenize.com), [testssl.sh](https://testssl.sh) of [Qualys SSL Labs](https://www.ssllabs.com/ssltest), dit omvat certificaatgerelateerde fouten, slechte of zwakke ciphersuites, zwakke DH-parameters zoals die welke hebben geleid tot [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- Een geldig [MTA-STS](https://tools.ietf.org/html/rfc8461) en [TLS-RPT](https://tools.ietf.org/html/rfc8460) beleid. +- Geldig [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Geldige [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) en [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Zorg voor een correct [DMARC](https://en.wikipedia.org/wiki/DMARC) record en beleid of gebruik [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) voor verificatie. Als DMARC-authenticatie wordt gebruikt, moet het beleid worden ingesteld op `reject` of `quarantine`. +- Een server suite voorkeur van TLS 1.2 of hoger en een plan voor [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) indiening, ervan uitgaande dat SMTP wordt gebruikt. +- Beveiligingsnormen voor websites, zoals: + - [HTTP Strict Transport Security](https://nl.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subbron Integriteit](https://en.wikipedia.org/wiki/Subresource_Integrity) als dingen van externe domeinen worden geladen. +- Moet het bekijken van [Message headers](https://en.wikipedia.org/wiki/Email#Message_header)ondersteunen, aangezien dit een cruciale forensische functie is om te bepalen of een e-mail een phishing-poging is. + +**Beste geval:** + +- Ondersteuning voor hardware-authenticatie, d.w.z. U2F en [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F en WebAuthn zijn veiliger omdat zij een privésleutel gebruiken die is opgeslagen op een hardware-apparaat aan de clientzijde om mensen te authenticeren, in tegenstelling tot een gedeeld geheim dat is opgeslagen op de webserver en aan de clientzijde wanneer TOTP wordt gebruikt. Bovendien zijn U2F en WebAuthn beter bestand tegen phishing omdat hun authenticatierespons gebaseerd is op de geauthenticeerde [domeinnaam](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certificatie Autoriteit Autorisatie (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in aanvulling op DANE ondersteuning. +- Implementatie van [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), dit is nuttig voor mensen die posten naar mailinglijsten [RFC8617](https://tools.ietf.org/html/rfc8617). +- Programma's voor bug-bounty's en/of een gecoördineerd proces voor de openbaarmaking van kwetsbaarheden. +- Beveiligingsnormen voor websites, zoals: + - [Inhoud beveiligingsbeleid (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Vertrouwen + +Je zou je financiën niet toevertrouwen aan iemand met een valse identiteit, dus waarom zou je hen je e-mail toevertrouwen? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld. + +**Minimum om in aanmerking te komen:** + +- Publiekelijk leiderschap of eigendom. + +**Beste geval:** + +- Publieksgericht leiderschap. +- Frequente transparantieverslagen. + +### Marketing + +Bij de e-mail providers die we aanbevelen zien we graag verantwoorde marketing. + +**Minimum om in aanmerking te komen:** + +- Moet zelf analytics hosten (geen Google Analytics, Adobe Analytics, etc). De site van de aanbieder moet ook voldoen aan [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) voor degenen die zich willen afmelden. + +Mag geen marketing hebben die onverantwoord is: + +- Claims van "onbreekbare encryptie." Encryptie moet worden gebruikt met de bedoeling dat zij in de toekomst niet meer geheim is wanneer de technologie bestaat om haar te kraken. +- Garanties van 100% bescherming van de anonimiteit. Wanneer iemand beweert dat iets 100% is, betekent dit dat er geen zekerheid is voor mislukking. We weten dat mensen zichzelf vrij gemakkelijk kunnen deanonimiseren op een aantal manieren, bv.: + +- Hergebruik van persoonlijke informatie, bijv. (e-mailaccounts, unieke pseudoniemen, enz.) waartoe zij toegang hadden zonder anonimiteitssoftware (Tor, VPN, enz.) +- [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Beste geval:** + +- Duidelijke en gemakkelijk te lezen documentatie. Dit omvat zaken als het instellen van 2FA, e-mailclients, OpenPGP, enz. + +### Extra functionaliteit + +Hoewel het geen strikte vereisten zijn, zijn er nog enkele andere factoren met betrekking tot gemak of privacy die wij in aanmerking hebben genomen bij het bepalen van de aan te bevelen providers. diff --git a/i18n/nl/encryption.md b/i18n/nl/encryption.md new file mode 100644 index 00000000..5aaddf4e --- /dev/null +++ b/i18n/nl/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Versleutelingssoftware" +icon: material/file-lock +description: Encryptie van gegevens is de enige manier om te controleren wie er toegang toe heeft. Met deze tools kun je jouw e-mails en andere bestanden versleutelen. +--- + +Encryptie van gegevens is de enige manier om te controleren wie er toegang toe heeft. Als je momenteel geen encryptiesoftware gebruikt voor jouw harde schijf, e-mails of bestanden, moet je hier een optie kiezen. + +## Multi-platform + +De hier genoemde opties zijn multiplatform en zeer geschikt voor het maken van versleutelde back-ups van jouw gegevens. + +### Cryptomator (Cloud) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is een encryptie-oplossing die is ontworpen voor het privé opslaan van bestanden bij elke cloudprovider. Hiermee kunt u kluizen maken die worden opgeslagen op een virtuele schijf, waarvan de inhoud wordt gecodeerd en gesynchroniseerd met uw cloudopslagprovider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Broncode" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator maakt gebruik van AES-256 encryptie om zowel bestanden als bestandsnamen te versleutelen. Cryptomator kan geen metadata versleutelen, zoals tijdstempels voor toegang, wijziging en creatie, noch het aantal en de grootte van bestanden en mappen. + +Sommige cryptografische bibliotheken van Cryptomator zijn [geaudit](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) door Cure53. De reikwijdte van de gecontroleerde bibliotheken omvat: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) en [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). De controle strekte zich niet uit tot [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), een bibliotheek die door Cryptomator voor iOS wordt gebruikt. + +In de documentatie van Cryptomator worden de beoogde [beveiligingsdoelstelling](https://docs.cryptomator.org/en/latest/security/security-target/), [beveiligingsarchitectuur](https://docs.cryptomator.org/en/latest/security/architecture/), en [beste praktijken](https://docs.cryptomator.org/en/latest/security/best-practices/) voor gebruik nader toegelicht. + +### Picocrypt (Bestand) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is een klein en eenvoudig encryptieprogramma dat moderne encryptie biedt. Picocrypt gebruikt het veilige XChaCha20-cijfer en de Argon2id-sleutelafleidingsfunctie om een hoog niveau van veiligheid te bieden. Het gebruikt Go's standaard x/crypto modules voor zijn versleutelingsfuncties. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Schijf) + +!!! recommendation + + ![VeraCrypt-logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt-logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is een met broncode beschikbaar freeware hulpprogramma dat wordt gebruikt voor on-the-fly encryptie. Het kan een virtuele versleutelde schijf binnen een bestand maken, een partitie versleutelen of het gehele opslagapparaat versleutelen met pre-boot verificatie. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Broncode" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is een vork van het beëindigde TrueCrypt-project. Volgens de ontwikkelaars zijn er beveiligingsverbeteringen doorgevoerd en zijn de problemen die bij de eerste controle van de TrueCrypt-code aan het licht zijn gekomen, aangepakt. + +Bij het versleutelen met VeraCrypt heb je de keuze uit verschillende [hashfuncties](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Wij raden je aan **alleen** [SHA-512](https://en.wikipedia.org/wiki/SHA-512) te selecteren en vast te houden aan het [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) blokcijfer. + +Truecrypt is [een aantal keer gecontroleerd](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), en VeraCrypt is ook [apart gecontroleerd](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Volledige Schijfversleuteling + +Moderne besturingssystemen omvatten [FDE](https://en.wikipedia.org/wiki/Disk_encryption) en zullen gebruik maken van een [beveiligde cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker-logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is de oplossing voor volledige volume-encryptie die met Microsoft Windows wordt meegeleverd. De belangrijkste reden waarom wij het aanbevelen is vanwege zijn [gebruik van TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), een forensisch bedrijf, heeft er over geschreven in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentatie} + +BitLocker is [alleen ondersteund](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) op Pro, Enterprise en Education edities van Windows. Het kan worden ingeschakeld op Home-edities, mits deze aan de voorwaarden voldoen. + +??? example "BitLocker inschakelen op Windows Home" + + Om BitLocker in te schakelen op "Home"-edities van Windows, moet je partities hebben die zijn geformatteerd met een [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) en beschikken over een speciale TPM-module (v1.2, 2.0+). + + 1. Open een opdrachtprompt en controleer de indeling van de partitietabel van jouw schijf met het volgende commando. Je zou "**GPT**" moeten zien staan onder "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Voer dit commando uit (in een admin commando prompt) om jouw TPM versie te controleren. Je zou `2.0` of `1.2` moeten zien staan naast `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Ga naar de [Geavanceerde opstartopties](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). Je moet opnieuw opstarten terwijl je op de F8-toets drukt voordat Windows start en naar de *opdrachtprompt* gaat in **Problemen oplossen** → **Geavanceerde opties** → **Opdrachtprompt**. + + 4. Log in met jouw admin-account en typ dit in de opdrachtprompt om de versleuteling te starten: + + ``` + manage-bde -on c: -used + ``` + + 5. Sluit de opdrachtprompt en en start verder op naar de gewone Windows installatie. + + 6. Open een admin commando prompt en voer de volgende commando's uit: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Back-up de `BitLocker-Recovery-Key.txt` op uw bureaublad naar een apart opslagapparaat. Het verlies van deze herstelcode kan leiden tot verlies van gegevens. + +### FileVault + +!!! recommendation + + ![FileVault-logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is de in macOS ingebouwde oplossing voor volumeversleuteling tijdens het filteren. FileVault wordt aanbevolen omdat het [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware beveiligingsmogelijkheden biedt die aanwezig zijn op een Apple silicium SoC of T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentatie} + +Wij raden je aan een lokale herstelsleutel op een veilige plaats op te slaan in plaats van uw iCloud-account te gebruiken voor herstel. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS-logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is de standaard FDE-methode voor Linux. Het kan worden gebruikt om volledige volumes of partities te versleutelen, of om versleutelde containers te maken. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Broncode" } + +??? example "Creëren en openen van versleutelde containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Versleutelde containers openen + We raden aan om containers en volumes te openen met `udisksctl`, omdat dit gebruik maakt van [Polkit](https://en.wikipedia.org/wiki/Polkit). De meeste bestandsbeheerders, zoals die van populaire desktopomgevingen, kunnen versleutelde bestanden ontgrendelen. Hulpprogramma's zoals [udiskie](https://github.com/coldfix/udiskie) kunnen in het systeemvak draaien en een nuttige gebruikersinterface bieden. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Vergeet niet een back-up te maken van de volumekoppen" + + Wij raden je aan altijd [een back-up te maken van uw LUKS-headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in geval van een gedeeltelijke schijfstoring. Dit kan gedaan worden met: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-gebaseerd + +Versleuteling via de browser kan handig zijn als je een bestand moet versleutelen, maar geen software of apps op jouw apparaat kunt installeren. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is een webapplicatie die veilige client-side versleuteling van bestanden in jouw browser biedt. Het kan ook zelf worden gehost en is handig als je een bestand moet versleutelen, maar geen software op jouw apparaat kunt installeren vanwege organisatorisch beleid. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donatiemogelijkheden vindt u onderaan de website" } + +## Command-line + +Tools met command-line interfaces zijn handig voor het integreren van [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is een gratis en open-source programma voor het versleutelen en ondertekenen van bestanden dat gebruik maakt van moderne en veilige cryptografische algoritmen. Het beoogt een betere versie te zijn van [age](https://github.com/FiloSottile/age) en [Minisign](https://jedisct1.github.io/minisign/) om een eenvoudig, gemakkelijker alternatief voor GPG te bieden. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is een is een command-line shell wrapper voor LUKS. Het ondersteunt steganografie via [hulpprogramma's van derden](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Bijdragen} + +## OpenPGP + +OpenPGP is soms nodig voor specifieke taken zoals het digitaal ondertekenen en versleutelen van e-mail. PGP heeft veel mogelijkheden en is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) omdat het al heel lang bestaat. Voor taken zoals het ondertekenen of versleutelen van bestanden, raden wij de bovenstaande opties aan. + +Bij het versleutelen met PGP, heb je de optie om verschillende opties te configureren in het `gpg.conf` bestand. We raden aan om de standaard opties te gebruiken zoals gespecificeerd in de [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Gebruik toekomstige standaardwaarden bij het genereren van een sleutel" + + Bij het [genereren van sleutels](https://www.gnupg.org/gph/en/manual/c14.html) raden we aan het `future-default` commando te gebruiken omdat dit GnuPG zal instrueren moderne cryptografie te gebruiken zoals [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) en [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is een GPL-gelicenseerd alternatief voor de PGP-suite van cryptografische software. GnuPG is in overeenstemming met [RFC 4880](https://tools.ietf.org/html/rfc4880), de huidige IETF-specificatie van OpenPGP. Het GnuPG-project heeft gewerkt aan een [bijgewerkt ontwerp](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in een poging OpenPGP te moderniseren. GnuPG is een onderdeel van het GNU-softwareproject van de Free Software Foundation en heeft van de Duitse regering het belangrijke [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) ontvangen. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win-logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is een pakket voor Windows van [Intevation en g10 Code](https://gpg4win.org/impressum.html). Het bevat [diverse hulpmiddelen](https://gpg4win.org/about.html) die je kunnen helpen bij het gebruik van GPG op Microsoft Windows. Het project is in 2005 opgezet en oorspronkelijk [gefinancierd door](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) het Bundesamt für Informationssicherheit (BSI) van Duitsland. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Broncode" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We raden [Canary Mail](email-clients.md#canary-mail) aan voor het gebruik van PGP met e-mail op iOS-apparaten. + +!!! recommendation + + ![GPG Suite-logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** biedt OpenPGP-ondersteuning voor [Apple Mail](email-clients.md#apple-mail) en macOS. + + Wij raden aan een kijkje te nemen in hun [Eerste stappen pagina](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) en [Kennisbank](https://gpgtools.tenderapp.com/kb) voor ondersteuning. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain-logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is een Android implementatie van GnuPG. Het wordt algemeen vereist door mail clients zoals [K-9 Mail](email-clients.md#k-9-mail) en [FairEmail](email-clients.md#fairemail) en andere Android apps om encryptie ondersteuning te bieden. Cure53 voltooide een [beveiligingsaudit](https://www.openkeychain.org/openkeychain-3-6) van OpenKeychain 3.6 in oktober 2015. Technische details over de audit en OpenKeychain's oplossingen zijn te vinden op [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimum kwalificaties + +- Cross-platform encryptie apps moeten open-source zijn. +- Apps voor bestandsversleuteling moeten ontsleuteling ondersteunen op Linux, macOS en Windows. +- Apps voor externe schijfversleuteling moeten ontsleuteling ondersteunen op Linux, macOS en Windows. +- Interne (OS) schijfversleutelingsapps moeten platformonafhankelijk zijn of ingebouwd zijn in het besturingssysteem. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Toepassingen voor versleuteling van het besturingssysteem (FDE) moeten gebruik maken van hardwarebeveiliging zoals een TPM of Secure Enclave. +- Bestandsversleutelingsapps moeten ondersteuning van eerste of derde partijen hebben voor mobiele platforms. diff --git a/i18n/nl/file-sharing.md b/i18n/nl/file-sharing.md new file mode 100644 index 00000000..3b6954ab --- /dev/null +++ b/i18n/nl/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "Bestanden delen en synchroniseren" +icon: material/share-variant +description: Ontdek hoe je jouw bestanden privé kunt delen tussen jouw apparaten, met jouw vrienden en familie, of anoniem online. +--- + +Ontdek hoe je jouw bestanden privé kunt delen tussen jouw apparaten, met jouw vrienden en familie, of anoniem online. + +## Bestanden Delen + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is een vork van Mozilla 's beëindigde Firefox Send-service waarmee je bestanden naar anderen kunt verzenden met een link. Bestanden worden op jouw apparaat versleuteld zodat ze niet door de server kunnen worden gelezen, en ze kunnen optioneel ook met een wachtwoord worden beveiligd. De maintainer van Send hosts een [openbare instantie](https://send.vis.ee/). Je kunt andere openbare instanties gebruiken, of je kunt Send zelf hosten. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Bijdragen } + +Send kan worden gebruikt via de webinterface of via de [ffsend](https://github.com/timvisee/ffsend) CLI. Als je vertrouwd bent met de commandline en vaak bestanden verstuurt, raden wij je aan de CLI-client te gebruiken om versleuteling op basis van JavaScript te vermijden. Je kunt de vlag `--host` opgeven om een specifieke server te gebruiken: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is een open-source tool waarmee je veilig en anoniem een bestand van elke grootte kunt delen. Het werkt door een webserver te starten die toegankelijk is als een Tor onion service, met een onleesbare URL die je met de ontvangers kunt delen om bestanden te downloaden of te verzenden. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Mag geen gedecodeerde gegevens op een externe server opslaan. +- Moet open-source software zijn. +- Moet clients hebben voor Linux, macOS en Windows; of een webinterface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is een besturingssysteem ontworpen om te draaien op een [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). Het doel is om het gemakkelijk te maken om servertoepassingen op te zetten die je misschien zelf wilt hosten. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentatie} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Broncode" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Bijdrage leveren } + +## Bestandssynchronisatie + +### Nextcloud (client-server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is een suite van gratis en open-source client-server software voor het creëren van jouw eigen bestandshosting diensten op een prive-server die jij controleert. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Broncode" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Gevaar" + + Wij raden het gebruik van de [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) voor Nextcloud af, omdat dit kan leiden tot gegevensverlies; het is zeer experimenteel en niet van productiekwaliteit. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is een open-source peer-to-peer continue bestandssynchronisatie hulpprogramma. Het wordt gebruikt om bestanden te synchroniseren tussen twee of meer toestellen via het lokale netwerk of het internet. Syncthing gebruikt geen gecentraliseerde server; het gebruikt het [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) om gegevens tussen apparaten over te dragen. Alle gegevens worden versleuteld met behulp van TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Broncode" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Bijdrage leveren } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Mag geen externe/cloudserver van derden vereisen. +- Moet open-source software zijn. +- Moet clients hebben voor Linux, macOS en Windows; of een webinterface. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Heeft mobiele clients voor iOS en Android, die tenminste document previews ondersteunen. +- Ondersteunt back-up van foto's van iOS en Android, en ondersteunt optioneel synchronisatie van bestanden/mappen op Android. diff --git a/i18n/nl/financial-services.md b/i18n/nl/financial-services.md new file mode 100644 index 00000000..e3effe0d --- /dev/null +++ b/i18n/nl/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financiële diensten +icon: material/bank +--- + +Online betalen is een van de grootste uitdagingen voor privacy. Deze diensten kunnen je helpen jouw privacy te beschermen tegen handelaren en andere trackers, op voorwaarde dat je goed weet hoe je privébetalingen doeltreffend kunt verrichten. Wij raden je sterk aan eerst ons overzichtsartikel over betalingen te lezen voordat je aankopen doet: + +[Privébetalingen maken :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Maskerende betalingsdiensten + +Er zijn een aantal diensten die "virtuele debetkaarten" aanbieden die je bij online handelaren kunt gebruiken zonder in de meeste gevallen jouw werkelijke bank- of factureringsgegevens bekend te maken. Het is belangrijk op te merken dat deze financiële diensten **niet** anoniem zijn en onderworpen zijn aan "Know Your Customer" (KYC) wetten en jouw ID of andere identificerende informatie kunnen vereisen. Deze diensten zijn vooral nuttig om je te beschermen tegen inbreuken op gegevens van handelaars, minder gesofisticeerde tracking of aankoopcorrelatie door marketingbureaus, en online gegevensdiefstal; en **niet** om volledig anoniem een aankoop te doen. + +!!! tip "Controleer jouw huidige bank" + + Veel banken en kredietkaartaanbieders bieden hun eigen virtuele kaartfunctionaliteit. Als je er een gebruikt die deze optie al biedt, moet je deze in de meeste gevallen over de volgende aanbevelingen gebruiken. Op die manier vertrouw je niet meerdere partijen met jouw persoonlijke informatie. + +### Privacy.com (VS) + +!!! recommendation + + Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + Met het gratis plan van **Privacy.com** kunt je tot 12 virtuele kaarten per maand aanmaken, uitgavenlimieten op die kaarten instellen en kaarten onmiddellijk uitschakelen. Met hun betaalde plan kunt je tot 36 kaarten per maand aanmaken, 1% cashback krijgen op aankopen en transactiegegevens voor jouw bank verbergen. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentatie} + +Privacy.com geeft standaard informatie over de handelaren bij wie je koopt door aan jouw bank. Hun betaalde functie "discrete handelaars" verbergt handelaarsinformatie voor jouw bank, zodat jouw bank alleen ziet dat een aankoop werd gedaan bij Privacy.com maar niet waar dat geld werd uitgegeven, maar dat is niet waterdicht, en natuurlijk heeft Privacy.com nog steeds kennis over de handelaars waar je geld uitgeeft. + +### MySudo (VS, Betaald) + +!!! recommendation + + MySudo logo](assets/img/financiële-diensten/mysudo.svg#alleen-licht){ align=right } + MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** biedt tot 9 virtuele kaarten, afhankelijk van het plan dat je koopt. Hun betaalde plannen omvatten bovendien functionaliteit die nuttig kan zijn om privé aankopen te doen, zoals virtuele telefoonnummers en e-mailadressen, hoewel wij gewoonlijk andere [email aliasing providers](email.md) aanbevelen voor uitgebreid e-mail aliasing gebruik. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Maakt het mogelijk om meerdere kaarten aan te maken die functioneren als een schild tussen de handelaar en jouw persoonlijke financiën. +- Kaarten mogen je niet verplichten de handelaar nauwkeurige informatie over het factuuradres te verstrekken. + +## Marktplaatsen voor cadeaubonnen + +Met deze diensten kunt je online cadeaubonnen kopen voor verschillende handelaren met [cryptocurrency](cryptocurrency.md). Sommige van deze services bieden opties voor ID-verificatie voor hogere limieten, maar ze staan ook accounts toe met alleen een e-mailadres. Basislimieten beginnen bij $ 5.000-10.000 per dag voor basisaccounts en aanzienlijk hogere limieten voor ID geverifieerde accounts (indien aangeboden). + +### Cake Pay + +!!! recommendation + + CakePay logo](assets/img/financiële-diensten/cakepay.svg){ align=right } + + Met **Cake Pay** kunt je cadeaubonnen en aanverwante producten kopen met Monero. Aankopen voor Amerikaanse handelaren zijn beschikbaar in de Cake Wallet mobiele app, terwijl de Cake Pay web app een brede selectie van wereldwijde handelaren bevat. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentatie} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + ** CoinCards ** (beschikbaar in de VS, Canada en het VK) kunt je cadeaubonnen kopen voor een grote verscheidenheid aan verkopers. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentatie} + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Accepteert betaling in [een aanbevolen cryptocurrency](cryptocurrency.md). +- Geen identificatieplicht. diff --git a/i18n/nl/frontends.md b/i18n/nl/frontends.md new file mode 100644 index 00000000..ea672f0d --- /dev/null +++ b/i18n/nl/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: Deze open-source frontends voor verschillende internetdiensten geven je toegang tot inhoud zonder JavaScript of andere ergernissen. +--- + +Soms proberen diensten je te dwingen zich aan te melden voor een account door de toegang tot inhoud te blokkeren met vervelende popups. Ze kunnen ook breken zonder JavaScript. Met deze frontends kunt je deze beperkingen omzeilen. + +## Cliënten + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is een gratis en open-source frontend voor de [Odysee](https://odysee.com/) (LBRY) video sharing netwerk dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Broncode" } + +!!! warning + + Librarian proxied standaard geen videos. Video's die bekeken worden via Librarian zullen nog steeds directe verbindingen maken naar de servers van Odysee (bv. `odycdn.com`); sommige instanties kunnen echter proxying inschakelen, wat gedetailleerd wordt beschreven in het privacybeleid van de instantie. + +!!! tip + + Librarian is handig als je LBRY content op mobiel wilt bekijken zonder verplichte telemetrie en als je JavaScript in je browser wilt uitschakelen, zoals het geval is met [Tor Browser](https://www.torproject.org/) op het veiligheidsniveau Safest. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je Librarian host, aangezien het gebruik van anderen gelinkt zal worden aan jouw instantie. + +Wanneer je een librarian instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Librarian instances kunnen door hun eigenaars gewijzigd worden en geven daarom mogelijk niet het standaardbeleid weer. Librarian instances hebben een "privacy voedingslabel" om een overzicht te geven van hun beleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is een gratis en open-source frontend voor [Twitter](https://twitter.com) dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Bijdragen } + +!!! tip + + Nitter is handig als u de inhoud van Twitter wilt bekijken zonder in te loggen en als je JavaScript in jouw browser wilt uitschakelen, zoals het geval is met [Tor Browser](https://www.torproject.org/) op beveiligingsniveau safest. Je kunt er ook [RSS feeds voor Twitter mee maken](news-aggregators.md#twitter). + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe u Nitter host, want het gebruik van andere mensen wordt gekoppeld aan jouw instantie. + +Wanneer je een Nitter-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Nitter instanties kunnen door hun eigenaars worden gewijzigd en weerspiegelen daarom mogelijk niet het standaardbeleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is een open source frontend voor de [TikTok](https://www.tiktok.com) website die ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Broncode" } + +!!! tip + + ProxiTok is handig als je JavaScript wilt uitschakelen in jouw browser, zoals [Tor Browser](https://www.torproject.org/) op beveiligingsniveau safest. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je ProxiTok host, want het gebruik van andere mensen wordt gekoppeld aan jouw instance. + +Als u een ProxiTok-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. ProxiTok-instanties kunnen door hun eigenaars worden gewijzigd en geven daarom mogelijk niet het bijbehorende privacybeleid weer. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is een gratis en open-source desktop applicatie voor [YouTube](https://youtube.com). Bij gebruik van FreeTube worden je abonnementenlijst en afspeellijsten lokaal op je toestel opgeslagen. + + Standaard blokkeert FreeTube alle YouTube-advertenties. Bovendien integreert FreeTube optioneel met [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + Als je FreeTube gebruikt, kan je IP-adres nog steeds bekend zijn bij YouTube, [Invidious](https://instances.invidious.io) of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van je configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is een gratis en open-source privacy georiënteerde videospeler voor iOS, tvOS en macOS voor [YouTube](https://youtube.com). Wanneer je Yattee gebruikt, wordt je abonnementenlijst lokaal op je toestel opgeslagen. + + Je zult een paar [extra stappen](https://gonzoknows.com/posts/Yattee/) moeten nemen voordat je Yattee kunt gebruiken om YouTube te kijken, vanwege beperkingen in de App Store. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + Wanneer je Yattee gebruikt, is jouw IP-adres mogelijk nog steeds bekend bij YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van jouw configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +Yattee blokkeert standaard alle YouTube-advertenties. Bovendien integreert Yattee optioneel met [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube-logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is een gratis en open-source Android applicatie voor [YouTube](https://youtube.com) die gebruik maakt van de [Piped](#piped) API. + + Met LibreTube kunt u uw abonnementenlijst en afspeellijsten lokaal op uw Android-toestel opslaan, of in een account op uw Piped-instantie naar keuze, waardoor u er ook op andere toestellen naadloos toegang toe hebt. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + Wanneer u LibreTube gebruikt, is uw IP-adres zichtbaar voor de door u gekozen instantie [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) en/of [SponsorBlock](https://sponsor.ajay.app/), afhankelijk van uw configuratie. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +LibreTube blokkeert standaard alle YouTube-advertenties. Bovendien gebruikt Libretube [SponsorBlock](https://sponsor.ajay.app) om u te helpen gesponsorde videosegmenten over te slaan. U kunt de soorten segmenten die SponsorBlock zal overslaan volledig configureren, of volledig uitschakelen. Er is ook een knop op de videospeler zelf om deze desgewenst voor een specifieke video uit te schakelen. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is een gratis en open-source Android applicatie voor [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), en [PeerTube](https://joinpeertube.org/) (1). + + Uw abonnementenlijst en afspeellijsten worden lokaal op uw Android toestel opgeslagen. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Broncode" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Bijdragen } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. De standaard instantie is [FramaTube](https://framatube.org/), maar er kunnen er meer worden toegevoegd via **Instellingen** → **Inhoud** → **PeerTube instanties** + +!!! Warning + + Wanneer je NewPipe gebruikt, is jouw IP-adres zichtbaar voor de gebruikte videoproviders. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is een gratis en open-source frontend voor [YouTube](https://youtube.com) dat ook zelf te hosten is. + + Er zijn een aantal openbare instanties, waarvan sommige instanties [Tor](https://www.torproject.org) .onion diensten ondersteunen. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Broncode" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Bijdragen } + +!!! warning + + Invidious proxied standaard geen videos. Video's die bekeken worden via Invidious zullen nog steeds directe verbindingen maken met Google's servers (bijv. `googlevideo.com`); sommige instanties ondersteunen echter video proxying- Activeer *Proxy videos* binnen de instellingen van de instanties of voeg `&local=true` toe aan de URL. + +!!! tip + + Invidious is handig als je JavaScript wilt uitschakelen in je browser, zoals [Tor Browser](https://www.torproject.org/) op het beveiligingsniveau safest. Het biedt op zichzelf geen privacy, en wij raden niet aan in te loggen op een account. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je Invidious host, omdat het gebruik van anderen gekoppeld zal worden aan jouw instantie. + +Als u een Invidious-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Invidious instanties kunnen door hun eigenaren worden gewijzigd en weerspiegelen daarom mogelijk niet hun bijbehorende privacybeleid. Sommige instanties hebben Tor .onion adressen die enige privacy kunnen bieden zolang jouw zoekopdrachten geen PII (Personally Identifiable Information) bevat. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is een gratis en open-source frontend voor [YouTube](https://youtube.com) dat ook zelf te hosten is. + + Piped vereist JavaScript om te kunnen functioneren en er zijn een aantal openbare instanties. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Bijdragen } + +!!! tip + + Piped is handig als je [SponsorBlock](https://sponsor.ajay.app) wilt gebruiken zonder een extensie te installeren of als je zonder account toegang wilt krijgen tot inhoud met leeftijdsbeperkingen. Het biedt op zichzelf geen privacy, en wij raden niet aan in te loggen op een account. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van uw instantie, zodat je op kunt gaan in de menigte. U moet voorzichtig zijn met waar en hoe je Piped host, omdat het gebruik van andere mensen aan jouw instantie wordt gekoppeld. + +Wanneer je een Piped-instantie gebruikt, moet je het privacybeleid van die specifieke instantie lezen. Piped instanties kunnen worden gewijzigd door hun eigenaren en daarom kunnen niet hun bijbehorende privacybeleid weerspiegelen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +Aanbevolen frontends... + +- Moet open-source software zijn. +- Moet zelf te hosten zijn. +- Moet alle basisfuncties van de website beschikbaar stellen aan anonieme gebruikers. + +We overwegen alleen frontends voor websites die... + +- Niet normaal toegankelijk zonder JavaScript. diff --git a/i18n/nl/index.md b/i18n/nl/index.md new file mode 100644 index 00000000..1cfd3ae5 --- /dev/null +++ b/i18n/nl/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.nl.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Waarom moet ik me zorgen maken? + +##### "Ik heb niks te verbergen. Waarom zou ik me zorgen maken over mijn privacy?" + +Net zoals het recht op interraciale huwelijken, het kiesrecht voor vrouwen, de vrijheid van meningsuiting en vele andere, hadden wij niet altijd recht op privacy. In verschillende dictaturen is dat nog steeds niet het geval. Generaties voor ons vochten voor ons recht op privacy. ==Privacy is een mensenrecht, inherent aan ons allen,== waar we recht op hebben (zonder discriminatie). + +Je moet privacy niet verwarren met geheimhouding. We weten wat er in de badkamer gebeurt, maar je doet nog steeds de deur dicht. Dat is omdat je privacy wilt, geen geheimzinnigheid. **Iedereen** heeft iets te beschermen. Privacy is iets wat ons menselijk maakt. + +[:material-target-account: Veel voorkomende internetbedreigingen](basics/common-threats.md ""){.md-button.md-button--primary} + +## Wat moet ik doen? + +##### Eerst moet je een plan maken + +Het is onpraktisch, duur en vermoeiend om te proberen al jouw gegevens altijd tegen iedereen te beschermen. Maar maak je geen zorgen! Veiligheid is een proces, en door vooruit te denken kun je een plan samenstellen dat bij jou past. Veiligheid gaat niet alleen over de tools die je gebruikt of de software die je downloadt. Integendeel, het begint met het begrijpen van de unieke bedreigingen waarmee je wordt geconfronteerd en hoe je deze kunt beperken. + +==Dit proces van het identificeren van bedreigingen en het vaststellen van tegenmaatregelen wordt **bedreigingsmodellering** genoemd==, en het vormt de basis van elk goed beveiligings- en privacyplan. + +[:material-book-outline: Meer informatie over dreigingsmodellering](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We hebben je nodig! Zo kan je betrokken raken: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Word lid van ons forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Volg ons op Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Draag bij aan deze website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help deze website vertalen" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat met ons op Matrix" } +[:material-information-outline:](about/index.md){ title="Meer informatie over ons" } +[:material-hand-coin-outline:](about/donate.md){ title="Steun het project" } + +Het is belangrijk voor een website zoals Privacy Guides om altijd up-to-date te blijven. Ons publiek moet software-updates in de gaten houden voor de toepassingen die op onze site staan en recent nieuws volgen over aanbieders die wij aanbevelen. Het is moeilijk om het hoge tempo van het internet bij te houden, maar we doen ons best. Als je een fout ziet, denkt dat een provider niet in de lijst thuishoort, merkt dat een gekwalificeerde provider ontbreekt, denkt dat een browserplugin niet langer de beste keuze is, of een ander probleem ontdekt, laat het ons dan weten. diff --git a/i18n/nl/kb-archive.md b/i18n/nl/kb-archive.md new file mode 100644 index 00000000..2c6dcee5 --- /dev/null +++ b/i18n/nl/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archief +icon: material/archive +description: Sommige pagina's die vroeger in onze kennisbank zaten, zijn nu te vinden op onze blog. +--- + +# Pagina's verplaatst naar Blog + +Sommige pagina's die vroeger in onze kennisbank zaten, zijn nu te vinden op onze blog: + +- [GrapheneOS vs CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal configuratie en verharding](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - Systeem verharding](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Applicatie Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Veilig wissen van gegevens](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integreren van metadata verwijdering](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS configuratiegids](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/nl/meta/brand.md b/i18n/nl/meta/brand.md new file mode 100644 index 00000000..0237502d --- /dev/null +++ b/i18n/nl/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Richtlijnen voor merknamen +--- + +De naam van de website is **Privacy Guides** en moet **niet** worden veranderd in: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +De naam van de subreddit is **r/PrivacyGuides** of **the Privacy Guides Subreddit**. + +Aanvullende merkrichtlijnen zijn te vinden op [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Handelsmerk + +"Privacy Guides" en het schild logo zijn handelsmerken in eigendom van Jonah Aragon, onbeperkt gebruik is toegekend aan de Privacy Guides project. + +Zonder af te zien van haar rechten, adviseert Privacy Guides anderen niet over de reikwijdte van haar intellectuele-eigendomsrechten. Privacy Guides staat geen gebruik van haar handelsmerken toe op een manier die verwarring kan veroorzaken door associatie met of sponsoring door Privacy Guides te impliceren, en geeft daar ook geen toestemming voor. Als u op de hoogte bent van dergelijk gebruik, neem dan contact op met Jonah Aragon via jonah@privacyguides.org. Raadpleeg uw juridisch adviseur als u vragen hebt. diff --git a/i18n/nl/meta/git-recommendations.md b/i18n/nl/meta/git-recommendations.md new file mode 100644 index 00000000..bb81b6a8 --- /dev/null +++ b/i18n/nl/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +Als je veranderingen aan deze website direct op de web editor van GitHub.com maakt, zou je je hier geen zorgen over moeten maken. Als je lokaal ontwikkelt en/of een ervaren website-editor bent (die waarschijnlijk lokaal zou moeten ontwikkelen!), overweeg dan deze aanbevelingen. + +## SSH Key Commit Signing inschakelen + +U kunt een bestaande SSH-sleutel gebruiken voor ondertekening, of [een nieuwe aanmaken](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configureer je Git client om standaard commits en tags te ondertekenen (verwijder `--global` om alleen standaard te ondertekenen voor deze repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Kopieer bijvoorbeeld jouw SSH publieke sleutel naar jouw klembord: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Stel je SSH sleutel in voor ondertekening in Git met het volgende commando, waarbij je de laatste string tussen aanhalingstekens vervangt door de publieke sleutel in je klembord: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Zorg ervoor dat je [je SSH sleutel toevoegt aan je GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **als een Signing Key** (in tegenstelling tot of in aanvulling op als een Authentication Key). + +## Rebase op Git pull + +Gebruik `git pull --rebase` in plaats van `git pull` als je wijzigingen van GitHub naar je lokale machine trekt. Op deze manier zullen je lokale wijzigingen altijd "bovenop" de laatste wijzigingen op GitHub staan, en je vermijdt merge commits (die niet zijn toegestaan in deze repo). + +Je kunt dit als standaard gedrag instellen: + +``` +git config --global pull.rebase true +``` + +## Rebase van `main` voor het indienen van een PR + +Als je aan jouw eigen branch werkt, voer dan deze commando's uit voordat je een PR indient: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/nl/meta/uploading-images.md b/i18n/nl/meta/uploading-images.md new file mode 100644 index 00000000..4de7106d --- /dev/null +++ b/i18n/nl/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Afbeeldingen uploaden +--- + +Hier zijn een paar algemene regels voor het bijdragen aan Privacy Guides: + +## Afbeeldingen + +- Wij geven **de voorkeur aan** SVG-afbeeldingen, maar als die niet bestaan, kunnen we PNG-afbeeldingen gebruiken + +Bedrijfslogo's hebben canvas grootte van: + +- 128x128px +- 384x128px + +## Optimalisatie + +### PNG + +Gebruik [OptiPNG](https://sourceforge.net/projects/optipng/) om de PNG-afbeelding te optimaliseren: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) alle SVG-afbeeldingen. + +In Inkscape: + +1. Bestand Opslaan Als.. +2. Type instellen op Geoptimaliseerde SVG (*.svg) + +In het tabblad **Opties**: + +- **Aantal significante cijfers voor coördinaten** > **5** +- [x] Zet aan **Kleurwaarden inkorten** +- [x] Zet **aan Zet CSS-attributen om in XML-attributen** +- [x] Zet **aan Samengevoegde groepen** +- [x] Zet **aan Maak groepen voor vergelijkbare kenmerken** +- [ ] Schakel **Bewaar bewerkingsgegevens** uit +- [ ] Schakel **uit zonder verwijzing gedefinieerde definities** +- [x] Zet **Werk rond renderbugs** aan + +In het tabblad **SVG-uitvoer** onder **Documentopties**: + +- [ ] Schakel **Verwijder de XML declaratie** uit +- [x] Zet **Metadata verwijderen** aan +- [x] Schakel **Reacties verwijderen** in +- [x] Schakel **ingevoegde rasterafbeeldingen** in +- [x] Zet **'viewboxen' aan** + +In de **SVG Output** onder **Pretty-printing**: + +- [ ] Schakel **Formatteer uitvoer uit met regeleinden en inspringen** +- **Inspringing tekens** > Selecteer **spatie** +- **Inspringing** > **1** +- [ ] Schakel **Strip het kenmerk "xml:space" uit het hoofdSVG-element** + +In het **IDs** tabblad: + +- [x] Schakel in **Ongebruikte ID's verwijderen** +- [ ] Schakel **Korte ID's** uit +- **Voorvoegsel verkorte IDs met** > `leeg laten` +- [x] Zet **Handmatig aangemaakte IDs aan die niet eindigen met cijfers** +- **Behoud de volgende IDs** > `laat leeg` +- **Behoud ID's beginnend met** > `laat leeg` + +#### CLI + +Hetzelfde kan worden bereikt met het commando [Scour](https://github.com/scour-project/scour): + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/nl/meta/writing-style.md b/i18n/nl/meta/writing-style.md new file mode 100644 index 00000000..999f73cc --- /dev/null +++ b/i18n/nl/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Schrijfstijl +--- + +Privacy Guides is geschreven in Amerikaans Engels, en je dient bij twijfel de [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) te raadplegen. + +In het algemeen bieden de [Amerikaanse federale richtlijnen inzake klare taal](https://www.plainlanguage.gov/guidelines/) een goed overzicht van hoe duidelijk en beknopt te schrijven. Wij belichten hieronder enkele belangrijke opmerkingen uit deze richtsnoeren. + +## Schrijven voor ons publiek + +Het beoogde [publiek van Privacy Guides](https://www.plainlanguage.gov/guidelines/audience/) is voornamelijk gemiddelde, technologie gebruikende volwassenen. Verlaag de inhoud niet alsof je een middelbare schoolklas toespreekt, maar gebruik niet te veel ingewikkelde terminologie over concepten waarmee de gemiddelde computergebruiker niet vertrouwd is. + +### Ga alleen in op wat mensen willen weten + +Mensen hebben geen behoefte aan al te complexe artikelen die weinig relevant voor hen zijn. Zoek uit wat je wilt dat mensen bereiken als je een artikel schrijft, en neem alleen die details op. + +> Vertel je publiek waarom het materiaal belangrijk voor hen is. Zeg, "Als je een onderzoeksbeurs wilt, is dit wat je moet doen." Of, "Als je federale steenkool wilt ontginnen, is dit wat je moet weten." Of, "Als je een reis naar Rwanda plant, lees dit dan eerst." + +### Spreek mensen rechtstreeks aan + +We schrijven *voor* een grote verscheidenheid aan mensen, maar we schrijven *voor* de persoon die het daadwerkelijk leest. Gebruik "je" om de lezer rechtstreeks aan te spreken. + +> Meer dan enige andere techniek, trekt het gebruik van "jij" gebruikers in de informatie en maakt het deze relevant voor hen. +> +> Wanneer je "je" gebruikt om gebruikers aan te spreken, zullen zij eerder begrijpen wat hun verantwoordelijkheid is. + +Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Vermijd "gebruikers" + +Vermijd om mensen "gebruikers" te noemen, in plaats van "mensen", of een meer specifieke beschrijving van de groep mensen waarvoor je schrijft. + +## Organiseren van content + +Organisatie is de sleutel. De inhoud moet stromen van de belangrijkste naar de minst belangrijke informatie, en gebruik zoveel koppen als nodig is om verschillende ideeën logisch van elkaar te scheiden. + +- Beperk het document tot ongeveer vijf of zes secties. Lange documenten moeten waarschijnlijk worden opgesplitst in afzonderlijke pagina's. +- Markeer belangrijke ideeën met **vet** of *cursief*. + +Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin met een onderwerpzin + +> Als je jouw lezer vertelt waarover hij gaat lezen, is de kans kleiner dat hij jouw alinea opnieuw moet lezen. Rubrieken helpen, maar zijn niet genoeg. Stel een context vast voor jouw publiek voordat je hen de details verstrekt. +> +> We schrijven vaak de manier waarop we denken, waarbij we onze uitgangspunten eerst plaatsen en dan onze conclusie. Het is misschien de natuurlijke manier om gedachten te ontwikkelen, maar we eindigen met de onderwerpzin aan het eind van de alinea. Verplaats het naar voren en laat gebruikers weten waar je naartoe gaat. Laat de lezers niet te veel informatie in hun hoofd houden voordat ze ter zake komen. + +Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Kies je woorden zorgvuldig + +> Woorden zijn belangrijk. Het zijn de meest elementaire bouwstenen van geschreven en gesproken communicatie. Maak het niet ingewikkeld door jargon, technische termen of afkortingen te gebruiken die mensen niet zullen begrijpen. + +We moeten proberen afkortingen waar mogelijk te vermijden, maar de technologie zit vol afkortingen. In het algemeen, schrijf de afkorting/acroniem de eerste keer dat het wordt gebruikt op een pagina, en voeg de afkorting toe aan de afkorting woordenlijst bestand wanneer het herhaaldelijk wordt gebruikt. + +> Kathy McGinty geeft met een knipoog aanwijzingen om je eenvoudige, directe zinnen op te leuken: +> +> > Er valt niet aan te ontkomen dat het van groot belang wordt geacht op te merken dat in een aantal verschillende beschikbare toepasselijke studies ipso facto in het algemeen is vastgesteld dat aanvullende passende nachtarbeid gewoonlijk jeugdige adolescenten tijdens de nachtelijke uren, met inbegrip van maar niet beperkt tot de tijd vóór middernacht op weeknachten en/of 2 uur 's nachts, van de verkeersaders kan weren. in het weekend. +> +> En het origineel, met sterkere, eenvoudigere woorden: +> +> > Meer nachtwerk zou jongeren van de straat houden. + +## Wees beknopt + +> Onnodige woorden verspillen de tijd van je publiek. Goed schrijven is als een gesprek. Laat informatie weg die het publiek niet hoeft te weten. Dit kan moeilijk zijn als een expert op het gebied van onderwerpen, dus het is belangrijk dat iemand naar de informatie kijkt vanuit het perspectief van het publiek. + +Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Tekst conversatief houden + +> Werkwoorden zijn de brandstof van het schrijven. Ze geven je zinnen kracht en richting. Ze verlevendigen je schrijven en maken het interessanter. +> +> Werkwoorden vertellen je publiek wat ze moeten doen. Zorg dat het duidelijk is wie wat doet. + +### Gebruik de actieve stem + +> De actieve stem maakt duidelijk wie wat moet doen. Het neemt onduidelijkheid over verantwoordelijkheden weg. Niet "Het moet gebeuren," maar "Je moet het doen." + +Bron: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Gebruik "must" voor vereisten + +> - "moet" voor een verplichting +> - "mag niet" voor een verbod +> - "kan" voor een discretionaire actie +> - “zou moeten” voor een aanbeveling diff --git a/i18n/nl/mobile-browsers.md b/i18n/nl/mobile-browsers.md new file mode 100644 index 00000000..50a5e9f7 --- /dev/null +++ b/i18n/nl/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobiele browsers" +icon: material/cellphone-information +description: Deze browsers zijn wat we momenteel aanbevelen voor standaard/niet-anoniem internetten op jouw telefoon. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Dit zijn onze momenteel aanbevolen mobiele webbrowsers en configuraties voor standaard/niet-anoniem internetten. In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat je de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-Uchnm34/m/lDaXwQhzBAAJ) site-isolatie. In het algemeen raden we aan om extensies tot een minimum te beperken: ze hebben geprivilegieerde toegang binnen jouw browser, vereisen dat u de ontwikkelaar vertrouwt, kunnen je [doen opvallen](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), en [verzwakken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site-isolatie. + +## Android + +Op Android is Firefox nog steeds minder veilig dan op Chromium gebaseerde alternatieven: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), moet nog [site-isolatie](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) ondersteunen of [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196) inschakelen. + +### Brave + +!!! recommendation + + ![Brave-logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** bevat een ingebouwde inhoudsblokker en [privacyfuncties](https://brave.com/privacy-features/), waarvan vele standaard zijn ingeschakeld. + + Brave is gebouwd op het Chromium webbrowser project, dus het zou vertrouwd moeten aanvoelen en minimale website compatibiliteitsproblemen moeten hebben. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" }. + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Broncode" } + + ??? downloads annoteren "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Aanbevolen configuratie + +Tor Browser is de enige manier om echt anoniem op het internet te surfen. Wanneer je Brave gebruikt, raden we je aan de volgende instellingen te wijzigen om jouw privacy tegen bepaalde partijen te beschermen, maar alle browsers behalve de [Tor Browser](tor.md#tor-browser) zijn in sommige opzichten traceerbaar door *iemand*. + +Deze opties zijn te vinden in :material-menu: → **Instellingen** → **Dappere schilden & privacy** + +##### Schilden + +Brave bevat enkele anti-vingerafdruk maatregelen in zijn [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) functie. Wij raden aan om deze opties [globaal te configureren](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) voor alle pagina's die je bezoekt. + +##### Brave shields global defaults + +De opties van Shields kunnen naar behoefte per site worden gedowngrade, maar standaard raden wij aan de volgende opties in te stellen: + +
+ +- [x] Selecteer **Aggressief** onder Trackers & advertenties blokkeren + + ??? warning "Gebruik standaard filter lijsten" + Brave staat je toe om extra inhoud filters te selecteren binnen de interne `brave://adblock` pagina. Wij raden het gebruik van deze functie af; houd in plaats daarvan de standaardfilterlijsten aan. Het gebruik van extra lijsten zorgt ervoor dat u zich onderscheidt van andere Brave gebruikers en kan ook het aanvalsoppervlak vergroten als er een exploit in Brave is en een kwaadaardige regel wordt toegevoegd aan één van de lijsten die je gebruikt. + +- [x] Selecteer **Verbeter verbindingen naar HTTPS** +- [x] Selecteer **Gebruik altijd beveiligde verbindingen** +- [x] (Optioneel) Selecteer **Blokkeer scripts** (1) +- [x] Selecteer **Streng, kan sites breken** onder **Blokkeer vingerafdrukken** + +
+ +1. Deze optie biedt functionaliteit die vergelijkbaar is met uBlock Origin's geavanceerde [blokkeringsmodes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) of de [NoScript](https://noscript.net/) extensie. + +##### Browserdata opschonen + +- [x] Selecteer **Gegevens wissen bij het sluiten van de browser** + +##### Altijd-aan Incognito modus + +- [ ] Uncheck alle sociale media componenten uit + +##### Privacyrapport + +
+ +- [x] Selecteer **Disable non-proxied UDP** onder [WebRTC IP Handling Policy](https://support.brave.com/hc/nl-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Selecteer **Sites toestaan te controleren of je betaalmethoden hebt opgeslagen** +- [ ] Selecteer **IPFS Gateway** uit (1) +- [x] Selecteer **Tabbladen sluiten bij afsluiten** +- [ ] Uitvinken **Privacy-preserving product analytics (P3A) toestaan** +- [ ] Uitvinken **Automatisch diagnoserapporten versturen** +- [ ] Uitvinken **Dagelijkse gebruiksping automatisch naar Brave sturen** + +
+ +1. InterPlanetary File System (IPFS) is een gedecentraliseerd, peer-to-peer netwerk voor het opslaan en delen van gegevens in een gedistribueerd bestandssysteem. Tenzij je de functie gebruikt, schakel hem uit. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) maakt jouw surfgegevens (geschiedenis, bladwijzers, enz.) toegankelijk op al jouw apparaten zonder dat je een account nodig hebt en beschermt ze met E2EE. + +## iOS + +Op iOS is elke app die op het web kan surfen beperkt tot [](https://developer.apple.com/app-store/review/guidelines) het door Apple geleverde [WebKit framework](https://developer.apple.com/documentation/webkit), dus er is weinig reden om een webbrowser van een derde partij te gebruiken. + +### Safari + +!!! recommendation + + ![Safari-logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is de standaardbrowser in iOS. Het bevat [privacyfuncties](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) zoals Intelligent Tracking Protection, Privacy Report, geïsoleerde tabbladen voor privénavigatie, iCloud Private Relay, en automatische HTTPS-upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentatie} + +#### Aanbevolen configuratie + +Deze opties zijn te vinden onder :gear: **Instellingen** → **Safari** → **Privacy en beveiliging**. + +##### Preventie van Cross-Site Tracking + +- [x] Activeer **Voorkom Cross-Site Tracking** + +Dit maakt WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp)mogelijk. De functie helpt beschermen tegen ongewenste tracking door gebruik te maken van on-device machine learning om trackers te stoppen. ITP beschermt tegen veel voorkomende bedreigingen, maar blokkeert niet alle tracking-wegen omdat het is ontworpen om de bruikbaarheid van websites niet te hinderen. + +##### Privacyrapport + +Privacyrapport biedt een momentopname van cross-site trackers die u momenteel niet kunnen profileren op de website die u bezoekt. Het kan ook een wekelijks rapport weergeven om te laten zien welke trackers in de loop van de tijd zijn geblokkeerd. + +Privacyrapport is toegankelijk via het menu Pagina-instellingen. + +##### Privacybehoudende advertentiemeting + +- [ ] Schakel **Privacy Preserving Ad Measurement**uit + +Bij het meten van advertentieklikken wordt van oudsher gebruik gemaakt van trackingtechnologie die inbreuk maakt op de privacy van de gebruiker. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is een WebKit-functie en een voorgestelde webstandaard die adverteerders in staat moet stellen de doeltreffendheid van webcampagnes te meten zonder afbreuk te doen aan de privacy van de gebruiker. + +De functie heeft op zichzelf weinig privacyproblemen, dus hoewel je ervoor kunt kiezen om hem ingeschakeld te laten, beschouwen wij het feit dat hij automatisch is uitgeschakeld in Privénavigatie als een aanwijzing om de functie uit te schakelen. + +##### Altijd privé browsen + +Open Safari en tik op de knop Tabbladen, rechtsonder. Vouw vervolgens de lijst Tabbladgroepen uit. + +- [x] Selecteer **Privé** + +Safari's Privénavigatie modus biedt extra bescherming van de privacy. Private Browsing gebruikt een nieuwe [kortstondige](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) sessie voor elk tabblad, wat betekent dat tabbladen van elkaar geïsoleerd zijn. Als er een [kwetsbaarheid is in uBlock Origin](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) kan een filter van een derde partij kwaadaardige regels toevoegen die mogelijk gebruikersgegevens kunnen stelen. + +Houd er rekening mee dat privénavigatie geen cookies en gegevens opslaat, zodat het niet mogelijk is om ingelogd te blijven op sites. Dit kan een ongemak zijn. + +##### iCloud Synchronisatie + +De synchronisatie van de Safari-geschiedenis, tabbladgroepen, iCloud-tabbladen en opgeslagen wachtwoorden verloopt via E2EE. Standaard zijn bladwijzers dat echter [niet](https://support.apple.com/en-us/HT202303). Apple kan ze ontsleutelen en openen in overeenstemming met hun [privacybeleid](https://www.apple.com/legal/privacy/en-ww/). + +Je kunt E2EE inschakelen voor jouw Safari bladwijzers en downloads door [Geavanceerde gegevensbescherming](https://support.apple.com/en-us/HT212520)in te schakelen. Ga naar jouw **Apple ID naam → iCloud → Geavanceerde gegevensbescherming**. + +- [x] Zet **Geavanceerde gegevensbescherming aan** + +Als je iCloud gebruikt terwijl Geavanceerde gegevensbescherming is uitgeschakeld, raden we je ook aan te controleren of de standaard downloadlocatie van Safari is ingesteld op lokaal op jouw apparaat. Extra filterlijsten kunnen de prestaties beïnvloeden en het aanvalsoppervlak vergroten, dus pas alleen toe wat u nodig hebt. + +### AdGuard + +!!! recommendation + + ![AdGuard-logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard voor iOS** is een gratis en open-source uitbreiding voor het blokkeren van inhoud voor Safari die gebruikmaakt van de eigen [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard voor iOS heeft enkele premium functies, maar standaard Safari-inhoud blokkeren is gratis. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Extra filterlijsten kunnen de prestaties beïnvloeden en het aanvalsoppervlak vergroten, dus gebruik alleen wat je nodig hebt. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Moet automatische updates ondersteunen. +- Moet engine updates ontvangen binnen 0-1 dagen na upstream release. +- Wijzigingen die nodig zijn om de browser privacyvriendelijker te maken, mogen de gebruikerservaring niet negatief beïnvloeden. +- Android-browsers moeten de Chromium-engine gebruiken. + - Helaas is Mozilla GeckoView nog steeds minder veilig dan Chromium op Android. + - iOS-browsers zijn beperkt tot WebKit. + +### Uitbreidings criteria + +- Mag geen ingebouwde browser- of OS-functionaliteit repliceren. +- Moet rechtstreeks van invloed zijn op de privacy van de gebruiker, d.w.z. mag niet gewoon informatie verstrekken. diff --git a/i18n/nl/multi-factor-authentication.md b/i18n/nl/multi-factor-authentication.md new file mode 100644 index 00000000..867acc69 --- /dev/null +++ b/i18n/nl/multi-factor-authentication.md @@ -0,0 +1,138 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: Deze tools helpen je jouw internetaccounts te beveiligen met Multi-Factor Authentication zonder jouw geheimen naar een derde partij te sturen. +--- + +## Hardware Veiligheidssleutels + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + De **YubiKeys** behoren tot de meest populaire beveiligingssleutels. Sommige YubiKey modellen hebben een breed scala aan functies, zoals: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 en WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP en HOTP](https://developers.yubico.com/OATH) verificatie. + + Een van de voordelen van de YubiKey is dat één sleutel bijna alles kan (YubiKey 5), wat je van een hardware beveiligingssleutel mag verwachten. Wij raden je aan om vóór de aankoop de [quiz](https://www.yubico.com/quiz/) te nemen om er zeker van te zijn dat je de juiste keuze maakt. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentatie} + +Deze [vergelijkingstabel](https://www.yubico.com/store/compare/) toont de kenmerken en hoe de YubiKeys zich tot elkaar verhouden. Wij raden je ten zeerste aan om sleutels uit de YubiKey 5-serie te kiezen. + +YubiKeys kunnen worden geprogrammeerd met behulp van de [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) of [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). Voor het beheer van TOTP-codes kunt je de [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)gebruiken. Alle Yubico's clients zijn open source. + +Voor modellen die HOTP en TOTP ondersteunen, zijn er 2 slots in de OTP-interface die kunnen worden gebruikt voor HOTP en 32 slots om TOTP geheimen op te slaan. Deze geheimen worden versleuteld opgeslagen op de sleutel en worden nooit blootgesteld aan de apparaten waarop ze zijn aangesloten. Zodra een "seed" ( het gedeeld geheim) aan de Yubico Authenticator is gegeven, zal deze alleen de zescijferige codes geven, maar nooit de seed. Dit beveiligingsmodel beperkt wat een aanvaller kan doen als hij een van de apparaten waarop de Yubico Authenticator draait, in gevaar brengt en maakt de YubiKey bestand tegen een fysieke aanvaller. + +!!! warning + De firmware van YubiKey is niet open-source en kan niet worden geüpdatet. Als je functies in nieuwere firmwareversies wilt, of als er een kwetsbaarheid is in de firmwareversie die je gebruikt, moet je een nieuwe sleutel kopen. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** heeft een beveiligingssleutel die geschikt is voor [FIDO2 en WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) genaamd de **Nitrokey FIDO2**. Voor PGP-ondersteuning moet je een van hun andere sleutels kopen, zoals de **Nitrokey Start**, **Nitrokey Pro 2** of de **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentatie} + +De [vergelijkingstabel](https://www.nitrokey.com/#comparison) toont de kenmerken en hoe de Nitrokey-modellen zich verhouden. De genoemde **Nitrokey 3** zal een gecombineerde functieset hebben. + +Nitrokey-modellen kunnen worden geconfigureerd met behulp van de [Nitrokey-app](https://www.nitrokey.com/download). + +Voor de modellen die HOTP en TOTP ondersteunen, zijn er 3 slots voor HOTP en 15 voor TOTP. Sommige Nitrokeys kunnen functioneren als een wachtwoord manager. Ze kunnen 16 verschillende inloggegevens opslaan en deze versleutelen met hetzelfde wachtwoord als de OpenPGP-interface. + +!!! warning + + Hoewel Nitrokeys de HOTP/TOTP geheimen niet vrijgeven aan het apparaat waar ze op aangesloten zijn, is de HOTP en TOTP opslag **niet** versleuteld en is kwetsbaar voor fysieke aanvallen. Als je deze geheimen HOTP of TOTP wilt bewaren, raden we je ten zeerste aan om in plaats daarvan een Yubikey te gebruiken. + +!!! warning + + Het resetten van de OpenPGP interface op een Nitrokey zal ook de wachtwoord database [inaccessible]maken (https://docs.nitrokey.com/pro/linux/factory-reset). + +De Nitrokey Pro 2, Nitrokey Storage 2 en de komende Nitrokey 3 ondersteunen systeemintegriteitscontrole voor laptops met de [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, in tegenstelling tot de YubiKey. De firmware op moderne NitroKey-modellen (behalve de **NitroKey Pro 2**) kan worden bijgewerkt. + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Moet gebruik maken van hoogwaardige, fraudebestendige hardwarebeveiligingsmodules. +- Moet de meest recente FIDO2-specificatie ondersteunen. +- Mag geen extractie van de private sleutel toestaan. +- Apparaten die meer dan 35 dollar kosten, moeten OpenPGP en S/MIME aankunnen. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Zou beschikbaar moeten zijn in USB-C vorm-factor. +- Zou beschikbaar moeten zijn met NFC. +- Moet TOTP opslag ondersteunen. +- Moet veilige firmware-updates ondersteunen. + +## Authenticator Apps + +Authenticator Apps implementeren een beveiligingsstandaard die is aangenomen door de Internet Engineering Task Force (IETF), genaamd **Time-based One-time Passwords**, of **TOTP**. Dit is een methode waarbij websites een geheim met je delen dat door jouw authenticator-app wordt gebruikt om een code van zes (meestal) cijfers te genereren op basis van de huidige tijd, die je invoert terwijl je inlogt om de website te controleren. Deze codes worden gewoonlijk om de 30 seconden geregenereerd, en zodra een nieuwe code is gegenereerd, wordt de oude nutteloos. Zelfs als een hacker één zescijferige code bemachtigt, is er geen manier om die code om te keren om het oorspronkelijke geheim te bemachtigen of om anderszins te kunnen voorspellen wat eventuele toekomstige codes zouden kunnen zijn. + +Wij raden je ten zeerste aan om mobiele TOTP apps te gebruiken in plaats van desktop alternatieven, aangezien Android en IOS een betere beveiliging en app isolatie hebben dan de meeste desktop besturingssystemen. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is een gratis, veilige en open-source app om jouw 2-staps verificatie tokens voor uw online diensten te beheren. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is een native, lichtgewicht en veilige time-based (TOTP) & counter-based (HOTP) password client voor iOS. Raivo OTP biedt optionele iCloud back-up & sync. Raivo OTP is ook beschikbaar voor macOS in de vorm van een statusbalkapplicatie, maar de Mac-app werkt niet onafhankelijk van de iOS-app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Broncode" }. [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Broncode moet openbaar beschikbaar zijn. +- Moet geen internetverbinding vereisen. +- Mag niet synchroniseren met een cloud sync/backup service van derden. + - **Optioneel is** E2EE sync-ondersteuning met OS-native tools aanvaardbaar, bv. versleutelde sync via iCloud. diff --git a/i18n/nl/news-aggregators.md b/i18n/nl/news-aggregators.md new file mode 100644 index 00000000..786df229 --- /dev/null +++ b/i18n/nl/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "Nieuws Aggregators" +icon: material/rss +description: Met deze news aggregator clients kunt je op de hoogte blijven van jouw favoriete blogs en nieuwssites via internetstandaarden zoals RSS. +--- + +Een [nieuwsaggregator](https://en.wikipedia.org/wiki/News_aggregator) is een manier om op de hoogte te blijven van jouw favoriete blogs en nieuwssites. + +## Aggregator-cliënts + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is een nieuwsfeedlezer die deel uitmaakt van het [KDE](https://kde.org) project. Het wordt geleverd met een snelle zoekfunctie, geavanceerde archiveringsfunctionaliteit en een interne browser voor het gemakkelijk lezen van nieuws. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentatie} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Broncode" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is een moderne RSS-client voor Android die veel [features](https://gitlab.com/spacecowboy/Feeder#features) heeft en goed werkt met het mappen van RSS-feeds. Het ondersteunt [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) en [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) en [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is een veilige cross-platform nieuwsaggregator met handige privacy-functies, zoals het verwijderen van cookies bij afsluiten, strikte [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) en proxy-ondersteuning, wat betekent dat je het kunt gebruiken via [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### Gnome Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is een [RSS](https://en.wikipedia.org/wiki/RSS) en [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) nieuwslezer voor [GNOME](https://www.gnome.org). Het heeft een eenvoudige interface en is vrij snel. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux-logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux-logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is een webgebaseerde nieuwsaggregator die je zelf kunt hosten. Het ondersteunt [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) en [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) en [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Broncode" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Bijdragen} + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** een gratis en open-source feedlezer voor macOS en iOS met een focus op een native ontwerp en functieset. Het ondersteunt de typische feedformaten naast ingebouwde ondersteuning voor Twitter- en Reddit-feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is een RSS/Atom feed lezer voor de tekstconsole. Het is een actief onderhouden vork van [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). Het is zeer licht, en ideaal voor gebruik via [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Broncode" } + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet open-source software zijn. +- Moet lokaal werken, d.w.z. mag geen clouddienst zijn. + +## RSS-ondersteuning voor sociale media + +Sommige socialemediadiensten ondersteunen ook RSS, hoewel dat niet vaak wordt geadverteerd. + +### Reddit + +Met Reddit kun je je abonneren op subreddits via RSS. + +!!! Voorbeeld + Vervang `subreddit_name` door de subreddit waarop je je wilt abonneren. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Met behulp van een van de Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) kunt je je gemakkelijk abonneren via RSS. + +!!! Voorbeeld + 1. Kies een instantie en stel `nitter_instance`in. + 2. Vervang `twitter_account` door de accountnaam. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Je kunt zich abonneren op YouTube-kanalen zonder in te loggen en gebruiksinformatie te koppelen aan jouw Google-account. + +!!! Voorbeeld + + Om je te abonneren op een YouTube kanaal met een RSS client, zoek je eerst je [channel code](https://support.google.com/youtube/answer/6180214), vervang `channel_id` hieronder: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/nl/notebooks.md b/i18n/nl/notebooks.md new file mode 100644 index 00000000..c2f38a35 --- /dev/null +++ b/i18n/nl/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notitieboekjes" +icon: material/notebook-edit-outline +description: Met deze versleutelde notitie-apps kun je je notities bijhouden zonder ze aan derden te geven. +--- + +Houd jouw notities en aantekeningen bij zonder ze aan derden te geven. + +Als je momenteel een toepassing zoals Evernote, Google Keep of Microsoft OneNote gebruikt, raden wij je aan hier een alternatief te kiezen dat E2EE ondersteunt. + +## Cloud-gebaseerd + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is een gratis, open-source, en volledig uitgeruste applicatie voor het maken van notities en to-do's die een groot aantal markdown notities kan verwerken, georganiseerd in notitieblokken en tags. Het biedt E2EE en kan synchroniseren via Nextcloud, Dropbox, en meer. Het biedt ook een gemakkelijke import vanuit Evernote en notities in gewone tekst. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Broncode" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin ondersteunt geen wachtwoord/PIN beveiliging voor de [applicatie zelf of individuele notities en notebooks](https://github.com/laurent22/joplin/issues/289). Gegevens worden nog steeds versleuteld tijdens het transport en op de synchronisatielocatie met behulp van jouw hoofdsleutel. Sinds januari 2023 ondersteunt Joplin biometrische app-vergrendeling voor [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) en [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes is een eenvoudige en persoonlijke notitie app die jouw notities gemakkelijk en overal beschikbaar maakt. Het biedt E2EE op elk platform, en een krachtige desktop-ervaring met thema's en aangepaste editors. Het is ook [door een onafhankelijke instantie gecontroleerd (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Broncode" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is een web-gebaseerde, versleutelde, veilige foto opslag service en documenten editor. Cryptee is een PWA, wat betekent dat het naadloos werkt op alle moderne apparaten zonder dat er native apps voor elk platform nodig zijn. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee biedt gratis 100MB opslag, met betaalde opties als je meer nodig hebt. Aanmelden vereist geen e-mail of andere persoonlijk identificeerbare informatie. + +## Lokale notitieblokken + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is een [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) voor GNU Emacs. Org-mode is voor het bijhouden van notities, het bijhouden van TODO lijsten, het plannen van projecten, en het schrijven van documenten met een snel en effectief plain-text systeem. Synchronisatie is mogelijk met [bestandssynchronisatie](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Broncode" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Bijdrage leveren } + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Clients moeten open-source zijn. +- Elke cloud-synchronisatiefunctionaliteit moet E2EE zijn. +- Moet het exporteren van documenten naar een standaardformaat ondersteunen. + +### Beste geval + +- De lokale backup/sync-functie moet encryptie ondersteunen. +- Cloud-platforms moeten het delen van documenten ondersteunen. diff --git a/i18n/nl/os/android-overview.md b/i18n/nl/os/android-overview.md new file mode 100644 index 00000000..171bee14 --- /dev/null +++ b/i18n/nl/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overzicht +icon: simple/android +description: Android is een open-source besturingssysteem met sterke beveiliging, waardoor het onze topkeuze is voor telefoons. +--- + +Android is een veilig besturingssysteem met sterke [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), en een robuust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Het kiezen van een Android distributie + +Wanneer je een Androidtelefoon koopt, wordt het standaardbesturingssysteem van het toestel vaak geleverd met een indringende integratie met apps en diensten die geen deel uitmaken van het [Android Open-Source Project](https://source.android.com/). Een voorbeeld hiervan zijn Google Play Services, die onherroepelijke rechten heeft om toegang te krijgen tot jouw bestanden, contactenopslag, oproeplogs, sms-berichten, locatie, camera, microfoon, hardware-identificaties, enzovoort. Deze apps en diensten vergroten het aanvalsoppervlak van jouw toestel en zijn de bron van diverse privacyproblemen met Android. + +Dit probleem kan worden opgelost door een aangepaste Android-distributie te gebruiken die niet met een dergelijke invasieve integratie komt. Helaas schenden veel aangepaste Android-distributies vaak het Android-beveiligingsmodel door cruciale beveiligingsfuncties zoals AVB, terugdraaibeveiliging, firmware-updates, enzovoort, niet te ondersteunen. Sommige distributies leveren ook [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds die root blootstellen via [ADB](https://developer.android.com/studio/command-line/adb) en [meer permissieve](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies vereisen om debug-functies te accommoderen, wat resulteert in een verder verhoogd aanvalsoppervlak en een verzwakt beveiligingsmodel. + +Idealiter, wanneer je een aangepaste Android distributie kiest, moet je ervoor zorgen dat het het Android beveiligingsmodel handhaaft. Op zijn minst zou de distributie productie builds moeten hebben, ondersteuning voor AVB, rollback bescherming, tijdige firmware en besturingssysteem updates, en SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). Al onze aanbevolen Android distributies voldoen aan deze criteria. + +[Onze Android Systeemaanbevelingen :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Rooting vermijden + +[Rooten van](https://en.wikipedia.org/wiki/Rooting_(Android)) Android-telefoons kan de veiligheid aanzienlijk verminderen omdat het het volledige [Android beveiligingsmodel verzwakt](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Dit kan de privacy verminderen mocht er een exploit zijn die door de verminderde beveiliging wordt geholpen. Bij veelgebruikte rootingmethoden wordt rechtstreeks met de opstartpartitie geknoeid, waardoor het onmogelijk is om een succesvolle Verified Boot uit te voeren. Apps die root vereisen zullen ook de systeempartitie wijzigen, wat betekent dat Verified Boot uitgeschakeld zou moeten blijven. Als root direct in de gebruikersinterface wordt blootgesteld, wordt ook het [aanvalsoppervlak](https://en.wikipedia.org/wiki/Attack_surface) van jouw apparaat vergroot en kan het helpen bij [privilege-escalatie](https://en.wikipedia.org/wiki/Privilege_escalation) kwetsbaarheden en omzeilen van SELinux-beleidslijnen. + +Adblockers, die het [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) wijzigen en firewalls (AFWall+) die voortdurend root-toegang vereisen, zijn gevaarlijk en mogen niet worden gebruikt. Zij zijn ook niet de juiste manier om het beoogde doel te bereiken. Voor Adblocking stellen wij versleutelde [DNS](../dns.md) of [VPN](../vpn.md) serverblokkeringsoplossingen voor. RethinkDNS, TrackerControl en AdAway in niet-root modus zullen het VPN-slot innemen (door gebruik te maken van een lokale loopback VPN) waardoor je geen privacy verhogende diensten zoals Orbot of een echte VPN-server kunt gebruiken. + +AFWall+ werkt op basis van de [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) benadering en kan in sommige situaties omzeild worden. + +Wij geloven niet dat de veiligheidsoffers die gemaakt worden door het rooten van een telefoon, de twijfelachtige privacyvoordelen van die apps waard zijn. + +## Geverifieerde boot + +[Geverifieerde Boot](https://source.android.com/security/verifiedboot) is een belangrijk onderdeel van het Android-beveiligingsmodel. Het biedt bescherming tegen [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) aanvallen, malware persistentie, en zorgt ervoor dat beveiligingsupdates niet kunnen worden gedowngraded met [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 en hoger is overgestapt van volledige schijfversleuteling naar meer flexibele [bestandsgebaseerde versleuteling](https://source.android.com/security/encryption/file-based). Jouw gegevens worden versleuteld met unieke encryptiesleutels, en de bestanden van het besturingssysteem blijven onversleuteld. + +Verified Boot garandeert de integriteit van de besturingssysteembestanden en voorkomt zo dat een tegenstander met fysieke toegang kan knoeien of malware op het apparaat kan installeren. In het onwaarschijnlijke geval dat malware in staat is om andere delen van het systeem te misbruiken en hogere geprivilegieerde toegang te verkrijgen, zal Verified Boot veranderingen aan de systeempartitie voorkomen en terugdraaien bij het herstarten van het apparaat. + +OEM's zijn helaas alleen verplicht om de verspreiding van geverifieerde Boot op hun voorraad Android te ondersteunen. Slechts enkele OEM's, zoals Google, ondersteunen aangepaste AVB key enrollment op hun toestellen. Bovendien ondersteunen sommige AOSP afgeleiden zoals LineageOS of /e/ OS Verified Boot niet, zelfs niet op hardware met Verified Boot-ondersteuning voor besturingssystemen van derden. Wij raden je aan te controleren of er ondersteuning is op **voordat je** een nieuw apparaat aanschaft. AOSP-derivaten die geen Geverifieerde Boot ondersteunen, worden **niet** aanbevolen. + +Veel OEM's hebben ook een gebroken uitvoering van Verified Boot waar je je bewust van moet zijn buiten hun marketing. De Fairphone 3 en 4 zijn bijvoorbeeld standaard niet veilig, aangezien de [standaard bootloader vertrouwt op de publieke AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). Dit breekt geverifieerd opstarten op een standaard Fairphone toestel, omdat het systeem alternatieve Android besturingssystemen zoals (zoals /e/) [zal opstarten zonder enige waarschuwing](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) over aangepast besturingssysteem gebruik. + +## Firmware-updates + +Firmware-updates zijn van cruciaal belang voor het behoud van de veiligheid en zonder deze updates kan uw toestel niet veilig zijn. OEM's hebben ondersteuningsovereenkomsten met hun partners om de closed-source componenten voor een beperkte ondersteuningsperiode te leveren. Deze worden gedetailleerd beschreven in de maandelijkse [Android Security Bulletins](https://source.android.com/security/bulletin). + +Aangezien de onderdelen van de telefoon, zoals de processor en de radiotechnologieën, afhankelijk zijn van closed-source componenten, moeten de updates door de respectieve fabrikanten worden verstrekt. Daarom is het belangrijk dat u een toestel koopt binnen een actieve ondersteuningscyclus. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) en [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) ondersteunen hun toestellen gedurende 4 jaar, terwijl goedkopere producten vaak kortere ondersteuningscycli hebben. Met de introductie van de [Pixel 6](https://support.google.com/pixelphone/answer/4457705) maakt Google nu hun eigen SoC en zullen ze minimaal 5 jaar ondersteuning bieden. + +EOL-apparaten die niet langer door de SoC-fabrikant worden ondersteund, kunnen geen firmware-updates ontvangen van OEM-verkopers of aftermarket-distributeurs van Android. Dit betekent dat beveiligingsproblemen met die apparaten onopgelost zullen blijven. + +Fairphone, bijvoorbeeld, brengt hun toestellen op de markt met een ondersteuning van 6 jaar. De SoC (Qualcomm Snapdragon 750G op de Fairphone 4) heeft echter een aanzienlijk kortere EOL-datum. Dit betekent dat de firmware-beveiligingsupdates van Qualcomm voor de Fairphone 4 in september 2023 aflopen, ongeacht of Fairphone doorgaat met het uitbrengen van software-beveiligingsupdates. + +## Android-versies + +Het is belangrijk om geen [end-of-life](https://endoflife.date/android) versie van Android te gebruiken. Nieuwere versies van Android krijgen niet alleen beveiligingsupdates voor het besturingssysteem, maar ook belangrijke updates die privacy verbeteren. Bijvoorbeeld, [vóór Android 10](https://developer.android.com/about/versions/10/privacy/changes) konden alle apps met de toestemming [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) toegang krijgen tot gevoelige en unieke serienummers van uw telefoon, zoals [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), en uw SIM-kaart [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity). Nu moeten dat systeem-apps zijn om dit te kunnen doen. Systeem-apps worden alleen geleverd door de OEM of de Android-distributie. + +## Android-machtigingen + +[Machtigingen op Android](https://developer.android.com/guide/topics/permissions/overview) geven je controle over waar apps toegang tot toe krijgen. Google brengt regelmatig [verbeteringen aan](https://developer.android.com/about/versions/11/privacy/permissions) in het machtigingssysteem in elke opeenvolgende versie. Alle apps die je installeert zijn strikt [sandboxed](https://source.android.com/security/app-sandbox), daarom is het niet nodig om antivirus apps te installeren. + +Een smartphone met de nieuwste versie van Android zal altijd veiliger zijn dan een oude smartphone met een betaalde antivirus. Het is beter om niet te betalen voor antivirussoftware en geld te sparen om een nieuwe smartphone te kopen, zoals een Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) geeft je meer controle over jouw bestanden en kan beperken wat [toegang heeft tot externe opslag](https://developer.android.com/training/data-storage#permissions). Apps kunnen een specifieke map in externe opslag hebben en de mogelijkheid om daar specifieke soorten media op te slaan. +- Strengere toegang op [apparaatlocatie](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) door invoering van de machtiging `ACCESS_BACKGROUND_LOCATION`. Dit voorkomt dat apps op de achtergrond toegang krijgen tot de locatie zonder uitdrukkelijke toestemming van de gebruiker. + +Android 11: + +- [Eenmalige toestemmingen](https://developer.android.com/about/versions/11/privacy/permissions#one-time) waarmee je eenmalig een machtiging kunt verlenen aan een app. +- [Automatische reset machtigingen](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), die [runtime machtigingen](https://developer.android.com/guide/topics/permissions/overview#runtime) terugzet die werden toegekend toen de app werd geopend. +- Machtigingen voor toegang tot [telefoon nummer](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) gerelateerde functies. + +Android 12: + +- Een machtiging om alleen de [geschatte locatie](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location) toe te kennen. +- Auto-reset van [apps in slaapstand](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) die het gemakkelijker maakt om te bepalen welk deel van een app een bepaald type gegevenstoegang gebruikt. + +Android 13: + +- Een permissie voor [nabijgelegen wifi toegang](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). De MAC-adressen van WiFi-toegangspunten in de buurt waren een populaire manier voor apps om de locatie van een gebruiker te traceren. +- Een meer [granulaire mediatoestemmingen](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), wat betekent dat je alleen toegang kan verlenen tot afbeeldingen, video's of audiobestanden. +- Achtergrondgebruik van sensoren vereist nu de toestemming [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission). + +Een app kan een toestemming vragen voor een specifieke functie die hij heeft. Bijvoorbeeld, elke app die QR-codes kan scannen heeft toestemming voor de camera nodig. Sommige apps kunnen meer toestemmingen vragen dan ze nodig hebben. + +[Exodus](https://exodus-privacy.eu.org/) kan nuttig zijn bij het vergelijken van apps die vergelijkbare doelen hebben. Als een app veel machtigingen nodig heeft en veel advertenties en analytics heeft, is dit waarschijnlijk een slecht teken. Wij raden aan de individuele trackers te bekijken en hun beschrijvingen te lezen in plaats van eenvoudigweg **het totaal** te tellen en aan te nemen dat alle vermelde items gelijk zijn. + +!!! warning + + Als een app vooral een webdienst is, kan de tracking aan de serverzijde plaatsvinden. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) toont "geen trackers", maar volgt zeker de interesses en het gedrag van gebruikers op de site. Apps kunnen detectie omzeilen door geen gebruik te maken van door de reclame-industrie geproduceerde standaardcodebibliotheken, hoewel dit onwaarschijnlijk is. + +!!! note + + Privacy-vriendelijke apps zoals [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) kunnen sommige trackers tonen zoals [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). Deze bibliotheek bevat [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) die [pushmeldingen](https://en.wikipedia.org/wiki/Push_technology) in apps kan bieden. Dit [is het geval](https://fosstodon.org/@bitwarden/109636825700482007) met Bitwarden. Dat betekent niet dat Bitwarden alle analysefuncties gebruikt die Google Firebase Analytics biedt. + +## Mediatoegang + +Heel wat toepassingen laten je toe een bestand te "delen" met hen voor het uploaden van media. Als je bijvoorbeeld een foto naar Twitter wilt tweeten, geef Twitter dan geen toegang tot jouw "media en foto's", want dan heeft het toegang tot al jouw foto's. Ga in plaats daarvan naar je bestandsbeheerder (documentsUI), houd de foto vast en deel hem dan met Twitter. + +## Gebruikers Profielen + +Meervoudige gebruikersprofielen zijn te vinden in **Instellingen** → **Systeem** → **Meervoudige gebruikers** en zijn de eenvoudigste manier om te isoleren in Android. + +Met gebruikersprofielen kun je beperkingen opleggen aan een specifiek profiel, zoals: bellen, sms'en of apps installeren op het toestel. Elk profiel wordt versleuteld met zijn eigen versleutelingscode en heeft geen toegang tot de gegevens van andere profielen. Zelfs de eigenaar van het apparaat kan de gegevens van andere profielen niet bekijken zonder hun wachtwoord te kennen. Meervoudige gebruikersprofielen zijn een veiligere methode van isolatie. + +## Werkprofiel + +[Werkprofielen](https://support.google.com/work/android/answer/6191949) zijn een andere manier om afzonderlijke apps te isoleren en kunnen handiger zijn dan afzonderlijke gebruikersprofielen. + +Een **apparaatcontroller** zoals [Shelter](#recommended-apps) is vereist, tenzij je CalyxOS gebruikt die er een bevat. + +Het werkprofiel is afhankelijk van een apparaatcontroller om te kunnen functioneren. Functies zoals *File Shuttle* en *contact zoeken blokkeren* of enige vorm van isolatiefuncties moeten door de controller worden geïmplementeerd. Je moet de apparaatcontroller-app ook volledig vertrouwen, aangezien deze volledige toegang heeft tot jouw gegevens binnen het werkprofiel. + +Deze methode is over het algemeen minder veilig dan een secundair gebruikersprofiel; het biedt je echter wel het gemak dat je tegelijkertijd apps kunt uitvoeren in zowel het werk- als het persoonlijke profiel. + +## VPN Killswitch + +Android 7 en hoger ondersteunt een VPN killswitch en het is beschikbaar zonder de noodzaak om apps van derden te installeren. Deze functie kan lekken voorkomen als de VPN wordt verbroken. Het kan gevonden worden in :gear: **Instellingen** → **Netwerk & internet** → **VPN** → :gear: → **Blokkeer verbindingen zonder VPN**. + +## Globale schakelaars + +Moderne Android-toestellen hebben globale toggles voor het uitschakelen van Bluetooth en locatiediensten. Android 12 introduceerde toggles voor de camera en microfoon. Wanneer u deze functies niet gebruikt, raden wij je aan ze uit te schakelen. Apps kunnen geen gebruik maken van uitgeschakelde functies (zelfs niet als daarvoor individuele toestemming is verleend) totdat ze weer zijn ingeschakeld. + +## Google + +Als je een apparaat gebruikt met Google-diensten, hetzij ujouw standaard besturingssysteem of een besturingssysteem dat Google Play Services veilig sandboxed zoals GrapheneOS, zijn er een aantal extra wijzigingen die je kunt aanbrengen om jouw privacy te verbeteren. We raden nog steeds aan om Google diensten volledig te vermijden, of om Google Play diensten te beperken tot een specifiek gebruiker/werkprofiel door een apparaatcontroller zoals *Shelter* te combineren met GrapheneOS's Sandboxed Google Play. + +### Geavanceerd beschermingsprogramma + +Als je een Google-account hebt, raden wij je aan je in te schrijven voor het [Advanced Protection Program](https://landing.google.com/advancedprotection/). Het is gratis beschikbaar voor iedereen met twee of meer hardware beveiligingssleutels met [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) ondersteuning. + +Het geavanceerde beschermingsprogramma biedt verbeterde controle op bedreigingen en maakt het mogelijk: + +- Strengere tweefactorauthenticatie; bv. dat [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **moet worden gebruikt** en dat het gebruik van [SMS OTP's](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) en [OAuth](https://en.wikipedia.org/wiki/OAuth)niet is toegestaan +- Alleen Google en geverifieerde apps van derden hebben toegang tot accountgegevens +- Scannen van inkomende e-mails op Gmail-accounts voor [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) pogingen +- Strengere [veilige browser scannen](https://www.google.com/chrome/privacy/whitepaper.html#malware) met Google Chrome +- Striktere herstelprocedure voor accounts met verloren inloggegevens + + Als je gebruikmaakt van niet-sandboxed Google Play Services (gebruikelijk op standaard besturingssystemen), wordt het Advanced Protection Program ook geleverd met [extra voordelen](https://support.google.com/accounts/answer/9764949?hl=en), zoals: + +- Installatie van apps buiten de Google Play Store, de app-winkel van de leverancier van het besturingssysteem of via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge)is niet toegestaan +- Verplichte automatische apparaatscan met [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Je waarschuwt voor niet geverifieerde toepassingen + +### Google Play Systeem Updates + +In het verleden moesten beveiligingsupdates voor Android worden verzonden door de leverancier van het besturingssysteem. Android is meer modulair geworden vanaf Android 10, en Google kan beveiligingsupdates pushen voor **sommige** systeemcomponenten via de bevoorrechte Play Services. + +Als je een EOL-apparaat hebt dat met Android 10 of hoger wordt geleverd en geen van onze aanbevolen besturingssystemen op jouw apparaat kunt uitvoeren, kun je waarschijnlijk beter bij jouw OEM Android-installatie blijven (in tegenstelling tot een besturingssysteem dat hier niet wordt vermeld, zoals LineageOS of /e/ OS). Hierdoor kunt je **sommige** beveiligingsfixes van Google ontvangen, terwijl je het Android beveiligingsmodel niet schendt door een onveilig Android derivaat te gebruiken en jouw aanvalsoppervlak te vergroten. We raden nog steeds aan zo snel mogelijk te upgraden naar een ondersteund apparaat. + +### Reclame-ID + +Alle apparaten waarop Google Play Services zijn geïnstalleerd, genereren automatisch een [-reclame-ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) die wordt gebruikt voor gerichte reclame. Schakel deze functie uit om de over je verzamelde gegevens te beperken. + +Op Android distributies met [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), ga naar :gear: **Instellingen** → **Apps** → **Sandboxed Google Play** → **Google Instellingen** → **Advertenties**, en selecteer *Verwijder reclame ID*. + +Op Android distributies met geprivilegieerde Google Play Services (zoals standaard OSes), kan de instelling op een van verschillende locaties staan. Check + +- :gear: **Instellingen** → **Google** → **Advertenties** +- :gear: **Instellingen** → **Privacy** → **Advertenties** + +Je krijgt de optie om jouw advertentie-ID te verwijderen of om *af te melden voor op interesses gebaseerde advertenties*, dit varieert tussen OEM-distributies van Android. Als de mogelijkheid wordt geboden om de reclame-ID te wissen, heeft dat de voorkeur. Zo niet, zorg er dan voor dat je je afmeldt en jouw reclame-ID reset. + +### SafetyNet en Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) en de [Play Integrity API's](https://developer.android.com/google/play/integrity) worden over het algemeen gebruikt voor [bankapps](https://grapheneos.org/usage#banking-apps). Veel bank apps zullen prima werken in GrapheneOS met sandboxed Play services, maar sommige niet-financiële apps hebben hun eigen grove anti-tampering mechanismen die kunnen falen. GrapheneOS doorstaat de `basicIntegrity` check, maar niet de certificeringscheck `ctsProfileMatch`. Toestellen met Android 8 of later hebben hardware-attestondersteuning die niet kan worden omzeild zonder gelekte sleutels of ernstige kwetsbaarheden. + +Wat Google Wallet betreft, wij raden dit niet aan vanwege hun [privacybeleid](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), waarin staat dat je zich moet afmelden als je niet wilt dat jouw kredietwaardigheid en persoonlijke gegevens worden gedeeld met affiliate marketingdiensten. diff --git a/i18n/nl/os/linux-overview.md b/i18n/nl/os/linux-overview.md new file mode 100644 index 00000000..6235e883 --- /dev/null +++ b/i18n/nl/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overzicht +icon: simple/linux +description: Linux is een open-source, privacy-gericht desktop besturingssysteem alternatief, maar niet alle distributies zijn gelijk. +--- + +Vaak wordt aangenomen dat [open-source](https://en.wikipedia.org/wiki/Open-source_software) software inherent veilig is omdat de broncode beschikbaar is. Er wordt verwacht dat er regelmatig communautaire verificatie plaatsvindt; dit is echter niet altijd [het geval](https://seirdy.one/posts/2022/02/02/floss-security/). Het hangt af van een aantal factoren, zoals de activiteit van het project, de ervaring van de ontwikkelaar, de striktheid waarmee [code wordt gereviewd](https://en.wikipedia.org/wiki/Code_review), en hoe vaak aandacht wordt besteed aan specifieke delen van de [codebase](https://en.wikipedia.org/wiki/Codebase) die misschien jarenlang onaangeroerd zijn gebleven. + +Op dit moment heeft desktop GNU/Linux enkele gebieden die beter zouden kunnen dan hun propriëtaire tegenhangers, bijv.: + +- Een geverifieerde opstartketen, in tegenstelling tot Apple's [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (met [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android's [Verified Boot](https://source.android.com/security/verifiedboot) of Microsoft Windows's [opstartproces](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) met [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). Deze voorzieningen en hardwaretechnologieën kunnen allemaal helpen om aanhoudende sabotage door malware of [evil maid attacks te voorkomen](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- Sterke sandboxing-oplossing zoals die welke te vinden is in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), en [Android](https://source.android.com/security/app-sandbox). Veelgebruikte Linux sandboxing oplossingen zoals [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) en [Firejail](https://firejail.wordpress.com/) hebben nog een lange weg te gaan +- Sterke [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Ondanks deze nadelen zijn desktop GNU/Linux distributies geweldig als je dat wilt: + +- Vermijd telemetrie die vaak gepaard gaat met propriëtaire besturingssystemen +- Handhaving van [softwarevrijheid](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Hebben speciaal gebouwde systemen zoals [Whonix](https://www.whonix.org) of [Tails](https://tails.boum.org/) + +Op onze website wordt de term "Linux" doorgaans gebruikt om desktop GNU/Linux-distributies te beschrijven. Andere besturingssystemen die ook de Linux-kernel gebruiken, zoals ChromeOS, Android en Qubes OS, worden hier niet besproken. + +[Onze Linux-aanbevelingen :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Uw distributie kiezen + +Niet alle Linux-distributies zijn gelijk geschapen. Hoewel onze Linux-aanbevelingspagina niet bedoeld is als een gezaghebbende bron over welke distributie je zou moeten gebruiken, zijn er een paar dingen die je in gedachten moet houden bij het kiezen van de distributie die je wilt gebruiken. + +### Vrijgave cyclus + +Wij raden je ten zeerste aan distributies te kiezen die dicht bij de stabiele upstream software releases blijven, vaak aangeduid als rolling release distributies. Dit komt omdat distributies met een bevroren releasecyclus vaak de pakketversies niet bijwerken en achterlopen op beveiligingsupdates. + +Voor bevroren distributies wordt van pakketbeheerders verwacht dat ze patches backporteren om kwetsbaarheden te verhelpen (Debian is zo'n [voorbeeld](https://www.debian.org/security/faq#handling)) in plaats van de software aan te passen aan de "volgende versie" die door de upstream-ontwikkelaar wordt uitgebracht. Sommige beveiligingsfixes [krijgen](https://arxiv.org/abs/2105.14565) helemaal geen [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (vooral minder populaire software) en komen daarom niet in de distributie met dit patchingmodel. Als gevolg daarvan worden kleine beveiligingsupdates soms uitgesteld tot de volgende grote release. + +Wij geloven niet dat het een goed idee is om pakketten tegen te houden en tussentijdse patches toe te passen, aangezien dit afwijkt van de manier waarop de ontwikkelaar de software bedoeld zou kunnen hebben. [Richard Brown](https://rootco.de/aboutme/) heeft hier een presentatie over: + +
+ +
+ +### Traditionele vs. Atomische updates + +Traditioneel worden Linux distributies bijgewerkt door sequentieel de gewenste pakketten bij te werken. Traditionele updates zoals die gebruikt worden in Fedora, Arch Linux, en Debian gebaseerde distributies kunnen minder betrouwbaar zijn als er een fout optreedt tijdens het updaten. + +Atomic updating distributies passen updates volledig of helemaal niet toe. Typisch zijn transactionele updatesystemen ook atomair. + +Een transactioneel updatesysteem creëert een momentopname die wordt gemaakt voor en na het toepassen van een update. Als een update op een bepaald moment mislukt (bijvoorbeeld door een stroomstoring), kan de update gemakkelijk worden teruggezet naar een "laatst bekende goede staat" + +De Atomic update methode wordt gebruikt voor immutable distributies zoals Silverblue, Tumbleweed, en NixOS en kan betrouwbaarheid bereiken met dit model. [Adam Šamalík](https://twitter.com/adsamalik) gaf een presentatie over hoe `rpm-ostree` werkt met Silverblue: + +
+ +
+ +### "Beveiligingsgerichte" distributies + +Er bestaat vaak enige verwarring over "op veiligheid gerichte" distributies en "pentesting"-distributies. Een snelle zoekactie naar "de veiligste Linux-distributie" levert vaak resultaten op als Kali Linux, Black Arch en Parrot OS. Deze distributies zijn offensieve penetratietestdistributies die hulpmiddelen bundelen voor het testen van andere systemen. Ze bevatten geen "extra beveiliging" of defensieve maatregelen voor normaal gebruik. + +### Arch-gebaseerde distributies + +Arch-gebaseerde distributies worden niet aanbevolen voor mensen die nieuw zijn met Linux, ongeacht de distributie. Arch heeft geen distributie update mechanisme voor de onderliggende software keuzes. Als gevolg daarvan moet je op de hoogte blijven van de huidige trends en technologieën overnemen naarmate deze oudere praktijken verdringen. + +Voor een veilig systeem wordt ook verwacht dat je voldoende Linux kennis hebt om de beveiliging van hun systeem goed in te stellen, zoals het aannemen van een [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) systeem, het opzetten van [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, het harden van boot parameters, het manipuleren van [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, en weten welke componenten ze nodig hebben zoals [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Iedereen die gebruik maakt van de [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **moet zich** comfortabel voelen bij het auditen van PKGBUILDs die ze vanuit die service installeren. AUR-pakketten zijn door de gemeenschap geproduceerde inhoud en worden op geen enkele manier doorgelicht, en zijn daarom kwetsbaar voor aanvallen op de softwareketen, wat in het verleden inderdaad is gebeurd [](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR moet altijd met mate worden gebruikt en vaak is er veel slecht advies op verschillende pagina's die mensen zonder voldoende waarschuwing opdragen om blindelings [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) te gebruiken. Vergelijkbare waarschuwingen gelden voor het gebruik van Personal Package Archives (PPA's) van derden op Debian gebaseerde distributies of Community Projects (COPR) op Fedora. + +Als je ervaring hebt met Linux en een Arch-gebaseerde distributie wilt gebruiken, raden wij alleen Arch Linux zelf aan, niet een van zijn afgeleiden. Wij raden deze twee Arch-derivaten specifiek af: + +- **Manjaro**: Deze distributie houdt pakketten 2 weken achter om er zeker van te zijn dat hun eigen veranderingen niet kapot gaan, niet om er zeker van te zijn dat upstream stabiel is. Wanneer AUR pakketten worden gebruikt, worden ze vaak gebouwd tegen de laatste [bibliotheken](https://en.wikipedia.org/wiki/Library_(computing)) uit Arch's repositories. +- **Garuda**: Zij gebruiken [Chaotic-AUR](https://aur.chaotic.cx/) die automatisch en blindelings pakketten compileert uit de AUR. Er is geen verificatieproces om ervoor te zorgen dat de AUR-pakketten niet te lijden hebben van aanvallen op de toeleveringsketen. + +### Kicksecure + +Hoewel we sterk afraden om verouderde distributies zoals Debian te gebruiken, als je besluit om het te gebruiken, stellen we voor dat je [](https://www. kicksecure. com/wiki/Debian) omzet in [Kicksecure](https://www.kicksecure.com/). Kicksecure is, in oversimplistische termen, een verzameling scripts, configuraties en pakketten die het aanvalsoppervlak van Debian aanzienlijk verkleinen. Het dekt standaard een heleboel aanbevelingen voor privacy en hardening. + +### Linux-libre kernel en "Libre" distributies + +Wij raden **sterk af om** de Linux-libre kernel te gebruiken, aangezien [beveiligingsbeperkingen verwijdert](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) en [om ideologische redenen kernelwaarschuwingen](https://news.ycombinator.com/item?id=29674846) over kwetsbare microcode onderdrukt. + +## Algemene aanbevelingen + +### Schijfversleuteling + +De meeste Linux-distributies hebben een optie in het installatieprogramma om [LUKS](../encryption.md#linux-unified-key-setup) FDE in te schakelen. Als deze optie niet is ingesteld tijdens de installatie, zult je een back-up van jouw gegevens moeten maken en opnieuw moeten installeren, aangezien de versleuteling wordt toegepast na [schijfpartitionering](https://en.wikipedia.org/wiki/Disk_partitioning), maar voordat [bestandssystemen](https://en.wikipedia.org/wiki/File_system) worden geformatteerd. We raden je ook aan jouw opslagapparaat veilig te wissen: + +- [Veilig wissen van gegevens :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Wissel + +Overweeg het gebruik van [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) of [versleutelde swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) in plaats van onversleutelde swap om potentiële beveiligingsproblemen te vermijden met gevoelige gegevens die naar [swap space](https://en.wikipedia.org/wiki/Memory_paging)worden geduwd. Op Fedora gebaseerde distributies [gebruiken standaard ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We raden aan een desktopomgeving te gebruiken die het [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) weergaveprotocol ondersteunt, aangezien het ontwikkeld is met beveiliging [in gedachten](https://lwn.net/Articles/589147/). Zijn voorganger, [X11](https://en.wikipedia.org/wiki/X_Window_System), ondersteunt geen GUI isolatie, waardoor alle vensters [scherm kunnen opnemen, loggen en invoer injecteren in andere vensters](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), waardoor elke poging tot sandboxing zinloos wordt. Hoewel er opties zijn om geneste X11 te doen, zoals [Xpra](https://en.wikipedia.org/wiki/Xpra) of [Xephyr](https://en.wikipedia.org/wiki/Xephyr), komen ze vaak met negatieve prestatiegevolgen en zijn ze niet handig op te zetten en hebben ze geen voorkeur boven Wayland. + +Gelukkig hebben veelgebruikte omgevingen zoals [GNOME](https://www.gnome.org), [KDE](https://kde.org), en de window manager [Sway](https://swaywm.org) ondersteuning voor Wayland. Sommige distributies zoals Fedora en Tumbleweed gebruiken het standaard, en sommige andere zullen dat misschien in de toekomst doen aangezien X11 in [harde onderhoudsmodus is](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Als je een van deze omgevingen gebruikt is het zo eenvoudig als het selecteren van de "Wayland" sessie bij de desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +Wij raden **aan tegen** door desktop omgevingen of window managers te gebruiken die geen Wayland ondersteuning hebben, zoals Cinnamon (standaard op Linux Mint), Pantheon (standaard op Elementary OS), MATE, Xfce, en i3. + +### Eigen firmware (Microcode Updates) + +Linux-distributies zoals die van [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) of DIY (Arch Linux) worden niet geleverd met de propriëtaire [microcode](https://en.wikipedia.org/wiki/Microcode) updates die vaak kwetsbaarheden patchen. Enkele opmerkelijke voorbeelden van deze kwetsbaarheden zijn [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), en andere [hardwarekwetsbaarheden](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Wij **bevelen** ten zeerste aan dat je de microcode-updates installeert, aangezien jouw CPU al vanaf de fabriek op de eigen microcode draait. Fedora en openSUSE hebben beide standaard de microcode updates toegepast. + +### Updates + +De meeste Linux-distributies zullen automatisch updates installeren of u eraan herinneren om dat te doen. Het is belangrijk om jouw besturingssysteem up-to-date te houden, zodat jouw software wordt gepatcht wanneer een kwetsbaarheid wordt gevonden. + +Sommige distributies (vooral die gericht zijn op gevorderde gebruikers) zijn aan de kale kant en verwachten dat je dingen zelf doet (bijvoorbeeld Arch of Debian). Hiervoor moet de "pakketbeheerder" (`apt`, `pacman`, `dnf`, enz.) handmatig worden uitgevoerd om belangrijke beveiligingsupdates te ontvangen. + +Bovendien downloaden sommige distributies firmware-updates niet automatisch. Daarvoor moet je [`fwupd`](https://wiki.archlinux.org/title/Fwupd)installeren. + +## Privacy Tweaks + +### MAC-adres randomisatie + +Veel desktop Linux distributies (Fedora, openSUSE, enz.) worden geleverd met [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), om Ethernet en Wi-Fi instellingen te configureren. + +Het is mogelijk om [te randomiseren](https://fedoramagazine.org/randomize-mac-address-nm/) het [MAC adres](https://en.wikipedia.org/wiki/MAC_address) bij gebruik van NetworkManager. Dit zorgt voor wat meer privacy op Wi-Fi-netwerken, omdat het moeilijker wordt specifieke apparaten op het netwerk waarmee u verbonden bent, te traceren. Het doet [**niet**](https://papers.mathyvanhoef.com/wisec2016.pdf) maakt je anoniem. + +Wij raden aan de instelling te wijzigen in **random** in plaats van **stable**, zoals voorgesteld in het [artikel](https://fedoramagazine.org/randomize-mac-address-nm/). + +Als je [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components)gebruikt, moet je [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) instellen, waardoor [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=)wordt ingeschakeld. + +Het heeft niet veel zin om het MAC-adres voor Ethernetverbindingen te randomiseren, aangezien een systeembeheerder je kan vinden door te kijken naar de poort die je gebruikt op de [netwerkswitch](https://en.wikipedia.org/wiki/Network_switch). Het willekeurig maken van Wi-Fi MAC-adressen hangt af van de ondersteuning door de firmware van de Wi-Fi. + +### Andere identificatiemiddelen + +Er zijn andere systeemidentifiers waar u misschien voorzichtig mee moet zijn. Je moet hier eens over nadenken om te zien of dit van toepassing is op jouw [dreigingsmodel](../basics/threat-modeling.md): + +- **Hostnamen:** De hostnaam van jouw systeem wordt gedeeld met de netwerken waarmee je verbinding maakt. Je kunt beter geen identificerende termen zoals jouw naam of besturingssysteem in jouw hostnaam opnemen, maar het bij algemene termen of willekeurige strings houden. +- **Gebruikersnamen:** Ook jouw gebruikersnaam wordt op verschillende manieren in jouw systeem gebruikt. Gebruik liever algemene termen als "gebruiker" dan jouw eigenlijke naam. +- **Machine ID:**: Tijdens de installatie wordt een unieke machine ID gegenereerd en opgeslagen op jouw toestel. Overweeg [het in te stellen op een generieke ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### Systeemtelling + +Het Fedora Project [telt](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) hoeveel unieke systemen toegang hebben tot zijn spiegels door gebruik te maken van een [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variabele in plaats van een uniek ID. Fedora doet dit om de belasting te bepalen en waar nodig betere servers voor updates te voorzien. + +Deze [optie](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) staat momenteel standaard uit. We raden aan om `countme=false` toe te voegen aan `/etc/dnf/dnf.conf` voor het geval het in de toekomst wordt ingeschakeld. Op systemen die `rpm-ostree` gebruiken, zoals Silverblue, wordt de countme optie uitgeschakeld door de [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer te maskeren. + +openSUSE gebruikt ook een [unieke ID](https://en.opensuse.org/openSUSE:Statistics) om systemen te tellen, die kan worden uitgeschakeld door het bestand `/var/lib/zypp/AnonymousUniqueId` te verwijderen. diff --git a/i18n/nl/os/qubes-overview.md b/i18n/nl/os/qubes-overview.md new file mode 100644 index 00000000..8e51575c --- /dev/null +++ b/i18n/nl/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overzicht" +icon: simple/qubesos +description: Qubes is een besturingssysteem dat apps isoleert binnen virtuele machines voor een betere beveiliging. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is een besturingssysteem dat gebruik maakt van de [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor om sterke beveiliging te bieden voor desktop computing via geïsoleerde virtuele machines. Elke VM wordt een *Qube* genoemd en je kunt elke Qube een vertrouwensniveau toewijzen op basis van het doel ervan. Omdat Qubes OS beveiliging biedt door isolatie te gebruiken en alleen acties per geval toe te staan, is dit het tegenovergestelde van [slechtheids opsomming](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Hoe werkt Qubes OS? + +Qubes gebruikt [compartimentering](https://www.qubes-os.org/intro/) om het systeem veilig te houden. Qubes worden aangemaakt op basis van sjablonen, waarbij de standaard opties Fedora, Debian en [Whonix](../desktop.md#whonix)zijn. Met Qubes OS kunt u ook [wegwerpbare](https://www.qubes-os.org/doc/how-to-use-disposables/) virtuele machines creëren. + +![Qubes architectuur](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architectuur, Krediet: Wat is Qubes OS Intro
+ +Elke Qube-applicatie heeft een [gekleurde rand](https://www.qubes-os.org/screenshots/) die je kan helpen bij het bijhouden van de virtuele machine waarin het draait. Je kunt bijvoorbeeld een specifieke kleur gebruiken voor jouw bankbrowser, en een andere kleur voor een algemene niet-vertrouwde browser. + +![Gekleurde rand](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes vensterranden, krediet: Qubes Screenshots
+ +## Waarom zou ik Qubes gebruiken? + +Qubes OS is nuttig als jouw [bedreigingsmodel](../basics/threat-modeling.md) een sterke compartimentering en beveiliging vereist, bijvoorbeeld als je denkt dat je onvertrouwde bestanden van onvertrouwde bronnen zult openen. Een typische reden om Qubes OS te gebruiken is het openen van documenten van onbekende bronnen. + +Qubes OS maakt gebruik van [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (dwz een "AdminVM") voor het besturen van andere gast-VM 's of Qubes op het host-besturingssysteem. Andere VM 's geven individuele toepassingsvensters weer binnen de desktopomgeving van Dom0. Hiermee kun je vensters een kleurcode geven op basis van vertrouwensniveaus en apps draaien die met elkaar kunnen communiceren met zeer fijnmazige controle. + +### Tekst kopiëren en plakken + +Je kunt [tekst kopiëren en plakken](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) met behulp van `qvm-copy-to-vm` of de onderstaande instructies: + +1. Druk op **Ctrl+C** om de VM waarin je je bevindt te vertellen dat je iets wilt kopiëren. +2. Druk op **Ctrl+Shift+C** om de VM te vertellen deze buffer beschikbaar te maken voor het algemene klembord. +3. Druk op **Ctrl+Shift+V** in de doel-VM om het globale klembord beschikbaar te maken. +4. Druk op **Ctrl+V** in de bestemmings-VM om de inhoud in de buffer te plakken. + +### Bestandsuitwisseling + +Om bestanden en mappen (mappen) van de ene VM naar de andere te kopiëren en te plakken, kunt je de optie **Kopiëren naar andere AppVM...** of **Verplaatsen naar andere AppVM...**gebruiken. Het verschil is dat de optie **Verplaatsen** het oorspronkelijke bestand verwijdert. Beide opties beschermen jouw klembord tegen uitlekken naar andere Qubes. Dit is veiliger dan bestandsoverdracht via air-gapped, omdat een air-gapped computer nog steeds gedwongen wordt partities of bestandssystemen te parseren. Dat is niet nodig met het inter-qube kopieersysteem. + +??? info "AppVM's of qubes hebben geen eigen bestandssystemen" + + Je kunt [bestanden kopiëren en verplaatsen](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) tussen Qubes. Daarbij worden de wijzigingen niet onmiddellijk aangebracht en kunnen ze bij een ongeval gemakkelijk ongedaan worden gemaakt. + +### Inter-VM Interacties + +Het [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is een kernonderdeel van Qubes dat communicatie tussen virtuele machines in domeinen mogelijk maakt. Het is gebouwd bovenop de Xen-bibliotheek *vchan*, die [isolatie vergemakkelijkt door middel van beleid](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Extra bronnen + +Voor aanvullende informatie raden wij je aan de uitgebreide Qubes OS documentatie pagina's te raadplegen op de [Qubes OS Website](https://www.qubes-os.org/doc/). Offline kopieën kunnen worden gedownload van het Qubes OS [documentatie archief](https://github.com/QubesOS/qubes-doc). + +- Open Technologie Fonds: [*Ongetwijfeld 's werelds veiligste besturingssysteem*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Softwarecompartimentering versus fysieke scheiding*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*De verdeling van mijn digitale leven in veiligheidsdomeinen*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Verwante artikelen*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/nl/passwords.md b/i18n/nl/passwords.md new file mode 100644 index 00000000..c2a9bad0 --- /dev/null +++ b/i18n/nl/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Wachtwoord managers" +icon: material/form-textbox-password +description: Met wachtwoord Managers kunt je wachtwoorden en andere geheimen veilig opslaan en beheren met behulp van een hoofdwachtwoord. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Wachtwoord Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Wachtwoord Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Wachtwoord Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Wachtwoord Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Wachtwoord Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Wachtwoord Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Wachtwoord Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Met wachtwoord Managers kunt je wachtwoorden en andere geheimen veilig opslaan en beheren met behulp van een hoofdwachtwoord. + +[Uitleg over wachtwoorden :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Ingebouwde wachtwoord managers in software zoals browsers en besturingssystemen zijn soms niet zo goed als speciale software voor wachtwoordbeheer. Het voordeel van een ingebouwde wachtwoord manager is een goede integratie met de software, maar het kan vaak erg eenvoudig zijn en mist privacy- en beveiligingsfuncties die aanbiedingen van derden wel hebben. + + De wachtwoord manager in Microsoft Edge biedt bijvoorbeeld helemaal geen E2EE. Google's wachtwoord manager heeft [optional](https://support.google.com/accounts/answer/11350823) E2EE, en [Apple's](https://support.apple.com/en-us/HT202303) biedt standaard E2EE. + +## Cloud-gebaseerd + +Deze wachtwoordbeheerders synchroniseren jouw wachtwoorden met een cloudserver voor gemakkelijke toegang vanaf al jouw apparaten en veiligheid tegen verlies van apparaten. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is een gratis en open-source wachtwoord manager. Het is gericht op het oplossen van problemen op het gebied van wachtwoordbeheer voor individuen, teams en bedrijfsorganisaties. Bitwarden is een van de makkelijkste en veiligste oplossingen om al jouw logins en wachtwoorden op te slaan terwijl ze gemakkelijk gesynchroniseerd blijven tussen al jouw apparaten. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden beschikt ook over de tool genaamd [Bitwarden Send](https://bitwarden.com/products/send/), waarmee je veilig tekst en bestanden kunt delen met [end-to-end encryptie](https://bitwarden.com/help/send-encryption). Een [wachtwoord](https://bitwarden.com/help/send-privacy/#send-passwords) kan nodig zijn samen met de verzendlink. Bitwarden Send beschikt ook over [automatische verwijdering](https://bitwarden.com/help/send-lifespan). + +U hebt het [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) nodig om bestanden te kunnen delen. Het gratis plan staat alleen het delen van tekst toe. + +De server-side code van Bitwarden is [open-source](https://github.com/bitwarden/server), dus als je de Bitwarden-cloud niet wilt gebruiken, kunt je gemakkelijk jouw eigen Bitwarden-synchronisatieserver hosten. + +**Vaultwarden** is een alternatieve implementatie van de sync-server van Bitwarden, geschreven in Rust en compatibel met de officiële Bitwarden-clients, perfect voor zelf-hosting waar het draaien van de officiële resource-heavy service misschien niet ideaal is. Als je Bitwarden zelf wilt hosten op jouw eigen server, wil je vrijwel zeker Vaultwarden gebruiken in plaats van de officiële servercode van Bitwarden. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentatie} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Broncode" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Bijdragen} + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is een wachtwoordmanager met een sterke focus op veiligheid en gebruiksgemak, waarmee je wachtwoorden, creditcards, softwarelicenties en andere gevoelige informatie kunt opslaan in een veilige digitale kluis. Uw kluis wordt gehost op de servers van 1Password voor een [maandelijkse vergoeding](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) op regelmatige basis en biedt uitzonderlijke klantenondersteuning. 1Password is closed source; de beveiliging van het product is echter grondig gedocumenteerd in hun [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditioneel biedt **1Password** de beste wachtwoordmanager-gebruikerservaring voor mensen die macOS en iOS gebruiken; het ondersteunt nu echter alle functies op alle platforms. Het heeft veel functies die gericht zijn op gezinnen en minder technische mensen, maar ook geavanceerde functionaliteit. + +Uw 1Password-kluis is beveiligd met zowel jouw hoofdwachtwoord als een gerandomiseerde beveiligingssleutel van 34 tekens om jouw gegevens op hun servers te versleutelen. Deze beveiligingssleutel voegt een beschermingslaag toe aan jouw gegevens omdat jouw gegevens worden beveiligd met een hoge entropie, ongeacht jouw hoofdwachtwoord. Veel andere oplossingen voor wachtwoordbeheer zijn volledig afhankelijk van de sterkte van jouw hoofdwachtwoord om jouw gegevens te beveiligen. + +Een voordeel van 1Password ten opzichte van Bitwarden is de eersteklas ondersteuning voor native clients. Terwijl Bitwarden veel taken, vooral accountbeheerfuncties, naar hun webkluisinterface verwijst, maakt 1Password bijna elke functie beschikbaar binnen zijn native mobiele of desktop clients. De clients van 1Password hebben ook een meer intuïtieve UI, waardoor ze gemakkelijker te gebruiken en te navigeren zijn. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is een gratis en open-source wachtwoordmanager uit Duitsland, met een focus op wachtwoordbeheer voor teams. Psono ondersteunt het veilig delen van wachtwoorden, bestanden, bladwijzers en e-mails. Alle geheimen worden beschermd door een hoofdwachtwoord. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono biedt uitgebreide documentatie voor hun product. De web-client voor Psono kunt je zelf hosten; als alternatief kunt je kiezen voor de volledige Community Edition of de Enterprise Edition met extra mogelijkheden. + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +#### Minimale vereisten + +- Moet gebruik maken van sterke, op standaarden gebaseerde/moderne E2EE. +- Moet beschikken over grondig gedocumenteerde encryptie- en beveiligingspraktijken. +- Moet een gepubliceerde audit hebben van een gerenommeerde, onafhankelijke derde partij. +- Alle niet-essentiële telemetrie moet optioneel zijn. +- Mag niet meer PII verzamelen dan nodig is voor factureringsdoeleinden. + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Telemetrie moet opt-in zijn (standaard uitgeschakeld) of helemaal niet worden verzameld. +- Moet open-source zijn en redelijk self-hostable. + +## Lokale opslag + +Met deze opties kunt je een versleutelde wachtwoorddatabase lokaal beheren. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is een community fork van KeePassX, een native cross-platform port van KeePass Password Safe, met als doel het uit te breiden en te verbeteren met nieuwe functies en bugfixes om een feature-rijke, cross-platform en moderne open-source password manager te bieden. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Broncode" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC slaat zijn exportgegevens op als [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) bestanden. Dit kan gegevensverlies betekenen als je dit bestand importeert in een andere wachtwoordmanager. Wij adviseren je om elke registratie handmatig te controleren. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is een lichtgewicht wachtwoordmanager voor Android, waarmee versleutelde gegevens in een enkel bestand in KeePass-formaat kunnen worden bewerkt en de formulieren op een veilige manier kunnen worden ingevuld. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) maakt het mogelijk om cosmetische inhoud en niet-standaard protocolfuncties vrij te spelen, maar belangrijker nog, het helpt en stimuleert de ontwikkeling. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is een native, open-source wachtwoordmanager voor iOS en macOS. Strongbox ondersteunt zowel KeePass als Password Safe formaten en kan worden gebruikt in combinatie met andere wachtwoordmanagers, zoals KeePassXC, op niet-Apple platforms. Door gebruik te maken van een [freemium model](https://strongboxsafe.com/pricing/), biedt Strongbox de meeste functies aan in zijn gratis plan met meer op gemak gerichte [features](https://strongboxsafe.com/comparison/)-zoals biometrische authenticatie- vergrendeld achter een abonnement of eeuwigdurende licentie. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Bovendien wordt er een offline versie aangeboden: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Deze versie is uitgekleed in een poging het aanvalsoppervlak te verkleinen. + +### Command-line + +Deze producten zijn minimale wachtwoordmanagers die kunnen worden gebruikt binnen scriptingtoepassingen. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is een wachtwoordmanager voor de commandoregel geschreven in Go. Het werkt op alle belangrijke desktop- en serverbesturingssystemen (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Broncode" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Bijdrage leveren } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet cross-platform zijn. diff --git a/i18n/nl/productivity.md b/i18n/nl/productivity.md new file mode 100644 index 00000000..72a97ff9 --- /dev/null +++ b/i18n/nl/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productiviteitshulpmiddelen" +icon: material/file-sign +description: De meeste online office suites ondersteunen geen E2EE, wat betekent dat de cloud provider toegang heeft tot alles wat je doet. +--- + +De meeste online office suites ondersteunen geen E2EE, wat betekent dat de cloud provider toegang heeft tot alles wat je doet. Het privacybeleid kan jouw rechten wettelijk beschermen, maar het voorziet niet in technische toegangsbeperkingen. + +## Samenwerkingsplatforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is een suite van gratis en open-source client-server software voor het creëren van jouw eigen bestandshosting diensten op een prive-server die jij controleert. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Broncode" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger "Gevaar" + + Wij raden het gebruik van de [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) voor Nextcloud af, omdat dit kan leiden tot gegevensverlies; het is zeer experimenteel en niet van productiekwaliteit. Om deze reden bevelen wij geen Nextcloud-providers van derden aan. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is een privé alternatief voor populaire office tools. Alle inhoud op deze webdienst is end-to-end versleutelden kan gemakkelijk met andere gebruikers worden gedeeld. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Broncode" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Bijdragen } + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +In het algemeen definiëren wij samenwerkingsplatforms als volwaardige suites die redelijkerwijs als vervanging van samenwerkingsplatforms als Google Drive kunnen dienen. + +- Open source. +- Maakt bestanden toegankelijk via WebDAV, tenzij dat onmogelijk is vanwege E2EE. +- Heeft sync-clients voor Linux, macOS en Windows. +- Ondersteunt het bewerken van documenten en spreadsheets. +- Ondersteunt real-time samenwerking tussen documenten. +- Ondersteunt het exporteren van documenten naar standaard documentformaten (bijv. ODF). + +#### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet bestanden opslaan in een conventioneel bestandssysteem. +- Moet TOTP of FIDO2 multi-factor authenticatie ondersteunen, of Passkey-logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is een gratis en open-source kantoorpakket met uitgebreide functionaliteit. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentatie} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Broncode" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is een gratis en open-source kantoorpakket in de cloud met uitgebreide functionaliteit, inclusief integratie met Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +In het algemeen definiëren wij kantoorsuites als toepassingen die voor de meeste behoeften redelijkerwijs als vervanging van Microsoft Word kunnen dienen. + +- Moet cross-platform zijn. +- Moet open-source software zijn. +- Moet offline functioneren. +- Moet het bewerken van documenten, spreadsheets en diavoorstellingen ondersteunen. +- Moet bestanden exporteren naar standaard documentformaten. + +## Paste diensten + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is een minimalistische, open-source online pastebin waar de server geen kennis heeft van geplakte data. Gegevens worden in de browser versleuteld/ontsleuteld met 256-bit AES. Het is de verbeterde versie van ZeroBin. Er is een [lijst van instanties](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Broncode" } diff --git a/i18n/nl/real-time-communication.md b/i18n/nl/real-time-communication.md new file mode 100644 index 00000000..84730fff --- /dev/null +++ b/i18n/nl/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communicatie" +icon: material/chat-processing +description: Andere instant messengers maken al je privégesprekken beschikbaar voor het bedrijf dat ze beheert. +--- + +Dit zijn onze aanbevelingen voor versleutelde real-time communicatie. + +[Soorten communicatienetwerken :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Versleutelde Messengers + +Deze boodschappers zijn geweldig voor het beveiligen van jouw gevoelige communicatie. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is een mobiele app ontwikkeld door Signal Messenger LLC. De app biedt instant messaging en spraak- en videobellen. + + Alle communicatie is E2EE. Contactlijsten worden versleuteld met uw Signal PIN en de server heeft er geen toegang toe. Persoonlijke profielen worden ook versleuteld en alleen gedeeld met contacten waarmee je chat. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Broncode" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signaal ondersteunt [privégroepen](https://signal.org/blog/signal-private-group-system/). De server heeft geen gegevens van je groepslidmaatschappen, groepstitels, groepsafbeeldingen of groepsattributen. Signaal heeft minimale metadata wanneer [Verzegelde Afzender](https://signal.org/blog/sealed-sender/) is ingeschakeld. Het afzenderadres is versleuteld samen met de inhoud van het bericht, en alleen het adres van de ontvanger is zichtbaar voor de server. Verzegelde afzender is alleen ingeschakeld voor mensen in uw contactenlijst, maar kan ingeschakeld zijn voor alle ontvangers met een verhoogd risico om spam te ontvangen. Signaal vereist jouw telefoonnummer als persoonlijk identificatiemiddel. + +Het protocol was onafhankelijk [gecontroleerd](https://eprint.iacr.org/2016/1013.pdf) in 2016. De specificatie van het Signaal-protocol kan worden gevonden in hun [documentatie](https://signal.org/docs/). + +We hebben nog enkele extra tips over het configureren en verharden van jouw signaalinstallatie: + +[Signaalconfiguratie en Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is een instant messenger die gedecentraliseerd is en niet afhankelijk is van unieke identifiers zoals telefoonnummers of gebruikersnamen. Berichten en bestanden die in privéruimten worden gedeeld (waarvoor een uitnodiging nodig is) zijn standaard E2EE, net als één-op-één spraak- en videogesprekken. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [werd gecontroleerd](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) door Trail Bits in oktober 2022. + +Momenteel biedt SimpleX Chat alleen een client voor Android en iOS. Basisfuncties voor groepschatten, direct messaging, bewerken van berichten en markdown worden ondersteund. E2EE audio- en video-oproepen worden ook ondersteund. + +Jouw gegevens kunnen worden geëxporteerd en geïmporteerd naar een ander apparaat, omdat er geen centrale servers zijn waar een back-up van wordt gemaakt. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is een versleutelde instant messenger die [connects](https://briarproject.org/how-it-works/) gebruikt voor andere clients via het Tor Netwerk. Briar kan ook verbinding maken via Wi-Fi of Bluetooth wanneer hij in de buurt is. Briar's lokale mesh-modus kan nuttig zijn wanneer de beschikbaarheid van internet een probleem is. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentatie} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Broncode" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donatiemogelijkheden staan onderaan de homepage" } } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +Om een contact toe te voegen aan Briar, moet je eerst beide elkaar toevoegen. Je kunt `briar://` links ruilen of de QR-code van een contactpersoon scannen als deze dichtbij zijn. + +De clientsoftware was onafhankelijk [gecontroleerd](https://briarproject.org/news/2017-beta-released-security-audit/), en het anonieme routing protocol maakt gebruik van het Tor netwerk dat ook is gecontroleerd. + +Briar heeft een volledig [gepubliceerde specificatie](https://code.briarproject.org/briar/briar-spec). + +Briar ondersteunt perfect forward secrecy door het gebruik van jet Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) en [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Aanvullende opties + +!!! warning + + Deze boodschappers hebben geen Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), en hoewel zij in bepaalde behoeften voorzien die onze vorige aanbevelingen niet hebben, bevelen wij ze niet aan voor langdurige of gevoelige communicatie. Elke compromittering van sleutels tussen ontvangers van berichten zou de vertrouwelijkheid van **alle** eerdere communicaties aantasten. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is de referentieclient voor het [Matrix](https://matrix.org/docs/guides/introduction) protocol, een [open standaard](https://matrix.org/docs/spec) voor veilige gedecentraliseerde real-time communicatie. + + Berichten en bestanden die in privéruimten worden gedeeld (waarvoor een uitnodiging nodig is) zijn standaard E2EE, net als één-op-één spraak- en videogesprekken. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profielfoto's, reacties en bijnamen zijn niet versleuteld. + +Groepsgesprekken voor spraak en video zijn [niet](https://github.com/vector-im/element-web/issues/12878) E2EE, en gebruiken Jitsi, maar dit zal naar verwachting veranderen met [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Groepsgesprekken hebben [momenteel geen authenticatie](https://github.com/vector-im/element-web/issues/13074), wat betekent dat ook deelnemers van buiten de zaal aan de gesprekken kunnen deelnemen. Wij raden je aan deze functie niet te gebruiken voor privévergaderingen. + +Het Matrix-protocol zelf [ondersteunt in theorie PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), maar dit wordt [momenteel niet ondersteund in Element](https://github.com/vector-im/element-web/issues/7101) omdat het sommige aspecten van de gebruikerservaring, zoals sleutelback-ups en gedeelde berichtgeschiedenis, hierdoor niet naar behoren functioneerd. + +Het protocol is in 2016 onafhankelijk [gecontroleerd](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last). De specificatie van het Matrix-protocol is te vinden in hun [documentatie](https://spec.matrix.org/latest/). De [Olm](https://matrix.org/docs/projects/other/olm) cryptografische ratel die door Matrix wordt gebruikt, is een implementatie van het [Double Ratchet-algoritme van Signal](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is een gedecentraliseerde messenger met een focus op private, veilige en anonieme communicatie. Session biedt ondersteuning voor directe berichten, groepschats en spraakoproepen. + + Session maakt gebruik van het gedecentraliseerde [Oxen Service Node Network](https://oxen.io/) om berichten op te slaan en te routeren. Elk versleuteld bericht wordt door drie knooppunten in het Oxen Service Node Network geleid, waardoor het voor de knooppunten vrijwel onmogelijk wordt zinvolle informatie te verzamelen over degenen die het netwerk gebruiken. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session maakt E2EE mogelijk in één-op-één chats of gesloten groepen met maximaal 100 leden. Open groepen hebben geen beperking wat het aantal leden betreft, maar zijn open van opzet. + +Session ondersteunt [geen](https://getsession.org/blog/session-protocol-technical-information) perfect forward secrecy, waarbij een encryptiesysteem de sleutels die het gebruikt om informatie te versleutelen en te ontsleutelen, automatisch en frequent wijzigt, zodat, indien de laatste sleutel wordt gecompromitteerd, een kleiner deel van de gevoelige informatie wordt blootgelegd. + +Oxen heeft een onafhankelijke audit aangevraagd voor Session in maart 2020. De audit [concludeerde](https://getsession.org/session-code-audit) in april van 2021: "Het algemene beveiligingsniveau van deze applicatie is goed en maakt het bruikbaar voor mensen die zich zorgen maken over privacy." + +Session heeft een [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) die de techniek van de app en het protocol beschrijft. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet open-source clients hebben. +- Moet standaard E2EE gebruiken voor privé-berichten. +- Moet E2EE ondersteunen voor alle berichten. +- Moet onafhankelijk gecontroleerd zijn. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet Perfect Forward Secrecy hebben. +- Moet open-source servers hebben. +- Moet gedecentraliseerd zijn, d.w.z. gefedereerd of P2P. +- Moet standaard E2EE gebruiken voor privé-berichten. +- Moet Linux, macOS, Windows, Android en iOS ondersteunen. diff --git a/i18n/nl/router.md b/i18n/nl/router.md new file mode 100644 index 00000000..2f86eef4 --- /dev/null +++ b/i18n/nl/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: Deze alternatieve besturingssystemen kunnen worden gebruikt om jouw router of Wi-Fi-toegangspunt te beveiligen. +--- + +Hieronder staan een paar alternatieve besturingssystemen, die gebruikt kunnen worden op routers, Wi-Fi access points, enz. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is een op Linux gebaseerd besturingssysteem; het wordt voornamelijk gebruikt op embedded apparaten om netwerkverkeer te routeren. De belangrijkste onderdelen zijn de Linux kernel, util-linux, uClibc, en BusyBox. Alle componenten zijn geoptimaliseerd voor afmetingen, zodat ze klein genoeg zijn om in de beperkte opslagruimte en het beperkte geheugen van thuisrouters te passen. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Broncode" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Bijdragen} + +Je kunt OpenWrt's [tabel van hardware](https://openwrt.org/toh/start) raadplegen om te controleren of jouw toestel ondersteund wordt. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is een open source, op FreeBSD gebaseerde firewall en routing platform dat veel geavanceerde functies bevat zoals traffic shaping, load balancing en VPN mogelijkheden, met nog veel meer functies beschikbaar in de vorm van plugins. OPNsense wordt gewoonlijk ingezet als perimeter firewall, router, draadloos toegangspunt, DHCP server, DNS server en VPN eindpunt. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Broncode" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Bijdrage leveren } + +OPNsense werd oorspronkelijk ontwikkeld als een fork van [pfSense](https://en.wikipedia.org/wiki/PfSense), en beide projecten staan bekend als vrije en betrouwbare firewall-distributies die mogelijkheden bieden die vaak alleen in dure commerciële firewalls te vinden zijn. De ontwikkelaars van OPNsense [, gelanceerd in 2015, noemden](https://docs.opnsense.org/history/thefork.html) een aantal beveiligings- en code-kwaliteitsproblemen met pfSense die volgens hen een fork van het project noodzakelijk maakten, evenals zorgen over de meerderheidsovername van pfSense door Netgate en de toekomstige richting van het pfSense-project. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Moet open source zijn. +- Moet regelmatig updates ontvangen. +- Moet een grote verscheidenheid aan hardware ondersteunen. diff --git a/i18n/nl/search-engines.md b/i18n/nl/search-engines.md new file mode 100644 index 00000000..97358a6a --- /dev/null +++ b/i18n/nl/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Zoekmachines" +icon: material/search-web +description: Deze privacy respecterende zoekmachines bouwen geen advertentieprofiel op basis van jouw zoekopdrachten. +--- + +Gebruik een zoekmachine die geen advertentieprofiel opbouwt op basis van jouw zoekopdrachten. + +De aanbevelingen hier zijn gebaseerd op de verdiensten van het privacybeleid van elke dienst. Er is **geen garantie** dat dit privacybeleid wordt nageleefd. + +Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org/) als jouw dreigingsmodel vereist dat je jouw IP-adres verbergt voor de zoekprovider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is ontwikkeld door Brave en levert voornamelijk resultaten van zijn eigen, onafhankelijke index. De index is geoptimaliseerd voor Google Search en kan daarom contextueel nauwkeurigere resultaten bieden dan andere alternatieven. + + Brave Search bevat unieke functies zoals Discussies, die resultaten accentueert die gericht zijn op conversatie, zoals forumberichten. + + Wij raden je aan [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) uit te schakelen, aangezien deze standaard is ingeschakeld en kan worden uitgeschakeld in de instellingen. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentatie} + +Brave Search is gevestigd in de Verenigde Staten. In hun [privacybeleid](https://search.brave.com/help/privacy-policy) staat dat zij geaggregeerde gebruiksgegevens verzamelen, waaronder het besturingssysteem en de gebruikte browser, maar dat geen persoonlijk identificeerbare informatie wordt verzameld. IP-adressen worden tijdelijk verwerkt, maar niet bewaard. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is een van de meer mainstream privé zoekmachine opties. Opmerkelijke DuckDuckGo-zoekfuncties zijn [bangs](https://duckduckgo.com/bang) en vele [instant antwoorden](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). De zoekmachine maakt gebruik van een commerciële Bing API voor de meeste resultaten, maar gebruikt ook talrijke [andere bronnen](https://help.duckduckgo.com/results/sources/) voor directe antwoorden en andere niet-primaire resultaten. + + DuckDuckGo is de standaard zoekmachine voor de Tor Browser en is één van de weinige beschikbare opties op Apple's Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentatie} + +DuckDuckGo is gevestigd in de Verenigde Staten. In hun [privacybeleid](https://duckduckgo.com/privacy) staat dat zij **wel** jouw zoekopdrachten registreren voor productverbetering, maar niet jouw IP-adres of enige andere persoonlijk identificeerbare informatie. + +DuckDuckGo biedt twee [andere versies](https://help.duckduckgo.com/features/non-javascript/) van hun zoekmachine, die beide geen JavaScript vereisen. Deze versies missen echter functies. Deze versies kunnen ook worden gebruikt in combinatie met hun [Tor onion adres](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) door [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) of [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) toe te voegen voor de respectieve versie. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is een open-source, zelf-hostbare, metasearch engine, die de resultaten van andere zoekmachines aggregeert, maar zelf geen informatie opslaat. Het is een actief onderhouden vork van [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Broncode" } + +SearXNG is een proxy tussen jij en de zoekmachines waarvan het aggregeert. Jouw zoekopdrachten zullen nog steeds worden verzonden naar de zoekmachines waar SearXNG zijn resultaten van krijgt. + +Bij zelf-hosting is het belangrijk dat er ook andere mensen gebruik maken van jouw instantie, zodat je op kunt gaan in de menigte. Je moet voorzichtig zijn met waar en hoe je SearXNG host, omdat mensen die illegale inhoud op jouw instantie opzoeken, ongewenste aandacht van de autoriteiten kunnen trekken. + +Wanneer je een SearXNG-instantie gebruikt, moet je zeker hun privacybeleid lezen. Aangezien SearXNG-instanties door hun eigenaars kunnen worden gewijzigd, weerspiegelen zij niet noodzakelijk hun privacybeleid. Sommige instanties draaien als een verborgen Tor-service, die enige privacy kan bieden zolang jouw zoekopdrachten geen PII bevatten. + +## Startpage + +!!! recommendation + + ![Startpage-logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage-logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is een private zoekmachine die bekend staat om haar Google zoekresultaten. Eén van Startpage's unieke eigenschappen is de [Anonymous View](https://www.startpage.com/en/anonymous-view/), die inspanningen levert om gebruikersactiviteit te standaardiseren zodat het moeilijker is om uniek geïdentificeerd te worden. De functie kan nuttig zijn voor het verbergen van [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) netwerk- en browsereigenschappen. In tegenstelling tot wat de naam suggereert, mag deze functie niet worden gebruikt voor anonimiteit. Als u op zoek bent naar anonimiteit, gebruik dan de [Tor Browser](tor.md#tor-browser). + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentatie} + +!!! warning + + Startpage beperkt regelmatig de toegang tot de dienst tot bepaalde IP adressen, zoals IPs gereserveerd voor VPNs of Tor. [DuckDuckGo](#duckduckgo) en [Brave Search](#brave-search) zijn vriendelijker opties als jouw dreigingsmodel vereist dat je jouw IP-adres verbergt voor de zoekprovider. + +Startpage is gevestigd in Nederland. Volgens hun [privacybeleid](https://www.startpage.com/en/privacy-policy/)loggen zij gegevens zoals: besturingssysteem, type browser, en taal. Zij slaan jouw IP-adres, zoekopdrachten of andere persoonlijk identificeerbare informatie niet op. + +Startpage's meerderheidsaandeelhouder is System1, een adtech bedrijf. Wij denken niet dat dit een probleem is, aangezien zij een duidelijk gescheiden [privacybeleid hebben](https://system1.com/terms/privacy-policy). Het Privacy Guides team heeft contact opgenomen met Startpage [in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) om eventuele zorgen weg te nemen over System1's aanzienlijke investering in de dienst. We waren tevreden met de antwoorden die we kregen. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +### Minimale vereisten + +- Mag geen persoonlijk identificeerbare informatie verzamelen volgens hun privacybeleid. +- Mag niet toestaan dat gebruikers bij hen een account aanmaken. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Moet gebaseerd zijn op open-source software. +- Mag geen Tor exit node IP adressen blokkeren. diff --git a/i18n/nl/tools.md b/i18n/nl/tools.md new file mode 100644 index 00000000..1f7ba41c --- /dev/null +++ b/i18n/nl/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Hulpmiddelen" +icon: material/tools +hide: + - toc +description: Privacy Guides is de meest transparante en betrouwbare website voor het vinden van software, apps en diensten die jouw persoonlijke gegevens beschermen tegen massa surveillance programma's en andere internetbedreigingen. +--- + +Als je op zoek bent naar een specifieke oplossing voor iets, dan zijn dit de hardware en software tools die wij aanbevelen in verschillende categorieën. Onze aanbevolen privacytools zijn in de eerste plaats gekozen op basis van beveiligingskenmerken, met extra nadruk op gedecentraliseerde en open-source tools. Ze zijn van toepassing op een verscheidenheid aan dreigingsmodellen, variërend van bescherming tegen wereldwijde massasurveillanceprogramma's en het vermijden van grote technologiebedrijven tot het beperken van aanvallen, maar alleen jij kunt bepalen wat het beste werkt voor jouw behoeften. + +Als je hulp wilt bij het uitzoeken van de beste privacytools en alternatieve programma's voor jouw behoeften, start dan een discussie op ons [forum](https://discuss.privacyguides.net/) of onze [Matrix](https://matrix.to/#/#privacyguides:matrix.org) gemeenschap! + +Voor meer details over elk project, waarom ze werden gekozen, en extra tips of trucs die we aanbevelen, klik op de "Meer informatie"-link in elke sectie, of klik op de aanbeveling zelf om naar die specifieke sectie van de pagina te gaan. + +## Tor Netwerk + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake verhoogt de privacy niet, maar stelt je wel in staat om eenvoudig bij te dragen aan het Tor-netwerk en mensen in gecensureerde netwerken te helpen betere privacy te bereiken. + +[Meer informatie :material-arrow-right-drop-circle:](tor.md) + +## Desktop webbrowsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Extra bronnen + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobiele webbrowsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Extra bronnen + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard voor iOS](mobile-browsers.md#adguard) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Besturingssystemen + +### Mobiel + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](router.md) + +## Dienstverleners + +### Cloud opslag + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +Wij [bevelen](dns.md#recommended-providers) een aantal versleutelde DNS servers aan op basis van verschillende criteria, zoals [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) en [Quad9](https://quad9.net/) onder andere. Wij raden je aan onze pagina's over DNS te lezen voordat je een provider kiest. In veel gevallen wordt het gebruik van een alternatieve DNS-provider niet aanbevolen. + +[Meer informatie :material-arrow-right-drop-circle:](dns.md) + +#### Versleutelde DNS-proxy + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Zelf gehoste oplossingen + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md) + +#### E-mail aliasing diensten + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Onze criteria + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financiële diensten + +#### Maskerende betalingsdiensten + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Meer informatie :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online marktplaatsen voor cadeaubonnen + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Zoekmachines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPN's zorgen niet voor anonimiteit" + + Het gebruik van een VPN houdt jouw surfgedrag niet anoniem, noch voegt het extra beveiliging toe aan niet-beveiligd (HTTP) verkeer. + + Als je op zoek bent naar **anonimiteit**, kunt je beter de Tor Browser **in plaats** van een VPN gebruiken. + + Als je op zoek bent naar extra **veiligheid**, moet je er altijd voor zorgen dat je verbinding maakt met websites via HTTPS. Een VPN is geen vervanging voor goede beveiligingspraktijken. + + [Meer informatie :material-arrow-right-drop-circle::](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Kalendersynchronisatie + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji }[Monero](cryptocurrency.md#monero) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Redactie van gegevens en metagegevens + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](data-redaction.md) + +### Email clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](email-clients.md) + +### Encryptie Software + +??? info "Schijfversleuteling besturingssysteem" + + Om de schijf van jouw besturingssysteem te versleutelen, raden wij je aan de versleutelingstool te gebruiken die jouw besturingssysteem biedt, of dat nu **BitLocker** in Windows, **FileVault** in macOS of **LUKS** in Linux is. Deze tools worden meegeleverd met het besturingssysteem en maken doorgaans gebruik van hardware-encryptie-elementen zoals een TPM, die andere software voor volledige schijfversleuteling, zoals VeraCrypt, niet gebruiken. VeraCrypt is nog steeds geschikt voor schijven die niet op een besturingssysteem werken, zoals externe schijven, vooral schijven die vanuit meerdere besturingssystemen kunnen worden benaderd. + + [Meer informatie :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP-clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Bestanden delen en synchroniseren + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](frontends.md) + +### Multi-factor authenticatie Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Nieuws Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![Gnome Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [Gnome Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![logo Newsboat](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notitieboekjes + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](notebooks.md) + +### Wachtwoord managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](passwords.md) + +### Productiviteitshulpmiddelen + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communicatie + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Apps + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/nl/tor.md b/i18n/nl/tor.md new file mode 100644 index 00000000..a52a1af3 --- /dev/null +++ b/i18n/nl/tor.md @@ -0,0 +1,117 @@ +--- +title: "Tor Netwerk" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +Het **Tor** netwerk is een groep servers beheerd door vrijwilligers waarmee je gratis verbinding kunt maken en je privacy en veiligheid op het internet kunt verbeteren. Individuen en organisaties kunnen ook informatie delen via het Tor-netwerk met ".onion hidden services" zonder hun privacy in gevaar te brengen. Omdat Tor-verkeer moeilijk te blokkeren en te traceren is, is Tor een effectief middel om censuur te omzeilen. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ [:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Broncode" } } [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Bijdragen } + +Tor werkt door je internetverkeer om te leiden via deze door vrijwilligers beheerde servers, in plaats van een directe verbinding te maken met de site die je probeert te bezoeken. Dit versluiert waar het verkeer vandaan komt, en geen enkele server in het verbindingspad kan het volledige pad zien van waar het verkeer vandaan komt en naartoe gaat, wat betekent dat zelfs de servers die je gebruikt om verbinding te maken jouw anonimiteit niet kunnen doorbreken. + +[Gedetailleerd Tor-overzicht :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Verbinding maken met Tor + +Er zijn verschillende manieren om verbinding te maken met het Tor-netwerk vanaf je apparaat. De meest gebruikte is de **Tor Browser**, een fork van Firefox ontworpen voor anoniem browsen voor desktop computers en Android. Naast de onderstaande apps zijn er ook besturingssystemen die speciaal zijn ontworpen om verbinding te maken met het Tor-netwerk, zoals [Whonix](desktop.md#whonix) op [Qubes OS](desktop.md#qubes-os), die nog meer veiligheid en bescherming bieden dan de standaard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is de keuze als je anonimiteit nodig hebt, omdat het je toegang geeft tot het Tor netwerk en bruggen, en het bevat standaard instellingen en extensies die automatisch geconfigureerd worden door de standaard beveiligingsniveaus: *Standard*, *Safer* en *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentatie } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Broncode" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger "Gevaar" + + Je moet **nooit** extra extensies installeren op Tor Browser of `about:config` instellingen bewerken, inclusief de extensies die we voorstellen voor Firefox. Browserextensies en niet-standaardinstellingen zorgen ervoor dat je je onderscheidt van anderen op het Tor-netwerk, waardoor je browser gemakkelijker te vinden is op [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +De Tor Browser is ontworpen om fingerprinting, of het identificeren van jou op basis van je browserconfiguratie, te voorkomen. **Daarom is het absoluut noodzakelijk dat je** de browser niet wijzigt buiten de standaard [beveiligingsniveaus](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is een gratis Tor VPN voor smartphones die het verkeer van elke app op je toestel door het Tor-netwerk leidt. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentatie} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Broncode" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Bijdragen } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips voor Android" + + Orbot kan individuele apps proxyen als ze SOCKS of HTTP proxying ondersteunen. Het kan ook al uw netwerkverbindingen proxyen met behulp van [VpnService](https://developer.android.com/reference/android/net/VpnService) en kan worden gebruikt met de VPN killswitch in :gear: **Instellingen** → **Netwerk & internet** → **VPN** → :gear: → **Blokkeer verbindingen zonder VPN**. + + Orbot is vaak verouderd op de [F-Droid repository](https://guardianproject.info/fdroid) en [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) van het Guardian Project, dus overweeg in plaats daarvan direct te downloaden van de [GitHub repository](https://github.com/guardianproject/orbot/releases). + + Alle versies zijn ondertekend met dezelfde handtekening, zodat ze onderling compatibel zouden moeten zijn. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Met Snowflake** kun je bandbreedte doneren aan het Tor Project door een "Snowflake proxy" in je browser te gebruiken. + + Mensen die gecensureerd worden kunnen Snowflake proxies gebruiken om verbinding te maken met het Tor-netwerk. Snowflake is een geweldige manier om bij te dragen aan het netwerk, zelfs als je niet de technische know-how hebt om een Tor relay of bridge te runnen. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentatie} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Broncode" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Documentatie} + + ??? downloads "Downloaden" + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Laat deze pagina open om een Snowflake proxy te zijn") + +??? tip "Embedded Snowflake" + + Je kunt Snowflake in jouw browser inschakelen door op de schakelaar hieronder te klikken en ==deze pagina open laten==. Je kunt Snowflake ook installeren als een browserextensie om het altijd te laten draaien terwijl jouw browser open is, maar het toevoegen van extensies van derden kan uw aanvalsoppervlak vergroten. + +
+ Als de embed niet voor je verschijnt, zorg er dan voor dat je het frame van derden van `torproject.org` niet blokkeert. Of bezoek [deze pagina](https://snowflake.torproject.org/embed.html). + +Snowflake verhoogt jouw privacy op geen enkele manier, en wordt ook niet gebruikt om verbinding te maken met het Tor-netwerk binnen jouw persoonlijke browser. Als jouw internetverbinding echter ongecensureerd is, zou je moeten overwegen het te gebruiken om mensen in gecensureerde netwerken te helpen zelf betere privacy te krijgen. Je hoeft je geen zorgen te maken over welke websites mensen via je proxy bezoeken- hun zichtbare surf IP adres zal overeenkomen met hun Tor exit node, niet met die van jou. + +Het runnen van een Snowflake proxy is weinig riskant, zelfs meer dan het runnen van een Tor relay of bridge, wat al geen bijzonder riskante onderneming is. Het stuurt echter nog steeds verkeer door jouw netwerk, wat in sommige opzichten gevolgen kan hebben, vooral als jouw netwerk een beperkte bandbreedte heeft. Zorg ervoor dat je [begrijpt hoe Snowflake werkt](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) voordat je beslist of je een proxy wilt gebruiken. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/nl/video-streaming.md b/i18n/nl/video-streaming.md new file mode 100644 index 00000000..17fed8b7 --- /dev/null +++ b/i18n/nl/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Videostreaming" +icon: material/video-wireless +description: Met deze netwerken kunt je internet content streamen zonder een advertentieprofiel op te bouwen op basis van jouw interesses. +--- + +Het grootste gevaar bij het gebruik van een videostreamingplatform is dat uw streaminggewoonten en abonneelijsten kunnen worden gebruikt om u te profileren. Je zou deze tools moeten combineren met een [VPN](vpn.md) of [Tor](https://www.torproject.org/) om het moeilijker te maken je gebruik te profileren. + +## Cliënten + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **Het LBRY netwerk** is een gedecentraliseerd video-sharing netwerk. Het gebruikt een [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-achtig netwerk om de video-inhoud op te slaan, en een [blockchain](https://wikipedia.org/wiki/Blockchain) om de indexen voor die video's op te slaan. Het belangrijkste voordeel van dit ontwerp is de censuurbestendigheid. + + **De LBRY desktop client** helpt je bij het streamen van video's van het LBRY netwerk en slaat jouw abonnementenlijst op in jouw eigen LBRY portemonnee. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Alleen de **LBRY desktop client** wordt aanbevolen, aangezien de [Odysee](https://odysee.com) website en de LBRY clients in F-Droid, Play Store, en de App Store verplichte synchronisatie en telemetrie hebben. + +!!! warning + + Tijdens het bekijken en hosten van video's is jouw IP-adres zichtbaar voor het LBRY-netwerk. Overweeg het gebruik van een [VPN](vpn.md) of [Tor](https://www.torproject.org) als jouw [bedreigingsmodel](basics/threat-modeling.md) het verbergen van jouw IP-adres vereist. + +Wij adviseren **tegen** het synchroniseren van jouw portemonnee met LBRY Inc., omdat het synchroniseren van versleutelde portemonnees nog niet wordt ondersteund. Als je je portemonnee synchroniseert met LBRY Inc., moet je erop vertrouwen dat ze niet in je abonnementenlijst kijken, [LBC](https://lbry.com/faq/earn-credits) fondsen, of de controle over je kanaal overnemen. + +Je kunt de optie *Hostinggegevens opslaan om het LBRY-netwerk te helpen* uitschakelen in :gear: **Instellingen** → **Geavanceerde instellingen**, om te voorkomen dat jouw IP-adres en bekeken video's worden blootgesteld wanneer je LBRY langere tijd gebruikt. + +## Criteria + +**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +!!! example "Deze sectie is nieuw" + + We werken aan het vaststellen van gedefinieerde criteria voor elk deel van onze site, en dit kan onderhevig zijn aan verandering. Als je vragen hebt over onze criteria, stel ze dan [op ons forum](https://discuss.privacyguides.net/latest) en neem niet aan dat we iets niet in overweging hebben genomen bij het opstellen van onze aanbevelingen als het hier niet vermeld staat. Er zijn veel factoren die worden overwogen en besproken wanneer wij een project aanbevelen, en het documenteren van elke factor is een werk in uitvoering. + +- Mag geen gecentraliseerde account vereisen om video's te bekijken. + - Gedecentraliseerde authenticatie, bijvoorbeeld via de privésleutel van een mobiele portemonnee, is aanvaardbaar. diff --git a/i18n/nl/vpn.md b/i18n/nl/vpn.md new file mode 100644 index 00000000..7e087ace --- /dev/null +++ b/i18n/nl/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN-diensten" +icon: material/vpn +description: Dit zijn de beste VPN-diensten om jouw privacy en veiligheid online te beschermen. Vind hier een provider die er niet op uit is om je te bespioneren. +--- + +Als je op zoek bent naar extra **privacy** van uw ISP, op een openbaar Wi-Fi-netwerk, of tijdens het torrenten van bestanden, kan een VPN de oplossing voor je zijn, zolang je de risico's ervan begrijpt. Wij denken dat deze aanbieders een stuk beter zijn dan de rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPN's zorgen niet voor anonimiteit" + + Het gebruik van een VPN houdt jouw surfgedrag niet anoniem, ook voegt het geen extra beveiliging toe aan niet-beveiligd (HTTP) verkeer. + + Als je op zoek bent naar **anonimiteit**, moet je de Tor Browser gebruiken **in plaats** van een VPN. + + Als je op zoek bent naar extra **veiligheid**, moet je er altijd voor zorgen dat je verbinding maakt met websites via HTTPS. Een VPN is geen vervanging voor goede beveiligingspraktijken. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Mythen & FAQ](advanced/tor-overview.md){ .md-button } + +[Gedetailleerd VPN-overzicht :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Aanbevolen Providers + +Onze aanbevolen providers gebruiken encryptie, accepteren Monero, ondersteunen WireGuard & OpenVPN, en hebben een no logging beleid. Lees onze [volledige lijst met criteria](#criteria) voor meer informatie. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is een premium VPN-provider en zijn actief sinds 2009. IVPN is gevestigd in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Landen + +IVPN heeft [servers in 35 landen](https://www.ivpn.net/server-locations).(1) Door een VPN-provider te kiezen met een server die het dichtst bij je in de buurt staat, verminder je de vertraging van het netwerkverkeer die je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming. +{ .annotate } + +1. Laatst gecontroleerd: 2022-09-16 + +Wij denken ook dat het beter is voor de veiligheid van de privésleutels van de VPN-provider als ze [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde servers (met andere klanten) zoals [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Onafhankelijk geaudit + +IVPN heeft een [no-logging audit ondergaan van Cure53](https://cure53.de/audit-report_ivpn.pdf) die concludeerde in overeenstemming met de no-logging claim van IVPN. IVPN heeft ook een [uitgebreid pentest rapport afgerond Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in januari 2020. IVPN heeft ook gezegd dat het van plan is om in de toekomst [jaarverslagen](https://www.ivpn.net/blog/independent-security-audit-concluded) te publiceren. In april 2022 werd een verdere evaluatie uitgevoerd [](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) en door Cure53 [geproduceerd op hun website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-source clients + +Vanaf februari 2020 zijn [IVPN-toepassingen nu open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Broncode kan worden verkregen van hun [GitHub organisatie](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepteert contant geld en Monero + +Mullvad accepteert naast creditcards en PayPal ook Bitcoin, Bitcoin Cash, **Monero** en **contant geld/lokale valuta** als anonieme vormen van betaling. + +#### :material-check:{ .pg-green } WireGuard ondersteuning + +IVPN ondersteunt het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van geavanceerde [cryptografie](https://www.wireguard.com/protocol/). Bovendien streeft WireGuard ernaar om eenvoudiger en sneller te zijn. + +IVPN [adviseert](https://www.ivpn.net/wireguard/) het gebruik van WireGuard met hun dienst en daarom is het protocol de standaard op alle apps van IVPN. IVPN biedt ook een WireGuard configuratie generator voor gebruik met de officiële WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is mogelijk met een Pro-abonnement. Port forwarding [kan](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) geactiveerd worden via de client area. Port forwarding is alleen beschikbaar op IVPN bij gebruik van WireGuard- of OpenVPN-protocollen en is [uitgeschakeld op Amerikaanse servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobiele Clients + +Naast het leveren van standaard OpenVPN-configuratiebestanden, heeft IVPN mobiele clients voor [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), en [GitHub](https://github.com/ivpn/android-app/releases) die gemakkelijke verbindingen met hun servers mogelijk maken. + +#### :material-information-outline:{ .pg-blue } Aanvullende functionaliteit + +IVPN-clients ondersteunen tweefactorauthenticatie (de clients van Mullvad niet). IVPN biedt ook "[AntiTracker](https://www.ivpn.net/antitracker)" functionaliteit, die advertentienetwerken en trackers op netwerkniveau blokkeert. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is een snelle en goedkope VPN met een serieuze focus op transparantie en veiligheid. Zij zijn in bedrijf sinds **2009**. Mullvad is gevestigd in Zweden en heeft geen gratis proefversie. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacybeleid" }. + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Landen + +Mullvad heeft [servers in 41 landen](https://mullvad.net/servers/).(1) Door een VPN-provider te kiezen met een server die het dichtst bij je in de buurt staat, verminder je de vertraging van het netwerkverkeer die je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming. +{ .annotate } + +1. Laatst gecontroleerd: 2023-01-19 + +Wij denken ook dat het beter is voor de veiligheid van de privésleutels van de VPN-provider als ze [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde servers (met andere klanten) zoals [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Onafhankelijk geaudit + +De VPN-clients van Mullvad zijn geaudit door Cure53 en Assured AB in een pentest-rapport [gepubliceerd op cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). De beveiligingsonderzoekers concludeerden: + +> Cure53 en Assured AB zijn blij met de resultaten van de audit en de software laat over het algemeen een positieve indruk achter. Dankzij de inzet van het interne team van Mullvad VPN, twijfelen de testers er niet aan dat het project vanuit een beveiligingsoogpunt op het juiste spoor zit. + +In 2020 werd een tweede audit [aangekondigd](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) en werd het [definitieve auditverslag ](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) beschikbaar gesteld op de website van Cure53: + +> De resultaten van dit mei-juni 2020-project gericht op het Mullvad-complex zijn vrij positief. [...] Het totale applicatie-ecosysteem dat door Mullvad wordt gebruikt, laat een goede en gestructureerde indruk achter. De algemene structuur van de applicatie maakt het gemakkelijk om patches en fixes op een gestructureerde manier uit te rollen. De bevindingen van Cure53 laten vooral zien hoe belangrijk het is om de huidige lekken voortdurend te controleren en opnieuw te beoordelen, om de privacy van de eindgebruikers altijd te waarborgen. Dat gezegd hebbende, Mullvad beschermt de eindgebruiker uitstekend tegen veelvoorkomende lekken van PII en privacygerelateerde risico's. + +In 2020 werd een infstrastructuuraudit [aangekondigd](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) en werd het [definitieve auditverslag ](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) beschikbaar gesteld op de website van Cure53. Een ander rapport werd in opdracht gegeven [in juni 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) en is beschikbaar op [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-source clients + +Mullvad levert de broncode voor hun desktop en mobiele clients in hun [GitHub organisatie](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepteert contant geld en Monero + +Mullvad accepteert naast creditcards en PayPal ook Bitcoin, Bitcoin Cash, **Monero** en **contant geld/lokale valuta** als anonieme vormen van betaling. Ze aanvaarden ook Swish en bankoverschrijvingen. + +#### :material-check:{ .pg-green } WireGuard ondersteuning + +Mullvad ondersteunt het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van geavanceerde [cryptografie](https://www.wireguard.com/protocol/). Bovendien streeft WireGuard ernaar om eenvoudiger en sneller te zijn. + +Mullvad [adviseert](https://mullvad.net/en/help/why-wireguard/) het gebruik van WireGuard met hun dienst. Het is het standaard of enige protocol op Mullvad's Android, iOS, macOS en Linux apps, maar op Windows moet je [handmatig](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard inschakelen. Mullvad biedt ook een WireGuard configuratiegenerator voor gebruik met de officiële WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6-ondersteuning + +Mullvad ondersteunt de toekomst van netwerken [IPv6](https://en.wikipedia.org/wiki/IPv6). Hun netwerk geeft u [toegang tot diensten die gehost worden op IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) in tegenstelling tot andere providers die IPv6-verbindingen blokkeren. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is toegestaan voor mensen die eenmalige betalingen doen, maar niet voor rekeningen met een terugkerende/abonnementsgebaseerde betalingsmethode. Dit is om te voorkomen dat Mullvad je kan identificeren op basis van jouw poortgebruik en opgeslagen abonnementsinformatie. Zie [Port forwarding met Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) voor meer informatie. + +#### :material-check:{ .pg-green } Mobiele Clients + +Mullvad heeft [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) en [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients gepubliceerd, die beide een gebruiksvriendelijke interface ondersteunen in plaats van dat je jouw WireGuard-verbinding handmatig moet configureren. De Android client is ook beschikbaar op [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Aanvullende functionaliteit + +Mullvad is zeer transparant over welke knooppunten zij [bezitten of huren](https://mullvad.net/en/servers/). Ze gebruiken [ShadowSocks](https://shadowsocks.org/) in hun ShadowSocks + OpenVPN-configuratie, waardoor ze beter bestand zijn tegen firewalls met [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) die VPN's proberen te blokkeren. Vermoedelijk moet [China een andere methode gebruiken om ShadowSocks servers te blokkeren](https://github.com/net4people/bbs/issues/22). Mullvad's website is ook toegankelijk via Tor via [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is een sterke speler in de VPN-ruimte en is in bedrijf sinds 2016. Proton AG is gevestigd in Zwitserland en biedt een beperkte gratis versie aan en ook een meer uitgebreide premium optie. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacybeleid" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentatie} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Broncode" } + + ??? downloads "Downloaden" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Landen + +Proton VPN heeft [servers in 67 landen](https://protonvpn.com/vpn-servers).(1) Door een VPN-provider te kiezen met een server die het dichtst bij je in de buurt staat, verminder je de vertraging van het netwerkverkeer die je verstuurt. Dit komt door een kortere route (minder hops) naar de bestemming. +{ .annotate } + +1. Laatst gecontroleerd: 2022-09-16 + +Wij denken ook dat het beter is voor de veiligheid van de privésleutels van de VPN-provider als ze [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service) gebruiken, in plaats van goedkopere gedeelde servers (met andere klanten) zoals [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Onafhankelijk geaudit + +Vanaf januari 2020, heeft Proton VPN een onafhankelijke audit door SEC Consult ondergaan. SEC Consult vond enkele kwetsbaarheden met een gemiddeld en laag risico in de Windows-, Android- en iOS-applicaties van Proton VPN, die allemaal door Proton VPN "naar behoren waren verholpen" voordat de rapporten werden gepubliceerd. Geen van de geconstateerde problemen zou een aanvaller op afstand toegang hebben verschaft tot jouw apparaat of verkeer. Je kunt individuele rapporten voor elk platform bekijken op [protonvpn.com](https://protonvpn.com/blog/open-source/). In april 2022 onderging Proton VPN [nog een audit](https://protonvpn.com/blog/no-logs-audit/) en het rapport werd [opgesteld door Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). Een [attestatiebrief](https://proton.me/blog/security-audit-all-proton-apps) werd op 9 november 2021 voor de apps van Proton VPN verstrekt door [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-source clients + +Proton VPN levert de broncode voor hun desktop en mobiele clients in hun [GitHub organisatie](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepteert contant geld + +Proton VPN accepteert, naast credit/debit cards, PayPal en [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), ook **contant geld** als anonieme vorm van betaling. + +#### :material-check:{ .pg-green } WireGuard ondersteuning + +Proton VPN ondersteunt hoofdzakelijk het WireGuard® protocol. [WireGuard](https://www.wireguard.com) is een nieuwer protocol dat gebruik maakt van geavanceerde [cryptografie](https://www.wireguard.com/protocol/). Bovendien streeft WireGuard ernaar om eenvoudiger en sneller te zijn. + +Proton VPN [adviseert](https://protonvpn.com/blog/wireguard/) het gebruik van WireGuard met hun dienst. Op de Windows, macOS, iOS, Android, ChromeOS en Android TV apps van Proton VPN is WireGuard het standaardprotocol; [ondersteuning](https://protonvpn.com/support/how-to-change-vpn-protocols/) voor het protocol is echter niet aanwezig in hun Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN ondersteunt momenteel alleen remote [port forwarding](https://protonvpn.com/support/port-forwarding/) op Windows, wat van invloed kan zijn op sommige toepassingen. Vooral Peer-to-peer-toepassingen zoals Torrent-cliënten. + +#### :material-check:{ .pg-green } Mobiele Clients + +Naast het leveren van standaard OpenVPN-configuratiebestanden, heeft Proton VPN mobiele clients voor [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), en [GitHub](https://github.com/ProtonVPN/android-app/releases) die eenvoudige verbindingen met hun servers mogelijk maken. + +#### :material-information-outline:{ .pg-blue } Aanvullende functionaliteit + +Proton VPN heeft eigen servers en datacenters in Zwitserland, IJsland en Zweden. Ze bieden adblocking en het blokkeren van bekende malware domeinen met hun DNS service. Ze bieden adblocking en blokkering van bekende malwaredomeinen met hun DNS-dienst. Bovendien biedt Proton VPN ook "Tor" -servers waarmee je eenvoudig verbinding kunt maken met. onion sites, maar we raden je nog steeds ten zeerste aan om hiervoor [de officiële Tor Browser](https://www.torproject.org/) te gebruiken. + +#### :material-alert-outline:{ .pg-orange } Killswitch-functie is kapot op Intel-gebaseerde Macs + +Systeemcrashes [kunnen optreden](https://protonvpn.com/support/macos-t2-chip-kill-switch/) op Intel-gebaseerde Macs bij het gebruik van de VPN killswitch. Als je deze functie nodig hebt, en je gebruikt een Mac met Intel-chipset, moet je overwegen een andere VPN-dienst te gebruiken. + +## Criteria + +!!! danger "Gevaar" + + Het is belangrijk op te merken dat het gebruik van een VPN provider je niet anoniem maakt, maar het geeft je wel een betere privacy in bepaalde situaties. Een VPN is geen instrument voor illegale activiteiten. Vertrouw niet op een "no log" beleid. + +**Wij zijn niet verbonden aan de providers die wij aanbevelen. Hierdoor kunnen wij volledig objectieve aanbevelingen doen.** Naast [onze standaardcriteria](about/criteria.md), hebben we een duidelijke reeks vereisten ontwikkeld voor elke VPN-provider die aanbevolen wil worden, waaronder sterke encryptie, onafhankelijke beveiligingsaudits, moderne technologie en meer. Wij raden je aan deze lijst goed door te nemen voordat je een VPN-provider kiest, en jouw eigen onderzoek te doen om er zeker van te zijn dat de VPN-provider die je kiest zo betrouwbaar mogelijk is. + +### Technologie + +Wij eisen dat al onze aanbevolen VPN-providers OpenVPN-configuratiebestanden leveren die in elke client kunnen worden gebruikt. **Als** een VPN met een eigen aangepaste client aanbiedt, is een killswitch vereist om het lekken van netwerkgegevens te blokkeren wanneer de verbinding wordt verbroken. + +**Minimum om in aanmerking te komen:** + +- Ondersteuning voor sterke protocollen zoals WireGuard & OpenVPN. +- Killswitch ingebouwd in clients. +- Multihop ondersteuning. Multihopping is belangrijk om gegevens privé te houden in het geval van een compromittering door één knooppunt. +- Als er VPN-clients worden verstrekt, moeten dat [open-source](https://en.wikipedia.org/wiki/Open_source)zijn, zoals de VPN-software die er doorgaans in is ingebouwd. Wij zijn van mening dat de beschikbaarheid van [broncode](https://en.wikipedia.org/wiki/Source_code) meer transparantie biedt over wat uw apparaat feitelijk doet. + +**Beste geval:** + +- Ondersteuning voor WireGuard en OpenVPN. +- Killswitch met in hoge mate configureerbare opties (inschakelen/uitschakelen op bepaalde netwerken, bij opstarten, enz.) +- Gemakkelijk te gebruiken VPN-clients +- Ondersteunt [IPv6](https://en.wikipedia.org/wiki/IPv6). Wij verwachten dat servers inkomende verbindingen via IPv6 zullen toestaan en u toegang zullen verschaffen tot diensten die op IPv6-adressen worden gehost. +- De mogelijkheid van [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) helpt bij het maken van verbindingen bij het gebruik van P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software, Freenet, of het hosten van een server (bv. Mumble). + +### Privacy + +Wij geven er de voorkeur aan dat de door ons aanbevolen aanbieders zo weinig mogelijk gegevens verzamelen. Er worden geen persoonlijke gegevens verzameld bij de registratie en er worden anonieme betalingsvormen aanvaard. + +**Minimum om in aanmerking te komen:** + +- [Anonieme cryptocurrency](cryptocurrency.md) **of** cash betalingsoptie. +- Geen persoonlijke informatie nodig om te registreren: Hooguit gebruikersnaam, wachtwoord en e-mail. + +**Beste geval:** + +- Accepteert meerdere [anonieme betalingsopties](advanced/payments.md). +- Er wordt geen persoonlijke informatie geaccepteerd (automatisch gegenereerde gebruikersnaam, geen e-mail vereist, enz.). + +### Veiligheid + +Een VPN is zinloos als het niet eens voldoende beveiliging kan bieden. Wij eisen van al onze aanbevolen providers dat zij zich houden aan de huidige beveiligingsstandaarden voor hun OpenVPN-verbindingen. Idealiter zouden zij standaard meer toekomstbestendige encryptiesystemen gebruiken. Wij eisen ook dat een onafhankelijke derde partij de beveiliging van de aanbieder controleert, idealiter op zeer uitgebreide wijze en herhaaldelijk (jaarlijks). + +**Minimum om in aanmerking te komen:** + +- Sterke coderingsschema's: OpenVPN met SHA-256 authenticatie; RSA-2048 of betere handshake; AES-256-GCM of AES-256-CBC data-encryptie. +- Perfect Forward Secrecy (PFS). +- Gepubliceerde veiligheidscontroles van een gerenommeerde derde partij. + +**Beste geval:** + +- Sterkste encryptie: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Uitgebreide gepubliceerde veiligheidscontroles door een gerenommeerde derde partij. +- Programma's voor bug-bounty's en/of een gecoördineerd proces voor de openbaarmaking van kwetsbaarheden. + +### Vertrouwen + +Je zou jouw financiën niet toevertrouwen aan iemand met een valse identiteit, dus waarom zou je hen jouw internetgegevens toevertrouwen? Wij eisen van onze aanbevolen aanbieders dat zij hun eigendom of leiderschap openbaar maken. Wij zouden ook graag zien dat regelmatig verslag wordt uitgebracht over de transparantie, met name wat betreft de wijze waarop verzoeken van de overheid worden behandeld. + +**Minimum om in aanmerking te komen:** + +- Publiekelijk leiderschap of eigendom. + +**Beste geval:** + +- Publieksgericht leiderschap. +- Frequente transparantieverslagen. + +### Marketing + +Bij de VPN providers die wij aanbevelen zien wij graag verantwoorde marketing. + +**Minimum om in aanmerking te komen:** + +- Moet zelf analytics hosten (d.w.z., geen Google Analytics). De site van de aanbieder moet ook voldoen aan [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) voor mensen die zich willen afmelden. + +Mag geen marketing hebben die onverantwoord is: + +- Garanties van 100% bescherming van de anonimiteit. Wanneer iemand beweert dat iets 100% is, betekent dit dat er geen zekerheid is voor mislukking. We weten dat mensen zichzelf vrij gemakkelijk kunnen deanonimiseren op een aantal manieren, bv.: + - Hergebruik van persoonlijke informatie (bv. e-mailaccounts, unieke pseudoniemen, enz.) waartoe zij toegang hadden zonder anonimiteitssoftware (Tor, VPN, enz.) + - [Browser vingerafdrukken](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Beweren dat een VPN met één circuit "anoniemer" is dan Tor, dat een circuit van drie of meer hops is dat regelmatig verandert. +- Gebruik verantwoordelijk taalgebruik: d.w.z. het is oké om te zeggen dat een VPN "losgekoppeld" of "niet aangesloten" is, maar beweren dat iemand "blootgesteld", "kwetsbaar" of "gecompromitteerd" is, is nodeloos gebruik van alarmerende taal die onjuist kan zijn. Die persoon kan bijvoorbeeld gewoon gebruik maken van de service van een andere VPN-provider of Tor gebruiken. + +**Beste geval:** + +Verantwoorde marketing die zowel educatief als nuttig is voor de consument zou kunnen bestaan uit: + +- Een nauwkeurige vergelijking met wanneer Tor of andere [op zichzelf staande netwerken](tor.md) moeten worden gebruikt. +- Beschikbaarheid van de website van de VPN-provider via een .onion [Verborgen service](https://en.wikipedia.org/wiki/.onion) + +### Extra functionaliteit + +Hoewel het geen strikte vereisten zijn, zijn er enkele factoren die wij in aanmerking hebben genomen bij het bepalen van de aanbieders die wij aanbevelen. Deze omvatten adblocking/tracker-blocking-functionaliteit, warrant canaries, multihop-verbindingen, uitstekende klantenondersteuning, het aantal toegestane gelijktijdige verbindingen, enz. diff --git a/i18n/pl/404.md b/i18n/pl/404.md new file mode 100644 index 00000000..3c0a285c --- /dev/null +++ b/i18n/pl/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Nie znaleziono + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Wprowadzenie do modelowania zagrożeń](basics/threat-modeling.md) +- [Polecani dostawcy DNS](dns.md) +- [Najlepsze przeglądarki internetowe na komputer](desktop-browsers.md) +- [Najlepszy VPN](vpn.md) +- [Forum Privacy Guides](https://discuss.privacyguides.net) +- [Nasz blog](https://blog.privacyguides.org) diff --git a/i18n/pl/CODE_OF_CONDUCT.md b/i18n/pl/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/pl/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/pl/about/criteria.md b/i18n/pl/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/pl/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/pl/about/donate.md b/i18n/pl/about/donate.md new file mode 100644 index 00000000..192953b8 --- /dev/null +++ b/i18n/pl/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Wspieranie nas +--- + + +Potrzeba wiele [osób](https://github.com/privacyguides/privacyguides.org/graphs/contributors) oraz sporo [pracy](https://github.com/privacyguides/privacyguides.org/pulse/monthly), aby na bieżąco aktualizować Privacy Guides oraz udostępniać informacje o prywatności i masowej inwigilacji. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Na Open Collective możesz płacić poprzez karty płatnicze, PayPal oraz przelewy bankowe. + +[Przekaż darowiznę na OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Wspieranie przez GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Wspierający + +Szczególne podziękowania kierujemy do każdej osoby, która wspiera naszą misję! :heart: + +*Uwaga: Ta sekcja wczytuje widżet bezpośrednio z Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## Na co przeznaczamy darowizny + +Privacy Guides to organizacja **pożytku publicznego**. Przeznaczamy darowizny na różne cele, w tym: + +**Rejestracja domen** +: + +Posiadamy kilka domen, takich jak `privacyguides.org`, których utrzymanie rejestracji kosztuje nas około 10 dolarów rocznie. + +**Hosting WWW** +: + +Ruch na tej witrynie zużywa setki gigabajtów danych miesięcznie, a do obsługi tak dużego ruchu korzystamy z usług różnych dostawców usług. + +**Usługi online** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Zakup produktów** +: + +Od czasu do czasu kupujemy produkty oraz usługi w celu przetestowania naszych [polecanych narzędzi](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/pl/about/index.md b/i18n/pl/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/pl/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/pl/about/notices.md b/i18n/pl/about/notices.md new file mode 100644 index 00000000..bac0666e --- /dev/null +++ b/i18n/pl/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Zastrzeżenie prawne + +Privacy Guides nie jest kancelarią prawną. W związku z tym, strona internetowa Privacy Guides oraz jej współtwórcy nie udzielają porad prawnych. Materiały i zalecenia umieszczone na naszej stronie internetowej oraz w poradnikach nie stanowią porady prawnej, a współtworzenie strony internetowej oraz komunikowanie się z Privacy Guides lub innymi współtwórcami w sprawach dotyczących strony internetowej nie ustanawiają relacji prawnik-klient. + +Prowadzenie tej strony, jak każde ludzkie przedsięwzięcie, wiąże się z niepewnością i kompromisami. Mamy nadzieję, że ta strona internetowa jest pomocna, ale może zawierać pomyłki i może nie odnosić się do każdej sytuacji. Jeśli masz jakiekolwiek pytania dotyczące swojej sytuacji, zachęcamy do przeprowadzenia własnego rozeznania, skonsultowania z innymi ekspertami oraz wzięcia udziału w dyskusjach ze społecznością Privacy Guides. Jeśli masz jakiekolwiek zapytania prawne, należy skonsultować się ze swoim własnym radcą prawnym przed podjęciem dalszych działań. + +Privacy Guides to projekt o otwartym źródle współtworzony na licencjach, które zawierają warunki, które w celu ochrony strony internetowej oraz jej współtwórców, jasno stwierdzają, że projekt Privacy Guides i strona internetowa są oferowane "tak jak są", bez gwarancji oraz zrzekają się odpowiedzialności poniesionej z uwagi na szkody powstałe w wyniku korzystania ze strony internetowej oraz jakichkolwiek rekomendacji na niej zawartych. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Ponadto Privacy Guides nie gwarantuje że strona internetowa będzie dostępna cały czas lub wcale. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Nie dotyczy to kodu z zewnętrznych źródeł osadzonego w tym repozytorium lub kodu, w którym określono inną licencję zastępczą. Poniżej przedstawiono warte uwagi przykłady, ale ta lista może nie być wyczerpująca: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. Znaki towarowe marki Privacy Guides obejmują znak słowny "Privacy Guides" oraz logo tarczy. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Uważamy, że loga i inne obrazy w `zasobach` pozyskanych od zewnętrznych dostawców znajdują się w domenie publicznej lub zaliczają się do **dozwolonego użytku**. W skrócie, prawnie [dozwolony użytek](https://www.copyright.gov/fair-use/more-info.html) umożliwia używanie zastrzeżonych prawem autorskim treści w celu identyfikacji tematu na potrzeby wyrażenia publicznej opinii. Jednakże te loga i inne obrazy mogą nadal podlegać prawom dotyczącym znaków towarowych w jednej lub kilku jurysdykcjach. Przed wykorzystaniem tych treści należy upewnić się, że służą one identyfikacji podmiotu lub organizacji będącej właścicielem znaku towarowego oraz że masz prawo do ich wykorzystania zgodnie z przepisami prawa, które mają zastosowanie w okolicznościach zamierzonego wykorzystania. *Kopiując treści z tej strony internetowej ponosisz wyłączną odpowiedzialność za zapewnienie, że nie naruszasz cudzego znaku towarowego lub prawa autorskiego.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/pl/about/privacy-policy.md b/i18n/pl/about/privacy-policy.md new file mode 100644 index 00000000..c1522756 --- /dev/null +++ b/i18n/pl/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Polityka prywatności" +--- + +Privacy Guides to projekt społecznościowy prowadzony przez wielu aktywnych wolontariuszy. Publiczna lista członków zespołu [jest dostępna na GitHub](https://github.com/orgs/privacyguides/people). + +## Dane zbierane od odwiedzających + +Prywatność osób odwiedzających naszą witrynę jest dla nas ważna, więc nie śledzimy żadnych indywidualnych osób. Gdy odwiedzasz naszą witrynę: + +- Nie zbieramy o Tobie żadnych danych osobowych +- No information such as cookies are stored in the browser +- Nie udostępniamy, nie przesyłamy i nie sprzedajemy żadnych informacji zewnętrznym podmiotom +- Nie udostępniamy żadnych danych firmom reklamowym +- Nie wydobywamy i nie gromadzimy danych w celu personalizacji i analizy zachowań +- Nie zarabiamy na żadnych informacjach + +You can view the data we collect on our [statistics](statistics.md) page. + +Posiadamy własną instalację [Plausible Analytics](https://plausible.io) w celu gromadzenia pewnych anonimowych danych o użytkowaniu w celach statystycznych. Ma to na celu badanie ogólnych trendów ruchu na naszej stronie internetowej, a nie śledzenie indywidualnych użytkowników. Wszelkie dane są tylko i wyłącznie gromadzone. Nie są gromadzone żadne dane osobowe. + +Gromadzone dane obejmują źródła wizyt, najpopularniejsze strony, czas trwania odwiedzin, informacje o urządzeniu (typ urządzenia, system operacyjny, państwo oraz przeglądarka), z którego korzystasz podczas odwiedzin i więcej. [Tutaj](https://plausible.io/data-policy) możesz dowiedzieć się więcej o tym, jak działa Plausible i jak gromadzą informacje z poszanowaniem prywatności. + +## Dane gromadzone od posiadaczy kont + +Wiele funkcji na niektórych ze świadczonych przez nas witrynach i usługach może wymagać posiadania konta. Na przykład może być wymagane konto do publikowania i odpowiadania na tematy na forum. + +W celu rejestracji większości kont gromadzimy imię i nazwisko, nazwę użytkownika, adres e-mail oraz hasło. Jeśli witryna będzie wymagać więcej informacji niż te, zostanie to wyraźnie zaznaczone i odnotowane w oddzielnym oświadczeniu o prywatności danej witryny. + +Używamy danych Twojego konta do identyfikacji użytkownika w witrynie oraz w celu utworzenia indywidualnych dla Ciebie stron, takich jak strona Twojego profilu. Twoich danych użyjemy również do opublikowania Twojego profilu w naszych usługach. + +Używamy Twojego adresu e-mail do: + +- Powiadamiania o wpisach oraz innej aktywności w witrynach oraz usługach. +- Wyzerowania Twojego hasła, aby zadbać o bezpieczeństwo Twojego konta. +- Kontaktowania przy zaistnieniu szczególnych okoliczności związanych z Twoim kontem. +- Kontaktu w sprawie wniosków prawnych, takich jak nakaz usunięcia zgodnie z DMCA. + +Na niektórych stronach internetowych i usługach możesz podać dodatkowe informacje dla swojego konta, takie jak krótka biografia, obraz użytkownika, swoją lokalizację oraz datę urodzenia. Udostępniamy te informacje wszystkim osobom, które mają dostęp do danej strony internetowej lub usługi. Te informacje nie są wymagane do korzystania z naszych usług i mogą zostać wykasowane w dowolnym momencie. + +Będziemy przechowywać dane Twojego konta, dopóki nie zostanie ono zamknięte. Po zamknięciu konta możemy zachować pewne lub wszystkie dane Twojego konta w formie kopii zapasowych lub archiwów nie dłużej niż 90 dni. + +## Kontakt z nami + +Zespół Privacy Guides zasadniczo nie ma dostępu do danych osobowych poza ograniczonym dostępem udzielonym przez niektóre panele moderacyjne. Zapytania dotyczące Twoich danych osobowych należy kierować bezpośrednio do: + +```text +Jonah Aragon +Administrator usług +jonah@privacyguides.org +``` + +Dla wszystkich innych zapytań możesz skontaktować się z dowolnym członkiem naszego zespołu. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## O tej Polityce + +We will post any new versions of this statement [here](privacy-policy.md). Zastrzegamy sobie prawo do zmiany sposobu ogłaszania zmian w przyszłych wersjach tego dokumentu. W międzyczasie możemy aktualizować nasze informacje kontaktowe w dowolnym momencie bez ogłaszania tej zmiany. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/pl/about/privacytools.md b/i18n/pl/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/pl/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/pl/about/services.md b/i18n/pl/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/pl/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/pl/about/statistics.md b/i18n/pl/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/pl/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/pl/advanced/communication-network-types.md b/i18n/pl/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/pl/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/pl/advanced/dns-overview.md b/i18n/pl/advanced/dns-overview.md new file mode 100644 index 00000000..8457d85b --- /dev/null +++ b/i18n/pl/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## Co to jest DNS? + +Gdy odwiedzasz stronę internetową, zwracany jest adres w postaci dziesiętnej. Na przykład, gdy odwiedzasz `privacyguides.org`, zwracany jest adres `192.98.54.105`. + +DNS istnieje od [wczesnych lat](https://en.wikipedia.org/wiki/Domain_Name_System#History) istnienia Internetu. Zapytania DNS wysyłane i odbierane z serwerów DNS zazwyczaj **nie są** szyfrowane. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | ------------ | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | Wyszukiwarki | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | Wyszukiwarki | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | Wyszukiwarki | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | Wyszukiwarki | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). **Nie zalecamy** używania szyfrowanego DNS w tym celu. Zamiast tego skorzystaj z sieci [Tor](https://torproject.org) lub [VPN](../vpn.md). Jeśli korzystasz z sieci VPN, należy użyć serwerów DNS jej dostawcy. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### Adres IP + +Najprostszym sposobem na określenie aktywności przeglądania może być sprawdzenie adresów IP, z którymi łączą się Twoje urządzenia. Na przykład, jeśli obserwator wie, że `privacyguides.org` znajduje się pod adresem `198.98.54.105`, a Twoje urządzenie pobiera dane z adresu `198.98.54.105`, istnieje duże prawdopodobieństwo, że odwiedzasz witrynę Privacy Guides. + +Ta metoda jest użyteczna tylko wtedy, gdy adres IP należy do serwera, na którym znajduje się tylko kilka stron internetowych. Nie pomaga również to, jeśli witryna jest umieszczona na współdzielonej platformie (np. GitHub Pages, Cloudflare Pages, Netlify, WordPress, Blogger itd.). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[Lista polecanych serwerów DNS](../dns.md ""){.md-button} + +## Co to jest DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) to funkcja DNS uwierzytelniająca odpowiedzi na zapytania o nazwę domen. Nie zapewnia ona ochrony prywatności tych zapytań, ale uniemożliwia atakującym manipulowanie lub zatruwanie odpowiedzi na zapytania DNS. + +Innymi słowy, DNSSEC podpisuje cyfrowo dane, aby zapewnić ich spójność. W celu zapewnienia bezpiecznego wyszukiwania, podpisywanie odbywa się na każdym poziomie procesu zapytania DNS. Dzięki temu wszystkie odpowiedzi z DNS są zaufane. + +Proces podpisywania DNSSEC jest podobny do podpisywania dokumentu prawnego długopisem; osoba składająca podpis używa niepowtarzalnego podpisu, a ekspert sądowy może spojrzeć na ten podpis i zweryfikować, czy dokument został podpisany przez tę osobę. Te podpisy cyfrowe są gwarancją, że dane nie zostały naruszone. + +DNSSEC wprowadza hierarchiczną politykę podpisywania cyfrowego we wszystkich warstwach DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/pl/advanced/payments.md b/i18n/pl/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/pl/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/pl/advanced/tor-overview.md b/i18n/pl/advanced/tor-overview.md new file mode 100644 index 00000000..379f6fe0 --- /dev/null +++ b/i18n/pl/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Android + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/pl/android.md b/i18n/pl/android.md new file mode 100644 index 00000000..690f8e8e --- /dev/null +++ b/i18n/pl/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'fontawesome/brands/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +**Android Open Source Project** to system operacyjny o otwartym kodzie źródłowym przeznaczony na urządzenia mobilne, który jest rozwijany przez Google i działa na większości urządzeń mobilnych na Ziemi. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. rekomendacja + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Pochodne AOSP + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + Urządzenia z zakończonym okresem wsparcia (takie jak urządzenia z "rozszerzonym wsparciem" dla GrapheneOS lub CalyxOS) nie posiadają pełnych poprawek bezpieczeństwa (aktualizacji oprogramowania), ponieważ ich producenci przestali je wspierać. Te urządzenia nie mogą być uznawane za w pełni bezpieczne niezależnie od zainstalowanego oprogramowania. + +### GrapheneOS + +!!! rekomendacja + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** jest najlepszym wyborem w kwestii prywatności i bezpieczeństwa. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! rekomendacja + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Urządzenia z Androidem + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! rekomendacja + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! rekomendacja + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! rekomendacja + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! rekomendacja + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! rekomendacja + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Źródła aplikacji + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! rekomendacja + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### GrapheneOS App Store + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### Aurora Store + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/pl/assets/img/account-deletion/exposed_passwords.png b/i18n/pl/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/pl/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/pl/assets/img/android/rss-apk-dark.png b/i18n/pl/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/pl/assets/img/android/rss-apk-light.png b/i18n/pl/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-apk-light.png differ diff --git a/i18n/pl/assets/img/android/rss-changes-dark.png b/i18n/pl/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pl/assets/img/android/rss-changes-light.png b/i18n/pl/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pl/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-encryption.svg b/i18n/pl/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/how-tor-works/tor-path.svg b/i18n/pl/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pl/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pl/assets/img/multi-factor-authentication/fido.png b/i18n/pl/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pl/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pl/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pl/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/pl/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/pl/basics/account-creation.md b/i18n/pl/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/pl/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/pl/basics/account-deletion.md b/i18n/pl/basics/account-deletion.md new file mode 100644 index 00000000..ead15df3 --- /dev/null +++ b/i18n/pl/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Dostawcy sieci VPN + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/pl/basics/common-misconceptions.md b/i18n/pl/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/pl/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/pl/basics/common-threats.md b/i18n/pl/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/pl/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/pl/basics/email-security.md b/i18n/pl/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/pl/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/pl/basics/multi-factor-authentication.md b/i18n/pl/basics/multi-factor-authentication.md new file mode 100644 index 00000000..9259d8b7 --- /dev/null +++ b/i18n/pl/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Uwierzytelnianie wieloskładnikowe" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Uwierzytelnianie wieloskładnikowe** to mechanizm zabezpieczeń, który wymaga dodatkowych czynności poza wprowadzeniem nazwy użytkownika (lub e-maila) oraz hasła. Najczęściej spotykaną metodą są ograniczone czasowo kody otrzymywane poprzez wiadomość SMS lub aplikację. + +W większości przypadków, jeśli haker (lub przeciwnik) jest w stanie odgadnąć Twoje hasło, zyskuje on dostęp do konta, do którego to hasło należy. Konto z MFA zmusza hakera do posiadania zarówno hasła (coś co *wiesz*) oraz urządzenia, które posiadasz (coś co *masz*), takiego jak Twój telefon. + +Metody MFA różnią się pod względem bezpieczeństwa, ale opierają się na założeniu, że im trudniej jest atakującemu uzyskać dostęp do Twojej metody MFA, tym lepiej. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## Ogólne zalecenia + +Przedstawiamy następujące ogólne zalecenia: + +### Z której metody mam skorzystać? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Kopie zapasowe + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Konfiguracja początkowa + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### E-mail i SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## Więcej miejsc do ustawienia MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/pl/basics/passwords-overview.md b/i18n/pl/basics/passwords-overview.md new file mode 100644 index 00000000..a18b788e --- /dev/null +++ b/i18n/pl/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Kopie zapasowe + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/pl/basics/threat-modeling.md b/i18n/pl/basics/threat-modeling.md new file mode 100644 index 00000000..2b52e6ae --- /dev/null +++ b/i18n/pl/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Czym są modele zagrożeń" +icon: 'material/target-account' +description: Osiągnięcie kompromisu pomiędzy bezpieczeństwem, prywatnością oraz łatwością korzystania jest pierwszym, a zarazem najtrudniejszym zadaniem z jakim przyjdzie Ci się zmierzyć na swojej drodze do prywatności. +--- + +Osiągnięcie kompromisu pomiędzy bezpieczeństwem, prywatnością oraz łatwością korzystania jest pierwszym, a zarazem najtrudniejszym zadaniem z jakim przyjdzie Ci się zmierzyć na swojej drodze do prywatności. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Chcąc korzystać z **najbezpieczniejszych** narzędzi należy poświęcić *ogromną ilość* funkcji. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Z tego powodu, modele zagrożeń są ważne. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. Co chcę chronić? +2. Przed kim chcę to chronić? +3. Na ile prawdopodobne jest to, że zajdzie potrzeba to chronić? +4. Jak poważne będą konsekwencje, jeśli mi się nie uda? +5. Co jestem w stanie znieść, aby zapobiec potencjalnym konsekwencjom? + +### Co chcę chronić? + +"Zasobem" jest wszystko, co jest dla Ciebie cenne i chcesz to chronić. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Twoje urządzenia również mogą stanowić zasoby. + +*Sporządź listę swoich zasobów: przechowywanych danych, gdzie są one przechowywane, kto ma do nich dostęp oraz co zapobiega uzyskaniu do nich dostępu przez inne osoby.* + +### Przed kim chcę to chronić? + +Przed odpowiedzeniem na te pytania warto ustalić, kto może chcieć próbować dotrzeć do Ciebie lub Twoich danych. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Twoja lista może zawierać osoby fizyczne, agencje rządowe lub korporacje.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### Na ile prawdopodobne jest to, że zajdzie potrzeba to chronić? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Mimo tego, że Twój dostawca usług mobilnych posiada możliwości dostępu do wszystkich Twoich danych to ryzyko, że opublikują Twoje prywatne dane w sieci w celu zaszkodzenia Twojej reputacji jest niskie. + +Ważne jest, aby rozróżnić to, co może się wydarzyć i to, jak prawdopodobne jest, że się wydarzy. Na przykład istnieje zagrożenie, że Twój budynek ulegnie zawaleniu, ale ryzyko wystąpienia tego jest o wiele większe w San Francisco (gdzie trzęsienia ziemi są częste) niż w Sztokholmie (gdzie nie są). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. W innych przypadkach osoby lekceważą wysokie ryzyko, ponieważ nie postrzegają zagrożenia jako problemu. + +*Zapisz, które zagrożenia zamierzasz traktować poważnie, a które mogą być zbyt rzadkie lub zbyt mało szkodliwe (lub zbyt trudne do zwalczenia), by się nimi przejmować.* + +### Jak poważne będą konsekwencje, jeśli mi się nie uda? + +Twój przeciwnik może uzyskać dostęp do Twoich danych na wiele sposobów. Na przykład: przeciwnik może czytać Twoją prywatną komunikację w trakcie jej podróży poprzez sieć lub usunąć oraz uszkodzić Twoje dane. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. Haker może uzyskać dostęp do Twojej nieszyfrowanej komunikacji, gdy korzystasz z otwartej sieci Wi-Fi. Twój rząd może mieć większe możliwości. + +*Zapisz, co Twój przeciwnik może chcieć zrobić z Twoimi danymi.* + +### Co jestem w stanie znieść, aby zapobiec potencjalnym konsekwencjom? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**Co chcesz chronić? (lub *co w Twoim posiadaniu jest warte ochrony?*)** +: + +Twoim mieniem mogą być biżuteria, elektronika, ważne dokumenty oraz zdjęcia. + +**Przed kim chcesz to chronić?** +: + +Twoimi przeciwnikami mogą być włamywacze, współlokatorzy oraz goście. + +**Na ile prawdopodobne jest to, że będziesz musieć to chronić?** +: + +Czy w Twojej dzielnicy mają miejsce włamania? How trustworthy are your roommates or guests? Co są w stanie zrobić Twoi przeciwnicy? Jakie zagrożenia należy wziąć pod uwagę? + +**Jak poważne będą konsekwencję, jeśli Ci się nie uda?** +: + +Czy posiadasz w swoim domu coś, czego nie da się zastąpić? Do you have the time or money to replace those things? Czy posiadasz ubezpieczenie, które obejmuje ochronę Twojego mienia od kradzieży? + +**Ile czasu jesteś w stanie poświęcić, aby zapobiec tym konsekwencjom?** +: + +Czy jesteś w stanie kupić sejf na wrażliwe dokumenty? Czy możesz sobie pozwolić na zakup wysokiej jakości kłódki? Czy masz czas na założenie skrytki bankowej w swoim lokalnym banku, aby przechowywać tam swoje kosztowności? + +Dopiero po odpowiedzeniu sobie na te pytania, będziesz mieć możliwość oceny, jakie działania należy podjąć. Jeśli Twoja własność jest cenna, ale prawdopodobieństwo włamania jest niskie, nie warto inwestować zbyt wiele pieniędzy w zamek. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Stworzenie planu bezpieczeństwa pomoże Ci zrozumieć zagrożenia, które są unikalne dla Twojej osoby oraz oszacować Twoje zasoby, przeciwników, ich możliwości oraz prawdopodobieństwo wystąpienia ryzyka. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Źródła + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/pl/basics/vpn-overview.md b/i18n/pl/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/pl/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/pl/calendar.md b/i18n/pl/calendar.md new file mode 100644 index 00000000..4d5b9f55 --- /dev/null +++ b/i18n/pl/calendar.md @@ -0,0 +1,71 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! rekomendacja + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Funkcje obejmują: automatyczne szyfrowanie E2E wszystkich danych, funkcje udostępniania, importowanie/eksportowanie, uwierzytelnianie wieloskładnikowe i [więcej](https://tutanota.com/calendar-app-comparison/). + + Wiele kalendarzy oraz rozszerzone funkcje udostępniania są ograniczone do płatnych subskrybentów. + + [:octicons-home-16: Strona WWW](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Polityka prywatności" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Darowizna } + + ??? do pobrania + + - [:octicons-browser-16: Internet](https://mail.tutanota.com/) + - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:fontawesome-brands-google-play: Sklep Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + +## Proton Calendar + +!!! rekomendacja + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/pl/cloud.md b/i18n/pl/cloud.md new file mode 100644 index 00000000..b478e3bb --- /dev/null +++ b/i18n/pl/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! rekomendacja + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! rekomendacja + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/pl/cryptocurrency.md b/i18n/pl/cryptocurrency.md new file mode 100644 index 00000000..8721af78 --- /dev/null +++ b/i18n/pl/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! rekomendacja + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/pl/data-redaction.md b/i18n/pl/data-redaction.md new file mode 100644 index 00000000..4cace524 --- /dev/null +++ b/i18n/pl/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! rekomendacja + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! rekomendacja + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! rekomendacja + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! rekomendacja + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! rekomendacja + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/pl/desktop-browsers.md b/i18n/pl/desktop-browsers.md new file mode 100644 index 00000000..39979584 --- /dev/null +++ b/i18n/pl/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! rekomendacja + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! rekomendacja + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! rekomendacja + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Android + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! rekomendacja + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/pl/desktop.md b/i18n/pl/desktop.md new file mode 100644 index 00000000..7466b4b8 --- /dev/null +++ b/i18n/pl/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Magazyny chmurowe" +icon: fontawesome/brands/linux +description: Dystrybucje systemu Linux są powszechnie polecane, jeśli chodzi o ochronę prywatności oraz wolne oprogramowanie. +--- + +Dystrybucje systemu Linux są powszechnie polecane, jeśli chodzi o ochronę prywatności oraz wolne oprogramowanie. Jeśli nie korzystasz jeszcze z systemu Linux, poniżej znajdziesz kilka dystrybucji, które polecamy wypróbować oraz kilka ogólnych porad dotyczących lepszej prywatności i bezpieczeństwa, które mają zastosowanie dla wielu dystrybucji systemu Linux. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Tradycyjne dystrybucje + +### Fedora Workstation + +!!! rekomendacja + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. Podczas gdy aktualizacja niektórych pakietów, takich jak [GNOME](https://www.gnome.org) jest wstrzymywana do następnego wydania Fedora, większość pakietów (w tym jądro) jest często aktualizowanych podczas okresu wsparcia dla wydania. Każde wydanie Fedora jest wspierane przez jeden rok, a nowe wersje są wydawane co 6 miesięcy. + +### openSUSE Tumbleweed + +!!! rekomendacja + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. Podczas aktualizacji systemu pobierany jest nowy punkt kontrolny. Każdy z nich jest poddawany serii testów przez [openQA](https://openqa.opensuse.org), aby zapewnić o jego jakości. + +### Arch Linux + +!!! rekomendacja + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! rekomendacja + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! rekomendacja + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! rekomendacja + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! rekomendacja + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! rekomendacja + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/pl/dns.md b/i18n/pl/dns.md new file mode 100644 index 00000000..0275f479 --- /dev/null +++ b/i18n/pl/dns.md @@ -0,0 +1,139 @@ +--- +title: "Rekursywne serwery nazw" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Szyfrowany DNS nie pomoże Ci w ukryciu jakiejkolwiek aktywności w Internecie. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Rekomendowani dostawcy + +| Dostawca DNS | Polityka prywatności | Protokoły | Rejestrowane dane | ECS | Filtrowanie | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ----------------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Niektóre[^1] | Nie | Zależne od wybranego serwera. Listę filtrowania możesz znaleźć tutaj: [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Niektóre[^2] | Nie | Zależne od wybranego serwera. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Do wyboru[^3] | Nie | Zależne od wybranego serwera. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Żadne[^4] | Nie | Zależne od wybranego serwera. Listę filtrowania możesz znaleźć tutaj: [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Do wyboru[^5] | Do wyboru | Zależne od wybranego serwera. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Niektóre[^6] | Do wyboru | Zależne od wybranego serwera. Złośliwe zasoby blokowane automatycznie. | + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Najnowsze wersje systemów iOS, iPadOS, tvOS oraz macOS obsługują zarówno DoT oraz DoH. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Urządzenia Apple + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! rekomendacja + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! rekomendacja + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! rekomendacja + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! rekomendacja + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/pl/email-clients.md b/i18n/pl/email-clients.md new file mode 100644 index 00000000..db8baa99 --- /dev/null +++ b/i18n/pl/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! rekomendacja + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! rekomendacja + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! rekomendacja + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! rekomendacja + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! rekomendacja + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! rekomendacja + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! rekomendacja + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! rekomendacja + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! rekomendacja + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/pl/email.md b/i18n/pl/email.md new file mode 100644 index 00000000..a6576352 --- /dev/null +++ b/i18n/pl/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! rekomendacja + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! rekomendacja + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! rekomendacja + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! rekomendacja + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! rekomendacja + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! rekomendacja + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! rekomendacja + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! rekomendacja + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/pl/encryption.md b/i18n/pl/encryption.md new file mode 100644 index 00000000..ac015322 --- /dev/null +++ b/i18n/pl/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Oprogramowanie szyfrujące" +icon: material/file-lock +description: Szyfrowanie danych to jedyny sposób na kontrolowanie tego, kto ma do nich dostęp. These tools allow you to encrypt your emails and any other files. +--- + +Szyfrowanie danych to jedyny sposób na kontrolowanie tego, kto ma do nich dostęp. Jeśli obecnie nie używasz oprogramowania szyfrującego dla swojego dysku, e-maili lub plików, możesz wybrać jedną z tych opcji. + +## Międzyplatformowe + +Wymienione tutaj opcje są międzyplatformowe i świetnie nadają się do tworzenia szyfrowanych kopii zapasowych sowich danych. + +### Cryptomator (Chmura) + +!!! rekomendacja + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** to rozwiązanie szyfrujące zaprojektowane do prywatnego zapisywania plików do dowolnego dostawcy usług chmury. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator wykorzystuje szyfrowanie AES-256 do szyfrowania zarówno plików, jak i nazw plików. Cryptomator nie może szyfrować metadanych, takich jak daty dostępu, modyfikacji oraz utworzenia, ani liczby i rozmiaru plików i folderów. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! rekomendacja + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! rekomendacja + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! rekomendacja + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** to funkcja pełnego szyfrowania woluminów dołączona do systemów Microsoft Windows. Głównym powodem naszej rekomendacji tego rozwiązania jest {wykorzystanie modułu TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! rekomendacja + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! rekomendacja + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! rekomendacja + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! rekomendacja + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! rekomendacja + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! rekomendacja + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! rekomendacja + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! rekomendacja + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! rekomendacja + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/pl/file-sharing.md b/i18n/pl/file-sharing.md new file mode 100644 index 00000000..1868bf2f --- /dev/null +++ b/i18n/pl/file-sharing.md @@ -0,0 +1,155 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Dowiedz się, jak prywatnie udostępniać piki pomiędzy swoimi urządzeniami, ze znajomymi lub rodziną lub anonimowo w sieci. +--- + +Dowiedz się, jak prywatnie udostępniać piki pomiędzy swoimi urządzeniami, ze znajomymi lub rodziną lub anonimowo w sieci. + +## Udostępnianie plików + +### Send + +!!! rekomendacja + + ![Magic Wormhole logo](assets/img/file-sharing-sync/magic_wormhole.png){ align=right } + + **Magic Wormhole** to pakiet, który dostarcza bibliotekę i narzędzie konsolowe o nazwie wormhole, które umożliwia wysyłanie plików i katalogów (lub kawałków tekstu) o dowolnym rozmiarze z jednego komputera na drugi. [:octicons-repo-16: Repozytorium](https://github.com/magic-wormhole/magic-wormhole){ .md-button .md-button--primary } + [:octicons-info-16:](https://magic-wormhole.readthedocs.io/){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/magic-wormhole/magic-wormhole){ .card-link title="Kod źródłowy" } + + ??? pobieranie + + - [:fontawesome-brands-windows: Windows](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation) + - [:fontawesome-brands-apple: macOS](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#macos-os-x) + - [:fontawesome-brands-linux: Linux](https://magic-wormhole.readthedocs.io/en/latest/welcome.html#installation) You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! rekomendacja + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! rekomendacja + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! rekomendacja + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! rekomendacja + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/pl/financial-services.md b/i18n/pl/financial-services.md new file mode 100644 index 00000000..95af41ad --- /dev/null +++ b/i18n/pl/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! rekomendacja + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! rekomendacja + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! rekomendacja + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! rekomendacja + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/pl/frontends.md b/i18n/pl/frontends.md new file mode 100644 index 00000000..dd2122b6 --- /dev/null +++ b/i18n/pl/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Menedżery haseł" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Klienty + +### Librarian + +!!! rekomendacja + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! rekomendacja + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! rekomendacja + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! rekomendacja + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! rekomendacja + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! rekomendacja + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Ostrzeżenie + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! rekomendacja + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! rekomendacja + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/pl/index.md b/i18n/pl/index.md new file mode 100644 index 00000000..515177a1 --- /dev/null +++ b/i18n/pl/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.pl.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## A kogo to obchodzi? + +##### "Ja nie mam nic do ukrycia. Po co mam się martwić o swoją prywatność?" + +Podobnie jak prawo do małżeństw różnych ras, prawo wyborcze kobiet, wolność słowa i wiele innych, nasze prawo do prywatności nie zawsze było egzekwowane. W części dyktatur nadal nie jest. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/pl/kb-archive.md b/i18n/pl/kb-archive.md new file mode 100644 index 00000000..e588f3c5 --- /dev/null +++ b/i18n/pl/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integracja usuwania metadanych](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/pl/meta/brand.md b/i18n/pl/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/pl/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/pl/meta/git-recommendations.md b/i18n/pl/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/pl/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/pl/meta/uploading-images.md b/i18n/pl/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/pl/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/pl/meta/writing-style.md b/i18n/pl/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/pl/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/pl/mobile-browsers.md b/i18n/pl/mobile-browsers.md new file mode 100644 index 00000000..6b01a480 --- /dev/null +++ b/i18n/pl/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Przeglądarki mobilne" +icon: octicons/device-mobile-16 +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Oto obecnie polecane przez nas przeglądarki mobilne oraz ich konfiguracje. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. Ogólnie rzecz biorąc, zalecamy ograniczenie rozszerzeń do minimum; posiadają one uprzywilejowany dostęp do Twojej przeglądarki, wymagają zaufania do twórcy, mogą wspomóc [personalizowanie](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) oraz [osłabić](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) izolację witryn. + +## Android + +Na Androidzie, Firefox jest nadal mniej bezpieczna od alternatyw bazujących na silniku Chromium: Silnik od Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), nie posiada jeszcze wsparcia dla [izolowania witryn](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) oraz włączonego [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! rekomendacja + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +W systemie iOS każda aplikacja, która umożliwia przeglądanie Internetu [ma obowiązek](https://developer.apple.com/app-store/review/guidelines) korzystać z [platformy WebKit](https://developer.apple.com/documentation/webkit) dostarczonej przez Apple, więc nie ma zbyt wielu powodów na używanie zewnętrznych przeglądarek. + +### Safari + +!!! rekomendacja + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! rekomendacja + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/pl/multi-factor-authentication.md b/i18n/pl/multi-factor-authentication.md new file mode 100644 index 00000000..f0980cc8 --- /dev/null +++ b/i18n/pl/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! rekomendacja + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! rekomendacja + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! rekomendacja + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! rekomendacja + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/pl/news-aggregators.md b/i18n/pl/news-aggregators.md new file mode 100644 index 00000000..8068bf49 --- /dev/null +++ b/i18n/pl/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! rekomendacja + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! rekomendacja + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! rekomendacja + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! rekomendacja + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! rekomendacja + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! rekomendacja + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! rekomendacja + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/pl/notebooks.md b/i18n/pl/notebooks.md new file mode 100644 index 00000000..cb812f44 --- /dev/null +++ b/i18n/pl/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notatniki" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Prowadź swoje notatniki i dzienniki bez udostępniania ich stronom trzecim. + +Jeśli obecnie używasz aplikacji, takiej jak Evernote, Google Keep lub Microsoft OneNote, sugerujemy, aby wybrać jedną z tych alternatyw, która obsługuje E2EE. + +## Oparte na chmurze + +### Joplin + +!!! rekomendacja + + ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ align=right } + + **EteSync Notes** to bezpieczna, szyfrowana od końca do końca i respektująca prywatność aplikacja do robienia notatek. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! rekomendacja + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! rekomendacja + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! rekomendacja + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/pl/os/android-overview.md b/i18n/pl/os/android-overview.md new file mode 100644 index 00000000..7787caaf --- /dev/null +++ b/i18n/pl/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: fontawesome/brands/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android to bezpieczny system operacyjny, który posiada silną [izolację aplikacji](https://source.android.com/security/app-sandbox), [Weryfikację rozruchu](https://source.android.com/security/verifiedboot) (AVB), oraz solidny system kontroli [uprawnień](https://developer.android.com/guide/topics/permissions/overview). + +## Wybór dystrybucji Androida + +System Android na zakupionym telefonie często zawiera zintegrowane inwazyjne aplikacje oraz usługi, które nie są częścią [Android Open Source Project](https://source.android.com/). Jedną z nich są Usługi Google Play, która ma niezbywalne uprawnienia dostępu do Twoich plików, magazynu kontaktów, rejestru połączeń, wiadomości SMS, lokalizacji, aparatu, mikrofonu, identyfikatorów sprzętowych oraz wiele więcej. Te aplikacje i usługi zwiększają możliwości ataku na Twoje urządzenie oraz są źródłem wielu obaw związanych z prywatnością systemu Android. + +Ten problem można rozwiązać instalując niestandardową dystrybucję Androida, która nie zawiera tak inwazyjnej integracji. Niestety, ale wiele niestandardowych dystrybucji Androida narusza model bezpieczeństwa systemu nie wspierając funkcji bezpieczeństwa, takich jak AVB, ochrona przed cofnięciem aktualizacji, aktualizacje oprogramowania i innych. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Wybierając niestandardową dystrybucję Androida, należy upewnić się, że jest ona zgodna z modelem bezpieczeństwa tego systemu. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Polecane przez nas dystrybucje Androida :hero-arrow-circle-right-fill:](../android.md ""){.md-button} + +## Unikaj rootowania + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Blokery reklam, które modyfikują [plik hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) oraz zapory sieciowe (AFWall+), które wymagają ciągłego dostępu do roota są niebezpieczne i nie powinny być używane. Nie są one również właściwym sposobem na rozwiązanie ich zamierzonych celów. Zamiast tego do blokowania reklam polecamy szyfrowany [DNS](../dns.md) lub [sieć VPN](../vpn.md) z blokowaniem serwerów. RethinkDNS, TrackerControl oraz AdAway bez dostępu do roota zajmą miejsce sieci VPN (używając interfejsu zwrotnego VPN) uniemożliwiając Ci korzystanie z usług zwiększających prywatność, takich jak Orbot lub prawdziwej sieci VPN. + +AFWall+ działa w oparciu o [filtrowanie pakietów](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter), które może w niektórych przypadkach zostać ominięte. + +Naszym zdaniem, wady zdecydowanie przewyższają zalety rootowania telefonu w celu korzystania z tych aplikacji. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +W Androidzie 10 i nowszych zrezygnowano z szyfrowania całego dysku na rzecz bardziej elastycznego [szyfrowania plików](https://source.android.com/security/encryption/file-based). Twoje dane są zaszyfrowane za pomocą niepowtarzalnych kluczy szyfrujących, a pliki systemu operacyjnego pozostają niezaszyfrowane. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Aktualizacje oprogramowania mają kluczowe znaczenie dla zachowania bezpieczeństwa. Producenci urządzeń zawierają umowy ze swoimi partnerami na dostarczanie komponentów o zamkniętym kodzie źródłowym przez ograniczony czas. This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Aktualizacje oprogramowania + +Firmware updates are critical for maintaining security and without them your device cannot be secure. Dlatego ważne jest, aby zakupić urządzenie, które jest nadal wspierane. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) oraz [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) oferując wsparcie dla swoich urządzeń przez 4 lata, podczas gdy tańsze produkty często mają krótszy okres wsparcia. + +Urządzenia bez aktywnego wsparcia producenta układów nie otrzymują już aktualizacji oprogramowania od producentów urządzeń lub niestandardowych dystrybucji Androida. Oznacza to, że luki bezpieczeństwa w tych urządzeniach nie zostaną naprawione. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +Ważne jest, aby nie korzystać z [niewspieranej](https://endoflife.date/android) wersji Androida. Nowsze wersje Androida nie tylko otrzymują poprawki bezpieczeństwa dla systemu operacyjnego, ale także ważne aktualizacje poprawiające prywatność. + +[Uprawnienia systemu Android](https://developer.android.com/guide/topics/permissions/overview) umożliwiają Ci kontrolę nad tym, do czego mają dostęp Twoje aplikacje. Firma Google regularnie wprowadza [poprawki](https://developer.android.com/about/versions/11/privacy/permissions) do systemu zabezpieczeń z każdą kolejną wersją. Wszystkie instalowane przez Ciebie aplikacje są ściśle [izolowane](https://source.android.com/security/app-sandbox), więc nie ma potrzeby instalowania żadnych aplikacji antywirusowych. + +## Wersje Androida + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Uprawnienia systemu Android + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Profile użytkowników + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. Jeśli w danej chwili z nich nie korzystasz, zalecamy wyłączenie tych funkcji. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). To umożliwi Ci otrzymywanie **niektórych** poprawek bezpieczeństwa od Google bez naruszania modelu zabezpieczeń Androida poprzez używanie systemu pochodnego od Androida i zwiększanie ryzyka na atak. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Aktualizacje systemowe Google Play + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/pl/os/linux-overview.md b/i18n/pl/os/linux-overview.md new file mode 100644 index 00000000..e0d85bc3 --- /dev/null +++ b/i18n/pl/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: fontawesome/brands/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Ogólne zalecenia + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/pl/os/qubes-overview.md b/i18n/pl/os/qubes-overview.md new file mode 100644 index 00000000..1325d97c --- /dev/null +++ b/i18n/pl/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Android + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/pl/passwords.md b/i18n/pl/passwords.md new file mode 100644 index 00000000..55d89ed8 --- /dev/null +++ b/i18n/pl/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Oparte na chmurze + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! rekomendacja + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! rekomendacja + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! rekomendacja + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! rekomendacja + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! rekomendacja + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! rekomendacja + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! rekomendacja + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/pl/productivity.md b/i18n/pl/productivity.md new file mode 100644 index 00000000..1b6b6db2 --- /dev/null +++ b/i18n/pl/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! rekomendacja + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! rekomendacja + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! rekomendacja + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! rekomendacja + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! rekomendacja + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/pl/real-time-communication.md b/i18n/pl/real-time-communication.md new file mode 100644 index 00000000..7e9c8a31 --- /dev/null +++ b/i18n/pl/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! rekomendacja + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! rekomendacja + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! rekomendacja + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! rekomendacja + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! rekomendacja + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/pl/router.md b/i18n/pl/router.md new file mode 100644 index 00000000..7653b9ac --- /dev/null +++ b/i18n/pl/router.md @@ -0,0 +1,51 @@ +--- +title: "Oprogramowanie routera" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Poniżej wymieniono kilka alternatywnych systemów operacyjnych, które możesz zainstalować na swoim routerze, punkcie dostępowym Wi-Fi itp. + +## OpenWrt + +!!! rekomendacja + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** to system operacyjny oparty na oprogramowaniu Linux; jest używany głównie w urządzeniach wbudowanych do kierowania ruchem sieciowym. Zawiera util-linux, uClibc oraz BusyBox. Wszystkie komponenty zostały zoptymalizowane pod kątem routerów domowych. + + [:octicons-home-16: Strona WWW](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Wesprzyj } + +Zapoznaj się z [listą obsługiwanych urządzeń](https://openwrt.org/toh/start), aby sprawdzić, czy Twoje urządzenie jest obsługiwane. + +## OPNsense + +!!! rekomendacja + + ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense to otwarte oprogramowanie zapory sieciowej/routera bazujące na FreeBSD. Po zainstalowaniu na komputerze pełni rolę dedykowanej zapory sieciowej/routera dla sieci i wyróżnia się niezawodnością oraz oferuje funkcje, które można często znaleźć tylko w drogich zaporach sieciowych. + + [:octicons-home-16: Strona WWW](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Wesprzyj } + +OPNsense zostało pierwotnie opracowane na podstawie [pfSense](https://en.wikipedia.org/wiki/PfSense), a oba te projekty są znane z bycia bezpłatnymi i niezawodnymi dystrybucjami zapór sieciowych, które oferują funkcje dostępne często tylko w drogich komercyjnych zaporach sieciowych. Począwszy od 2015 roku programiści OPNsense [ujawnili](https://docs.opnsense.org/history/thefork.html) wiele problemów dotyczących bezpieczeństwa i jakości kodu pfSense, co popchnęło ich w stronę utworzenia pochodnego projektu, jak również obawy związane z większościowym zakupem pfSense przez Netgate i przyszłym kierunkiem rozwoju projektu. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Wymagane jest otwarte źródło. +- Wymagane są regularne aktualizacje. +- Must support a wide variety of hardware. diff --git a/i18n/pl/search-engines.md b/i18n/pl/search-engines.md new file mode 100644 index 00000000..22c86ff0 --- /dev/null +++ b/i18n/pl/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! rekomendacja + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! rekomendacja + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! rekomendacja + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! rekomendacja + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/pl/tools.md b/i18n/pl/tools.md new file mode 100644 index 00000000..8d9384e8 --- /dev/null +++ b/i18n/pl/tools.md @@ -0,0 +1,477 @@ +--- +title: "Narzędzia ochrony prywatności" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +Jeśli szukasz konkretnego rozwiązania, oto polecane przez nas narzędzia oraz oprogramowanie w różnych kategoriach. Polecane przez nas narzędzia zostały wybrane głównie na podstawie funkcji zabezpieczeń z dodatkowym naciskiem na te o zdecentralizowane i o otwartym kodzie żródłowym. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake nie zwiększa prywatności, ale ułatwia udzielenie się w sieci Tor, aby wspomóc inne osoby w cenzurowanych sieciach w osiągnięciu lepszej prywatności. + +[Dowiedz się więcej :hero-arrow-circle-right-fill:](tor.md) + +## Systemy operacyjne + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### Android + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## Dostawcy usług + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### Android + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Magazyny chmurowe + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](desktop.md) + +### Oprogramowanie routera + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](cloud.md) + +### Wyszukiwarki + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### Dostawcy sieci VPN + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](email-clients.md) + +### Oprogramowanie szyfrujące + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](file-sharing.md) + +### Menedżery haseł + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Notatniki + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](video-streaming.md) diff --git a/i18n/pl/tor.md b/i18n/pl/tor.md new file mode 100644 index 00000000..7a278205 --- /dev/null +++ b/i18n/pl/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +Sieć **Tor** to grupa serwerów dostarczanych przez wolontariuszy, która umożliwia bezpłatne łączenie się z Internetem oraz wzmacnia prywatność i bezpieczeństwo. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! rekomendacja + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! rekomendacja + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! rekomendacja + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/pl/video-streaming.md b/i18n/pl/video-streaming.md new file mode 100644 index 00000000..a89a6ffd --- /dev/null +++ b/i18n/pl/video-streaming.md @@ -0,0 +1,53 @@ +--- +title: "Strumieniowanie filmów" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +Podstawowym zagrożeniem związanym z korzystaniem z platformy do strumieniowania filmów jest to, że Twoje nawyki dotyczące strumieniowania oraz listy subskrypcyjne mogą zostać wykorzystane do profilowania Ciebie. Warto połączyć te narzędzia z [VPN](vpn.md) lub [Tor](https://www.torproject.org/), aby utrudnić profilowanie. + +## Klienty + +!!! rekomendacja + + ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right } + + **FreeTube** to bezpłatna i otwarta aplikacja komputerowa dla [YouTube](https://youtube.com). Podczas korzystania z FreeTube, Twoja lista subskrypcji i listy odtwarzania są zapisywane lokalnie na Twoim urządzeniu. FreeTube domyślnie blokuje wszystkie reklamy na YouTube. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Strona WWW](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Polityka prywatności" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Dokumentacja} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Kod źródłowy" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Darowizna } + + ??? do pobrania + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/pl/vpn.md b/i18n/pl/vpn.md new file mode 100644 index 00000000..8f4738b0 --- /dev/null +++ b/i18n/pl/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Rekomendowani dostawcy + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! rekomendacja + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! rekomendacja + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/pt-BR/404.md b/i18n/pt-BR/404.md new file mode 100644 index 00000000..a2ee2ba0 --- /dev/null +++ b/i18n/pt-BR/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Não encontrado + +Não conseguimos encontrar a página que você estava procurando! Talvez você estivesse procurando por uma dessas? + +- [Introdução à Modelo de Ameças](basics/threat-modeling.md) +- [Serviços de DNS recomendados](dns.md) +- [Melhores navegadores de Internet no desktop](desktop-browsers.md) +- [Melhores serviços de VPN](vpn.md) +- [Fórum do Privacy Guides](https://discuss.privacyguides.net) +- [Nosso Blog](https://blog.privacyguides.org) diff --git a/i18n/pt-BR/CODE_OF_CONDUCT.md b/i18n/pt-BR/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..0f3e1b94 --- /dev/null +++ b/i18n/pt-BR/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Código de Conduta da Comunidade + +** Nós nos comprometemos ** a fazer de nossa comunidade uma experiência sem assédios para todos. + +**Nós nos esforçamos** para criar um ambiente positivo, usando uma linguagem acolhedora e inclusiva, e respeitando os pontos de vista dos outros. + +** Nós não permitimos ** comportamentos inadequados ou inaceitáveis, tais como linguagem sexualizada, "trolling" e comentários ofensivos, ou que promovam a intolerância ou o assédio. + +## Regras da Comunidade + +O que esperamos dos membros de nossas comunidades: + +1. **Não espalhe desinformação** + + Estamos criando uma comunidade educacional baseada em evidências em torno da privacidade e segurança da informação, não um lar para teorias conspiratórias. Por exemplo, ao afirmar que um determinado “software” é malicioso ou que certos dados de telemetria são invasivos à privacidade, explique em detalhes o que é coletado e como é coletado. Alegações desta natureza devem ser comprovadas por provas técnicas. + +1. **Não abuse da nossa intenção de ajudar** + + Os membros da nossa comunidade não são o seu suporte técnico gratuito. Estamos felizes em ajudá-lo com etapas específicas em sua jornada de privacidade, se você estiver disposto a se esforçar do seu lado. Não estamos dispostos a responder perguntas intermináveis sobre problemas genéricos de computadores que você mesmo poderia ter respondido com uma busca de 30 segundos na Internet. Não seja um [vampiro de ajuda](https://slash7.com/2006/12/22/vampires/). + +1. **Comporte-se de um modo positivo e construtivo** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/pt-BR/about/criteria.md b/i18n/pt-BR/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/pt-BR/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/pt-BR/about/donate.md b/i18n/pt-BR/about/donate.md new file mode 100644 index 00000000..32e48ff0 --- /dev/null +++ b/i18n/pt-BR/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Nos Apoiando +--- + + +São necessárias muitas [pessoas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e muito [trabalho](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para manter o Privacy Gudes atualizado e a divulgar informações sobre privacidade e vigilância em massa. Se gosta do que nós fazemos, a melhor forma de ajudar é participando da [edição do site](https://github.com/privacyguides/privacyguides.org) ou [contribuindo com as traduções](https://crowdin.com/project/privacyguides). + +Se quiser apoiar-nos financeiramente, o método mais conveniente para nós são contribuições através do Open Collective, um website operado pelo nosso anfitrião fiscal. O Open Collective aceita pagamentos através de cartão de crédito/débito, PayPal e transferências bancárias. + +[Doar na OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +As doações feitas diretamente a nós no Open Collective são geralmente dedutíveis de imposto nos EUA, porque o nosso anfitrião fiscal (a Open Collective Foundation) é uma organização registada 501(c)3. Você irá receber um recibo da Open Collective Foundation após a doação. O Privacy Guides não fornece aconselhamento financeiro e você deve entrar em contato com seu consultor fiscal para descobrir se isso é aplicável a você. + +Se você já usa os patrocínios do GitHub, também pode patrocinar nossa organização lá. + +[Patrocine-nos no GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Contribuidores + +Um agradecimento especial a todos aqueles que apoiam a nossa missão! :heart: + +*Nota: Esta seção carrega um widget diretamente do Open Collective. Esta seção não reflete donativos feitos por fora do Open Collective e nós não temos controle sobre os doadores específicos que são destacados nesta seção.* + + + +## Como Usamos as Doações + +O Privacy Guides é uma organização **sem fins lucrativos**. Usamos as doações para diversos propósitos, incluindo: + +**Registo de Domínios** +: + +Temos alguns domínios como `privacyguides.org` que nos custam cerca de US$ 10 por ano para manter seu registro. + +**Hospedagem Web** +: + +O tráfego para este website usa centenas de gigabytes de dados por mês e nós usamos vários provedores de serviço para lidar com ele. + +**Serviços Online** +: + +Nós hospedamos [serviços de internet](https://privacyguides.net) para teste e demonstração de diferentes produtos de privacidade que gostamos e [recomendamos](../tools.md). Alguns deles são disponibilizados publicamente para uso da nossa comunidade (SearXNG, Tor, etc.) e alguns são para uso dos membros da nossa equipe (e-mail, etc.). + +**Compras de Produtos** +: + +Ocasionamente adquirimos produtos e serviços com o propósito de testar as nossas [ferramentas recomendadas](../tools.md). + +Ainda estamos a trabalhar com o nosso anfitrião fiscal (a Open Collective Foundation) para receber doações em criptomoeda. No momento a contabilidade não é viável para muitas transações menores, mas isso deve mudar no futuro. Enquanto isso, se você deseja fazer uma doação de criptomoeda considerável (> $100), entre em contato com [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/pt-BR/about/index.md b/i18n/pt-BR/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/pt-BR/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/pt-BR/about/notices.md b/i18n/pt-BR/about/notices.md new file mode 100644 index 00000000..a98f2b9a --- /dev/null +++ b/i18n/pt-BR/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Ressalva Legal + +O Privacy Guides não é um escritório de advocacia. Como tal, o website do Privacy Guides e seus colaboradores não estão prestando aconselhamento jurídico. O material e as recomendações em nosso site e guias não constituem aconselhamento jurídico, nem a contribuição para o site ou a comunicação com o Privacy Guides ou outros colaboradores sobre nosso site criam um relacionamento advogado-cliente. + +A gestão deste website, como qualquer esforço humano, envolve incerteza e contrapartidas. Esperamos que este website ajude, mas pode conter erros e não pode abordar todas as situações. Se você tiver alguma dúvida sobre sua situação, incentivamos você a fazer sua própria pesquisa, procurar outros especialistas e participar de discussões com a comunidade de Privacy Guides. Se tiver quaisquer questões jurídicas, deve consultar o seu próprio consultor jurídico antes de avançar. + +O Privacy Guides é um projeto de código aberto para o qual contribuíram sob licenças que incluem termos que, para protecção do website e dos seus contribuintes, tornam claro que o projeto Privacy Guides e o website é oferecido "tal como está", sem garantia, e excluindo a responsabilidade por danos resultantes da utilização do website ou quaisquer recomendações contidas no mesmo. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Além disso, Privacy Guides não garante que este site esteja constantemente disponível ou completamente disponível. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Isto não inclui o código de terceiros incorporado neste repositório, ou código onde uma licença de substituição é de outro modo anotada. Os exemplos seguintes são notáveis, mas esta lista pode não incluir tudo: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Isso significa que você pode utilizar o conteúdo legível por humanos neste repositório para o seu próprio projeto, nos termos descritos no texto da licença Creative Commons Attribution-NoDerivatives 4.0 International Public License. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Uso Aceitável + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Varreduras Automatizadas Excessivas +* Ataques de Negação de Serviço +* Scraping +* Mineração de dados +* 'Framing' (IFrames) + +--- + +*Partes deste aviso foram adotadas a partir de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) no GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/pt-BR/about/privacy-policy.md b/i18n/pt-BR/about/privacy-policy.md new file mode 100644 index 00000000..e8c74d87 --- /dev/null +++ b/i18n/pt-BR/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Política de Privacidade" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- Nenhuma informação pessoal é coletada +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- Nenhuma informação é monetizada + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +Nós usamos o seu e-mail para: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Fale Conosco + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +Para queixas no âmbito da GDPR em geral, você pode apresentar queixas às suas autoridades supervisoras locais de proteção de dados. Na França, é a Commission Nationale de l'Informatique et des Libertés que cuida e lida com as queixas. Eles fornecem um [modelo de carta de reclamação](https://www.cnil.fr/en/plaintes) para usar. + +## Sobre esta Política + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/pt-BR/about/privacytools.md b/i18n/pt-BR/about/privacytools.md new file mode 100644 index 00000000..dc483628 --- /dev/null +++ b/i18n/pt-BR/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Porque abandonamos o PrivacyTools + +Em setembro de 2021, todos os colaboradores ativos concordaram por unanimidade em migrar do PrivacyTools para trabalhar neste site: Privacy Guides. Esta decisão foi tomada porque o fundador e controlador do nome de domínio da PrivacyTools desapareceu por um longo período de tempo e não pôde ser contatado. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/pt-BR/about/services.md b/i18n/pt-BR/about/services.md new file mode 100644 index 00000000..48ee99c4 --- /dev/null +++ b/i18n/pt-BR/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domínio: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Disponibilidade: Semi-Público + Hospedamos o Invidious principalmente para veicular vídeos incorporados do YouTube em nosso site, esta instância não se destina ao uso geral e pode ser limitada a qualquer momento. +- Fonte: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/pt-BR/about/statistics.md b/i18n/pt-BR/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/pt-BR/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/pt-BR/advanced/communication-network-types.md b/i18n/pt-BR/advanced/communication-network-types.md new file mode 100644 index 00000000..f440706c --- /dev/null +++ b/i18n/pt-BR/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Tipos de Redes de Comunicação" +icon: 'material/transit-connection-variant' +description: Uma visão geral de várias estruturas de rede normalmente usadas por aplicativos de mensagens instantâneas. +--- + +Existem várias arquiteturas de rede comumente usadas para retransmitir mensagens entre pessoas. Essas redes podem fornecer diferentes garantias de privacidade, e é por isso que vale a pena considerar seu [modelo de ameaça](../basics/threat-modeling.md) ao decidir qual aplicativo usar. + +[Mensageiros Instantâneos Recomendados](../real-time-communication.md ""){.md-button} + +## Redes Centralizadas + +![Diagrama de redes centralizadas](../assets/img/layout/network-centralized.svg){ align=left } + +Mensageiros centralizados são aqueles em que todos os participantes estão no mesmo servidor ou rede de servidores controlados pela mesma organização. + +Alguns mensageiros podem ser auto-hospedados e permitem que você configure seu próprio servidor. A auto-hospedagem pode fornecer garantias adicionais de privacidade, como nenhum registro de uso ou acesso limitado a metadados (dados sobre quem está falando com quem). Mensageiros centralizados auto-hospedados são isolados e todos devem estar no mesmo servidor para se comunicar. + +**Vantagens:** + +- Novos recursos e mudanças podem ser implementados mais rapidamente. +- Mais fácil de começar e de encontrar contatos. +- Ecossistemas mais maduros e estáveis, já que são mais fáceis de serem implementados em um software centralizado. +- Problemas de privacidade podem ser reduzidos quando você confia em um servidor que você está hospedando. + +**Desvantagens:** + +- Pode incluir [controle ou acesso restrito](https://drewdevault.com/2018/08/08/Signal.html). Isto pode incluir coisas como: +- Ser [proibido de conectar clientes alternativos](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) à rede, mesmo podendo oferecer uma melhor customização ou até mesmo uma melhor experiência. Muitas vezes definido nos Termos e Condições de uso. +- Documentação pobre ou inexistente para desenvolvedores de terceiros. +- O [proprietário](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), a política de privacidade e operações podem ser facilmente mudadas quando uma só entidade controla tudo, podendo comprometer o serviço mais tarde. +- A auto-hospedagem requer esforço e conhecimento de como configurar um serviço. + +## Redes Federadas + +![Diagrama de redes federadas](../assets/img/layout/network-decentralized.svg){ align=left } + +Os mensageiros federados usam vários servidores independentes e descentralizados que podem conversar entre si (o e-mail é um exemplo de um serviço federado). A federação permite que os administradores do sistema controlem seu próprio servidor e ainda façam parte da rede de comunicações principal. + +Quando auto-hospedados, os membros de um servidor federado podem descobrir e se comunicar com membros de outros servidores, embora alguns servidores possam optar por permanecer privados e não serem federados (por exemplo, servidor de uma equipe de trabalho). + +**Vantagens:** + +- Permite maior controle sobre seus próprios dados ao usar seu próprio servidor. +- Permite que você escolha com quem confiar seus dados, escolhendo entre vários servidores "públicos". +- Muitas vezes permitem clientes de terceiros que podem fornecer uma experiência mais nativa, personalizada ou acessível. +- O software do servidor pode ser verificado para saber se ele corresponde ao código-fonte original, assumindo que você tem acesso ao servidor ou confia na pessoa que o mantém (por exemplo, um membro de sua família). + +**Desvantagens:** + +- A adição de novos recursos é mais complexa porque esses recursos precisam ser padronizados e testados para garantir que funcionem com todos os servidores da rede. +- Devido ao ponto anterior, os recursos podem estar faltando, ou incompletos ou funcionando de maneiras inesperadas em comparação com plataformas centralizadas, como retransmissão de mensagens quando offline ou exclusão de mensagens. +- Alguns metadados podem estar disponíveis (por exemplo, informações como "quem está falando com quem", mas não o conteúdo real da mensagem se E2EE for usado). +- Os servidores federados geralmente exigem confiar no administrador do seu servidor. Eles podem ser um amador ou não ser um "profissional de segurança" e podem não servir documentos padrão, como uma política de privacidade ou termos de serviço detalhando como seus dados são usados. +- Os administradores de servidores às vezes optam por bloquear outros servidores, que são uma fonte de abuso não moderado ou quebram as regras gerais de comportamento aceito. Isso prejudicará sua capacidade de se comunicar com os membros desses servidores. + +## Rede Peer-to-Peer + +![Diagrama P2P](../assets/img/layout/network-distributed.svg){ align=left } + +Os mensageiros P2P se conectam a uma [ rede distribuída](https://en.wikipedia.org/wiki/Distributed_networking) de nós para retransmitir uma mensagem ao destinatário sem um servidor de terceiros. + +Clientes (peers) geralmente encontram um ao outro através do uso de um [sistema de processamento distribuído](https://pt.wikipedia.org/wiki/Sistema_de_processamento_distribu%C3%ADdo). Exemplos disso incluem [Distributed hash table](https://pt.wikipedia.org/wiki/Distributed_hash_table) (DHT), usado por [torrents](https://pt.wikipedia.org/wiki/BitTorrent) e [IPFS](https://pt.wikipedia.org/wiki/Sistema_de_Arquivos_Interplanet%C3%A1rio) por exemplo. Outra abordagem é redes baseadas em proximidade, onde uma conexão é estabelecida através de WiFi ou Bluetooth (por exemplo, Briar ou o protocolo de rede social [Scuttlebutt](https://www.scuttlebutt.nz)). + +Uma vez que um peer tenha encontrado uma rota para o seu contato através de qualquer um desses métodos, uma conexão direta entre eles é feita. Embora as mensagens sejam geralmente criptografadas, um observador ainda pode deduzir a localização e a identidade do remetente e do destinatário. + +As redes P2P não usam servidores, pois os peers se comunicam diretamente entre si e, portanto, não podem ser auto-hospedados. No entanto, alguns serviços adicionais podem contar com servidores centralizados, como descoberta de usuários ou retransmissão de mensagens off-line, que podem se beneficiar da auto-hospedagem. + +**Vantagens:** + +- Informações mínimas são expostas a terceiros. +- Plataformas P2P modernas implementam E2EE por padrão. Não há servidores que possam interceptar e descriptografar suas transmissões, ao contrário de modelos centralizados e federados. + +**Desvantagens:** + +- Conjunto de recursos reduzido: +- As mensagens só podem ser enviadas quando ambos os peers estão online, no entanto, seu cliente pode armazenar mensagens localmente enquanto espera o contato ficar online. +- Geralmente aumenta o uso da bateria em dispositivos móveis, porque o cliente deve permanecer conectado à rede para saber quem está online. +- Alguns recursos comuns em mensageiros podem não ser implementados ou estar incompletos, como a exclusão de mensagens. +- Seu endereço IP e o dos contatos com os quais você está se comunicando podem ser expostos se você não usar o software em conjunto com uma [VPN](../vpn.md) ou [Tor](../tor.md). Muitos países têm alguma forma de vigilância em massa e/ou retenção de metadados. + +## Roteamento Anônimo + +![Diagrama de roteamento anônimo](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +Um mensageiro usando [roteamento anônimo](https://doi.org/10.1007/978-1-4419-5906-5_628) oculta a identidade do remetente, do destinatário ou a evidência de que eles estão se comunicando. Idealmente, um mensageiro deve esconder todos os três. + +Existem [muitas](https://doi.org/10.1145/3182658) maneiras diferentes de implementar o roteamento anônimo. Um dos mais famosos é o [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (ou seja, [Tor](tor-overview.md)), que comunica mensagens criptografadas através de uma [rede sopbreposta](https://pt.wikipedia.org/wiki/Rede_sobreposta) virtual, que esconde a localização de cada nó, bem como o destinatário e o remetente de cada mensagem. O remetente e o destinatário nunca interagem diretamente e só se encontram através de um nó de encontro secreto para que não haja vazamento de endereços IP ou localização física. Os nós não podem descriptografar mensagens, nem o destino final; apenas o destinatário pode. Cada nó intermediário só pode descriptografar uma parte que indica para onde enviar a mensagem criptografada, até chegar ao destinatário que pode descriptografá-la totalmente, daí as "onion layers." + +A auto-hospedagem de um nó em uma rede de roteamento anônimo não fornece ao hoster benefícios adicionais de privacidade, mas contribui para a resiliência de toda a rede contra ataques de identificação para o benefício de todos. + +**Vantagens:** + +- Pouca ou nenhuma informação é exposta a outras partes. +- As mensagens podem ser retransmitidas de forma descentralizada, mesmo que uma das partes esteja offline. + +**Desvantagens:** + +- Propagação lenta da mensagem. +- Muitas vezes limitado a menos tipos de mídia, principalmente texto, uma vez que a rede é lenta. +- Menos confiável se os nós são selecionados por roteamento randomizado, alguns nós podem estar muito longe do remetente e do receptor, adicionando latência ou mesmo não transmitindo mensagens se um dos nós ficar offline. +- Mais complexo para começar, pois é necessária a criação e o backup seguro de uma chave privada criptográfica. +- Assim como outras plataformas descentralizadas, adicionar recursos é mais complexo para os desenvolvedores do que em uma plataforma centralizada. Assim, os recursos podem estar faltando ou incompletamente implementados, como retransmissão de mensagens offline ou exclusão de mensagens. diff --git a/i18n/pt-BR/advanced/dns-overview.md b/i18n/pt-BR/advanced/dns-overview.md new file mode 100644 index 00000000..bd4061cc --- /dev/null +++ b/i18n/pt-BR/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## O que é DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### DNS não Criptografado + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## O que é "DNS criptografado"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS sobre TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS sobre HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Por que **não deveria** usar DNS criptografado? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### Endereço IP + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## O que é DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/pt-BR/advanced/payments.md b/i18n/pt-BR/advanced/payments.md new file mode 100644 index 00000000..cbc1846f --- /dev/null +++ b/i18n/pt-BR/advanced/payments.md @@ -0,0 +1,85 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Criptomoedas + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/pt-BR/advanced/tor-overview.md b/i18n/pt-BR/advanced/tor-overview.md new file mode 100644 index 00000000..4f792a77 --- /dev/null +++ b/i18n/pt-BR/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Recursos Adicionais + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [Como funciona o Tor - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Serviços Tor Onion - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/pt-BR/android.md b/i18n/pt-BR/android.md new file mode 100644 index 00000000..ca51fe7b --- /dev/null +++ b/i18n/pt-BR/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: Você pode substituir o sistema operacional do seu celular Android por essas alternativas seguras e que respeitam a privacidade. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +O **Android Open Source Project** é um sistema operacional de código aberto liderado pelo Google que é usado na maioria dos dispositivos móveis do mundo. A maioria dos celulares vendidos com Android são modificados para incluir integrações invasivas e aplicativos como o Google Play Services. Você pode melhorar a privacidade de seu dispositivo significativamente ao usar uma versão do Android sem esses recursos invasivos. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +Estes são os sistemas operacionais, dispositivos e aplicações Android que recomendamos para maximizar a segurança e privacidade do seu dispositivo móvel. Para saber mais sobre o Android: + +[Visão Geral do Android :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Por que recomendamos o GrapheneOS em vez do CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Derivados do AOSP + +Recomendamos instalar um desses sistemas operacionais Android personalizados em seu dispositivo, listados em ordem de preferência, dependendo da compatibilidade do seu dispositivo com esses sistemas operacionais. + +!!! nota + + Os dispositivos em fim de vida útil (como os dispositivos GrapheneOS ou "suporte estendido" da CalyxOS) não possuem patches de segurança completos (atualizações de firmware) devido à interrupção do suporte do OEM. Estes dispositivos não podem ser considerados completamente seguros, independentemente do software instalado. + +### GrapheneOS + +!!! recomendação + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS*** é a melhor escolha quando se trata de privacidade e segurança. + + O GrapheneOS conta com um [hardening](https://pt.wikipedia.org/wiki/Hardening) adicional e melhorias de privacidade. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. Isso significa que você pode tirar proveito da maioria dos Google Play Services, como [notificações push](https://firebase.google.com/docs/cloud-messaging/), enquanto lhe dá controle total sobre suas permissões e acesso, e ao mesmo tempo contê-los para um perfil de trabalho [específico](os/android-overview.md#work-profile) ou [perfil de usuário](os/android-overview.md#user-profiles) de sua escolha. + +Os telefones Google Pixel são os únicos dispositivos que atualmente atendem aos [requisitos de segurança de hardware do GrapheneOS](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recomendação + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +O DivestOS implementa alguns patches de fortalecimento desenvolvidos originalmente para o GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 e superior apresenta a opção de [ randomização do MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) completa por rede do GrapheneOS, controle [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) e [opções de tempo limite](https://grapheneos.org/features) de reinicialização automática/Wi-Fi/Bluetooth. + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! aviso + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +Ao adquirir um dispositivo, recomendamos que o adquira o mais novo possível. O software e o firmware dos dispositivos móveis são suportados apenas por um tempo limitado, de modo que a compra de aparelhos recém-lançados prolonga ao máximo a sua vida útil. + +Evite comprar telefones de operadoras de redes móveis. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Tenha muito **cuidado** ao comprar celulares usados nas lojas online. Sempre verifique a reputação do vendedor. Se for um dispositivo roubado, o [IMEI pode estar na lista proibida](https://www.gsma.com/security/resources/imei-blacklisting/). Também existe o risco de você ser associado com a atividade do proprietário anterior. + +Mais algumas dicas sobre os aparelhos Android e a compatibilidade do sistema operacional: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + Em alguns raros casos, o desenvolvedor só vai disponibilizar o app no F-Droid ([Gadgetbridge](https://gadgetbridge.org/) é um exemplo). Se você realmente precisa de um aplicativo assim, recomendamos que use a [Neo Store](https://github.com/NeoApplications/Neo-Store/) ao invés do aplicativo oficial do F-Droid. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Sistemas Operacionais + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Dispositivos + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png b/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/pt-BR/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/pt-BR/assets/img/android/rss-apk-dark.png b/i18n/pt-BR/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/pt-BR/assets/img/android/rss-apk-light.png b/i18n/pt-BR/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-apk-light.png differ diff --git a/i18n/pt-BR/assets/img/android/rss-changes-dark.png b/i18n/pt-BR/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pt-BR/assets/img/android/rss-changes-light.png b/i18n/pt-BR/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pt-BR/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg b/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pt-BR/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png b/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pt-BR/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pt-BR/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pt-BR/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/pt-BR/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/pt-BR/basics/account-creation.md b/i18n/pt-BR/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/pt-BR/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/pt-BR/basics/account-deletion.md b/i18n/pt-BR/basics/account-deletion.md new file mode 100644 index 00000000..d1463f8a --- /dev/null +++ b/i18n/pt-BR/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Exclusão de Conta" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Com o tempo, pode ser fácil acumular várias contas online, muitas das quais você pode não mais usar. Excluir essas contas não utilizadas é um passo importante para recuperar sua privacidade, pois contas inativas são vulneráveis a violações de dados. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Localizando Contas Antigas + +### Gerenciador de Senhas + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Excluindo Contas Antigas + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Sobrescrevendo Informações da Conta + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Exclusão + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Evite Novas Contas + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/pt-BR/basics/common-misconceptions.md b/i18n/pt-BR/basics/common-misconceptions.md new file mode 100644 index 00000000..61d3464a --- /dev/null +++ b/i18n/pt-BR/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Equívocos Comuns" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Software de código aberto é sempre seguro" ou "Software proprietário é mais seguro" + +Estes mitos resultam de uma série de preconceitos, mas se o código fonte está disponível e a forma como o software é licenciado não afecta de modo algum a sua segurança de forma inerente. ==Software de código aberto tem o *potencial* para ser mais seguro do que um software proprietário, mas não existe qualquer garantia de que assim seja.== Quando se avalia o software, se deve olhar a reputação e a segurança de cada ferramenta numa base individual. + +O software de código aberto *pode* ser auditado por terceiros, e é muitas vezes mais transparente sobre potenciais vulnerabilidades do que os seus equivalentes proprietários. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/pt-BR/basics/common-threats.md b/i18n/pt-BR/basics/common-threats.md new file mode 100644 index 00000000..a2b297d4 --- /dev/null +++ b/i18n/pt-BR/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Ameaças Comuns" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonimato vs Privacidade + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Segurança e Privacidade + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacidade dos Prestadores de Serviços + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Programas de Vigilância em Massa + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + Na França, você pode dar uma olhada no [site da Technopolicy](https://technopolice.fr/villes/) mantido pela associação sem fins lucrativos La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limitação de Informações Públicas + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Evitando a Censura + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/pt-BR/basics/email-security.md b/i18n/pt-BR/basics/email-security.md new file mode 100644 index 00000000..24a8cfc3 --- /dev/null +++ b/i18n/pt-BR/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Segurança de Email +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Visão Geral da Criptografia de Email + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### Quais Clientes de Email Suportam E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### Como Protejo Minhas Chaves Privadas? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Visão Geral dos Metadados de Email + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Quem Pode Ver Metadados de Email? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Por Que os Metadados Não Podem Ser E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/pt-BR/basics/multi-factor-authentication.md b/i18n/pt-BR/basics/multi-factor-authentication.md new file mode 100644 index 00000000..0e9fb706 --- /dev/null +++ b/i18n/pt-BR/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Autenticação de Múltiplos Fatores" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## Recomendações gerais + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/pt-BR/basics/passwords-overview.md b/i18n/pt-BR/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/pt-BR/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/pt-BR/basics/threat-modeling.md b/i18n/pt-BR/basics/threat-modeling.md new file mode 100644 index 00000000..0940d141 --- /dev/null +++ b/i18n/pt-BR/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Modelagem de Ameaças" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**Então, o que são esses modelos de ameaça afinal?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Criando seu modelo de ameaça + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Fontes + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/pt-BR/basics/vpn-overview.md b/i18n/pt-BR/basics/vpn-overview.md new file mode 100644 index 00000000..b1d59230 --- /dev/null +++ b/i18n/pt-BR/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Devo Usar Uma VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## Quando não deveria usar uma VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## E Quanto à Criptografia? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Devo usar DNS criptografado com uma VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Devo usar Tor *e* uma VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## E se eu precisar de anonimato? + +As VPNs não podem fornecer anonimato. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) em vez disso. + +## E os provedores de VPN que fornecem nós Tor? + +Não use esse recurso. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## Quando VPNs são úteis? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Fontes e Leituras Adicionais + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Informações Relacionadas a VPN + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/pt-BR/calendar.md b/i18n/pt-BR/calendar.md new file mode 100644 index 00000000..89b9e9ad --- /dev/null +++ b/i18n/pt-BR/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Agenda/Calendário Sincronizado" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/pt-BR/cloud.md b/i18n/pt-BR/cloud.md new file mode 100644 index 00000000..7f729830 --- /dev/null +++ b/i18n/pt-BR/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Armazenamento em nuvem" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/pt-BR/cryptocurrency.md b/i18n/pt-BR/cryptocurrency.md new file mode 100644 index 00000000..7c0606c8 --- /dev/null +++ b/i18n/pt-BR/cryptocurrency.md @@ -0,0 +1,54 @@ +--- +title: Criptomoedas +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/pt-BR/data-redaction.md b/i18n/pt-BR/data-redaction.md new file mode 100644 index 00000000..961594a8 --- /dev/null +++ b/i18n/pt-BR/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/pt-BR/desktop-browsers.md b/i18n/pt-BR/desktop-browsers.md new file mode 100644 index 00000000..1148279e --- /dev/null +++ b/i18n/pt-BR/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Navegadores Desktop" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! aviso + O Firefox inclui um token exclusivo de [download](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) pelo site da Mozilla e usa telemetria no Firefox para enviar o token. O token é **não** incluído nas versões do [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Firefox + +Se você quiser permanecer conectado a sites específicos, você pode permitir exceções em **Cookies e Dados do Site** → **Gerenciar Exceções...** + +##### Proteção Reforçada de Rastreio (ETP) + +- Selecione **Strict** + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitizar ao Fechar + +O serviço [Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) usa E2EE. + +- Selecione **Excluir cookies e dados do site quando o Firefox estiver fechado** + +Geralmente, não recomendamos a instalação de nenhuma extensão, pois elas aumentam sua superfície de ataque; no entanto, se você deseja o bloqueio de conteúdo, o [uBlock Origin](#additional-resources) pode ser útil para você. A extensão também é uma extensão :trophy: [recomendada](https://support.mozilla.org/kb/add-on-badges#w_recommended-extensions) pela Mozilla. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Desativar Sugestão de Pesquisa + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Desativar Telemetria + +- Limpar **Permitir que o Firefox envie dados técnicos e de interação para o Mozilla** +- Limpar **Permitir que o Firefox instale e execute estudos** +- Limpar **Permitir que o Firefox envie relatórios de falhas identificadas em seu nome** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### Modo Somente HTTPS + +- Selecione **Ativar modo somente HTTPS em todas as janelas** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Extensões + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Firefox + +These options can be found in :material-menu: → **Settings**. + +##### Modo Somente HTTPS + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensões + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Recursos Adicionais + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/pt-BR/desktop.md b/i18n/pt-BR/desktop.md new file mode 100644 index 00000000..97020f7e --- /dev/null +++ b/i18n/pt-BR/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Computador/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/pt-BR/dns.md b/i18n/pt-BR/dns.md new file mode 100644 index 00000000..33452954 --- /dev/null +++ b/i18n/pt-BR/dns.md @@ -0,0 +1,138 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +description: Estes são alguns provedores de DNS criptografados para os quais recomendamos mudar, para substituir a configuração padrão de seu ISP. +--- + +DNS criptografado com servidores de terceiros só deve ser usado para contornar o [bloqueio básico de DNS](https://en.wikipedia.org/wiki/DNS_blocking) quando você pode ter certeza de que não haverá nenhuma consequência. DNS criptografado não ajudará você a esconder nenhuma de suas atividades de navegação. + +[Saiba mais sobre DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Provedores Recomendados + +| Provedor de DNS | Política de Privacidade | Protocolos | Registro | ECS | Filtragem | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Alguns[^1] | Não | Baseado na escolha do servidor. As listas de filtragem usadas podem ser encontradas aqui. [**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Alguns[^2] | Não | Baseado na escolha do servidor. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Opcional[^3] | Não | Baseado na escolha do servidor. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Não[^4] | Não | Baseado na escolha do servidor. As listas de filtragem usadas podem ser encontradas aqui. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Opcional[^5] | Opcional | Baseado na escolha do servidor. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH/
DoT
DNSCrypt | Alguns[^6] | Opcional | Baseado na escolha do servidor, bloqueio de vírus (malware) por padrão. | + +## Requisitos + +**Por favor, note que não somos parceiros de nenhum dos produtos que recomendamos.** Além de [nossos requisitos básicos](about/criteria.md), desenvolvemos um conjunto claro de requisitos para nos permitir fornecer recomendações objetivas. Recomendamos que você se familiarize com esta lista antes de escolher usar um produto, e que faça sua própria pesquisa para garantir que o produto escolhido é o ideal para você. + +!!! example "Esta é uma nova seção" + + Estamos trabalhando para estabelecer requisitos definidos para cada seção de nosso site, e isto pode estar sujeito a mudanças. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Deve suportar [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [Minimização QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Permitir que [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) seja desativado. +- Prefira suporte a [Anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) ou suporte a orientação geográfica. + +## DNSCrypt + +### Android + +Android 9 e superior suportam DNS sobre TLS. As configurações podem ser encontradas em: **Configurações** → **Rede & Internet** → **DNS particular**. + +### Dispositivos Apple + +As versões mais recentes do iOS, iPadOS, tvOS e macOS, suportam DoT e DoH. Ambos os protocolos são suportados nativamente através dos [perfis de configuração](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ou através das [configurações de DNS API](https://developer.apple.com/documentation/networkextension/dns_settings). + +Após a instalação de um perfil de configuração ou de um aplicativo que usa a API de configurações de DNS, a configuração de DNS pode ser selecionada. Se uma VPN estiver ativa, a resolução no túnel VPN usará as configurações de DNS da VPN e não suas configurações gerais do sistema. + +#### Signed Profiles + +A Apple não fornece uma interface nativa para a criação de perfis DNS criptografados. Info Perfis assinados são preferidos; a assinatura valida a origem de um perfil e ajuda a garantir a integridade dos perfis. Uma marca de "Verificado" na cor verde é dada aos perfis de configuração assinados. Para mais informações sobre assinatura de código, ver [Sobre Assinatura de Código](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Perfis assinados** são oferecidos por [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), e [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, que muitas distribuições Linux usam para fazer suas pesquisas de DNS, ainda não [suporta DoH](https://github.com/systemd/systemd/issues/8639). Se você deseja usar o DoH, você precisará instalar um proxy como [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) e [configurá-lo](https://wiki. rchlinux.org/title/Dnscrypt-proxy) para pegar todas as consultas de DNS do resolvedor do sistema e encaminhá-los por HTTPS. + +## Proxy DNS criptografado + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### DNS + +!!! recommendation + + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### DNS + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Soluções auto-hospedadas + +Uma solução de DNS auto-hospedada é útil para fornecer filtragem em plataformas limitadas como Smart TVs e outros dispositivos IoT, já que não é necessário nenhum “software” do lado do cliente. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** é um programa de código aberto [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) que utiliza [filtragem DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) para bloquear conteúdos web indesejados, tais como anúncios. + + AdGuard Home apresenta um painel web amigável para ver informações e gerenciar conteúdos bloqueados. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** é um programa de código aberto [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) que usa [filtragem DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) para bloquear conteúdos web indesejados, como anúncios. + + O Pi-hole foi projetado para ser hospedado em um Raspberry Pi, mas não se limita a esse "hardware". O “software” apresenta uma interface web amigável para visualizar informações e gerenciar conteúdo bloqueado. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: O AdGuard armazena métricas de desempenho agregadas de seus servidores DNS, ou seja, o número de solicitações completas para um determinado servidor, o número de solicitações bloqueadas, e a velocidade de processamento dos pedidos. Eles também coletam e armazenam a base de dados de domínios solicitados nas últimas 24 horas. "Precisamos desta informação para identificar e bloquear novos rastreadores e ameaças". "Também registramos quantas vezes este ou aquele rastreador foi bloqueado. Precisamos desta informação para remover regras desatualizadas dos nossos filtros". [https://adguard-dns.io/pt_br/privacy.html](https://adguard.com/en/privacy/dns.html) +[^2]: O Cloudflare coleta e armazena apenas os dados limitados de consulta de DNS que são enviados para o resolvedor 1.1.1.1. O serviço de resolução 1.1.1.1 não registra dados pessoais, e a maior parte dos limitados dados de consulta, não pessoalmente identificáveis, é armazenado por apenas 25 horas. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: ControlD somente coleta e armazena métricas para resolvedores "Premium" com perfis DNS personalizados. Resolvedores gratuitos não registram dados. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: O serviço DNS do Mullvad está disponível tanto para assinantes quanto para não assinantes do Mullvad VPN. A sua política de privacidade afirma explicitamente que não armazenam as solicitações DNS de maneira nenhuma. [https://mullvad.net/pt/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS pode disponibilizar informações e recursos de registo mediante adesão opcional. Você pode escolher o tempo de retenção e os locais de armazenamento dos registros para quaisquer registros que você decidir manter. Se não for especificamente solicitado, nenhum dado é armazenado. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 coleta alguns dados para fins de monitoramento e resposta a ameaças. Esses dados podem então ser misturados e divulgados, por exemplo, para fins de pesquisas de segurança. Quad9 não coleta ou grava endereços IP, ou outros dados que eles considerem pessoalmente identificáveis. [https://www.quad9.net/pt/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/pt-BR/email-clients.md b/i18n/pt-BR/email-clients.md new file mode 100644 index 00000000..715a2194 --- /dev/null +++ b/i18n/pt-BR/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Clientes de Email" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +Se você quiser permanecer conectado a sites específicos, você pode permitir exceções em **Cookies e Dados do Site** → **Gerenciar Exceções...** + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Desativar Telemetria + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/pt-BR/email.md b/i18n/pt-BR/email.md new file mode 100644 index 00000000..2477e91c --- /dev/null +++ b/i18n/pt-BR/email.md @@ -0,0 +1,501 @@ +--- +title: "Serviços de Email" +icon: material/email +description: Esses provedores de email oferecem um ótimo lugar para armazenar seus emails de forma segura, e muitos oferecem criptografia OpenPGP compatível com outros provedores. +--- + +O "email" é praticamente uma necessidade para usar qualquer serviço “online”, contudo não o recomendamos para conversas pessoais. Ao invés de utilizar email para falar com outras pessoas, considere utilizar um meio de mensagens instantâneas que suporte sigilo encaminhado. + +[Mensageiros Instantâneos Recomendados](real-time-communication.md ""){.md-button} + +Para qualquer outra coisa, recomendamos uma variedade de provedores de email baseados em modelos de negócio sustentáveis e recursos de segurança e privacidade incorporados. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## Serviços Compatíveis com OpenPGP + +Esses provedores suportam nativamente a criptografia/descriptografia OpenPGP e o padrão Web Key Directory (WKD), permitindo e-mails E2E independentes do provedor. Por exemplo, um usuário do Proton Mail pode mandar uma mensagem E2E para um usuário de Mailbox.org, ou você pode receber notificações criptografadas por OpenPGP de serviços de internet que suportam isso. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! Alerta + + Ao usar a tecnologia E2EE, como OpenPGP, o e-mail ainda terá alguns metadados que não são criptografados no cabeçalho do e-mail. Leia mais sobre [metadados de email](basics/email-security.md#email-metadata-overview). + + OpenPGP também não suporta Sigilo Encaminhado, isso significa que se a sua chave ou a do destinatário é alguma vez roubada, todas as mensagens anteriores encriptadas com essa chave serão expostas. [Como eu protejo minhas chaves privadas?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![logo do Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** é um serviço de email com foco na privacidade, criptografia, segurança, e facilidade de uso. Eles estão operando desde **2013**. Proton AG é localizado em Genève, Suíça. As contas começam com 500 MB de armazenamento com seu plano grátis. + + [:octicons-home-16: Página Inicial](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Serviço Onion" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Política de Privacidade" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Código-Fonte" } + + ??? - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Contas gratuitas têm algumas limitações, como não poderem pesquisar no corpo de texto e não ter acesso à [Ponte Proton Mail](https://proton.me/mail/bridge), o que é requerido para usar um [cliente de email desktop recomendado](email-clients.md) (ex. Thunderbird). Contas pagas incluem funcionalidades como a Ponte Proton Mail, mais armazenamento, e suporte para domínios customizados. Um [certificado de segurança](https://proton.me/blog/security-audit-all-proton-apps) foi concedido para os aplicativos do Proton Mail em 9 de Novembro de 2021 pela [Securitium](https://research.securitum.com). + +Se você tem o Proton Unlimited, Bussiness, ou Visionary Plan, você também ganha o [SimpleLogin](#simplelogin) Premium de graça. + +O Proton Mail tem relatórios internos de travamento que eles **não** compartilham com terceiros. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail tem [criptografia de acesso zero](https://proton.me/blog/zero-access-encryption) em repouso para seus e-mails e [calendários](https://proton.me/news/protoncalendar-security-model). Os dados protegidos com criptografia de acesso zero só são acessíveis por você. + +Certas informações armazenadas no [Proton Contacts](https://proton.me/support/proton-contacts), como nomes de exibição e endereços de e-mail, não são protegidas com criptografia de acesso zero. Campos de contatos que suportam criptografia de acesso zero, tais como números de telefone, são indicados com um ícone de cadeado. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Serviços de Disfarce de Email + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Nossos Critérios + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Aceita [opções de pagamento anônimas](advanced/payments.md) ([criptomoedas](cryptocurrency.md), dinheiro, cartões-presente, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/pt-BR/encryption.md b/i18n/pt-BR/encryption.md new file mode 100644 index 00000000..aba09710 --- /dev/null +++ b/i18n/pt-BR/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Softwares de Criptografia" +icon: material/file-lock +description: A criptografia de dados é a única maneira de controlar quem pode acessá-los. These tools allow you to encrypt your emails and any other files. +--- + +A criptografia de dados é a única maneira de controlar quem pode acessá-los. Se você atualmente não está usando “software” de criptografia para seu disco rígido, e-mails ou arquivos, você deve escolher uma opção aqui. + +## Aplicativos multiplataforma + +As opções listadas aqui suportam múltiplas plataformas e são ótimas para criar backups criptografados de seus dados. + +### Cryptomator (Nuvem) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** é uma solução de criptografia projetada para salvar arquivos de forma privada em qualquer provedor de nuvem. Ele permite que você crie cofres armazenados em uma unidade virtual (virtual disk), cujo conteúdo é criptografado e sincronizado com seu provedor de armazenamento em nuvem. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +O Cryptomator usa criptografia AES-256 para criptografar arquivos e nomes de arquivos. O Cryptomator não pode criptografar metadados, como histórico de data/hora de acesso, modificação e criação, nem o número e o tamanho de arquivos e pastas. + +Algumas bibliotecas criptográficas do Cryptomator foram [auditadas](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) pela Cure53. O âmbito das bibliotecas auditadas inclui: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) e [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). A auditoria não se estendeu a [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), que é uma biblioteca usada pelo Cryptomator para o iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (Arquivo) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** é uma ferramenta de criptografia pequena e simples que fornece criptografia moderna. O Picocrypt usa a cifra segura XChaCha20 e a função de derivação de chave do Argon2id para fornecer um alto nível de segurança. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repositório](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribuir } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/pt-BR/file-sharing.md b/i18n/pt-BR/file-sharing.md new file mode 100644 index 00000000..aafc6486 --- /dev/null +++ b/i18n/pt-BR/file-sharing.md @@ -0,0 +1,148 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/pt-BR/financial-services.md b/i18n/pt-BR/financial-services.md new file mode 100644 index 00000000..f930ee20 --- /dev/null +++ b/i18n/pt-BR/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Serviços Financeiros +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Serviços de Disfarce de Pagamento + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/pt-BR/frontends.md b/i18n/pt-BR/frontends.md new file mode 100644 index 00000000..9638c15a --- /dev/null +++ b/i18n/pt-BR/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! anotar recomendação + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/pt-BR/index.md b/i18n/pt-BR/index.md new file mode 100644 index 00000000..91f6347a --- /dev/null +++ b/i18n/pt-BR/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.pt-BR.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Por que devo me importar? + +##### "Não tenho nada a esconder. Por que eu deveria me preocupar com a minha privacidade?” + +Assim como o direito ao casamento inter-racial, o direito feminino de votar, a liberdade de expressão e muitos outros, nosso direito à privacidade nem sempre foi respeitado. Em várias ditaduras, ainda não é. Gerações anteriores à nossa lutaram pelo nosso direito à privacidade. ==Privacidade é um direito humano, inerente a todos nós,== ao qual temos direito (sem discriminação). + +Você não deve confundir privacidade com sigilo. Sabemos o que acontece no banheiro, mas você ainda fecha a porta. Isso é porque você quer privacidade, não sigilo. **Todo mundo** tem algo para proteger. Privacidade é algo que nos torna humanos. + +[:material-target-account: Ameaças comuns na Internet](basics/common-threats.md ""){.md-button.md-button--primary} + +## O que eu deveria fazer? + +##### Primeiro, você precisa fazer um plano + +Tentar proteger todos os seus dados de todos — o tempo todo — é impraticável, caro e exaustivo. Mas não se preocupe! A segurança é um processo e, ao pensar no futuro, você pode montar um plano que seja certo para você. Segurança não é apenas sobre as ferramentas que você usa ou o software que você baixa. Em vez disso, começa por entender as ameaças que você enfrenta e como você pode mitigá-las. + +==Este processo de identificação de ameaças e definição de contramedidas é chamado de **threat modeling**==, e forma a base de todo bom plano de segurança e privacidade. + +[:material-book-outline: Saiba mais sobre Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Precisamos de você! Veja como participar do projeto: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Participe do nosso fórum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Siga-nos no Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribua para este site" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Ajude a traduzir este site" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Converse conosco no Matrix" } +[:material-information-outline:](about/index.md){ title="Saiba mais sobre nós" } +[:material-hand-coin-outline:](about/donate.md){ title="Apoie o projeto" } + +É importante que um site como o Privacy Guides esteja sempre atualizado. Precisamos que nosso público fique de olho nas atualizações de software para os aplicativos listados em nosso site e acompanhe as notícias recentes sobre os serviços que recomendamos. É difícil acompanhar o ritmo acelerado da internet, mas tentamos o nosso melhor. Se você detectar um erro, achar que um serviço não deve ser listado, notar que um serviço qualificado está faltando, acreditar que uma extensão de navegador não é mais a melhor escolha ou descobrir qualquer outro problema, informe-nos. diff --git a/i18n/pt-BR/kb-archive.md b/i18n/pt-BR/kb-archive.md new file mode 100644 index 00000000..9cb406b2 --- /dev/null +++ b/i18n/pt-BR/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Algumas páginas que costumavam estar em nossa base de conhecimento agora podem ser encontradas em nosso blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrando a remoção de metadados](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/pt-BR/meta/brand.md b/i18n/pt-BR/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/pt-BR/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/pt-BR/meta/git-recommendations.md b/i18n/pt-BR/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/pt-BR/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/pt-BR/meta/uploading-images.md b/i18n/pt-BR/meta/uploading-images.md new file mode 100644 index 00000000..7003af70 --- /dev/null +++ b/i18n/pt-BR/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Enviando Imagens +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Imagens + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Otimização + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. Salvar Arquivo Como.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/pt-BR/meta/writing-style.md b/i18n/pt-BR/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/pt-BR/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/pt-BR/mobile-browsers.md b/i18n/pt-BR/mobile-browsers.md new file mode 100644 index 00000000..84150da7 --- /dev/null +++ b/i18n/pt-BR/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Modo Somente HTTPS + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Firefox + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/pt-BR/multi-factor-authentication.md b/i18n/pt-BR/multi-factor-authentication.md new file mode 100644 index 00000000..9a8254ae --- /dev/null +++ b/i18n/pt-BR/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- O código-fonte deve estar publicamente disponível. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/pt-BR/news-aggregators.md b/i18n/pt-BR/news-aggregators.md new file mode 100644 index 00000000..2dad5ac0 --- /dev/null +++ b/i18n/pt-BR/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/pt-BR/notebooks.md b/i18n/pt-BR/notebooks.md new file mode 100644 index 00000000..19e867a3 --- /dev/null +++ b/i18n/pt-BR/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Blocos de Notas" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Mantenha o controle de suas anotações e registros de atividades sem entregá-los a terceiros. + +Se você estiver usando atualmente um aplicativo como Evernote, Google Keep, ou Microsoft OneNote, sugerimos que escolha uma alternativa que suporte E2EE. + +## Baseado na nuvem + +### Joplin + +!!! recommendation + + ![Logotipo Joplin](assets/img/notebooks/joplin.svg){ align=right } + + * *Joplin** é um aplicativo de anotações e tarefas gratuito, de código aberto e com todos os recursos que pode lidar com um grande número de anotações organizadas em blocos de anotações e tags. Ele oferece E2EE e pode sincronizar através do Nextcloud, Dropbox e muito mais. Oferece também uma importação fácil a partir do Evernote e notas de texto simples. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Política de privacidade" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Código fonte" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribua } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +O Joplin não suporta proteção por senha/PIN para o [próprio aplicativo ou notas e blocos de anotações individuais](https://github.com/laurent22/joplin/issues/289). No entanto, seus dados ainda são criptografados em trânsito e no local de sincronização usando sua chave mestra. Desde janeiro de 2023, Joplin suporta bloqueio de aplicativo por biometria no [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) e [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Logotipo do Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** é um aplicativo de notas simples e privado que torna suas notas fáceis e disponíveis em qualquer lugar que você esteja. Possui E2EE em todas as plataformas e uma poderosa experiência de desktop com temas e editores personalizados. Também foi [auditado independentemente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Política de privacidade" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Código fonte" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribua } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Criptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/pt-BR/os/android-overview.md b/i18n/pt-BR/os/android-overview.md new file mode 100644 index 00000000..d6eeef27 --- /dev/null +++ b/i18n/pt-BR/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Visão geral do Android +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Escolhendo uma Distribuição Android + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Evite Roteamento + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Atualizações de Firmware + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## Perfis de Usuário + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Perfil de Trabalho + +Os [Perfis de Trabalho](https://support.google.com/work/android/answer/6191949) são outra forma de isolar aplicações individuais e podem ser mais convenientes do que perfis de usuário separados. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/pt-BR/os/linux-overview.md b/i18n/pt-BR/os/linux-overview.md new file mode 100644 index 00000000..f2fc40aa --- /dev/null +++ b/i18n/pt-BR/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Recomendações gerais + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/pt-BR/os/qubes-overview.md b/i18n/pt-BR/os/qubes-overview.md new file mode 100644 index 00000000..ae4916df --- /dev/null +++ b/i18n/pt-BR/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Como funciona o Qubes OS? + +Qubes usa [compartimentação](https://www.qubes-os.org/intro/) para manter o sistema seguro. Os Qubes são criados a partir de modelos, sendo as predefinições para Fedora, Debian e [Whonix](../desktop.md#whonix). O Qubes OS também permite que você crie máquinas virtuais [descartáveis](https://www.qubes-os.org/doc/how-to-use-disposables/) de uso único. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Borda colorida](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Por Que Devo Usar Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Cópia e Colagem de Texto + +Você pode [copiar e colar texto](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) usando `qvm-copy-to-vm` ou as instruções abaixo: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionais + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Artigos Relacionados*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/pt-BR/passwords.md b/i18n/pt-BR/passwords.md new file mode 100644 index 00000000..d149e6b7 --- /dev/null +++ b/i18n/pt-BR/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Gerenciador de Senhas + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Gerenciador de Senhas + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Gerenciador de Senhas + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Gerenciador de Senhas + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Gerenciador de Senhas + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Gerenciador de Senhas + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Gerenciador de Senhas + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/pt-BR/productivity.md b/i18n/pt-BR/productivity.md new file mode 100644 index 00000000..2fd0637e --- /dev/null +++ b/i18n/pt-BR/productivity.md @@ -0,0 +1,156 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/pt-BR/real-time-communication.md b/i18n/pt-BR/real-time-communication.md new file mode 100644 index 00000000..68f9d767 --- /dev/null +++ b/i18n/pt-BR/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/pt-BR/router.md b/i18n/pt-BR/router.md new file mode 100644 index 00000000..6fae038a --- /dev/null +++ b/i18n/pt-BR/router.md @@ -0,0 +1,50 @@ +--- +title: "Firmware para Roteadores" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Abaixo estão alguns sistemas operacionais alternativos, que podem ser usados em roteadores, pontos de acesso Wi-Fi, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark. vg#only-dark){ align=right } + + **OpenWrt** é um sistema operacional baseado em Linux; ele é usado principalmente em dispositivos incorporados (embedded) para rotear o tráfego de rede. Inclui util-linux, uClibc e BusyBox. Todos os componentes foram otimizados para roteadores domésticos. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribuir } + +Você pode consultar a tabela [de hardware](https://openwrt.org/toh/start) do OpenWrt para verificar se o seu dispositivo é compatível. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** é uma plataforma de firewall e roteamento de código aberto baseada em FreeBSD que incorpora muitos recursos avançados, como modelagem de tráfego, balanceamento de carga e recursos de VPN, com muitos outros recursos disponíveis na forma de plugins. O OPNsense é comumente implantado como um firewall de perímetro, roteador, ponto de acesso wireless, servidor DHCP, servidor DNS e endpoint de VPN. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribuir } + +OPNsense foi originalmente desenvolvido como um fork do [pfSense](https://en.wikipedia.org/wiki/PfSense), e ambos os projetos são conhecidos por serem distribuições de firewall gratuitas e confiáveis que oferecem recursos frequentemente encontrados apenas em firewalls comerciais caros. Lançado em 2015, os desenvolvedores do OPNsense [citaram](https://docs.opnsense.org/history/thefork.html) uma série de problemas de segurança e qualidade de código com o pfSense. Assim, eles sentiram necessário criar um fork do projeto, além de terem preocupações sobre a aquisição majoritária do pfSense pela Netgate e a direção futura do projeto pfSense. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Deve ser de código aberto. +- Deve receber atualizações regulares. +- Must support a wide variety of hardware. diff --git a/i18n/pt-BR/search-engines.md b/i18n/pt-BR/search-engines.md new file mode 100644 index 00000000..392dd4db --- /dev/null +++ b/i18n/pt-BR/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Motores de busca" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + [brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search*** é desenvolvido pela Brave e serve resultados principalmente a partir do seu próprio índice independente. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Página inicial + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Requisitos Mínimos + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/pt-BR/tools.md b/i18n/pt-BR/tools.md new file mode 100644 index 00000000..ceb53fd1 --- /dev/null +++ b/i18n/pt-BR/tools.md @@ -0,0 +1,477 @@ +--- +title: "Ferramentas de Privacidade" +icon: material/tools +hide: + - toc +description: Privacy Guides é o site mais transparente e confiável para encontrar programas, aplicativos e serviços que protejam seus dados pessoais contra programas de vigilância em massa e outras ameaças da Internet. +--- + +Se você está procurando uma solução específica para algo, estas são as ferramentas de hardware e software que recomendamos em uma variedade de categorias. Nossas ferramentas de privacidade recomendadas são principalmente escolhidas com base em recursos de segurança, com ênfase adicional em ferramentas descentralizadas e de código aberto. São aplicáveis a uma variedade de modelos de ameaça que vão desde a proteção contra programas globais de vigilância em massa e evitar grandes empresas de tecnologia, até à atenuação de ataques, mas só você pode determinar o que funcionará melhor para as suas necessidades. + +Se estiver à procura de orientação para descobrir as melhores ferramentas de privacidade e programas alternativos para suas necessidades, inicie uma discussão em nosso [fórum](https://discuss.privacyguides.net/) ou em nossa comunidade [Matrix](https://matrix.to/#/#privacyguides:matrix.org)! + +Para mais detalhes sobre cada projeto, porque foram escolhidos, e dicas ou truques adicionais que recomendamos, clique no link "Saiba mais" em cada seção, ou clique na própria recomendação para ser levado a essa seção específica da página. + +## Rede Tor + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. O Snowflake não aumenta a privacidade, no entanto, permite que você contribua facilmente para a rede Tor e ajude as pessoas em redes censuradas a obter melhor privacidade. + +[Saiba mais :material-arrow-right-drop-circle:](tor.md) + +## Navegadores de Internet para Computador + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Recursos Adicionais + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Recursos Adicionais + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Sistemas Operacionais + +### Celular + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](android.md) + +#### Aplicativos Android + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](android.md#general-apps) + +### Computador/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](desktop.md) + +### Firmware para Roteadores + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](router.md) + +## Provedores de Serviços + +### Armazenamento em nuvem + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### Serviços DNS + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Saiba mais :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Soluções auto-hospedadas + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](email.md) + +#### Serviços de Disfarce de Email + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Nossos Critérios + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Serviços Financeiros + +#### Serviços de Disfarce de Pagamento + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Saiba mais :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Lojas de Vale-Presente Pré-Pago (Gift Card) + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Motores de Pesquisa + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](search-engines.md) + +### Serviços VPN + +??? perigo "VPNs não dão anonimato" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](vpn.md) + +## Programa (Software) + +### Agenda/Calendário Sincronizado + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](calendar.md) + +### Criptomoedas + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Edição de Dados e Metadados + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](data-redaction.md) + +### Clientes de Email + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](email-clients.md) + +### Softwares de Criptografia + +??? info "Criptografia de Disco do Sistema Operacional" + + Para criptografar sua unidade de disco do sistema operacional, normalmente recomendamos usar qualquer aplicativo de criptografia que seu sistema operacional forneça, seja **BitLocker** no Windows, **FileVault** no macOS ou **LUKS** no Linux. Esses programas vem com o sistema operacional e normalmente usam componentes de criptografia do equipamento físico (hardware), como o TPM, que outros programas de criptografia de disco completo, como o VeraCrypt, não usam. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/pt-BR/tor.md b/i18n/pt-BR/tor.md new file mode 100644 index 00000000..17a39e95 --- /dev/null +++ b/i18n/pt-BR/tor.md @@ -0,0 +1,126 @@ +--- +title: "Rede Tor" +icon: simple/torproject +description: Proteja a sua navegação na Internet de olhares curiosos utilizando a rede Tor, uma rede segura que contorna a censura. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +A rede **Tor** é um grupo de servidores operados por voluntários que permite que você se conecte gratuitamente para melhorar a sua privacidade e segurança na Internet. Os indivíduos e organizações também podem compartilhar informações através da rede Tor com "serviços ocultos .onion", sem comprometer sua privacidade. Como o tráfego do Tor é difícil de bloquear e rastrear, o Tor é uma ferramenta eficaz para contornar a censura. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +O Tor funciona roteando seu tráfego de internet através desses servidores operados por voluntários, em vez de fazer uma conexão direta com o site que você está tentando visitar. Isto esconde de onde vem o tráfego, e nenhum servidor no caminho de conexão consegue ver toda a trajetória de onde o tráfego vem e para onde vai, isto significa que mesmo os servidores que você está usando para conectar não podem quebrar seu anonimato. + +[Detalhes do Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Conectando-se ao Tor + +Existem várias maneiras de se conectar à rede Tor a partir do seu dispositivo, a mais usada é o **Navegador Tor**, um garfo do Firefox projetado para navegação anônima em computadores e em celulares Android. Além dos aplicativos listados abaixo, também existem sistemas operacionais projetados especificamente para se conectar à rede Tor, como [Whonix](desktop.md#whonix) no [Qubes OS](desktop.md#qubes-os), que proporcionam ainda mais segurança e proteção do que o tradicional Navegador Tor. + +### Navegador Tor + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + O **Navegador Tor** é a melhor opção se você quer anonimato, pois ele fornece acesso à rede Tor e pontes, e inclui configurações padrão e extensões que são configuradas automaticamente pelos níveis de segurança: *Padrão*, *Mais seguro* e *O Mais Seguro*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + Você nunca deve instalar outras extensões no Navegador Tor ou editar as configurações em `about:config`, incluindo as que sugerimos para o Firefox. downloads + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Fonte](https://hg.mozilla.org/mozilla-central) + +Este navegador dá acesso às Pontes Tor (Tor Bridges) e a \[Rede Tor\](https://en.wikipedia.org/wiki/Tor_(rede)), juntamente com extensões que podem ser configuradas automaticamente para se adaptarem aos três níveis de segurança propostos - *Standard*, *Safer* e *Safest*. Portanto, é importante que você **não** modifique o navegador fora dos [níveis de segurança disponíveis](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![logótipo Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** é uma VPN Tor gratuita para celulares que encaminha o tráfego de qualquer aplicativo no seu dispositivo através da Rede Tor. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +Antes, recomendávamos habilitar a opção *"Isolar os endereços de destino"* (Isolate Destination Address) nas configurações do Orbot. Embora essa configuração possa, teoricamente, melhorar a privacidade, impondo o uso de um circuito diferente para cada endereço IP ao qual você se conecta, ela não fornece uma vantagem prática para a maioria dos aplicativos (especialmente a navegação na Internet), podendo vir com uma significativa perda de desempenho, e aumento da sobrecarga na rede Tor. Nós não mais recomendamos que você mude esta configuração do seu valor padrão, a menos que você saiba que precisa disso.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot costuma estar desatualizado no [repositório F-Droid, do Projeto Guardian](https://guardianproject.info/fdroid) e na [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), então, considere baixar diretamente do [repositório GitHub](https://github.com/guardianproject/orbot/releases) em vez disso. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: A configuração `"Isolar os endereços de destino"` (IsolateDestAddr) é discutida na [lista de e-mails do Tor](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) e na documentação ["Whonix's Stream Isolation"](https://www.whonix.org/wiki/Stream_Isolation), onde ambos os projetos sugerem que, normalmente, essa não é uma boa opção para a maioria das pessoas. diff --git a/i18n/pt-BR/video-streaming.md b/i18n/pt-BR/video-streaming.md new file mode 100644 index 00000000..8f8ebd0b --- /dev/null +++ b/i18n/pt-BR/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! recommendation + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/pt-BR/vpn.md b/i18n/pt-BR/vpn.md new file mode 100644 index 00000000..6568ce94 --- /dev/null +++ b/i18n/pt-BR/vpn.md @@ -0,0 +1,328 @@ +--- +title: "Serviços de VPN" +icon: material/vpn +description: Estes são os melhores serviços VPN para proteger sua privacidade e segurança on-line. Encontre aqui um provedor que não tem como objetivo espionar você. +--- + +Se você está procurando mais **privacidade** do seu ISP, em uma rede Wi-Fi pública, ou ao fazer torrent de arquivos, uma VPN pode ser a solução para você, desde que entenda os riscos envolvidos. Nós entendemos que estes provedores estão acima dos demais: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "As VPNs não proporcionam anonimato" + + Usar uma VPN **não** manterá seus hábitos de navegação anônimos, nem adicionará segurança ao tráfego não seguro (HTTP). + + Se você está procurando por **anonimato**, você deve usar o Navegador Tor **ao invés de ** de uma VPN. + + Se você está procurando por * * segurança * * adicional, você sempre deve verificar se está se conectando a sites que usam HTTPS. Uma VPN não substitui boas práticas de segurança. + + [Baixar Tor Browser](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos sobre o Tor Browser & FAQ](advanced/tor-overview.md){ .md-button } + +[Detalhes sobre VPNs :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Provedores Recomendados + +Nossos fornecedores recomendados usam encriptação, aceitam Monero, suportam WireGuard e OpenVPN, e têm uma política de não-rastreamento. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. A IVPN está sediada em Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. +{ .annotate } + +1. Última verificação: 16-09-2022 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. +{ .annotate } + +1. Última verificação: 16-09-2022 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad suporta o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! anotar recomendação + + ![Logomarca ProtonVPN](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** é um forte concorrente no espaço VPN, e estão em funcionamento desde 2016. Proton AG está sediada na Suíça e oferece um plano gratuito limitado, bem como uma opção paga com mais recursos. + + [:octicons-home-16: Página Inicial](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Política de Privacidade" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentação} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Código Fonte" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto deve-se a um caminho mais curto (menos pulos) até ao destino. +{ .annotate } + +1. Última verificação: 16-09-2022 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Em Janeiro de 2020, ProtonVPN foi submetida a uma auditoria independente pela SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN suporta principalmente o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! aviso + Você **nunca** deve instalar quaisquer extensões adicionais no Tor Browser, incluindo as que sugerimos para o Firefox. + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Não confie somente numa política de "não-rastreamento". + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Criptomoeda anônima](cryptocurrency.md) **ou** opção de pagamento em dinheiro. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Aceita múltiplas [opções de pagamento anônimas](advanced/payments.md). +- Nenhuma informação pessoal é aceita (nome de usuário gerado automaticamente, nenhum e-mail necessário, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/pt/404.md b/i18n/pt/404.md new file mode 100644 index 00000000..cdd20ee4 --- /dev/null +++ b/i18n/pt/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Não Encontrado + +Não conseguimos encontrar a página que procura! Talvez esteja à procura de alguma destas? + +- [Introdução à Modelação de Ameaças](basics/threat-modeling.md) +- [Provedores de DNS Recomendados](dns.md) +- [Melhores Navegadores da Web para Computadores](desktop-browsers.md) +- [Melhores Provedores de VPN](vpn.md) +- [Fórum do Privacy Guides](https://discuss.privacyguides.net) +- [O Nosso Blogue](https://blog.privacyguides.org) diff --git a/i18n/pt/CODE_OF_CONDUCT.md b/i18n/pt/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/pt/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/pt/about/criteria.md b/i18n/pt/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/pt/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/pt/about/donate.md b/i18n/pt/about/donate.md new file mode 100644 index 00000000..08986f13 --- /dev/null +++ b/i18n/pt/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Apoiar-nos +--- + + +São precisas muitas [pessoas](https://github.com/privacyguides/privacyguides.org/graphs/contributors) e muito [trabalho](https://github.com/privacyguides/privacyguides.org/pulse/monthly) para manter o Privacy Gudes atualizado e a divulgar informações sobre privacidade e vigilância em massa. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Se quiser apoiar-nos financeiramente, o método mais conveniente para nós são contribuições através do Open Collective, um website operado pelo nosso anfitrião fiscal. O Open Collective aceita pagamentos através de cartão de crédito/débito, PayPal e transferências bancárias. + +[Doar no OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. Irá receber um recibo da Open Collective Foundation após a doação. O Privacy Guides não fornece aconselhamento financeiro. Como tal, deverá consultar um contablista para determinar se está abrangido pelo regime. + +Se já utiliza os patrocínios do GitHub, pode também patrocinar a nossa organização por lá. + +[Patrocine-nos no GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Contribuidores + +Um agradecimento especial a todos aqueles que apoiam a nossa missão! :heart: + +*Nota: Esta secção carrega um widget diretamente do Open Collective. Esta secção não reflete donativos feitos por fora do Open Collective e nós não temos controlo sobre os doadores específicos que são destacados nesta seção.* + + + +## Como usamos os donativos + +O Privacy Guides é uma organização **sem fins lucrativos**. Utilizamos os donativos que recebemos para uma variedade de propósitos, entre eles: + +**Registos de Domínio** +: + +Temos alguns domínios tais como o `privacyguides.org`, que nos custam aproximadamente 10 USD para manter o seu registo. + +**Alojamento Web** +: + +O tráfego para este website usa centenas de gigabytes de dados por mês. Nós usamos vários provedores de serviço para lidar com este tráfego. + +**Serviços Online** +: + +Nós alojamos [ serviços na internet ](https://privacyguides.net) para teste e demonstração de diferentes produtos de privacidade que gostamos e [recomendamos](../tools.md). Alguns deles são disponibilizados publicamente para uso da nossa comunidade (SearXNG, Tor, etc.) e alguns são para uso dos membros da nossa equipa (e-mail, etc.). + +**Compras de Produtos** +: + +Ocasionamente adquirimos produtos e serviços com o propósito de testar as nossas [ferramentas recomendadas](../tools.md). + +Ainda estamos a trabalhar com o nosso anfitrião fiscal (a Open Collective Foundation) para receber donativos em criptomoeda, neste momento a contabilidade não é viável para muitas transacções mais pequenas, mas isso deverá mudar no futuro. Entretanto, se desejar fazer um donativo considerável em criptomoeda (> 100 USD), por favor contacte [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/pt/about/index.md b/i18n/pt/about/index.md new file mode 100644 index 00000000..5f0f6fcd --- /dev/null +++ b/i18n/pt/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. Você **não pode** utilizar a marca Privacy Guides no seu próprio projecto sem a aprovação expressa deste projecto. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/pt/about/notices.md b/i18n/pt/about/notices.md new file mode 100644 index 00000000..51799d17 --- /dev/null +++ b/i18n/pt/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Aviso Legal + +O Privacy Guides não é um escritório de advocacia. Como tal, o website Privacy Guides e os seus colaboradores não estão a prestar aconselhamento jurídico. O material e as recomendações do nosso website e guias não constituem aconselhamento legal nem contribuem para o website ou comunicam com Guias de Privacidade ou outros colaboradores sobre o nosso website criam uma relação advogado-cliente. + +Gerir este website, como qualquer esforço humano, envolve incerteza e contrapartidas. Esperamos que este site ajude, mas ele pode incluir erros e não pode resolver todas as situações. Se você tiver alguma dúvida sobre sua situação, nós o encorajamos a fazer sua própria pesquisa, procurar outros especialistas e participar de discussões com a comunidade do Privacy Guides. Se você tiver alguma questão legal, você deve consultar seu próprio advogado antes de seguir adiante. + +O Privacy Guides é um projeto de código aberto para o qual contribuíram sob licenças que incluem termos que, para a proteção do website e seus colaboradores, deixam claro que o projeto Privacy Guides e o website é oferecido "como está", sem garantia, e isentando-se de responsabilidade por danos resultantes da utilização do website ou de quaisquer recomendações contidas no mesmo. Os Guias de Privacidade não garantem ou fazem quaisquer declarações relativas à precisão, resultados prováveis ou fiabilidade do uso dos materiais no site ou de qualquer outra forma relacionados com tais materiais no site ou em quaisquer sites de terceiros ligados a este site. + +Além disso, os Guias de Privacidade não garantem que este website esteja constantemente disponível, ou disponível de todo. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Isto não inclui código de terceiros embutido neste repositório, ou código onde uma licença substituta é de outra forma anotada. Os exemplos a seguir são notáveis, mas esta lista pode não incluir tudo: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Isto significa que você pode usar o conteúdo legível por humanos neste repositório para seu próprio projeto, de acordo com os termos descritos no CC0 1.0 Texto Universal. Você **não pode** utilizar a marca Privacy Guides no seu próprio projecto sem a aprovação expressa deste projecto. As marcas registradas da Privacy Guides incluem a palavra-chave "Privacy Guides" e o logotipo do escudo. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Acreditamos que os logotipos e outras imagens em `activos` obtidos de fornecedores terceiros são de domínio público ou **uso justo**. Em resumo, legal [doutrina de uso justo](https://en.wikipedia.org/wiki/Fair_use) permite o uso de imagem protegida por direitos autorais, a fim de identificar o assunto para fins de comentário público. No entanto, estes logotipos e outras imagens podem ainda estar sujeitos às leis de marcas em uma ou mais jurisdições. Antes de usar este conteúdo, certifique-se de que ele é usado para identificar a entidade ou organização que possui a marca registrada e que você tem o direito de usá-lo sob as leis que se aplicam nas circunstâncias de seu uso pretendido. *Ao copiar conteúdo deste site, você é o único responsável por garantir que não infrinja a marca registrada ou os direitos autorais de outra pessoa.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Utilização aceitável + +Você não pode usar este website de nenhuma forma que cause ou possa causar danos ao website ou prejudicar a disponibilidade ou acessibilidade dos Guias de Privacidade, ou de qualquer forma que seja ilegal, ilegal, fraudulenta, prejudicial, ou em conexão com qualquer propósito ou atividade ilegal, ilegal, fraudulenta, ou prejudicial. + +Você não deve conduzir nenhuma atividade sistemática ou automatizada de coleta de dados neste website ou em relação a ele sem o consentimento expresso por escrito da Aragon Ventures LLC, incluindo: + +* Varreduras Automatizadas Excessivas +* Ataques de Negação de Serviço +* Raspagem +* Mineração de dados +* "Enquadramento" (IFrames) + +--- + +*Partes deste aviso em si foram adotadas de [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) no GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/pt/about/privacy-policy.md b/i18n/pt/about/privacy-policy.md new file mode 100644 index 00000000..7a165f69 --- /dev/null +++ b/i18n/pt/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Política de Privacidade" +--- + +O Privacy Guides é um projeto comunitário operado por uma série de colaboradores voluntários ativos. A lista pública de membros da equipe [pode ser encontrada no GitHub](https://github.com/orgs/privacyguides/people). + +## Quem são os Guias de Privacidade? + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- Quando você navega em um site, fórum ou outro serviço de Guias de Privacidade. +- No information such as cookies are stored in the browser +- Quando você postar, enviar mensagens privadas ou participar de qualquer outra forma de um serviço de Guias de Privacidade. +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Como é que os Guias de Privacidade recolhem dados sobre mim? + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +Dados brutos como páginas visitadas, IPs de visitantes anonimizados e ações de visitantes serão retidos por 60 dias. Em circunstâncias especiais - tais como investigações prolongadas relativas a um ataque técnico - podemos preservar os dados registados por períodos mais longos para análise. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Que páginas você visita, +- O seu endereço IP anonimizado: Nós anonimizamos os últimos 3 bytes do seu IP, por exemplo 192.xxx.xxx.xxx.xxx. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +Usamos os dados da sua conta para identificá-lo no site e para criar páginas específicas para você, como a sua página de perfil. Também utilizaremos os dados da sua conta para publicar um perfil público para você em nossos serviços. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Que dados você coleta e por quê? + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Administrador de Serviços, Aragon Ventures LLC +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Com quem é que os meus dados são partilhados? + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/pt/about/privacytools.md b/i18n/pt/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/pt/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/pt/about/services.md b/i18n/pt/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/pt/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/pt/about/statistics.md b/i18n/pt/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/pt/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/pt/advanced/communication-network-types.md b/i18n/pt/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/pt/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/pt/advanced/dns-overview.md b/i18n/pt/advanced/dns-overview.md new file mode 100644 index 00000000..1a63dc47 --- /dev/null +++ b/i18n/pt/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +O [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) é a 'lista telefónica da Internet'. DNS traduz nomes de domínio para [IP](https://en.wikipedia.org/wiki/Internet_Protocol) endereços para que os navegadores e outros serviços possam carregar recursos da Internet, através de uma rede descentralizada de servidores. + +## O que é DNS? + +Quando você visita um site, um endereço numérico é devolvido. Por exemplo, quando você visita `privacyguides.org`, o endereço `192.98.54.105` é retornado. + +O DNS existe desde o [dos primeiros dias](https://en.wikipedia.org/wiki/Domain_Name_System#History) da Internet. Os pedidos DNS feitos para e dos servidores DNS são **não** geralmente encriptados. Em uma configuração residencial, um cliente recebe servidores pelo [ISP](https://en.wikipedia.org/wiki/Internet_service_provider) via [Dynamic Host Configuration Protocol (DHCP)](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Os pedidos DNS não encriptados são capazes de ser facilmente **surveilled** e **modificados** em trânsito. Em algumas partes do mundo, os ISPs são solicitados a fazer [filtragem DNS](https://en.wikipedia.org/wiki/DNS_blocking). Quando um usuário solicita o IP de um domínio que está bloqueado, o servidor pode não responder ou pode responder com um endereço IP diferente. Como o protocolo DNS não é criptografado, o ISP (ou qualquer operador de rede) pode usar [deep packet inspection (DPI)](https://en.wikipedia.org/wiki/Deep_packet_inspection) para monitorar as solicitações. Os ISPs também podem bloquear pedidos com base em características comuns, independentemente do servidor DNS utilizado. DNS não encriptado usa sempre [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 e usa sempre o [User Datagram Protocol (UDP)](https://en.wikipedia.org/wiki/User_Datagram_Protocol). + +Abaixo, discutimos e fornecemos um tutorial para provar o que um observador externo pode ver usando DNS regular não criptografado e [DNS criptografado](#what-is-encrypted-dns). + +### DNS não criptografado + +1. Usando [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (parte do [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) podemos monitorar e gravar o fluxo de pacotes da Internet. Este comando registra os pacotes que atendem às regras especificadas: + + ```bash + tshark -w /tmp/dns.pcap udp porto 53 e host 1.1.1.1 ou host 8.8.8.8 + ``` + +2. Podemos então usar [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) ou [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) para enviar a pesquisa DNS para ambos os servidores. Software como navegadores web fazem estas pesquisas automaticamente, a menos que estejam configurados para usar [DNS encriptado](#what-is-encrypted-dns). + + === "Linux, macOS" + + ``` + dig noall answer privacyguides.org @1.1.1.1.1 + dig noall answer privacyguides.org @8.8.8.8 + ``` + ==== "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. A seguir, queremos [analisar](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) os resultados: + + ==== "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +Se você executar o comando Wireguard acima, o painel superior mostra o "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", e o painel inferior mostra todos os dados sobre o frame selecionado. Soluções de filtragem e monitoramento empresarial (como as adquiridas pelos governos) podem fazer o processo automaticamente, sem interação humana, e podem agregar esses quadros para produzir dados estatísticos úteis para o observador da rede. + +| Não. | Hora | Fonte | Destino | Protocolo | Comprimento | Informações | +| ---- | -------- | --------- | --------- | --------- | ----------- | -------------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Consulta padrão 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Resposta de consulta padrão 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Consulta padrão 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Resposta de consulta padrão 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +Um observador pode modificar qualquer um destes pacotes. + +## O que é "DNS criptografado"? + +DNS criptografado pode se referir a um de vários protocolos, sendo os mais comuns: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) foi um dos primeiros métodos de encriptação de consultas DNS. O [protocolo](https://en.wikipedia.org/wiki/DNSCrypt#Protocol) opera em [porta 443](https://en.wikipedia.org/wiki/Well-known_ports) e funciona tanto com o [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) ou [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) protocolos de transporte. DNSCrypt nunca foi submetido ao processo [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nem foi submetido ao processo [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) , portanto não tem sido usado amplamente fora de alguns [implementações](https://dnscrypt.info/implementations). Como resultado, foi amplamente substituído pelo mais popular [DNS sobre HTTPS (DoH)](#dns-over-https-doh). + +### DNS sobre TLS (DoT) + +[**DNS sobre TLS (DoT)**](https://en.wikipedia.org/wiki/DNS_over_TLS) é outro método para encriptar a comunicação DNS que é definida em [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). O suporte foi implementado inicialmente em [Android 9](https://en.wikipedia.org/wiki/Android_Pie), [iOS 14](https://en.wikipedia.org/wiki/IOS_14), e no Linux em [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) na versão 237. A preferência na indústria tem se afastado do DoT para [DNS sobre HTTPS](#dns-over-https-doh) nos últimos anos, pois o DoT é um [protocolo complexo](https://dnscrypt.info/faq/) e tem conformidade variável com a RFC nas implementações que existem. DoT também opera em uma porta dedicada 853 e que pode ser facilmente bloqueada por firewalls restritivos. + +### DNS sobre HTTPS (DoH) + +[**DNS sobre HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) como definido em [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) consultas de pacotes no protocolo [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) e fornece segurança com [HTTPS](https://en.wikipedia.org/wiki/HTTPS). O suporte foi adicionado pela primeira vez em navegadores web como [Firefox 60](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) e [Chrome 83](https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html). + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## O que é que uma festa exterior pode ver? + +Neste exemplo vamos registar o que acontece quando fazemos um pedido DoH: + +1. Primeiro, iniciar `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https e host 1.1.1.1" + ``` + +2. Segundo, faça um pedido com `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. Após fazer o pedido, podemos parar a captura de pacotes com CTRL C. + +4. Analisar os resultados em Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +Podemos ver o estabelecimento de conexão [e](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) e [aperto de mão TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) que ocorre com qualquer conexão criptografada. Ao olhar para os pacotes de "dados de aplicação" que se seguem, nenhum deles contém o domínio que solicitamos ou o endereço IP devolvido. + +## Porque **não deveria** Eu uso DNS encriptado? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). Fazemos **não** sugerimos o uso de DNS criptografado para este fim. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. Se você estiver usando uma VPN, você deve usar os servidores DNS da sua VPN. Ao utilizar uma VPN, já está a confiar-lhes toda a sua actividade na rede. + +Quando fazemos uma pesquisa DNS, geralmente é porque queremos aceder a um recurso. Abaixo, discutiremos alguns dos métodos que podem revelar as suas actividades de navegação mesmo quando utiliza DNS encriptado: + +### Endereço IP + +A maneira mais simples de determinar a atividade de navegação pode ser olhar para os endereços IP que seus dispositivos estão acessando. Por exemplo, se o observador sabe que `privacyguides.org` está em `198.98.54.105`, e o seu dispositivo está solicitando dados de `198.98.54.105`, há uma boa chance de você estar visitando os Guias de Privacidade. + +Este método só é útil quando o endereço IP pertence a um servidor que só hospeda poucos sites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). Também não é muito útil se o servidor estiver hospedado atrás de um [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), o que é muito comum na Internet moderna. + +### Indicação do nome do servidor (SNI) + +A indicação do nome do servidor é normalmente usada quando um endereço IP hospeda muitos sites. Este pode ser um serviço como o Cloudflare, ou algum outro [ataque de negação de serviço](https://en.wikipedia.org/wiki/Denial-of-service_attack) protecção. + +1. Comece a capturar novamente com `tshark`. Adicionamos um filtro com nosso endereço IP para que você não capture muitos pacotes: + + ```bash + tshark -w /tmp/pg.pcap porto 443 e host 198.98.54.105 + ``` + +2. Depois visitamos [https://privacyguides.org](https://privacyguides.org). + +3. Depois de visitar o site, nós o que parar a captura de pacotes com CTRL C. + +4. A seguir queremos analisar os resultados: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + Veremos o [estabelecimento de conexão](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), seguido pelo [aperto de mão TLS](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) para o site Guias de Privacidade. Em redor da moldura 5. verás um "Olá Cliente". + +5. Expandir o triângulo ▸ ao lado de cada campo: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Protocolo de Aperto de Mãos: Cliente Olá + ▸ Protocolo de Aperto de Mãos: Cliente Olá + ▸ Extensão: Server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. Podemos ver o [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) valor que revela o site que estamos visitando. O comando `tshark` pode dar-lhe o valor directamente para todos os pacotes que contenham um valor SNI: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +Isto significa que mesmo que estejamos usando servidores DNS "Encriptados", o domínio provavelmente será divulgado através do SNI. O protocolo [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) traz consigo [Cliente Encriptado Olá](https://blog.cloudflare.com/encrypted-client-hello/), o que evita este tipo de fuga. + +Governos, em particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) e [Rússia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), ou já [começaram a bloquear](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) ou manifestaram o desejo de o fazer. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. Isto porque o [QUIC](https://en.wikipedia.org/wiki/QUIC) protocolo que faz parte do HTTP/3 requer que `ClientHello` também seja criptografado. + +### Protocolo de Status de Certificado Online (OCSP) + +Outra forma do seu navegador poder divulgar suas atividades de navegação é com o [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. Isto geralmente é feito através do protocolo [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) , significando que é **não** encriptado. + +O pedido OCSP contém o certificado "[número de série](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", que é único. Ele é enviado ao "OCSP respondedor" para verificar o seu estado. + +Podemos simular o que um navegador faria usando o comando [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) . + +1. Obtenha o certificado do servidor e use [`sed`](https://en.wikipedia.org/wiki/Sed) para manter apenas a parte importante e escrevê-la em um arquivo: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Obter o certificado intermediário. [Autoridades Certificadoras (AC)](https://en.wikipedia.org/wiki/Certificate_authority) normalmente não assinam um certificado diretamente; eles usam o que é conhecido como certificado "intermediário". + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. O primeiro certificado em `pg_and_intermediate.cert` é na verdade o certificado do servidor do passo 1. Podemos usar `sed` novamente para apagar até a primeira instância de TERMINAR: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Obtenha o OCSP respondedor para o certificado do servidor: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + O nosso certificado mostra o Lets Encrypt Responder ao certificado. Se quisermos ver todos os detalhes do certificado, podemos usar: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Comece a captura do pacote: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http + ``` + +6. Faça o pedido OCSP: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Abra a captura: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". Para o "Request" podemos ver o "serial number", expandindo o triângulo ▸ ao lado de cada campo: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ request + ▸ reqCert + serialNumber + ``` + + Para a "Resposta" também podemos ver o "número de série": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ Respostas Simples + ▸ certID + serialNumber + ``` + +8. Ou use `tshark` para filtrar os pacotes para o Número de Série: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +Se o observador da rede tiver o certificado público, que está disponível publicamente, ele pode fazer corresponder o número de série com esse certificado e, portanto, determinar o site que você está visitando a partir daí. O processo pode ser automatizado e pode associar endereços IP com números de série. Também é possível verificar [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs para o número de série. + +## Devo utilizar DNS encriptado? + +Nós fizemos este fluxograma para descrever quando você *deve* usar DNS criptografado: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN ou Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacidade --> | Yes | vpnOrTor + privacidade --> | No | obnoxious{ISP makes
obnoxious
redirecciona?} + obnóxio --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnóxio --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
DNS encriptado
com ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[Lista de servidores DNS recomendados](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## O que é a minimização do QNAME? + +Um QNAME é um "nome qualificado", por exemplo `privacyguides.org`. A minimização do QNAME reduz a quantidade de informação enviada do servidor DNS para o [servidor de nomes autorizado](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Em vez de enviar o domínio inteiro `privacyguides.org`, a minimização do QNAME significa que o servidor DNS irá pedir todos os registos que terminem em `.org`. Descrição técnica adicional é definida em [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## O que é a Sub-Rede do Cliente EDNS (ECS)? + +O [subrede do cliente EDNS](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) é um método para um resolvedor DNS recursivo para especificar um [sub-rede](https://en.wikipedia.org/wiki/Subnetwork) para o [host ou cliente](https://en.wikipedia.org/wiki/Client_(computing)) que está fazendo a consulta DNS. + +O objectivo é "acelerar" a entrega de dados, dando ao cliente uma resposta que pertence a um servidor que lhes está próximo, tal como um [content delivery network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network), que são frequentemente utilizados em streaming de vídeo e em aplicações web JavaScript. + +Este recurso tem um custo de privacidade, pois informa ao servidor DNS algumas informações sobre a localização do cliente. diff --git a/i18n/pt/advanced/payments.md b/i18n/pt/advanced/payments.md new file mode 100644 index 00000000..9d974bff --- /dev/null +++ b/i18n/pt/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/pt/advanced/tor-overview.md b/i18n/pt/advanced/tor-overview.md new file mode 100644 index 00000000..9c115a83 --- /dev/null +++ b/i18n/pt/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Recursos Adicionais + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/pt/android.md b/i18n/pt/android.md new file mode 100644 index 00000000..c94ec2f0 --- /dev/null +++ b/i18n/pt/android.md @@ -0,0 +1,438 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Perfis de usuário + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Perfil de trabalho + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Bota Verificada + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: VPN Killswitch + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +Notavelmente, o GrapheneOS suporta [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Os Serviços Google Play podem ser executados como um aplicativo de usuário regular e contidos em um perfil de trabalho ou usuário [perfil](/android/#android-security-privacy) de sua escolha. + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Derivados AOSP + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS*** é a melhor escolha quando se trata de privacidade e segurança. GrapheneOS fornece [endurecimento adicional de segurança](https://en.wikipedia.org/wiki/Hardening_(computação)) e melhorias na privacidade. + +### GrapheneOS + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Os dispositivos de "suporte estendido" da GrapheneOS não possuem patches de segurança completos (atualizações de firmware) devido à descontinuação do suporte por parte do fabricante do equipamento original (OEM). + + Estes dispositivos não podem ser considerados completamente seguros. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### CalyxOS + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo CalyxOS](/assets/img/android/calyxos.svg){ align=right } + + **CalyxOS*** é uma alternativa decente ao GrapheneOS. + Possui alguns recursos de privacidade no topo do AOSP, incluindo [Datura firewall](https://calyxos.org/docs/tech/datura-details), [Signal](https://signal.org) integração no aplicativo discador, e um botão de pânico embutido. CalyxOS também vem com atualizações de firmware e compilações assinadas, portanto [boot verificado](https://source.android.com/security/verifiedboot) é totalmente suportado. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Recursos de segurança e privacidade do Android + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### DivestOS + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![DivestOS logo](/assets/img/android/divestos.svg){ align=right } + + **DivestOS** é um [soft-fork](https://en.wikipedia.org/wiki/Fork_(software_development)#Forking_of_free_and_open-source_software) de [LineageOS](https://lineageos.org/). + + DivestOS herda muitos [dispositivos suportados](https://divestos.org/index.php?page=devices&base=LineageOS) do LineageOS. + + Ele assinou builds, tornando possível ter [boot verificado](https://source.android.com/security/verifiedboot) em alguns dispositivos não-Pixel. + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## Aplicações recomendadas + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Perfis de usuário + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + DivestOS atualização de firmware [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) varia entre os dispositivos que suporta. + + Para telefones Pixel, ainda recomendamos o uso de GrapheneOS ou CalyxOS. + + Para outros dispositivos suportados, o DivestOS é uma boa alternativa. downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + ![logo Orbot](/assets/img/android/orbot.svg){ align=right } + + **Orbot** é um aplicativo proxy gratuito que roteia suas conexões através da Rede Tor. + + [Visite orbot.app](https://orbot.app/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid) + - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot) + - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot) + +### Perfil de trabalho + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Orbot está frequentemente desatualizado no [repositório F-Droid](https://guardianproject.info/fdroid) e [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) do Projeto Guardian, então considere fazer o download diretamente do [repositório GitHub](https://github.com/guardianproject/orbot). Todas as versões são assinadas usando a mesma assinatura, portanto devem ser compatíveis umas com as outras. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Bota Verificada + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logotipo do Abrigo](/assets/img/android/shelter.svg){ align=right } + + **Shelter** é um aplicativo que ajuda você a aproveitar o perfil de trabalho do Android para isolar outros aplicativos. O Shelter suporta o bloqueio de busca de contatos entre perfis e compartilhamento de arquivos entre perfis através do gerenciador de arquivos padrão ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Como CalyxOS inclui um controlador de dispositivos, recomendamos o uso de seu perfil de trabalho embutido. + + Recomenda-se um abrigo sobre [Insular](https://secure-system.gitlab.io/Insular/) e [Island](https://github.com/oasisfeng/island) pois suporta [bloqueio de busca de contatos](https://secure-system.gitlab.io/Insular/faq.html). If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### VPN Killswitch + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logótipo do auditor](/assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](/assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** é um aplicativo que utiliza recursos de segurança de hardware para fornecer monitoramento de integridade de dispositivos para [dispositivos suportados](https://attestation.app/about#device-support). Atualmente trabalha com GrapheneOS e com o sistema operacional de estoque do dispositivo. [Visite attestation.app](https://attestation.app){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor) + - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Auditor) + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### Alternativas Globais + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Orbot + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Secure camera logo](/assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](/assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** é um aplicativo de câmera focado em privacidade e segurança que pode capturar imagens, vídeos e códigos QR. + + As extensões do fornecedor CameraX (Portrait, HDR, Night Sight Sight, Face Retouch e Auto) também são suportadas nos dispositivos disponíveis. [Visite github.com](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:fontawesome-brands-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Abrigo + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### Droid-ify + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### Auditor + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Software + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/pt/assets/img/account-deletion/exposed_passwords.png b/i18n/pt/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/pt/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/pt/assets/img/android/rss-apk-dark.png b/i18n/pt/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/pt/assets/img/android/rss-apk-light.png b/i18n/pt/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-apk-light.png differ diff --git a/i18n/pt/assets/img/android/rss-changes-dark.png b/i18n/pt/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/pt/assets/img/android/rss-changes-light.png b/i18n/pt/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/pt/assets/img/android/rss-changes-light.png differ diff --git a/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-encryption.svg b/i18n/pt/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg b/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/how-tor-works/tor-path.svg b/i18n/pt/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/pt/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/pt/assets/img/multi-factor-authentication/fido.png b/i18n/pt/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/pt/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/pt/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/pt/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/pt/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/pt/basics/account-creation.md b/i18n/pt/basics/account-creation.md new file mode 100644 index 00000000..87b8b03a --- /dev/null +++ b/i18n/pt/basics/account-creation.md @@ -0,0 +1,82 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/pt/basics/account-deletion.md b/i18n/pt/basics/account-deletion.md new file mode 100644 index 00000000..aef13b8d --- /dev/null +++ b/i18n/pt/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Provedores de VPN + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/pt/basics/common-misconceptions.md b/i18n/pt/basics/common-misconceptions.md new file mode 100644 index 00000000..f5bc7733 --- /dev/null +++ b/i18n/pt/basics/common-misconceptions.md @@ -0,0 +1,95 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/pt/basics/common-threats.md b/i18n/pt/basics/common-threats.md new file mode 100644 index 00000000..bdb3b2de --- /dev/null +++ b/i18n/pt/basics/common-threats.md @@ -0,0 +1,151 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/pt/basics/email-security.md b/i18n/pt/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/pt/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/pt/basics/multi-factor-authentication.md b/i18n/pt/basics/multi-factor-authentication.md new file mode 100644 index 00000000..e9400dc1 --- /dev/null +++ b/i18n/pt/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'O uso de AMF forte pode parar mais de 99% dos acessos não autorizados à conta, e é fácil de configurar nos serviços que você já usa.' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +A idéia por trás do AMF é que mesmo que um hacker (ou adversário) seja capaz de descobrir sua senha (algo que você *sabe*), eles ainda precisarão de um dispositivo que você possui como o seu telefone (algo que você *tem*), a fim de gerar o código necessário para entrar na sua conta. Os métodos de AMF variam na segurança com base nesta premissa: quanto mais difícil for para um atacante ter acesso ao seu método AMF, melhor. + +Receber códigos de **SMS** ou **email** são uma das formas mais fracas de proteger as suas contas com AMF. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## Comparação do Método AMF + +### SMS ou e-mail MFA + +**Notificações Push** assume a forma de uma mensagem a ser enviada para um aplicativo no seu telefone pedindo-lhe para confirmar novos logins de conta. Este método é muito melhor que SMS ou e-mail, uma vez que um atacante normalmente não seria capaz de receber estas notificações push sem ter um dispositivo já conectado, o que significa que eles precisariam comprometer um dos seus outros dispositivos primeiro. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Notificações Push + +Todos nós cometemos erros, e há o risco de que um usuário possa aceitar a tentativa de login por acidente. As autorizações de login de notificação push são normalmente enviadas para *todos* seus dispositivos de uma só vez, ampliando a disponibilidade do código MFA se você tiver muitos dispositivos. + +A segurança da notificação push AMF depende tanto da qualidade do aplicativo, do componente servidor e da confiança do desenvolvedor que o produz. A instalação de um aplicativo também pode exigir que você aceite privilégios invasivos que concedam acesso a outros dados em seu dispositivo. + +**TOTP** é uma das formas mais comuns de AMF disponível. Quando um usuário configura o TOTP, ele geralmente é obrigado a digitalizar um [QR Code](https://en.wikipedia.org/wiki/QR_code) que estabelece um "segredo compartilhado" com o serviço que pretende utilizar. O segredo compartilhado é protegido dentro dos dados do aplicativo autenticador, e às vezes é protegido por uma senha. + +### Palavra-passe única baseada no tempo (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +Se você tem uma chave de segurança de hardware com suporte a TOTP (como uma YubiKey com [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), recomendamos que você armazene os seus "segredos compartilhados" no hardware. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +Ao contrário de [FIDO2 / U2F](#fido2-u2f), TOTP não oferece protecção contra [phishing](https://en.wikipedia.org/wiki/Phishing) ou ataques de reutilização. Se um adversário obtém um código válido de você, ele pode usá-lo quantas vezes quiser até que expire (geralmente 60 segundos). A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Um adversário poderia criar um site para imitar um serviço oficial, numa tentativa de enganá-lo para dar o seu nome de usuário, senha e código TOTP atual. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Chaves de segurança do hardware + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +Yubico OTP é um protocolo de autenticação tipicamente implementado em chaves de segurança de hardware. Quando um utilizador decide utilizar o Yubico OTP, a chave irá gerar um ID público, um ID privado e uma Chave Secreta que é depois carregada para o servidor Yubico OTP. + +#### Yubico OTP + +Ao entrar em um site, tudo o que um usuário precisa fazer é tocar fisicamente a chave de segurança. A chave de segurança irá emular um teclado e imprimir uma senha única no campo da senha. + +O serviço irá então reencaminhar a senha única para o servidor OTP Yubico para validação. Um contador é incrementado tanto na chave como no servidor de validação do Yubico. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](/assets/img/multi-factor-autenticação/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO2 / U2F + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. Ele usa autenticação de chave pública e é mais seguro que os segredos compartilhados usados nos métodos Yubico OTP e TOTP, pois inclui o nome de origem (geralmente, o nome do domínio) durante a autenticação. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +Se um site ou serviço suportar FIDO2 / U2F para a autenticação, é altamente recomendável que o utilize em relação a qualquer outra forma de AMF. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Ao configurar o seu método AMF, tenha em mente que ele é apenas tão seguro quanto o seu método de autenticação mais fraco que você usa. It also does not use any third-party cloud server for authentication. Por exemplo, se você já estiver usando TOTP, você deve desativar o e-mail e SMS MFA. Se já estiver a utilizar o FIDO2 / U2F, não deve utilizar o Yubico OTP ou TOTP na sua conta. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## Recomendações Gerais + +Ao usar TOTP com um aplicativo autenticador, certifique-se de fazer backup das chaves de recuperação, do próprio aplicativo ou copie os "segredos compartilhados" para outra instância do aplicativo em um telefone diferente ou em um container criptografado (por exemplo [VeraCrypt](/encryption/#veracrypt)). + +### Qual o método a utilizar? + +Ao comprar uma chave de segurança, é importante que você altere as credenciais padrão, configure a proteção por senha para a chave e ative a confirmação por toque se a sua chave suportar tal recurso. Produtos como o [YubiKey](#yubikey) têm múltiplas interfaces com credenciais separadas para cada uma delas, portanto você deve passar por cima de cada interface e configurar a proteção também. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Cópias de segurança + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Configuração inicial + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email e SMS + +Além de proteger apenas os logins do seu site, a autenticação multi-factor pode ser usada para proteger os seus logins locais, chaves ssh ou mesmo bases de dados de senhas também. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## Mais lugares para configurar o AMF + +Yubico tem um guia [Usando o seu YubiKey como Smart Card em macOS](https://support.yubico.com/hc/en-us/articles/360016649059) que o pode ajudar a configurar o seu YubiKey em macOS. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool SIM +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. A maioria das coisas deve ser a mesma independentemente da distribuição, no entanto os comandos do gerenciador de pacotes, como "apt-get" e nomes de pacotes podem ser diferentes. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### SO Qubes + +As bases de dados KeePass e KeePassXC podem ser protegidas usando Challenge-Response ou HOTP como um segundo factor de autenticação. Yubico forneceu um documennt para KeePass [Usando a sua YubiKey com KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) e também existe um no website [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) . + +### SSH + +#### Chaves de Segurança de Hardware + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Palavra-passe única baseada no tempo (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (e KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/pt/basics/passwords-overview.md b/i18n/pt/basics/passwords-overview.md new file mode 100644 index 00000000..0c2c345f --- /dev/null +++ b/i18n/pt/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Redes Auto-Contidas + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Cópias de segurança + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/pt/basics/threat-modeling.md b/i18n/pt/basics/threat-modeling.md new file mode 100644 index 00000000..c93feab9 --- /dev/null +++ b/i18n/pt/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "evergreen" +icon: 'O que são modelos de ameaça?' +description: Equilibrar segurança, privacidade e usabilidade é uma das primeiras e mais difíceis tarefas que você enfrentará na sua jornada de privacidade. +--- + +Equilibrar segurança, privacidade e usabilidade é uma das primeiras e mais difíceis tarefas que você enfrentará na sua jornada de privacidade. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Se você quisesse usar o **mais** ferramentas seguras disponíveis, você teria que sacrificar *muito* de usabilidade. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. É por isso que os modelos de ameaça são importantes. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. O que é que eu quero proteger? +2. De quem eu quero protegê-lo? +3. Qual é a probabilidade de eu precisar de o proteger? +4. Quão más são as consequências se eu falhar? +5. Quantos problemas estou disposto a enfrentar para tentar evitar possíveis consequências? + +### O que é que eu quero proteger? + +Um "bem" é algo que você valoriza e quer proteger. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Os seus próprios dispositivos também podem ser bens. + +*Faça uma lista dos seus bens: dados que você guarda, onde são guardados, quem tem acesso a eles e o que impede outros de acederem a eles.* + +### De quem eu quero protegê-lo? + +Para responder a esta pergunta, é importante identificar quem pode querer ter como alvo você ou suas informações. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. A sua lista pode incluir indivíduos, uma agência governamental ou corporações.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### Qual é a probabilidade de eu precisar de o proteger? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Embora a sua operadora de celular tenha a capacidade de acessar todos os seus dados, o risco de que eles coloquem seus dados particulares online para prejudicar sua reputação é baixo. + +É importante distinguir entre o que pode acontecer e a probabilidade de acontecer. Por exemplo, há uma ameaça de colapso do seu edifício, mas o risco de isso acontecer é muito maior em São Francisco (onde os terremotos são comuns) do que em Estocolmo (onde eles não são). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. Em outros casos, as pessoas desconsideram os altos riscos porque não vêem a ameaça como um problema. + +*Escreva quais ameaças você vai levar a sério, e quais podem ser muito raras ou inofensivas (ou muito difíceis de combater) para se preocupar.* + +### Quão más são as consequências se eu falhar? + +Há muitas maneiras de um adversário poder ter acesso aos seus dados. Por exemplo, um adversário pode ler suas comunicações privadas enquanto elas passam pela rede, ou podem apagar ou corromper seus dados. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. Em contraste, um adversário político pode desejar ter acesso a conteúdo secreto e publicar esse conteúdo sem que você saiba. + +O planejamento de segurança envolve compreender quão ruins podem ser as conseqüências se um adversário conseguir ter acesso a um de seus ativos. Para determinar isso, você deve considerar a capacidade do seu adversário. For example, your mobile phone provider has access to all of your phone records. Um hacker em uma rede Wi-Fi aberta pode acessar suas comunicações não criptografadas. O seu governo pode ter capacidades mais fortes. + +*Escreva o que o seu adversário pode querer fazer com os seus dados privados.* + +### Quantos problemas estou disposto a enfrentar para tentar evitar possíveis consequências? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Sua avaliação de risco lhe permitirá planejar a estratégia certa para você, equilibrando conveniência, custo e privacidade. + +Por exemplo, um advogado que representa um cliente em um caso de segurança nacional pode estar disposto a ir mais longe para proteger as comunicações sobre esse caso, como o uso de e-mail criptografado, do que uma mãe que envia regularmente e-mails com vídeos engraçados de gatos para sua filha. + +*Escreva as opções que você tem disponíveis para ajudar a mitigar suas ameaças únicas. Observe se você tem alguma restrição financeira, técnica ou social.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**O que você quer proteger? (Ou, *o que é que você tem que vale a pena proteger?*)** +: + +Seus bens podem incluir jóias, eletrônicos, documentos importantes ou fotos. + +**De quem você quer protegê-lo?** +: + +Os seus adversários podem incluir assaltantes, companheiros de quarto ou convidados. + +**Qual é a probabilidade de precisar de o proteger?** +: + +O seu bairro tem um histórico de assaltos? How trustworthy are your roommates or guests? Quais são as capacidades dos seus adversários? Quais são os riscos que você deve considerar? + +**Quão más são as consequências se falhar?** +: + +Tem alguma coisa na sua casa que não possa substituir? Do you have the time or money to replace those things? Você tem um seguro que cobre bens roubados de sua casa? + +**Quantos problemas você está disposto a passar para evitar essas consequências?** +: + +Você está disposto a comprar um cofre para documentos sensíveis? Tem dinheiro para comprar um cadeado de alta qualidade? Tem tempo para abrir uma caixa de segurança no seu banco local e guardar lá os seus valores? + +Só depois de se ter feito estas perguntas é que estará em condições de avaliar que medidas tomar. Se os seus bens são valiosos, mas a probabilidade de um arrombamento é baixa, então você pode não querer investir muito dinheiro numa fechadura. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Fazer um plano de segurança o ajudará a entender as ameaças que são únicas para você e a avaliar seus ativos, seus adversários e as capacidades de seus adversários, juntamente com a probabilidade de riscos que você enfrenta. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Fontes + +- [Autodefesa de Vigilância EFF: Seu Plano de Segurança](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/pt/basics/vpn-overview.md b/i18n/pt/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/pt/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/pt/calendar.md b/i18n/pt/calendar.md new file mode 100644 index 00000000..de2f42e9 --- /dev/null +++ b/i18n/pt/calendar.md @@ -0,0 +1,88 @@ +--- +title: "Clientes de e-mail" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Software como um serviço (SaaS) apenas + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. [Visite tutanota.com](https://tutanota.com/calendar){ .md-button .md-button--primary } [Política de Privacidade](https://tutanota.com/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:fontawesome-brands-github: Source](https://github.com/tutao/tutanota) + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Auto-hospedagem + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Todos os dados armazenados dentro dele são encriptados de ponta a ponta quando armazenados nos servidores do ProtonMail. [Visite calendar.protonmail.com](https://calendar.protonmail.com){ .md-button .md-button--primary } [Política de Privacidade](https://protonmail.com/privacy-policy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:fontawesome-brands-github: Fonte](https://github.com/ProtonMail/WebClients) Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/pt/cloud.md b/i18n/pt/cloud.md new file mode 100644 index 00000000..1b81f776 --- /dev/null +++ b/i18n/pt/cloud.md @@ -0,0 +1,101 @@ +--- +title: "Email" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [Visite drive.protonmail.com](https://drive.protonmail.com){ .md-button .md-button--primary } [Política de Privacidade](https://protonmail.com/privacy-policy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/ProtonMail/WebClients) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/pt/cryptocurrency.md b/i18n/pt/cryptocurrency.md new file mode 100644 index 00000000..2566b514 --- /dev/null +++ b/i18n/pt/cryptocurrency.md @@ -0,0 +1,56 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/pt/data-redaction.md b/i18n/pt/data-redaction.md new file mode 100644 index 00000000..fabc8601 --- /dev/null +++ b/i18n/pt/data-redaction.md @@ -0,0 +1,163 @@ +--- +title: "Ferramentas de encriptação" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +Ao partilhar ficheiros, certifique-se de que remove os metadados associados. Os arquivos de imagem geralmente incluem [EXIF](https://en.wikipedia.org/wiki/Exif) dados. As fotos às vezes até incluem [GPS](https://en.wikipedia.org/wiki/Global_Positioning_System) coordenadas nos metadados do arquivo. + +## Desktop + +### ExifCleaner + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. Ele suporta processamento em lote de vários núcleos e modo escuro. + + [Visite exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-github: Source](https://github.com/szTheory/exifcleaner) + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### Exif Scrambled Exif + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + Pode remover dados [EXIF](https://en.wikipedia.org/wiki/Exif) para muitos formatos de arquivo e foi traduzido para [many](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) idiomas. + + [Visite gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.jarsilio.android.scrambledeggsif) + - [:fontawesome-brands-gitlab: Source](https://gitlab.com/juanitobananas/scrambled-exif) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. 17.1 e 18.1 característica GrapheneOS por rede completa [randomização MAC](https://en.wikipedia.org/wiki/MAC_address#Randomization) opção, e [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) controlo, e reinicialização automática/Wi-Fi/Bluetooth [opções de timeout](https://grapheneos.org/features). + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Imagepipe + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? Isto significa que não requer permissão para aceder directamente a conteúdos ou ficheiros. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + ![logotipo PrivacyBlur](/assets/img/android/privacyblur.svg){ align=right } + + **PrivacyBlur*** é uma aplicação gratuita que pode desfocar porções sensíveis de imagens antes de as partilhar online. [Visite privacyblur.app](https://privacyblur.app/){ .md-button .md-button--primary } + + **Downloads:** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.mathema.privacyblur/) + - [:fontawesome-brands-github: GitHub](https://github.com/MATHEMA-GmbH/privacyblur) For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Linha de comando + +### Metapho + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + Foi traduzido para [many](https://codeberg.org/Starfish/Imagepipe#translations) idiomas. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/pt/desktop-browsers.md b/i18n/pt/desktop-browsers.md new file mode 100644 index 00000000..088b234c --- /dev/null +++ b/i18n/pt/desktop-browsers.md @@ -0,0 +1,359 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bromite + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Bromite](/assets/img/browsers/bromite.svg){ align=right } + + **Bromite** é um navegador [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser))- com melhorias de privacidade e segurança, bloqueio de anúncios incorporado e algumas impressões digitais aleatórias. + + [Visite bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.bromite.org/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-android: Android](https://www.bromite.org/fdroid) + - [:fontawesome-brands-github: Fonte](https://github.com/bromite/bromite) downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Firefox + +Estas opções podem ser encontradas na página *Privacidade & Segurança* configurações ( ≡ → Configurações → Privacidade & Segurança). + +##### Enhanced Tracking Protection + +- Selecione: "Restrito". + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- Desligue: "Sugestões da web" + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- Selecione: "Activar o modo HTTPS-Only em todas as janelas". +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- Selecione: Use sempre ligações seguras. + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Extensões + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Bromite + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Safari](/assets/img/browsers/safari.svg){ align=right } + + **Safari** é o navegador padrão no iOS. + + Inclui [características de privacidade](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0), tais como Proteção de Rastreamento Inteligente, Relatório de Privacidade, abas isoladas de Navegação Privada, iCloud Private Relay, e atualizações automáticas de HTTPS. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Firefox + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- Selecione: "Abrir links em abas incógnitas sempre". + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensões + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Recursos Adicionais + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### AdGuard para Safari + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Não recomendamos a instalação do ToS;DR como uma extensão do navegador. + + A mesma informação é fornecida no site deles. downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/pt/desktop.md b/i18n/pt/desktop.md new file mode 100644 index 00000000..d77baa96 --- /dev/null +++ b/i18n/pt/desktop.md @@ -0,0 +1,181 @@ +--- +title: "Armazenamento em nuvem" +icon: fontawesome/brands/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Distribuições Tradicionais + +### Estação de Trabalho Fedora + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Fedora](/assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** é a nossa distribuição recomendada para usuários novos no Linux. A Fedora geralmente adota novas tecnologias antes de outras distribuições, por exemplo, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), e em breve, [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Estas novas tecnologias muitas vezes vêm com melhorias na segurança, privacidade e usabilidade em geral. + + [Visite getfedora.org](https://getfedora.org/){ .md-button .md-button--primary } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo do openSUSE Tumbleweed](/assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** é uma distribuição estável [lançamento rolante](https://en.wikipedia.org/wiki/Rolling_release). + + O openSUSE Tumbleweed tem um sistema [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) que usa [Btrfs](https://en.wikipedia.org/wiki/Btrfs) e [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) para garantir que os instantâneos possam ser rolados de volta caso haja algum problema. + + [Visite get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arco Linux + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Arch logo](/assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** é uma distribuição leve, faça-você-mesmo (faça você mesmo), o que significa que você só recebe o que você instala. Para mais informações consulte o seu [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [Visite archlinux.org](https://archlinux.org/){ .md-button .md-button--primary } + +Sendo uma distribuição DIY, o usuário é [esperado para configurar e manter](/linux-desktop/#arch-based-distributions) seu sistema. Arch tem um [instalador oficial](https://wiki.archlinux.org/title/Archinstall) para tornar o processo de instalação um pouco mais fácil. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Distribuições imutáveis + +### Fedora Silverblue + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Fedora Silverblue](/assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** e **Fedora Kinoite*** são variantes imutáveis do Fedora com um forte foco nos fluxos de trabalho dos contentores. Silverblue vem com o ambiente de trabalho [GNOME](https://www.gnome.org/) enquanto que a Kinoite vem com [KDE](https://kde.org/). Silverblue e Kinoite seguem o mesmo calendário de lançamento da Estação de Trabalho Fedora, beneficiando das mesmas atualizações rápidas e ficando muito perto do upstream. + + [Visite silverblue.fedoraproject.org](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + +Após a atualização estar completa, o usuário reiniciará o sistema para a nova implantação. `rpm-ostree` mantém duas implantações do sistema para que um usuário possa facilmente reverter se algo quebrar na nova implantação. Há também a opção de fixar mais implantações conforme necessário. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +Como alternativa aos Flatpaks, existe a opção de [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) para criar [Podman](https://podman.io) containers com um diretório home compartilhado com o sistema operacional host e imitar um ambiente Fedora tradicional, que é um [recurso útil](https://containertoolbx.org) para o desenvolvedor perspicaz. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo NixOS](/assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS é uma distribuição independente baseada no gerenciador de pacotes Nix com foco na reprodutibilidade e confiabilidade. + + [Visite nixos.org](https://nixos.org/){ .md-button .md-button--primary } + +O NixOS também fornece atualizações atômicas; primeiro ele baixa (ou constrói) os pacotes e arquivos para a nova geração do sistema e depois muda para ele. Existem diferentes maneiras de mudar para uma nova geração; você pode dizer ao NixOS para ativá-lo após o reinício ou você pode mudar para ele em tempo de execução. Você também pode *testar* a nova geração mudando para ela em tempo de execução, mas não definindo-a como a geração atual do sistema. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +Nix é um gerenciador de pacotes baseado no código fonte; se não houver um pré-cache binário disponível, Nix irá apenas construir o pacote a partir do código fonte usando sua definição. Ele constrói cada pacote em um ambiente sandboxed *puro* , que é o mais independente possível do sistema hospedeiro, tornando assim os binários reprodutíveis. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Distribuições Anónimas-Focusadas + +### Whonix + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Whonix logo](/assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** é baseado em [Kicksecure](https://www.whonix.org/wiki/Kicksecure), um garfo focado na segurança do Debian. O seu objectivo é proporcionar privacidade, segurança e anonimato na Internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +As futuras versões da Whonix provavelmente incluirão [políticas completas do sistema Apparmor](https://github.com/Whonix/apparmor-profile-everything) e um [lançador de aplicativos sandbox](https://www.whonix.org/wiki/Sandbox-app-launcher) para confinar totalmente todos os processos no sistema. + +Whonix é melhor usado [em conjunto com Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers). + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Caudas + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + !(/assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** é um sistema operacional live baseado no Debian que roteia todas as comunicações através do Tor. Pode arrancar em quase qualquer computador a partir de um DVD, pen USB ou sdcard. + + O seu objectivo é preservar a privacidade e o anonimato, contornando a censura e não deixando qualquer vestígio de si no computador em que é utilizado. + +Acredita-se frequentemente que [open source](https://en.wikipedia.org/wiki/Open-source_software) software é intrinsecamente seguro porque o código fonte está disponível. Há uma expectativa de que a verificação da comunidade ocorra regularmente; no entanto, isto nem sempre é [o caso](https://seirdy.one/2022/02/02/floss-security.html). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### SO Qubes + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo do SO Qubes](/assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes*** é um sistema operacional open-source projetado para fornecer uma forte segurança para a computação desktop. Qubes é baseado no Xen, o Sistema X Window e Linux, e pode executar a maioria das aplicações Linux e utilizar a maioria dos drivers Linux. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/pt/dns.md b/i18n/pt/dns.md new file mode 100644 index 00000000..7726e2cc --- /dev/null +++ b/i18n/pt/dns.md @@ -0,0 +1,144 @@ +--- +title: "Introdução ao DNS" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. DNS criptografado não o ajudará a ocultar qualquer atividade de navegação. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Provedores recomendados + +| DNS | Política de Privacidade | Protocolo | Protocolos | Logging | ECS | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------- | ----------------------------------------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Comercial | Cleartext
DoH
DoT
DNSCrypt | 4 | Não Filter list being used can be found here. [**DNS sobre HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) como definido em [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) consultas de pacotes no protocolo [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) e fornece segurança com [HTTPS](https://en.wikipedia.org/wiki/HTTPS). | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Comercial | Cleartext
DoH
DoT | 4 | Não | +| [**ControlID**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Comercial | Cleartext
DoH
DoT | 4 | Não | +| [**IVPN**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | Comercial | DoH
DoT | 4 | Não Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**PróximoDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Comercial | Cleartext
DoH
DoT
DNSCrypt | Opcional[^5] | Não | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Comercial | Some[^6] | Opcional[^5] | Based on server choice, Malware blocking by default. | + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Deve suportar [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used) +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## DNS não criptografado + +### Android + +As últimas versões do iOS, iPadOS, tvOS e macOS, suportam tanto DoT como DoH. Ambos os protocolos são suportados nativamente através de [perfis de configuração](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ou através de [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +### Dispositivos Apple + +Após a instalação de um perfil de configuração ou de um aplicativo que utiliza a API de configurações DNS, a configuração DNS pode ser selecionada. Se uma VPN estiver activa, a resolução dentro do túnel VPN utilizará as definições DNS da VPN e não as definições de todo o seu sistema. + +A Apple não fornece uma interface nativa para a criação de perfis DNS criptografados. [Criador de perfil DNS seguro](https://dns.notjakob.com/tool.html) é uma ferramenta não oficial para criar os seus próprios perfis DNS encriptados, no entanto eles não serão assinados. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. Informações Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + ![logótipo DNSCloak](/assets/img/ios/dnscloak.png){ align=right } + + **DNSCloak** é um cliente iOS de código aberto que suporta [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), e [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) opções como respostas DNS em cache, consultas DNS de registo local, e listas de blocos personalizadas. Os usuários podem [adicionar resolvedores personalizados por carimbo DNS](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5). + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### DNS + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo dnscrypt-proxy](/assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** é um proxy DNS com suporte para [DNSCrypt](/dns/#dnscrypt), [DNS-over-HTTPS](/dns/#dns-over-https-doh), e [DNS anonimizado](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + [Visite github.com](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/DNSCrypt/dnscrypt-proxy) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### DNSCrypt + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### RethinkDNS + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### DNSCloak + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: Armazenamos métricas agregadas de desempenho do nosso servidor DNS, nomeadamente o número de pedidos completos para um determinado servidor, o número de pedidos bloqueados, a velocidade de processamento dos pedidos. Nós mantemos e armazenamos a base de dados de domínios solicitados nas últimas 24 horas. Precisamos dessas informações para identificar e bloquear novos rastreadores e ameaças. Também registramos quantas vezes este ou aquele rastreador foi bloqueado. Precisamos desta informação para remover regras desactualizadas dos nossos filtros.[https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: O Cloudflare recolhe e armazena apenas os dados limitados da consulta DNS que são enviados para o resolvedor 1.1.1.1. O serviço resolver 1.1.1.1 não registra dados pessoais, e a maior parte dos dados de consulta limitados não identificáveis pessoalmente é armazenada apenas por 25 horas.[https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/pt/email-clients.md b/i18n/pt/email-clients.md new file mode 100644 index 00000000..49ff7135 --- /dev/null +++ b/i18n/pt/email-clients.md @@ -0,0 +1,269 @@ +--- +title: "Partilha de ficheiros" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Nossa lista de recomendações contém clientes de e-mail que suportam tanto [OpenPGP](/encryption/#openpgp) e autenticação forte como [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth permite-lhe utilizar [Multi-Factor Authentication](/multi-factor-authentication) e prevenir o roubo de contas. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Thunderbird](/assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** é um cliente gratuito, de código aberto, email multiplataforma, newsgroup, news feed, e chat (XMPP, IRC, Twitter) desenvolvido pela comunidade Thunderbird, e anteriormente pela Fundação Mozilla. + + [Visite thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Política de Privacidade](https://www.mozilla.org/privacy/thunderbird){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Source](https://hg.mozilla.org/comm-central) downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Firefox + +We recommend changing some of these settings to make Thunderbird a little more private. + +Estas opções podem ser encontradas na página *Privacidade & Segurança* configurações ( ≡ → Configurações → Privacidade & Segurança). + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo do Mailvelope](/assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** é uma extensão do navegador que permite a troca de e-mails criptografados seguindo o padrão de criptografia OpenPGP. + + [Visite mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Política de Privacidade](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Source](https://github.com/mailvelope/mailvelope) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![K-9 Logotipo do correio](/assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail*** é uma aplicação de correio independente que suporta tanto caixas de correio POP3 como IMAP, mas só suporta push mail para IMAP. [Visite k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Política de Privacidade](https://k9mail.app/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9) + - [:fontawesome-brands-github: Source](https://github.com/k9mail) + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo FairEmail](/assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** é uma aplicação de e-mail de código aberto mínima, utilizando padrões abertos (IMAP, SMTP, OpenPGP) com um baixo consumo de dados e bateria. + + [Visite email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Política de Privacidade](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/eu.faircode.email/) + - [:fontawesome-brands-github: Source](https://github.com/M66B/FairEmail) + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + ![logo Canary Mail](/assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** é um cliente de e-mail pago concebido para tornar a encriptação end-to-end sem falhas com funcionalidades de segurança, tais como um bloqueio biométrico da aplicação. [Visite canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Política de Privacidade](https://canarymail.io/privacy.html){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://download.canarymail.io/get_windows) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1236045954) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1236045954) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + +### Kontact (KDE) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/pt/email.md b/i18n/pt/email.md new file mode 100644 index 00000000..94950c84 --- /dev/null +++ b/i18n/pt/email.md @@ -0,0 +1,500 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Encontre um provedor de e-mail seguro que manterá sua privacidade em mente. Não se contente com plataformas suportadas por anúncios. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +Para tudo o resto, recomendamos uma variedade de fornecedores de e-mail baseados em modelos de negócio sustentáveis e que incorporem funcionalidades de segurança e de privacidade. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## Serviços de e-mail recomendados + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Ao utilizar tecnologia de criptografia de ponta a ponta (E2EE) como o OpenPGP, o e-mail ainda terá alguns metadados que não são criptografados no cabeçalho do e-mail. Leia mais sobre os metadados de e-mail. + + O OpenPGP também não suporta Forward secrecy, o que significa que se a sua chave privada ou a do destinatário for roubada, todas as mensagens anteriores criptografadas com ela serão expostas. Como posso proteger as minhas chaves privadas? + +### ProtonMail + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Ao invés de usar o e-mail para conversas prolongadas, considere a possibilidade de usar um meio que suporte o sigilo do Forward. [Mensageiros Instantâneos Recomendados](real-time-communication.md){ .md-button } Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + As contas gratuitas têm algumas limitações, tais como não ser capaz de procurar no corpo do texto e não ter acesso à [ProtonMail Bridge](https://protonmail.com/bridge), que requer um [cliente de e-mail recomendado](e-mail-clients.md) (por exemplo, Thunderbird). downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). verificar "Segurança da Conta". A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. Verifique "Criptografia de E-mail". + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). O uso de uma chave de segurança \[U2F\](https://en.wikipedia.org/wiki/Universal_2nd_Factor) ainda não é suportado. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Isto significa que as mensagens e outros dados armazenados na sua conta só são legíveis por si. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. No entanto, eles aceitam dinheiro pelo correio, pagamento em dinheiro para conta bancária, transferência bancária, cartão de crédito, PayPal e alguns processadores específicos da Alemanha: paydirekt e Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. Esta funcionalidade é útil quando o destinatário remoto não tem o OpenPGP e não consegue desencriptar uma cópia do e-mail na sua própria caixa de correio. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). O serviço é mantido por voluntários e sua comunidade. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Você pode acessar sua conta Mailbox.org via IMAP/SMTP usando seu \[.onion service\](https://kb.mailbox.org/display/MBOKBEN/The Tor exit node of mailbox.org). No entanto, a sua interface de webmail não pode ser acessada através do seu serviço .onion, e os usuários podem experimentar erros no certificado TLS. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. aviso "Criptografia de e-mail". + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### Desarraigar + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Disroot permite que os utilizadores utilizem o seu próprio domínio. Eles têm pseudônimos, porém você deve [aplicar manualmente](https://disroot.org/en/forms/alias-request-form) para eles. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +Disroot suporta \[TOTP\](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) autenticação de dois fatores apenas para webmail. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). No entanto, não parece ser "acesso zero", o que significa que é tecnicamente possível para eles descriptografar os dados que têm se não forem adicionalmente encriptados com uma ferramenta como OpenPGP. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. No entanto, Disroot não integrou um Web Key Directory (WKD) para os utilizadores na sua plataforma. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Software como um serviço (SaaS) apenas + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). O serviço é mantido por voluntários e sua comunidade. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Visão Geral da Criptografia de E-mail + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![Joplin logo](/assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/) +- ![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### StartMail + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- Criptografa os dados da conta em repouso. +- A criptografia integrada do webmail proporciona conveniência aos usuários que desejam melhorar ao não ter [E2EE](https://en.wikipedia.org/wiki/End-to-end_encryption) criptografia. +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### CTemplar + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- Criptografa os dados da conta em repouso com criptografia de acesso zero. +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Visão Geral dos Metadados de Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Framadate + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Jurisdição + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**O melhor caso:** + +- Operando fora dos EUA ou de outros países da Five Eyes. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Protecção do webmail com [autenticação de dois factores (2FA)](https://en.wikipedia.org/wiki/Multi-factor_authentication), tal como [TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Tecnologia + +We prefer our recommended providers to collect as little data as possible. + +**O melhor caso:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Privacidade + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**O melhor caso:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Programas de recompensa de bugs e/ou um processo coordenado de divulgação de vulnerabilidades. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Segurança + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**O melhor caso:** + +- Esquemas de Criptografia Fortes: OpenVPN com autenticação SHA-256; RSA-2048 ou melhor aperto de mão; AES-256-GCM ou AES-256-CBC encriptação de dados. + +**Best Case:** + +- A Encriptação mais forte: RSA-4096. +- Perfect Forward Secrecy (PFS). + +### Confiança + +With the email providers we recommend we like to see responsible marketing. + +**O melhor caso:** + +- Deve auto-instalar análises (sem Google Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Fazer garantias de protecção do anonimato a 100%. Quando alguém afirma que algo é 100%, significa que não há certeza de fracasso. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Deve auto-instalar análises (sem Google Analytics, etc.). This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Marketing + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/pt/encryption.md b/i18n/pt/encryption.md new file mode 100644 index 00000000..237f5673 --- /dev/null +++ b/i18n/pt/encryption.md @@ -0,0 +1,376 @@ +--- +title: "Software de encriptação" +icon: material/file-lock +description: A encriptação de dados é a única forma de controlar quem pode acessá-los. These tools allow you to encrypt your emails and any other files. +--- + +A encriptação de dados é a única forma de controlar quem pode acessá-los. Se você não estiver usando software de criptografia para o seu disco rígido, e-mails ou arquivos, você deve escolher uma opção aqui. + +## Multi-plataforma + +As opções listadas aqui são multi-plataforma e excelentes para criar backups criptografados dos seus dados. + +### VeraCrypt + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo VeraCrypt](/assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** é um utilitário freeware disponível na fonte, utilizado para encriptação on-the-fly. Ele pode criar um disco virtual encriptado dentro de um ficheiro, encriptar uma partição ou encriptar todo o dispositivo de armazenamento com autenticação pré-boot. + + [Visite veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/pt/Downloads.html) + - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-git: Source](https://www.veracrypt.fr/code) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +O VeraCrypt é um garfo do projeto TrueCrypt descontinuado. De acordo com seus desenvolvedores, melhorias de segurança foram implementadas e questões levantadas pela auditoria inicial do código TrueCrypt foram abordadas. + +Ao encriptar com VeraCrypt, o utilizador tem a opção de seleccionar de diferentes [funções hash](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Sugerimos aos utilizadores **apenas** seleccione [SHA-512](https://en.wikipedia.org/wiki/SHA-512) e deve ficar com o [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) cifra de bloco. The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Truecrypt foi [auditada várias vezes](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits) e VeraCrypt também foi [auditada separadamente](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +### Criptomador + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo do criptomator](/assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** facilita o carregamento de ficheiros para a nuvem num sistema de ficheiros virtual encriptado. [Visite cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Política de Privacidade](https://cryptomator.org/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads) + - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads) + - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.cryptomator) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:fontawesome-brands-github: Source](https://github.com/cryptomator) It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### Picocrypt + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Picocrypt](/assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** é uma pequena e simples ferramenta de encriptação que fornece uma encriptação moderna. Picocrypt usa a cifra segura XChaCha20 e a função de derivação da chave Argon2id para proporcionar um alto nível de segurança. + + Ele usa os módulos x/crypto padrão da Go para suas funcionalidades de criptografia. [Visite github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:fontawesome-brands-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:fontawesome-brands-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + - [:fontawesome-brands-github: Source](https://github.com/HACKERALERT/Picocrypt) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Sistema operacional incluído Criptografia de disco completo (FDE) + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![BitLocker logo](/assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** é a solução de encriptação de volume completo, em conjunto com o Microsoft Windows. O principal motivo pelo qual o recomendamos é devido ao seu [uso do TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), uma empresa forense, escreveu sobre isso em [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [Visite microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary } + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. Também, FileVault deve ser habilitado **após** uma instalação macOS completa como mais gerador de números pseudorandomais ([PRNG](https://support.apple.com/guide/security/random-number-generation-seca0c73a75b/web)) [entropia](https://en.wikipedia.org/wiki/Entropy_(computing)) estará disponível. + + Para habilitar o BitLocker nas edições "Home" do Windows, você deve ter partições formatadas com um módulo [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) e ter um [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (v1.2, 2.0 ) dedicado. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powerhell Get-Disk 0 | findstr GPT && echo Este é um disco do sistema GPT! + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Feche o prompt de comando, e entre no PowerShell: + + ``` + manage-bde c: -protectores -add -rp -tpm + manage-bde -protectores -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![FileVault logo](/assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** é a solução de encriptação de volume on-the-fly integrada em macOS. FileVault é recomendado porque [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) recursos de segurança de hardware presentes em um SoC de silício Apple ou Chip de Segurança T2. + + [Visite support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary } + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Configuração da Chave Unificada Linux (LUKS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![LUKS logo](/assets/img/encryption-software/luks.png){ align=right } + + **LUKS*** é o método padrão de criptografia de disco completo para Linux. Ele pode ser usado para criptografar volumes completos, partições ou criar containers criptografados. + + [Visite gitlab.com](https://gitlab.com/cryptsetup/cryptsetup){ .md-button .md-button--primary } + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Abrindo recipientes encriptados + Recomendamos abrir recipientes e volumes com `udisksctl`, pois este utiliza [Polkit](https://en.wikipedia.org/wiki/Polkit). A maioria dos gestores de ficheiros, tais como os incluídos em ambientes de desktop populares, consegue desbloquear ficheiros encriptados. Ferramentas como [udiskie](https://github.com/coldfix/udiskie) podem ser executadas na bandeja do sistema e fornecer uma interface de usuário útil. + ``` + udisksctl loop-setup -f /path-tofile + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + Recomendamos que você sempre [faça backup dos seus cabeçalhos LUKS](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) em caso de falha parcial da unidade. Isto pode ser feito com: + + ``` + cryptsetup luksHeaderBackup /device/device --header-backup-file /mnt/backup/file.img + ``` + +## Navegador baseado em + +Ferramentas com interfaces de linha de comando são úteis para intergrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### chapéu.sh + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh*** é uma aplicação web que fornece criptografia segura de arquivos do lado do cliente no seu navegador. Também pode ser auto-hospedado e é útil se você precisar criptografar um arquivo, mas não pode instalar qualquer software no seu dispositivo, devido às políticas organizacionais. + + [Visite hat.sh](https://hat.sh){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/sh-dv/hat.sh) + +## Linha de comando + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Kryptor](/assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** é uma ferramenta de criptografia e assinatura de arquivos livre e de código aberto que faz uso de algoritmos criptográficos modernos e seguros. Pretende ser uma versão melhor de [age](https://github.com/FiloSottile/age) e [Minisign](https://jedisct1.github.io/minisign/) para fornecer uma alternativa simples e amigável ao GPG. + + [Visite kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Política de Privacidade](https://www.kryptor.co.uk/features#privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk) + - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk) + - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk) + - [:fontawesome-brands-github: Fonte](https://github.com/samuel-lucas6/Kryptor) downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Túmulo + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logotipo da Tumba](/assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** é uma shell wrapper de linha de comando para LUKS. Ele suporta esteganografia através de [ferramentas de terceiros](https://github.com/dyne/Tomb#how-does-it-work). + + [Visite dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/dyne/Tomb) + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. Dica "Use padrões futuros ao gerar uma chave". For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + Quando [gerando chaves](https://www.gnupg.org/gph/en/manual/c14.html) sugerimos utilizar o comando `future-default`, pois isto instruirá o GnuPG a utilizar criptografia moderna como [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) e [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### Guarda de Privacidade GNU + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![GNU Privacy Guard logo](/assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** é uma alternativa GPL-licenciada ao conjunto de software criptográfico PGP. GnuPG está em conformidade com [RFC 4880](https://tools.ietf.org/html/rfc4880), que é a especificação atual da IETF do OpenPGP. O projeto GnuPG tem trabalhado em um [rascunho atualizado](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) numa tentativa de modernizar o OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [Visite gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Política de Privacidade](https://gnupg.org/privacy-policy.html){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) + - [:fontawesome-brands-apple: macOS](https://gpgtools.org) + - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:fontawesome-brands-git: Fonte](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![GPG4win logo](/assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** é um pacote para Windows da [Intevation and g10 Code](https://gpg4win.org/impressum.html). Inclui [várias ferramentas](https://gpg4win.org/about.html) que auxiliam os usuários do PGP no Microsoft Windows. O projeto foi iniciado e originalmente [financiado por](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) pelo Escritório Federal de Segurança da Informação (BSI) da Alemanha em 2005. + + [Visite gpg4win.org](https://gpg4win.org){ .md-button .md-button--primary } [Política de Privacidade](https://gpg4win.org/privacy-policy.html){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) + - [:fontawesome-brands-git: Fonte](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary) downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### Suíte GPG + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo OpenKeychain](/assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** é uma implementação Android do GnuPG. É normalmente exigido por clientes de e-mail como [K-9 Mail](/email-clients/#k-9-mail) e [FairEmail](/email-clients/#fairemail) e outros aplicativos Android para fornecer suporte à criptografia. Cure53 concluiu uma [auditoria de segurança](https://www.openkeychain.org/openkeychain-3-6) da OpenKeychain 3.6 em outubro de 2015. Detalhes técnicos sobre a auditoria e as soluções OpenKeychain podem ser encontrados [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [Visite openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.openkeychain.org/help/privacy-policy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/) + - [:fontawesome-brands-git: Source](https://github.com/open-keychain/open-keychain) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/pt/file-sharing.md b/i18n/pt/file-sharing.md new file mode 100644 index 00000000..b6081521 --- /dev/null +++ b/i18n/pt/file-sharing.md @@ -0,0 +1,168 @@ +--- +title: "Ferramentas de Autenticação Multi-Factor" +icon: material/share-variant +description: Descubra como partilhar os seus ficheiros em privado entre os seus dispositivos, com os seus amigos e família, ou anonimamente online. +--- + +Descubra como partilhar os seus ficheiros em privado entre os seus dispositivos, com os seus amigos e família, ou anonimamente online. + +## Gestores de senhas + +### OnionShare + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** é uma ferramenta de código aberto que lhe permite partilhar de forma segura e anónima um ficheiro de qualquer tamanho. Funciona iniciando um servidor web acessível como um serviço Tor onion, com um URL indiscutível que você pode compartilhar com os destinatários para baixar ou enviar arquivos. [Visite onionshare.org](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://onionshare.org/#download) + - [:fontawesome-brands-apple: macOS](https://onionshare.org/#download) + - [:fontawesome-brands-linux: Linux](https://onionshare.org/#download) + - [:fontawesome-brands-github: Fonte](https://github.com/onionshare/onionshare) You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### Buraco de Verme Mágico + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo FreedomBox](/assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** é um sistema operacional projetado para ser executado em um [computador de placa única (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). O objetivo é facilitar a configuração de aplicações de servidor que você pode querer auto-hospedar. + + [Visite freedombox.org](https://freedombox.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-git: Fonte](https://salsa.debian.org/freedombox-team/freedombox) downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## Sincronização de arquivos + +### Nextcloud (Client-Server) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo do LibreOffice](/assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** é uma suite de escritório gratuita e de código aberto com amplas funcionalidades. + + [Visite libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** é uma alternativa, é uma suite de escritório gratuita e de código aberto com uma extensa funcionalidade. + +### Syncthing (P2P) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/pt/financial-services.md b/i18n/pt/financial-services.md new file mode 100644 index 00000000..73602ba2 --- /dev/null +++ b/i18n/pt/financial-services.md @@ -0,0 +1,102 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/pt/frontends.md b/i18n/pt/frontends.md new file mode 100644 index 00000000..08ba1393 --- /dev/null +++ b/i18n/pt/frontends.md @@ -0,0 +1,282 @@ +--- +title: "Gestores de senhas" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Clientes + +### Librarian + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Reddit + +### Nitter + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### FreeTube + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! aviso + Backup `BitLocker-Recovery-Key.txt` em um dispositivo de armazenamento separado. + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/pt/index.md b/i18n/pt/index.md new file mode 100644 index 00000000..4a17354d --- /dev/null +++ b/i18n/pt/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.pt.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/pt/kb-archive.md b/i18n/pt/kb-archive.md new file mode 100644 index 00000000..ffc1166d --- /dev/null +++ b/i18n/pt/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integração da Remoção de Metadados](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/pt/meta/brand.md b/i18n/pt/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/pt/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/pt/meta/git-recommendations.md b/i18n/pt/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/pt/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/pt/meta/uploading-images.md b/i18n/pt/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/pt/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/pt/meta/writing-style.md b/i18n/pt/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/pt/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/pt/mobile-browsers.md b/i18n/pt/mobile-browsers.md new file mode 100644 index 00000000..5d44212d --- /dev/null +++ b/i18n/pt/mobile-browsers.md @@ -0,0 +1,227 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Bromite + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Origem do uBlock + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Bromite + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Safari](/assets/img/browsers/safari.svg){ align=right } + + **Safari** é o navegador padrão no iOS. + + Inclui [características de privacidade](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0), tais como Proteção de Rastreamento Inteligente, Relatório de Privacidade, abas isoladas de Navegação Privada, iCloud Private Relay, e atualizações automáticas de HTTPS. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Firefox + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- Selecione: "Abrir links em abas incógnitas sempre". + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Origem do uBlock + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo AdGuard](/assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for Safari** é uma extensão gratuita e de código aberto para bloqueio de conteúdo do Safari que usa a API nativa [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). Sugerimos activar os filtros labled *#recommended* sob "Ad Blocking" e "Privacy" [bloqueadores de conteúdo](https://kb.adguard.com/en/safari/overview#content-blockers). + + Os filtros *#recommended* também podem ser ativados para os bloqueadores de conteúdo "Social Widgets" e "Annoyances", mas eles podem quebrar algumas funções das mídias sociais. + +#### Firefox + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/pt/multi-factor-authentication.md b/i18n/pt/multi-factor-authentication.md new file mode 100644 index 00000000..c7b00ed1 --- /dev/null +++ b/i18n/pt/multi-factor-authentication.md @@ -0,0 +1,145 @@ +--- +title: "Autenticadores Multi-Factor" +icon: 'O uso de AMF forte pode parar mais de 99% dos acessos não autorizados à conta, e é fácil de configurar nos serviços que você já usa.' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Chaves de Segurança de Hardware + +### YubiKey + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png) As **YubiKeys** estão entre as chaves de segurança mais populares. Alguns modelos YubiKey têm uma vasta gama de características, como por exemplo: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 WebAuthn](https://en.wikipedia.org/wiki/WebAuthn), [Yubico OTP](https://developers.yubico.com/OTP/), [PIV](https://en.wikipedia.org/wiki/FIPS_201), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP e HOTP](https://developers.yubico.com/OATH/) autenticação. + + Um dos benefícios do YubiKey é que uma chave pode fazer quase tudo (YubiKey 5), que você poderia esperar de uma chave de segurança de hardware. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. Recomendamos vivamente que seleccione chaves da série YubiKey 5. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +Para modelos que suportam HOTP e TOTP, existem 2 slots na interface OTP que podem ser utilizados para HOTP e 32 slots para armazenar segredos TOTP. Estes segredos são armazenados encriptados na chave e nunca os expõe aos dispositivos em que estão ligados. Uma vez que uma semente (segredo compartilhado) é dada ao Yubico Authenticator, ele só dará os códigos de seis dígitos, mas nunca a semente. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! atenção + O firmware do YubiKeys não são de código aberto e não são actualizáveis. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. O **Nitrokey 3** listado terá um conjunto de recursos combinados. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +Para os modelos que suportam HOTP e TOTP, existem 3 slots para HOTP e 15 para TOTP. Alguns Nitrokeys podem agir como um gerenciador de senhas. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Aplicativos Autenticadores + +As aplicações autenticadoras implementam um padrão de segurança adotado pela Internet Engineering Task Force (IETF) chamado **Senhas únicas baseadas no tempo**, ou **TOTP**. Este é um método onde os sites compartilham um segredo com você que é usado pelo seu aplicativo autenticador para gerar um código de seis (geralmente) dígitos baseado na hora atual, que você entra enquanto faz o login para que o site seja verificado. Normalmente estes códigos são regenerados a cada 30 segundos, e assim que um novo código é gerado, o antigo torna-se inútil. Mesmo que um hacker receba um código de seis dígitos, não há maneira de reverter esse código para obter o segredo original, ou ser capaz de prever o que qualquer código futuro pode ser. + +Recomendamos vivamente que utilize aplicações TOTP móveis em vez de alternativas de desktop, uma vez que o Android e o IOS têm melhor segurança e isolamento de aplicações do que a maioria dos sistemas operativos desktop. + +### Aegis Authenticator (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Aegis](/assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** é uma aplicação gratuita, segura e de código aberto para gerir os seus tokens de verificação em 2 passos para os seus serviços online. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Raivo OTP](/assets/img/multi-factor-autenticação/raivo-otp.png){ align=right } + + **Raivo OTP*** é um cliente nativo, leve e seguro baseado no tempo (TOTP) & cliente com senha baseada em contador (HOTP) para iOS. Raivo OTP oferece backup iCloud opcional & sync. Raivo OTP também está disponível para MacOS na forma de um aplicativo de barra de status, porém o aplicativo Mac não funciona independentemente do aplicativo iOS. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/pt/news-aggregators.md b/i18n/pt/news-aggregators.md new file mode 100644 index 00000000..b28513ed --- /dev/null +++ b/i18n/pt/news-aggregators.md @@ -0,0 +1,184 @@ +--- +title: "Comunicação em Tempo Real" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Clientes agregadores + +### Leitor Fluente + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Fluent Reader](/assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** é um agregador de notícias seguro em várias plataformas que possui recursos de privacidade úteis, como exclusão de cookies na saída, [políticas de segurança de conteúdo (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) e suporte a proxy, o que significa que você pode usá-lo sobre [Tor](/self-contained-networks/#tor). [Visite hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Política de Privacidade](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Source](https://github.com/yang991178/fluent-reader.git) + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Alimentadores GNOME + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo GNOME Feeds](/assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds*** é um [RSS](https://en.wikipedia.org/wiki/RSS) e [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) leitor de notícias para [GNOME](https://www.gnome.org). Tem uma interface simples e é bastante rápida. + + [Visite gfeeds.gabmus.org](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds) + - [:fontawesome-brands-gitlab: Fonte](https://gitlab.gnome.org/World/gfeeds) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Akregator + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo Akregator](/assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** é um leitor de notícias que faz parte do projecto [KDE](https://kde.org). + + Ele vem com uma pesquisa rápida, funcionalidade avançada de arquivamento e um navegador interno para facilitar a leitura de notícias. [Visite kde.org](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Política de Privacidade](https://kde.org/privacypolicy-apps){ .md-button } + + **Downloads*** + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.kde.akregator) + - [:fontawesome-brands-git: Fonte](https://invent.kde.org/pim/akregator) + +### Leitor de Notícias Handy + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logotipo do Handy News Reader](/assets/img/news-aggregators/handy-news-reader.svg){ align=right } + + **Handy News Reader** é um garfo de [Flym](https://github.com/FredJul/Flym) que tem muitos [features](https://github.com/yanus171/Handy-News-Reader#features) e funciona bem com pastas de feeds RSS. Ele suporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) e [RDF](https://en.wikipedia.org/wiki/RDF%2FXML). + + [Visite yanus171.github.io](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=ru.yanus171.feedexfork) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/ru.yanus171.feedexfork/) + - [:fontawesome-brands-github: Source](https://github.com/yanus171/Handy-News-Reader) downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### NetNewsWire + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![NetNewsWire logo](/assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** um leitor de alimentação livre e de código aberto para macOS e iOS com foco em um design nativo e conjunto de recursos. Tem uma interface simples e é bastante rápida. + + [Visite netnewswire.com](https://netnewswire.com/){ .md-button .md-button--primary } [Política de Privacidade](https://netnewswire.com/privacypolicy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-apple: macOS](https://netnewswire.com) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:fontawesome-brands-github: Source](https://github.com/Ranchero-Software/NetNewsWire) + +### Miniflux + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Miniflux](/assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Logotipo Miniflux](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** é um agregador de notícias baseado na web que você pode auto-hospedar. Ele suporta [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) e [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Visite miniflux.app](https://miniflux.app){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/miniflux) downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Barco de notícias + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo do Newsboat](/assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** é um leitor de RSS/Atom feed para a consola de texto. É um garfo mantido ativamente de [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). É muito leve, e ideal para uso sobre [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [Visite newsboat.org](https://newsboat.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-github: Fonte](https://github.com/newsboat/newsboat) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Youtube + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Reddit + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Escolha uma instância e defina `nitter_instance`. + 2. Substitua `twitter_account` pelo nome da conta. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### Twitter + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/pt/notebooks.md b/i18n/pt/notebooks.md new file mode 100644 index 00000000..601d9063 --- /dev/null +++ b/i18n/pt/notebooks.md @@ -0,0 +1,124 @@ +--- +title: "Cadernos de notas" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Mantenha um registo das suas notas e diários sem os entregar a terceiros. + +Se você está usando atualmente uma aplicação como Evernote, Google Keep ou Microsoft OneNote, sugerimos que você escolha uma alternativa aqui que suporte [Encriptação de ponta a ponta (E2EE)](https://en.wikipedia.org/wiki/End-to-end_encryption). + +## Baseado nas nuvens + +### Joplin + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Joplin logo](/assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** é uma aplicação gratuita, de código aberto e com todas as funcionalidades de tomar e fazer notas, que pode lidar com um grande número de notas marcadas organizadas em cadernos e tags. Ele oferece criptografia de ponta a ponta e pode sincronizar através de Nextcloud, Dropbox, e muito mais. Também oferece fácil importação do Evernote e de notas de texto simples. + + [Visite joplinapp.org](https://joplinapp.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:pg-f-droid: F-Droid](https://f-droid.org/pt/packages/net.cozic.joplin) + - [:fontawesome-brands-android: Android](https://joplinapp.org/#mobile-applications) + - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). aviso Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Notas Padrão + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Nota: A partir de Dezembro de 2018, o Joplin não suporta a protecção por senha/pino para a aplicação em si ou para as notas/portáteis individuais. Os dados ainda estão criptografados em trânsito e em local sincronizado usando sua chave mestra. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Standard Notes](/assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes é uma aplicação simples e privada que torna as suas notas fáceis e disponíveis onde quer que esteja. Possui criptografia de ponta a ponta em cada plataforma, e uma poderosa experiência de desktop com temas e editores personalizados. + + Também tem sido [auditado independentemente (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). [Visite standardnotes.org](https://standardnotes.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://standardnotes.org/#get-started) + - [:fontawesome-brands-apple: macOS](https://standardnotes.org/#get-started) + - [:fontawesome-brands-linux: Linux](https://standardnotes.org/#get-started) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450) + - [:octicons-browser-16: Browser](https://app.standardnotes.org/) + - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Vale a pena mencionar + +### Org-mode + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/pt/os/android-overview.md b/i18n/pt/os/android-overview.md new file mode 100644 index 00000000..941d7b81 --- /dev/null +++ b/i18n/pt/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. atenção This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/pt/os/linux-overview.md b/i18n/pt/os/linux-overview.md new file mode 100644 index 00000000..74d8025d --- /dev/null +++ b/i18n/pt/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Visão geral do Linux +icon: fontawesome/brands/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +Existe uma crença comum que o *software* de [código aberto](https://pt. wikipedia. org/wiki/Software_de_c%C3%B3digo_aberto) é intrinsecamente seguro porque o código-fonte está disponível. Existe uma expectativa de que a verificação por parte da comunidade ocorre regularmente; contudo, esse nem sempre é [o caso](https://seirdy. one/2022/02/02/floss-security. html). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +Neste momento, a utilização de GNU/Linux em computadores pessoais tem algumas áreas que poderiam ser melhoradas quando comparadas com os seus equivalentes proprietários, por exemplo: + +- Uma cadeia de inicialização verificada, ao contrário do [Secure Boot](https://support. apple. com/guide/security/startup-security-utility-secc7b34e5b5/web) (com o [Secure Enclave](https://support. apple. com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), o [Verified Boot](https://source. android. com/security/verifiedboot) do Android ou [processo de boot](https://docs. microsoft. com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) com [TPM](https://docs. microsoft. com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm) do Microsoft Windows. Estas funcionalidades e tecnologias de hardware podem ajudar a prevenir manipulações persistentes por malware ou a "[evil maid attacks](https://en. wikipedia. org/wiki/Evil_Maid_attack)" +- Solução de sandboxing forte como a encontrada no [macOS](https://developer. apple. com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox. html), [ChromeOS](https://chromium. googlesource. com/chromiumos/docs/+/HEAD/sandboxing. md) e [Android](https://source. android. com/security/app-sandbox). As soluções de sandboxing mais comuns em Linux, tais como [Flatpak](https://docs. flatpak. org/en/latest/sandbox-permissions. html) e [Firejail](https://firejail. wordpress. com/) ainda têm um longo caminho a percorrer +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Recomendações Gerais + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/pt/os/qubes-overview.md b/i18n/pt/os/qubes-overview.md new file mode 100644 index 00000000..06847aba --- /dev/null +++ b/i18n/pt/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Recursos Adicionais + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/pt/passwords.md b/i18n/pt/passwords.md new file mode 100644 index 00000000..09d3bcf2 --- /dev/null +++ b/i18n/pt/passwords.md @@ -0,0 +1,366 @@ +--- +title: "Redes Auto-Contidas" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeepassXC + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeepassDX + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Vaultwarden + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Fique seguro e protegido on-line com um gerenciador de senhas criptografado e de código aberto. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + ![logotipo KeepassXC](/assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** é um garfo comunitário do KeePassX, uma porta nativa multi-plataforma do KeePass Password Safe, com o objectivo de o alargar e melhorar com novas funcionalidades e correcções de bugs para fornecer um gestor de senhas moderno, totalmente multi-plataforma e de código aberto. [Visite keepassxc.org](https://keepassxc.org){ .md-button .md-button--primary } [Política de Privacidade](https://keepassxc.org/privacy){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows) + - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac) + - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + - [:fontawesome-brands-github: Source](https://github.com/keepassxreboot/keepassxc) + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Baseado nas nuvens + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### KeepassXC + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + KeepassXC armazena seus dados de exportação como [comma-separated values (CSV)](https://en.wikipedia.org/wiki/Comma-separated_values). Isto pode significar perda de dados se você importar este arquivo para outro gerenciador de senhas. Aconselhamo-lo a verificar cada registo manualmente. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### KeepassDX + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo KeepassDX](/assets/img/password-management/keepassdx.svg){ align=right } + + **KeepassDX*** é um gerenciador de senhas leve para Android, permite editar dados criptografados em um único arquivo no formato KeePass e pode preencher os formulários de uma forma segura. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) permite desbloquear conteúdos cosméticos e recursos de protocolo não-padrão, mas, mais importante, ajuda e incentiva o desenvolvimento. Para mais detalhes, recomendamos que veja o seu [FAQ](https://github.com/Kunzisoft/KeePassDX/wiki/FAQ). [Visite keepassdx.com](https://www.keepassdx.com){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:pg-f-droid: F-Droid](https://www.f-droid.org/packages/com.kunzisoft.keepass.libre) + - [:fontawesome-brands-github: Source](https://github.com/Kunzisoft/KeePassDX) + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Bitwarden + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** é um gerenciador de senhas gratuito e de código aberto. Visa resolver problemas de gerenciamento de senhas para indivíduos, equipes e organizações empresariais. Bitwarden está entre as soluções mais fáceis e seguras para armazenar todos os seus logins e senhas, mantendo-os convenientemente sincronizados entre todos os seus dispositivos. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Gestores locais de senhas + +These options allow you to manage an encrypted password database locally. + +### Vaultwarden + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Linha de comando + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be cross-platform. diff --git a/i18n/pt/productivity.md b/i18n/pt/productivity.md new file mode 100644 index 00000000..c00cc264 --- /dev/null +++ b/i18n/pt/productivity.md @@ -0,0 +1,181 @@ +--- +title: "Clientes de streaming de vídeo" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Suítes de Escritório + +### LibreOffice + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logotipo do LibreOffice](/assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** é uma suite de escritório gratuita e de código aberto com amplas funcionalidades. + + [Visite libreoffice.org](https://www.libreoffice.org){ .md-button .md-button--primary } [Política de Privacidade](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Source](https://www.libreoffice.org/about-us/source-code) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + ![OnlyOffice logo](/assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** é uma alternativa, é uma suite de escritório gratuita e de código aberto com uma extensa funcionalidade. [Visite apenasoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Política de Privacidade](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx?from=default) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/wwww/onlyoffice-documentserver/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/onlyoffice-documents/id944896972) + - [:fontawesome-brands-github: Source](https://github.com/ONLYOFFICE) + +### OnlyOffice + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo Framadate](/assets/img/productivity/framadate.svg){ align=right } + + **Framadate** é um serviço online gratuito e de código aberto para planejar uma consulta ou tomar uma decisão de forma rápida e fácil. Não é necessário registo. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Planejamento + +### PrivateBin + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/pt/real-time-communication.md b/i18n/pt/real-time-communication.md new file mode 100644 index 00000000..df81180a --- /dev/null +++ b/i18n/pt/real-time-communication.md @@ -0,0 +1,214 @@ +--- +title: "Clientes de streaming de vídeo" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Mensageiros Instantâneos Criptografados + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Logotipo do sinal](/assets/img/messengers/signal.svg){ align=right } + + **Sinal*** é uma aplicação móvel desenvolvida pela Signal Messenger LLC. O aplicativo fornece mensagens instantâneas, bem como chamadas de voz e vídeo. + + Todas as comunicações são E2EE. As listas de contatos são criptografadas usando seu PIN de login e o servidor não tem acesso a elas. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Element logo](/assets/img/messengers/element.svg){ align=right } + + **Element** é o cliente de referência para o protocolo [Matrix](https://matrix.org/docs/guides/introduction), um [padrão aberto](https://matrix.org/docs/spec) para comunicação segura descentralizada em tempo real. As mensagens e ficheiros partilhados em salas privadas (aquelas que requerem um convite) são, por defeito, E2EE, tal como as chamadas de voz e vídeo de 1 para 1. + + [Visit element.io](https://element.io/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://element.io/get-started) + - [:fontawesome-brands-apple: macOS](https://element.io/get-started) + - [:fontawesome-brands-linux: Linux](https://element.io/get-started) + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/im.vector.app/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:fontawesome-brands-github: Source](https://github.com/vector-im/element-web) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo Briar](/assets/img/messengers/briar.svg){ align=right } + + **Briar** é um mensageiro instantâneo encriptado que [connects](https://briarproject.org/how-it-works/) para outros clientes que utilizam a Rede Tor. Briar também pode se conectar via Wi-Fi ou Bluetooth quando em proximidade local. O modo de rede local do Briar pode ser útil quando a disponibilidade da Internet é um problema. + + [Visite briarproject.org](https://briarproject.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-android: Android](https://f-droid.org/packages/org.briarproject.briar.android) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:fontawesome-brands-git: Source](https://code.briarproject.org/briar/briar) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Tipos de Redes de Comunicação + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. [Visite getession.org](https://getsession.org/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-windows: Windows](https://getsession.org/windows) + - [:fontawesome-brands-apple: macOS](https://getsession.org/mac) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1470168868) + - [:fontawesome-brands-linux: Linux](https://www.getession.org/linux) + - [:fontawesome-brands-android: Android](https://fdroid.getsession.org/) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:pg-f-droid: F-Droid](https://fdroid.getsession.org) + - [:fontawesome-brands-github: Source](https://github.com/oxen-io/session-desktop) + +### Element + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/pt/router.md b/i18n/pt/router.md new file mode 100644 index 00000000..510b26a8 --- /dev/null +++ b/i18n/pt/router.md @@ -0,0 +1,52 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Abaixo estão alguns sistemas operacionais alternativos, que podem ser usados em roteadores, pontos de acesso Wi-Fi, etc. + +## OpenWrt + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo OpenWrt](/assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](/assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt*** é um sistema operacional (em particular, um sistema operacional embarcado) baseado no kernel Linux, usado principalmente em dispositivos embarcados para rotear o tráfego da rede. Os principais componentes são o kernel Linux, util-linux, uClibc, e BusyBox. Todos os componentes foram optimizados em tamanho, para serem suficientemente pequenos para se adaptarem ao armazenamento limitado e à memória disponível nos routers domésticos. + + [Visite openwrt.org](https://openwrt.org){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-git: Fonte](https://git.openwrt.org) + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo pfSense](/assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](/assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense é uma distribuição de software de firewall/router de computador de código aberto baseada no FreeBSD. Ele é instalado em um computador para fazer um firewall/router dedicado para uma rede e é notado por sua confiabilidade e oferecendo recursos muitas vezes encontrados apenas em firewalls comerciais caros. + + O pfSense é normalmente implantado como firewall perimetral, roteador, ponto de acesso sem fio, servidor DHCP, servidor DNS e VPN endpoint. + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/pt/search-engines.md b/i18n/pt/search-engines.md new file mode 100644 index 00000000..a0953385 --- /dev/null +++ b/i18n/pt/search-engines.md @@ -0,0 +1,110 @@ +--- +title: "Motores de Busca" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use um motor de busca que não construa um perfil publicitário baseado nas suas pesquisas. + +As recomendações aqui são baseadas nos méritos da política de privacidade de cada serviço. Há **sem garantia** de que estas políticas de privacidade sejam honradas. + +Considere usar um [VPN](/vpn) ou [Tor](https://www.torproject.org/) se o seu modelo de ameaça requer esconder o seu endereço IP do fornecedor de pesquisa. + +## Brave Search + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo*** é um motor de busca popular e é o padrão para o Tor Browser. DuckDuckGo usa uma API comercial Bing e várias [outras fontes](https://help.duckduckgo.com/results/sources) para fornecer seus dados de pesquisa. + + [Visite duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Política de Privacidade](https://duckduckgo.com/privacy){ .md-button } + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + DuckDuckGo está sediado em 🇺🇸 US. Sua [Política de Privacidade](https://duckduckgo.com/privacy) declara que eles registram sua consulta de pesquisa, mas não o seu IP ou qualquer outra informação de identificação. The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logo da página inicial](/assets/img/search-engines/startpage.svg){ align=right } + + **Startpage** é um motor de pesquisa que fornece resultados de pesquisa do Google. É uma forma muito conveniente de obter resultados de pesquisa no Google sem experimentar padrões escuros, tais como capturas difíceis ou acesso recusado porque você usou um [VPN](/vpn) ou [Tor](https://www.torproject.org/download/). + + [Visite startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Política de Privacidade](https://www.startpage.com/en/privacy-policy){ .md-button } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/pt/tools.md b/i18n/pt/tools.md new file mode 100644 index 00000000..a3eea02b --- /dev/null +++ b/i18n/pt/tools.md @@ -0,0 +1,488 @@ +--- +title: "Ferramentas de Privacidade" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +Se você está procurando uma solução específica para algo, estas são as ferramentas de hardware e software que recomendamos em uma variedade de categorias. Nossas ferramentas de privacidade recomendadas são escolhidas principalmente com base em recursos de segurança, com ênfase adicional em ferramentas descentralizadas e de código aberto. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Logótipo do Navegador Tor](/assets/img/browsers/tor.svg){ .twemoji } [Navegador Tor](https://www.torproject.org/) +- ![Logótipo do Firefox](/assets/img/browsers/firefox.svg){ .twemoji } [Firefox (Desktop)](https://firefox.com/) +- ![Logotipo Bromite](/assets/img/browsers/bromite.svg){ .twemoji } [Bromite (Android)](https://www.bromite.org/) +- ![Logotipo Safari](/assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](https://www.apple.com/safari/) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Saiba mais...](tor.md) + +## Sistemas Operacionais + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Saiba mais...](desktop-browsers.md) + +### Recursos Adicionais + +
+ +- ![GrapheneOS logo](/assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](https://grapheneos.org/) +- ![logo CalyxOS](/assets/img/android/calyxos.svg){ .twemoji } [CalyxOS](https://calyxos.org/) +- ![DivestOS logo](/assets/img/android/divestos.svg){ .twemoji } [DivestOS](https://divestos.org/) + +
+ +[Saiba mais...](desktop-browsers.md#additional-resources) + +## Prestadores de serviços + +
+ +- ![Droid-ify logo](/assets/img/android/droid-ify.png){ .twemoji } [Droid-ify (F-Droid Client)](https://github.com/Iamlooker/Droid-ify) +- ![Logo Orbot](/assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor Proxy)](https://orbot.app/) +- ![Shelter logo](/assets/img/android/shelter.svg){ .twemoji } [Shelter (Work Profiles)](https://gitea.angry.im/PeterCxy/Shelter) +- ![Logótipo do auditor](/assets/img/android/auditor.svg#only-light){ .twemoji }![Logotipo GrapheneOS](/assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (dispositivos suportados)](https://attestation.app/) +- ![Logotipo da câmera segura](/assets/img/android/secure_camera.svg#only-light){ .twemoji }![Logotipo da câmera segura](/assets/img/android/secure_camera-dark).svg#only-dark){ .twemoji } [Secure Camera](https://github.com/GrapheneOS/Camera) +- ![Secure PDF Viewer logo](/assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](/assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](https://github.com/GrapheneOS/PdfViewer) +- ![PrivacyBlur logo](/assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](https://privacyblur.app/) + +
+ +[Saiba mais...](mobile-browsers.md) + +### Recursos Adicionais + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Saiba mais...](mobile-browsers.md#adguard) + +## Software + +### Mobile + +
+ +- ![Logótipo OpenWrt](/assets/img/router/openwrt.svg#only-light){ .twemoji }![Logótipo OpenWrt](/assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](https://openwrt.org/) +- ![logótipo pfSense](/assets/img/router/pfsense.svg#only-light){ .twemoji }![logótipo pfSense](/assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](https://www.pfsense.org/) + +
+ +[Saiba mais...](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Saiba mais...](android.md#general-apps) + +### Armazenamento em nuvem + +
+ +- ![Logotipo ProtonMail](/assets/img/email/mini/protonmail.svg){ .twemoji } [ProtonMail](https://protonmail.com/) +- ![Logotipo mailbox.org](/assets/img/email/mini/mailboxorg.svg){ .twemoji } [Mailbox.org](https://mailbox.org/) +- ![Logotipo de raiz](/assets/img/img/email/mini/disroot.svg#only-light){ .twemoji }![Logotipo de raiz](/assets/img/email/mini/disroot-dark.svg#only-dark){ .twemoji } [Disroot](https://disroot.org/) +- ![Logotipo Tutanota](/assets/img/email/mini/tutanota.svg){ .twemoji } [Tutanota](https://tutanota.com/) +- ![Logotipo StartMail](/assets/img/email/mini/tutanota.svg#only-light){ .twemoji }![StartMail logo](/assets/img/email/mini/startmail-dark.svg#only-dark){ .twemoji } [StartMail](https://startmail.com/) +- ![CTemplar logo](/assets/img/email/mini/ctemplar.svg#only-light){ .twemoji }![CTemplar logo](/assets/img/email/mini/ctemplar-dark.svg#only-dark){ .twemoji } [CTemplar](https://ctemplar.com/) + +
+ +[Saiba mais...](desktop.md) + +### Router Firmware + +
+ +- ![AnonAddy logo](/assets/img/img/email/mini/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](/assets/img/email/mini/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](https://anonaddy.com/) +- ![SimpleLogin logo](/assets/img/email/mini/simplelogin.svg){ .twemoji } [SimpleLogin](https://simplelogin.io/) + +
+ +[Saiba mais...](router.md) + +## Service Providers + +### Email + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Saiba mais...](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Saiba mais...](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![logo DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](https://duckduckgo.com/) +- ![logo Startpage](/assets/img/search-engines/startpage.svg){ .twemoji } [Startpage](https://www.startpage.com/) +- ![Mojeek logo](/assets/img/search-engines//mini/mojeek.svg){ .twemoji } [Mojeek](https://www.mojeek.com/) +- ![Searx logo](/assets/img/search-engines/searx.svg){ .twemoji } [Searx](https://searx.me/) + +
+ +[Saiba mais...](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![Logótipo Mullvad](/assets/img/vpn/mini/mullvad.svg){ .twemoji } [Mullvad](https://mullvad.net/) +- ![Logótipo ProtonVPN](/assets/img/vpn/mini/protonvpn.svg){ .twemoji } [ProtonVPN](https://protonvpn.com/) +- ![Logotipo IVPN](/assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](https://www.ivpn.net/) + +
+ +[Saiba mais...](dns.md#self-hosted-solutions) + +### Provedores de VPN + +
+ +- ![logo Tutanota](/assets/img/calendar-contactos/tutanota.svg){ .twemoji } [Tutanota (SaaS)](https://tutanota.com/calendar) +- ![logo Proton Calendar](/assets/img/calendar-contactos/proton-calendar.svg){ .twemoji } [Calendário Proton (SaaS)](https://calendar.protonmail.com/) +- ![Logotipo EteSync](/assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](https://www.etesync.com/) +- ![Logotipo Tutanota](/assets/img/calendar-contacts/nextcloud.svg){ .twemoji } [Nextcloud](https://nextcloud.com/) +- ![Logotipo DecSync CC](/assets/img/calendar-contacts/decsync.svg){ .twemoji } [DecSync](https://github.com/39aldo39/DecSync) + +
+ +[Saiba mais...](email.md) + +#### Visão Geral da Criptografia de E-mail + +
+ +- ![Joplin logo](/assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](https://joplinapp.org/) +- ![Standard Notes logo](/assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](https://standardnotes.org/) + +
+ +[Saiba mais...](email.md#email-aliasing-services) + +#### Visão Geral dos Metadados de Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Saiba mais...](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Saiba mais...](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Saiba mais...](financial-services.md#gift-card-marketplaces) + +### Motores de Busca + +
+ +- ![VeraCrypt logo](/assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](/assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](https://veracrypt.fr/) +- ![Logotipo do criptomator](/assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](https://cryptomator.org/) +- ![Logotipo do Picocrypt](/assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](https://evansu.cc/picocrypt) +- ![Hat.sh logo](/assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](/assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (baseado no navegador)](https://hat.sh/) +- ![Logotipo Kryptor](/assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](https://www.kryptor.co.uk/) +- ![Logotipo Tomb](/assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](https://www.dyne.org/software/tomb) + +
+ +[Saiba mais...](search-engines.md) + +### VPN Providers + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. perigo "As VPNs não proporcionam anonimato". + + Usando uma VPN **não*** manterá seus hábitos de navegação anônimos, nem adicionará segurança adicional ao tráfego não seguro (HTTP). + + Se você está procurando por **anonimato**, você deve usar o Navegador Tor **em vez de** de uma VPN. + + Se você está procurando por **security** adicionado, você deve sempre garantir que você está se conectando a sites usando [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Uma VPN não é um substituto para as boas práticas de segurança. + + [Saiba mais](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Saiba mais...](vpn.md) + +## Software + +### Clientes de e-mail + +
+ +- ![logótipo OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](https://onionshare.org/) +- ![logótipo Magic Wormhole](/assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](https://magic-wormhole.readthedocs.io/) +- ![Logotipo FreedomBox](/assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](https://freedombox.org/) +- ![Syncthing logo](/assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](https://syncthing.net/) +- ![git-annex logo](/assets/img/file-sharing-sync/gitannex.svg){ .twemoji } [git-annex](https://git-annex.branchable.com/) + +
+ +[Saiba mais...](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Saiba mais...](cryptocurrency.md) + +### Ferramentas de encriptação + +
+ +- ![MAT2 logo](/assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](https://0xacab.org/jvoisin/mat2) +- ![ExifCleaner logo](/assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](https://exifcleaner.com/) +- ![Scrambled Exif logo](/assets/img/metadata-removal/scrambled-exif.svg){ .twemoji } [Scrambled Exif (Android)](https://gitlab.com/juanitobananas/scrambled-exif) +- ![Logótipo Imagepipe](/assets/img/metadata-removal/imagepipe.svg){ .twemoji } [Imagepipe (Android)](https://codeberg.org/Starfish/Imagepipe) +- ![Logotipo Metapho](/assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](https://zininworks.com/metapho) +- ![Logotipo ExifTool](/assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](https://exiftool.org/) + +
+ +[Saiba mais...](data-redaction.md) + +### Partilha de ficheiros + +
+ +- ![YubiKeys](/assets/img/multi-factor-authentication/yubikey.png){ .twemoji } [YubiKey](https://www.yubico.com/) +- ![Nitrokey](/assets/img/multi-factor-authentication/nitrokey.jpg){ .twemoji } [Nitrokey](https://www.nitrokey.com/) +- ![Aegis logo](/assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](https://getaegis.app/) +- ![Raivo OTP logo](/assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](https://github.com/raivo-otp/ios-application) + +
+ +[Saiba mais...](email-clients.md) + +### Software de encriptação + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. info "Operating System Disk Encryption" + + Para criptografar a unidade do seu sistema operacional, normalmente recomendamos usar qualquer ferramenta de criptografia que o seu sistema operacional forneça, seja **BitLocker** no Windows, **FileVault** no MacOS, ou **LUKS*** no Linux. Estas ferramentas estão disponíveis fora da caixa e normalmente utilizam elementos de encriptação de hardware como um TPM que outros softwares de encriptação de disco completo como o VeraCrypt não utilizarão. O VeraCrypt ainda é adequado para discos de sistemas não operacionais, como acionamentos externos, especialmente acionamentos que podem ser acessados de vários sistemas operacionais. + + [Saiba mais](encryption.md###operating-system-included-full-disk-encryption-fde) + +
+ +- ![logótipo KeePassXC](/assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](https://keepassxc.org/) +- ![logótipo KeePassDX](/assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](https://www.keepassdx.com/) +- ![Bitwarden logo](/assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](https://bitwarden.com/) +- ![Psono logo](/assets/img/password-management/psono.svg){ .twemoji } [Psono](https://psono.com/) +- ![gopass logo](/assets/img/password-management/gopass.svg){ .twemoji } [gopass](https://www.gopass.pw/) +- ![Vaultwarden logo](/assets/img/password-management/vaultwarden.svg#only-light){ .twemoji }![Vaultwarden logo](/assets/img/password-management/vaultwarden-dark.svg#only-dark){ .twemoji } [Vaultwarden (Bitwarden Server)](https://github.com/dani-garcia/vaultwarden) + +
+ +[Saiba mais...](encryption.md) + +#### OpenPGP Clients + +
+ +- ![logótipo LibreOffice](/assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](https://www.libreoffice.org/) +- ![logótipo OnlyOffice](/assets/img/productivity/libreoffice.svg){ .twemoji } [OnlyOffice](https://www.onlyoffice.com/) +- ![Framadate logo](/assets/img/productivity/framadate.svg){ .twemoji } [Framadate (Appointment Planning)](https://framadate.org/) +- ![PrivateBin logo](/assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](https://privatebin.info/) +- ![CryptPad logo](/assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](https://cryptpad.fr/) +- ![Write.as logo](/assets/img/productivity/writeas.svg#only-light){ .twemoji }![Write.as logo](/assets/img/productivity/writeas-dark.svg#only-dark){ .twemoji } [Write.as (Blogging Platform)](https://write.as/) +- ![VSCodium logo](/assets/img/productivity/vscodium.svg){ .twemoji } [VSCodium (Source-Code Editor)](https://vscodium.com/) + +
+ +[Saiba mais...](encryption.md#openpgp) + +### Ferramentas de Autenticação Multi-Factor + +
+ +- ![Logotipo do sinal](/assets/img/messengers/signal.svg){ .twemoji } [Signal](https://signal.org/) +- ![Logotipo do elemento](/assets/img/messengers/element.svg){ .twemoji } [Element](https://element.io/) +- ![Logotipo do Briar](/assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](https://briarproject.org/) +- ![Logotipo da sessão](/assets/img/messengers/session.svg){ .twemoji } [Session](https://getsession.org/) + +
+ +[Saiba mais...](file-sharing.md) + +### Gestores de senhas + +
+ +- ![Leitor Fluente](/assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Leitor Fluente](https://hyliu.me/fluent-reader) +- ![GNOME Feeds](/assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](https://gfeeds.gabmus.org) +- ![Akregator](/assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](https://apps.kde.org/akregator) +- ![Leitor de Notícias Handy](/assets/img/news-aggregators/handy-news-reader.svg){ .twemoji } [Leitor de Notícias Handy](https://github.com/yanus171/Handy-News-Reader) +- ![NetNewsWire](/assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](https://netnewswire.com) +- ![Miniflux](/assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](/assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](https://miniflux.app) +- ![Newsboat](/assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](https://newsboat.org/) + +
+ +[Saiba mais...](frontends.md) + +### Ferramentas de Produtividade + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Saiba mais...](multi-factor-authentication.md) + +### Comunicação em Tempo Real + +
+ +- ![FreeTube logo](/assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](https://freetubeapp.io/) +- ![LBRY logo](/assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](https://lbry.com/) +- ![logo NewPipe](/assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](https://newpipe.net/) +- ![logo NewPipe x SponsorBlock](/assets/img/video-streaming/newpipe.svg){ .twemoji } [NewPipe x SponsorBlock](https://github.com/polymorphicshade/NewPipe) +- ![Invidious logo](/assets/img/video-streaming/invideo-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](/assets/img/video-streaming/invideo-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](https://invidious.io/) +- ![Logótipo canalizado](/assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](https://piped.kavin.rocks/) + +
+ +[Saiba mais...](news-aggregators.md) + +### Cadernos de notas + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Saiba mais...](notebooks.md) + +### Redes Auto-Contidas + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Saiba mais...](passwords.md) + +### Clientes de streaming de vídeo + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Saiba mais...](productivity.md) + +### Clientes de streaming de vídeo + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Saiba mais...](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Saiba mais...](video-streaming.md) diff --git a/i18n/pt/tor.md b/i18n/pt/tor.md new file mode 100644 index 00000000..de28076f --- /dev/null +++ b/i18n/pt/tor.md @@ -0,0 +1,128 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Navegador Tor + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +Este navegador fornece acesso às Pontes Tor e \[Rede Tor\](https://en.wikipedia.org/wiki/Tor_(rede)), juntamente com extensões que podem ser configuradas automaticamente para se ajustarem aos seus três níveis de segurança - *Standard*, *Safer* e *Safest*. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Perfis de usuário + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Os dados de cada usuário são criptografados usando sua própria chave de criptografia exclusiva, e os arquivos do sistema operacional são deixados não criptografados. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + [Visite orbot.app](https://orbot.app/){ .md-button .md-button--primary } + + **Downloads*** + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:pg-f-droid: F-Droid](https://guardianproject.info/fdroid) + - [:fontawesome-brands-github: GitHub](https://github.com/guardianproject/orbot) + - [:fontawesome-brands-gitlab: GitLab](https://gitlab.com/guardianproject/orbot) + +## Relays and Bridges + +### Snowflake + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +Recomendamos armazenar uma chave de recuperação local em um local seguro, em vez de utilizar a recuperação do iCloud FileVault. tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/pt/video-streaming.md b/i18n/pt/video-streaming.md new file mode 100644 index 00000000..df2d5f54 --- /dev/null +++ b/i18n/pt/video-streaming.md @@ -0,0 +1,52 @@ +--- +title: "Transmissão de vídeo" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +A principal ameaça ao usar uma plataforma de streaming de vídeo é que os seus hábitos de streaming e listas de assinaturas podem ser usados para traçar o seu perfil. Você deve combinar estas ferramentas com um [VPN](/vpn) ou [Tor](https://www.torproject.org/) para tornar mais difícil o perfil do seu uso. + +## Clientes + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + Ao usar o Freetube, seu endereço IP ainda é conhecido pelo YouTube, [Invidious](https://instances.invidious.io) e as instâncias SponsorBlock que você usa. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! Recomendamos que você verifique o [documentação](https://developers.yubico.com/SSH/) de Yubico sobre como configurar isso. + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Considere o auto-hospedagem para mitigar esta ameaça. + + ![logo PrivateBin](/assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** é um pastebin online minimalista e de código aberto onde o servidor tem zero conhecimento de dados colados. Os dados são criptografados/descriptografados no navegador usando AES de 256 bits. Psono suporta compartilhamento seguro de senhas, arquivos, marcadores e e-mails. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/pt/vpn.md b/i18n/pt/vpn.md new file mode 100644 index 00000000..59b37a3e --- /dev/null +++ b/i18n/pt/vpn.md @@ -0,0 +1,312 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! perigo "As VPNs não proporcionam anonimato". + + Usando uma VPN **não*** manterá seus hábitos de navegação anônimos, nem adicionará segurança adicional ao tráfego não seguro (HTTP). + + Se você está procurando por **anonimato**, você deve usar o Navegador Tor **em vez de** de uma VPN. + + Se você está procurando por **security** adicionado, você deve sempre garantir que você está se conectando a sites usando [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Uma VPN não é um substituto para as boas práticas de segurança. + + [Baixar Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Mitos Tor & FAQ](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Provedores recomendados + +Nossos provedores recomendados estão fora dos EUA, usam criptografia, aceitam Monero, suportam WireGuard & OpenVPN, e têm uma política de não registro. Read our [full list of criteria](#criteria) for more information. + +### ProtonVPN + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![ProtonVPN logo](/assets/img/vpn/protonvpn.svg){ align=right } + + **ProtonVPN*** é um forte concorrente no espaço VPN, e estão em operação desde 2016. ProtonVPN está baseado na Suíça e oferece um nível de preços livre limitado, bem como opções premium. + + Eles oferecem mais 14 iscount para a compra de uma assinatura de 2 anos. Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto é devido a uma rota mais curta (menos lúpulo) para o destino. +{ .annotate } + +1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +ProtonVPN suporta principalmente o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +ProtonVPN têm seus próprios servidores e datacenters na Suíça, Islândia e Suécia. IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### IVPN + +!!! nota + Consulte o [Tabela de Hardware](https://openwrt.org/toh/start) para verificar se o seu dispositivo é suportado. + + ![logótipo IVPN](/assets/img/vpn/ivpn.svg){ align=right } + + **IVPN*** é outro provedor VPN premium, e estão em operação desde 2009. A IVPN está sediada em Gibraltar. **Padrão USD $60/ano*** - **Pro USD $100/ano*** + + [Visite IVPN.net](https://www.ivpn.net/){ .md-button .md-button--primary } + + Também achamos que é melhor para a segurança das chaves privadas do provedor de VPN se ele usar [servidores dedicados](https://en.wikipedia.org/wiki/Dedicated_hosting_service), ao invés de soluções compartilhadas mais baratas (com outros clientes), como [servidores virtuais privados](https://en.wikipedia.org/wiki/Virtual_private_server). downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto é devido a uma rota mais curta (menos lúpulo) para o destino. +{ .annotate } + +1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. \[WireGuard\](https://www.wireguard.com)\[^1] é um protocolo mais recente que utiliza o estado da arte [cryptography\](https://www.wireguard.com/protocol/). + +#### :material-check:{ .pg-green } WireGuard Support + +O IVPN suporta o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. O cliente móvel no Android também está disponível em \[F-Droid\](https://f-droid.org/en/packages/net.ivpn.client), o que garante que ele seja compilado com \[builds reproduzíveis\](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Mullvad + +!!! recommendation annotate + + ![logo Mullvad](/assets/img/vpn/mullvad.svg#only-light){ align=right } + ![Mullvad logo](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right } + + **Mullvad** é uma VPN rápida e barata com um foco sério na transparência e segurança. Eles estão em operação desde **2009***. + + Mullvad está sediada na Suécia e não tem um teste gratuito. downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Isto é devido a uma rota mais curta (menos lúpulo) para o destino. +{ .annotate } + +1. Ocultar o seu tráfego de **apenas** o seu fornecedor de serviços de Internet. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Os clientes VPN da Mullvad foram auditados pela Cure53 e Assured AB num relatório de pentest \[publicado na cure53.de\](https://cure53.de/pentest-report_mullvad_v2.pdf). Os investigadores de segurança concluíram: + +> Cure53 e Assured AB estão satisfeitos com os resultados da auditoria e o software deixa uma impressão geral positiva. Com a dedicação da equipe interna do complexo Mullvad VPN, os testadores não têm dúvidas de que o projeto está no caminho certo do ponto de vista de segurança. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +A Mullvad suporta o protocolo WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Além disso, o WireGuard pretende ser mais simples e mais performante. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Sua rede permite aos usuários \[acessar serviços hospedados em IPv6\](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) em oposição a outros provedores que bloqueiam conexões IPv6. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +A Mullvad publicou clientes \[App Store\](https://apps.apple.com/app/mullvad-vpn/id1488466513) e \[Google Play\](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn), ambos com suporte a uma interface fácil de usar, em vez de exigir que os usuários configurem manualmente suas conexões do WireGuard. O cliente móvel no Android também está disponível em \[F-Droid\](https://f-droid.org/packages/net.mullvad.mullvadvpn), o que garante que ele seja compilado com \[builds reproduzíveis\](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html). They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. Eles usam \[ShadowSocks\](https://shadowsocks.org/en/index.html) na sua configuração ShadowSocks OpenVPN, tornando-os mais resistentes contra firewalls com \[Deep Packet Inspection\](https://en.wikipedia.org/wiki/Deep_packet_inspection) tentando bloquear VPNs. + +## Framadate + +!!! Isto permite-nos fornecer recomendações completamente objectivas. Desenvolvemos um conjunto claro de requisitos para qualquer provedor de VPN que deseje ser recomendado, incluindo criptografia forte, auditorias de segurança independentes, tecnologia moderna, e muito mais. + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +Operar fora dos cinco/nove/quatro países não é necessariamente uma garantia de privacidade, e existem outros factores a considerar. No entanto, acreditamos que evitar esses países é importante se você deseja evitar a vigilância de arrastão do governo em massa, especialmente dos Estados Unidos. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Jurisdição + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**O melhor caso:** + +- Operando fora dos EUA ou de outros países da Five Eyes. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- Operando fora dos EUA ou de outros 14 países da 14 Eyes. +- Operando dentro de um país com fortes leis de proteção ao consumidor. +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Tecnologia + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**O melhor caso:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- Killswitch construído para os clientes. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Privacidade + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**O melhor caso:** + +- Monero ou opção de pagamento em dinheiro. +- Não é necessária nenhuma informação pessoal para se registar: Somente nome de usuário, senha e e-mail, no máximo. +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Aceita Monero, dinheiro e outras formas de pagamento anônimo (cartões presente, etc.) +- Não é necessária nenhuma informação pessoal para se registar: Somente nome de usuário, senha e e-mail, no máximo. +- Comprehensive published security audits from a reputable third-party firm. +- Programas de recompensa de bugs e/ou um processo coordenado de divulgação de vulnerabilidades. + +### Segurança + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**O melhor caso:** + +- Esquemas de Criptografia Fortes: OpenVPN com autenticação SHA-256; RSA-2048 ou melhor aperto de mão; AES-256-GCM ou AES-256-CBC encriptação de dados. + +**Best Case:** + +- A Encriptação mais forte: RSA-4096. +- Perfect Forward Secrecy (PFS). + +### Confiança + +With the VPN providers we recommend we like to see responsible marketing. + +**O melhor caso:** + +- Deve auto-instalar análises (sem Google Analytics, etc.). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Fazer garantias de protecção do anonimato a 100%. Quando alguém afirma que algo é 100%, significa que não há certeza de fracasso. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Impressão digital do navegador](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Relatórios de transparência frequentes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Marketing + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/ru/404.md b/i18n/ru/404.md new file mode 100644 index 00000000..880e2fcc --- /dev/null +++ b/i18n/ru/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Страница Не Найдена + +Мы не смогли найти страницу, которую вы искали! Может быть, вы искали что-то из этого? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Форум Privacy Guides](https://discuss.privacyguides.net) +- [Наш блог](https://blog.privacyguides.org) diff --git a/i18n/ru/CODE_OF_CONDUCT.md b/i18n/ru/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/ru/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/ru/about/criteria.md b/i18n/ru/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/ru/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/ru/about/donate.md b/i18n/ru/about/donate.md new file mode 100644 index 00000000..54eda387 --- /dev/null +++ b/i18n/ru/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Поддержать нас +--- + + +Нам нужно много [людей](https://github.com/privacyguides/privacyguides.org/graphs/contributors) и [работы](https://github.com/privacyguides/privacyguides.org/pulse/monthly) чтобы поддерживать Priacy Guides в актуальном состоянии и распространять информацию о безопасности и массовой слежке. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Если вы хотите помочь нам материально, лучшим способом будет пожертвование через Open Collective, ресурс, управляемый нашим фискальным агентом. Open Collective поддерживает оплату через кредитную или дебетовую карту, PayPal, банковские переводы. + +[Пожертвовать на OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. После пожертвования вы получите чек от Фонда Open Collective. Privacy Guides не предоставляет финансовых консультаций, и вам следует обратиться к своему налоговому консультанту, чтобы узнать, применимо ли это к вам. + +Если вы уже пользуетесь спонсорством на GitHub, вы также можете спонсировать нашу организацию там. + +[Спонсировать нас на GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Спонсоры + +Особая благодарность тем, кто поддерживает нашу миссию! :heart: + +*Внимание: этот раздел загружает виджет непосредственно из Open Collective. В этом разделе нет пожертвований, которые сделаны за пределами Open Collective, и мы не контролируем конкретных спонсоров, указанных в этом разделе.* + + + +## Как мы используем пожертвования + +Privacy Guides - это **некоммерческая** организация. Мы используем пожертвования в различных целях, в том числе для: + +**Регистрации доменов** +: + +У нас есть несколько доменных имен, таких как `privacyguides.org`, регистрация которых обходится нам примерно в 10 долларов в год. + +**Хостинга** +: + +Трафик этого сайта составляет сотни гигабайт данных в месяц, и мы используем различных поставщиков услуг для поддержания этого трафика. + +**Онлайн-сервисов** +: + +Мы хостим [интернет сервисы](https://privacyguides.net) для тестирования и демонстрации разных конфиденциальных продуктов, которые мы предпочитаем и [рекомендуем](../tools.md). Некоторые из них общедоступны для использования сообществом (SearXNG, Tor, и т. д.) а некоторые предоставляются для членов нашей команды (почта, и т. д.). + +**Покупки продукции** +: + +Иногда мы приобретаем продукты и услуги для тестирования [рекомендуемых нами инструментов](../tools.md). + +Мы всё ещё работаем над нашим фискальным хостом (Фонд Open Collective), чтобы получать пожертвования в криптовалюте, сейчас учёт множества мелких операций невозможен, но мы постараемся изменить это в будущем. А пока, если вы хотите сделать большое (> $100) пожертвование в криптовалюте, пожалуйста обратитесь по адресу [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/ru/about/index.md b/i18n/ru/about/index.md new file mode 100644 index 00000000..4a16f58a --- /dev/null +++ b/i18n/ru/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. Однако вы **не можете** использовать бренд PrivacyGuides в своем проекте без нашего специального разрешения. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/ru/about/notices.md b/i18n/ru/about/notices.md new file mode 100644 index 00000000..0938e440 --- /dev/null +++ b/i18n/ru/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Отказ от ответственности + +Privacy Guides не является юридической организацией. Следовательно, Privacy Guides не предоставляет вам юридическую помощь. Материалы и рекомендации на нашем сайте никоим образом не являются юридическими советами, равно как и участие в работе сайта/общение с PrivacyGuides или её участниками не являются правозащитными отношениями. + +Работа этого сайта, как и любая другая деятельность человека, связана с неопределенностью и компромиссами. Мы надеемся, что этот ресурс поможет вам, однако он может содержать некоторые ошибки и не может охватить все ситуации. Если у вас возникли какие-либо вопросы по той или иной ситуации, мы рекомендуем вам провести своё собственное исследование, обратиться к другим экспертам и принять участие в обсуждении с сообществом PrivacyGuides. Если у вас есть какие-либо юридические вопросы, вам следует проконсультироваться с вашим собственным юристом, прежде чем двигаться дальше. + +PrivacyGuides - это проект с открытым исходным кодом, созданный на основе лицензий, включающих условия, которые, в целях защиты сайта и его участников, ясно дают понять, что проект PrivacyGuides и его сайт предлагаются "как есть", без каких-либо гарантий и отказа от ответственности за ущерб, возникший в результате использования сайта или любых рекомендаций, содержащихся в нем. PrivacyGuides не гарантирует и не делает никаких заявлений о точности, возможных результатах или надежности использования материалов на сайте или иным образом связанных с такими материалами сайтах или на любых сторонних сайтах, отмеченных на данной веб-странице. + +Кроме того, PrivacyGuides не гарантирует, что данный веб-сайт будет постоянно доступен или доступен вообще. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Это не относится к коду сторонних разработчиков, встроенному в данный репозиторий, или к коду, в котором так или иначе указана другая лицензия. Ниже приведены яркие примеры, но этот список не является исчерпывающим: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Это означает, что вы можете использовать контент из этого репозитория в личных целях на условиях, изложенных в тексте Creative Commons Attribution-NoDerivatives 4.0 International Public License. Вы можете делать это любым способом в рамках разумного, но не говорить, что Privacy Guides одобряет ваш проект или ваше использование материалов. Однако вы **не можете** использовать бренд PrivacyGuides в своем проекте без нашего специального разрешения. Торговые марки бренда PrivacyGuides включают в себя название "Privacy Guides" и логотип в виде щита. + +Мы считаем, что логотипы и другие изображения в `assets`, полученные от сторонних лиц, являются либо публичным достоянием, либо находятся в **добросовестном использовании**. В двух словах, правовая доктрина [добросовестного использования](https://ru.wikipedia.org/wiki/Добросовестное_использование) разрешает использование изображений, защищенных авторским правом, для идентификации предмета в целях общественного обсуждения. Тем не менее, эти логотипы и другие изображения могут подпадать под действие законов о товарных знаках в тех или иных юрисдикциях. Перед использованием этого контента, пожалуйста, убедитесь, что он используется для идентификации юридического лица или организации, которой принадлежит товарный знак, и что у вас есть право использовать его в соответствии с законами, которые применяются в обстоятельствах вашего предполагаемого использования. *При копировании материалов с этого сайта вы несете полную ответственность за то, что не нарушаете авторские права.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Допустимое использование + +Вы не должны использовать данный веб-сайт любым способом, который наносит или может нанести ущерб сайту или нарушить его доступность, или любым способом, являющимся незаконным, мошенническим, вредным, или в связи с любой незаконной, мошеннической или вредной целью/деятельностью. + +Вы не можете осуществлять какие-либо автоматизированные действия по сбору данных на этом сайте или на связанных с ним элементах без письменного согласия, включая: + +* Чрезмерное автоматическое сканирование +* DoS-атаки +* Скрейпинг +* Data mining (просев информации, добыча данных, извлечение данных) +* "Фрейминг" (IFrames) + +--- + +*Часть этого описания была взята из [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) на GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/ru/about/privacy-policy.md b/i18n/ru/about/privacy-policy.md new file mode 100644 index 00000000..7288aaca --- /dev/null +++ b/i18n/ru/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Политика конфиденциальности" +--- + +Privacy Guides - это общественный проект, управляемый несколькими активными добровольцами. Актуальный список участников нашей команды [вы можете найти на GitHub](https://github.com/orgs/privacyguides/people). + +## Какие данные мы собираем от посетителей + +Конфиденциальность посетителей нашего сайта очень важна для нас, поэтому мы не отслеживаем конкретных людей. Если вы посетитель нашего сайта: + +- Никакая персональная информация о вас не собирается +- No information such as cookies are stored in the browser +- Никакая информация не передаётся третьим лицам +- Никакая информация не передаётся рекламным компаниям +- Никакая информация не собирается для изучения личных и поведенческих тенденций +- Ваша информация не монетизируется + +You can view the data we collect on our [statistics](statistics.md) page. + +Мы используем self-hosted установку [Plausible Analytics](https://plausible.io) для сбора некоторых анонимных данных об использовании в статистических целях. Цель заключается в отслеживании общих тенденций посещаемости нашего сайта, а не в отслеживании отдельных посетителей. Все данные приведены только в агрегированном виде. Никакие личные данные не собираются. + +Собранные данные включают в себя источники, с которых вы пришли, самые популярные страницы, продолжительность посещения, информацию об устройствах (тип устройства, операционная система, страна и браузер), использованных во время посещения, и так далее. Вы можете узнать больше о том, как Plausible работает и собирает информацию не нарушая вашу приватность [здесь](https://plausible.io/data-policy). + +## Какие данные мы собираем от владельцев аккаунтов + +На некоторых веб-сайтах и сервисах, которые мы предоставляем, для работы многих функций может потребоваться учетная запись. Например, учетная запись может потребоваться для размещения сообщений и ответов на темы на форуме. + +Для регистрации большинства учетных записей мы собираем имя, никнейм, адрес электронной почты и пароль. В случае если веб-сайт требует больше информации, то это будет четко отмечено в отдельном пункте политики конфиденциальности. + +Мы используем данные вашей учетной записи для идентификации вас на сайте и для создания страниц, предназначенных именно для вас, например, страницы вашего профиля. Мы также используем данные вашей учетной записи для публикации вашего публичного профиля на наших сервисах. + +Мы используем вашу электронную почту для: + +- Уведомления вас о сообщениях и другой активности на веб-сайтах и проектах. +- Сброса пароля и обеспечения безопасности вашей учетной записи. +- Связи с вами в особых случаях, связанных с вашей учетной записью. +- Связи с вами по юридическим запросам, например, по вопросам DMCA. + +На некоторых веб-сайтах и проектах вы можете предоставить дополнительную информацию о вашей учетной записи, например, краткую биографию, аватар, ваше местоположение или день рождения. Эта информация доступна каждому, кто может получить доступ к веб-сайту или проекту. Однако эта информация не нужна для использования наших сайтов и может быть удалена вами в любое время. + +Мы храним данные вашей учетной записи до тех пор, пока ваша учетная запись открыта. После закрытия учетной записи мы можем сохранить некоторые данные о вашем аккаунте в виде резервной копии или архива на срок до 90 дней. + +## Как с нами связаться + +Команда Privacy Guides обычно не имеет доступа к персональным данным, за исключением ограниченного доступа, предоставляемого через некоторые панели модерации. Запросы, касающиеся вашей личной информации, следует направлять непосредственно по адресу: + +```text +Jonah Aragon +Services Administrator, Aragon Ventures LLC +jonah@privacyguides.org +``` + +По другим вопросам вы можете обратиться к любому члену нашей команды. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Об этой политике + +We will post any new versions of this statement [here](privacy-policy.md). Мы можем изменить способ объявления изменений в будущих версиях политики. В то же время мы можем обновить контактные данные в любое время без объявления об изменениях. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/ru/about/privacytools.md b/i18n/ru/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/ru/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/ru/about/services.md b/i18n/ru/about/services.md new file mode 100644 index 00000000..7046475d --- /dev/null +++ b/i18n/ru/about/services.md @@ -0,0 +1,38 @@ +# Сервисы Privacy Guides + +Мы держим ряд веб-сервисов для тестирования возможностей и продвижения классных децентрализованных, федеративных и/или открытых проектов. Многие из этих сервисов доступны публично и описаны ниже. + +[:material-comment-alert: Сообщить о проблеме](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Адрес: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Доступ: Публичный +- Исходный код: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Адрес: [code.privacyguides.dev](https://code.privacyguides.dev) +- Доступ: Только по приглашению + Доступ может быть предоставлен по запросу любой команде, работающей над разработкой или контентом связанными с *Privacy Guides*. +- Исходный код: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Адрес: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Доступ: Только по приглашению + Доступ может быть предоставлен по запросу членам команды Privacy Guides, модераторам чатов в Matrix, сторонним администраторам сообществ Matrix, операторам Matrix-ботов и другим лицам, нуждающимся в надежном Matrix-сервере. +- Исходный код: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Адрес: [search.privacyguides.net](https://search.privacyguides.net) +- Доступ: Публичный +- Исходный код: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/ru/about/statistics.md b/i18n/ru/about/statistics.md new file mode 100644 index 00000000..efcec7bd --- /dev/null +++ b/i18n/ru/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Статистика посещений +--- + +## Статистика сайта + + +
Статистика от Plausible Analytics
+ + + + +## Статистика блога + + +
Статистика от Plausible Analytics
+ + + diff --git a/i18n/ru/advanced/communication-network-types.md b/i18n/ru/advanced/communication-network-types.md new file mode 100644 index 00000000..0b800360 --- /dev/null +++ b/i18n/ru/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Рекомендуемые мессенджеры](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/ru/advanced/dns-overview.md b/i18n/ru/advanced/dns-overview.md new file mode 100644 index 00000000..63d85a91 --- /dev/null +++ b/i18n/ru/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## Что такое DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Незашифрованный DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS через TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS через HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Почему **не следует** использовать зашифрованный DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP-адрес + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/ru/advanced/payments.md b/i18n/ru/advanced/payments.md new file mode 100644 index 00000000..0948c652 --- /dev/null +++ b/i18n/ru/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! recommendation + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/ru/advanced/tor-overview.md b/i18n/ru/advanced/tor-overview.md new file mode 100644 index 00000000..4cc189aa --- /dev/null +++ b/i18n/ru/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Дополнительные советы + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/ru/android.md b/i18n/ru/android.md new file mode 100644 index 00000000..163b7c24 --- /dev/null +++ b/i18n/ru/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## Деривативы AOSP + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Политика Конфиденциальности" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Документация} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Внести свой вклад } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! note + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! note + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Программное обеспечение + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/ru/assets/img/account-deletion/exposed_passwords.png b/i18n/ru/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/ru/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/ru/assets/img/android/rss-apk-dark.png b/i18n/ru/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/ru/assets/img/android/rss-apk-light.png b/i18n/ru/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-apk-light.png differ diff --git a/i18n/ru/assets/img/android/rss-changes-dark.png b/i18n/ru/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/ru/assets/img/android/rss-changes-light.png b/i18n/ru/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/ru/assets/img/android/rss-changes-light.png differ diff --git a/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-encryption.svg b/i18n/ru/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg b/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/how-tor-works/tor-path.svg b/i18n/ru/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/ru/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/ru/assets/img/multi-factor-authentication/fido.png b/i18n/ru/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/ru/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/ru/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/ru/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/ru/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/ru/basics/account-creation.md b/i18n/ru/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/ru/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/ru/basics/account-deletion.md b/i18n/ru/basics/account-deletion.md new file mode 100644 index 00000000..e32160b2 --- /dev/null +++ b/i18n/ru/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### VPN сервисы + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/ru/basics/common-misconceptions.md b/i18n/ru/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/ru/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/ru/basics/common-threats.md b/i18n/ru/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/ru/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/ru/basics/email-security.md b/i18n/ru/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/ru/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/ru/basics/multi-factor-authentication.md b/i18n/ru/basics/multi-factor-authentication.md new file mode 100644 index 00000000..9bae2263 --- /dev/null +++ b/i18n/ru/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push-уведомления + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## Общие рекомендации + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! note + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Аппаратные ключи безопасности + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (и KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/ru/basics/passwords-overview.md b/i18n/ru/basics/passwords-overview.md new file mode 100644 index 00000000..944921cf --- /dev/null +++ b/i18n/ru/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Анонимные сети + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/ru/basics/threat-modeling.md b/i18n/ru/basics/threat-modeling.md new file mode 100644 index 00000000..bd784b8f --- /dev/null +++ b/i18n/ru/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Моделирование угроз" +icon: 'material/target-account' +description: Баланс между безопасностью, конфиденциальностью и удобством использования - одна из первых и самых сложных задач, с которыми вы столкнетесь на пути к конфиденциальности. +--- + +Баланс между безопасностью, конфиденциальностью и удобством использования - одна из первых и самых сложных задач, с которыми вы столкнетесь на пути к конфиденциальности. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +Если вы хотите использовать **наиболее** безопасные инструменты, то вам придется пожертвовать *множеством* удобств. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Поэтому модели угроз очень важны. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. Что я хочу защитить? +2. От кого я хочу это защитить? +3. Насколько вероятно, что мне понадобится это защищать? +4. Насколько серьезными будут последствия, если я потерплю неудачу? +5. Через какие трудности я готов пройти, чтобы попытаться предотвратить возможные последствия? + +### Что я хочу защитить? + +То, что вы хотите защитить, должно быть ценным и нуждаться в защите. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Ваши устройства также могут являться объектом защиты. + +*Составьте список с данными, которые вы хотите защитить, и ответьте на вопросы: где они хранятся, кто имеет к ним доступ и что мешает другим получить к ним доступ.* + +### От кого я хочу это защитить? + +Чтобы ответить на этот вопрос, важно определить, кто может хотеть вашу информацию. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. В ваш список могут входить отдельные люди, государственные учреждения или корпорации.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### Насколько вероятно, что мне понадобится это защищать? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. Например: ваш мобильный оператор имеет возможность получить доступ ко всем вашим данным, но риск того, что они разместят ваши личные данные в Интернете, чтобы нанести ущерб вашей репутации, невелик. + +Важно понимать различие между тем, что может произойти, и вероятностью того, что это может произойти. Например, существует угроза обрушения вашего здания, но риск того, что это произойдет гораздо выше в Сан-Франциско (где землетрясения происходят часто), чем в Стокгольме (где их нет). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. В других случаях люди могут игнорировать высокие риски, потому что не считают угрозу проблемой. + +*Запишите, какие угрозы вы собираетесь воспринимать всерьез, а какие могут быть слишком редкими или слишком безобидными (или слишком сложными для борьбы), чтобы беспокоиться о них.* + +### Насколько серьезными будут последствия, если я потерплю неудачу? + +Существует множество способов, с помощью которых противники могут получить доступ к вашим данным. Например, противник может прочитать ваши личные сообщения, проходящие через сеть, или удалить или повредить ваши данные. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. А политический противник может захотеть получить доступ к секретному контенту и опубликовать его без вашего ведома. + +Моделирование угроз предполагает понимание того, насколько серьезными могут быть последствия, если противник успешно получит доступ к вашему защищаемому объекту. Чтобы определить последствия, вы должны рассмотреть возможности вашего противника. For example, your mobile phone provider has access to all of your phone records. Хакер, находящийся в открытой Wi-Fi-сети, может получить доступ к вашим незашифрованным сообщениям. Ваше правительство может иметь более мощные возможности. + +*Подумайте, что ваш противник может захотеть сделать с вашими конфиденциальными данными.* + +### Через какие трудности я готов пройти, чтобы попытаться предотвратить возможные последствия? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Оценка рисков позволит вам разработать правильную стратегию лично для вас, которая будет сочетать в себе и удобство, и цену, и конфиденциальность. + +Например: адвокат, представляющий клиента в деле о национальной безопасности, готов приложить больше усилий для защиты сообщений (например, использовать зашифрованную электронную почту), чем мать, которая регулярно отправляет своей дочери смешные видео с котиками. + +*Запишите, какими способами вы можете справиться с вашими уникальными угрозами. Обратите внимание на то, есть ли у вас финансовые, технические или социальные ограничения.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**Что вы хотите защитить? (Или *что у вас есть такого, что стоит защищать?*)** +: + +Ваше имущество может включать ювелирные изделия, электронику, важные документы или фотографии. + +**От кого вы хотите это защитить?** +: + +Среди ваших противников могут быть грабители, соседи или гости. + +**Насколько вероятно, что вам понадобится это защищать?** +: + +Есть ли в вашем районе история краж со взломом? How trustworthy are your roommates or guests? Каковы возможности ваших противников? Какие риски вы должны учитывать? + +**Насколько серьезными будут последствия, если вы потерпите неудачу?** +: + +Есть ли у вас в доме что-то, что вы не можете заменить? Do you have the time or money to replace those things? Есть ли у вас страховка, покрывающая вещи, украденные из вашего дома? + +**Через какие трудности вы готовы пройти, чтобы попытаться предотвратить возможные последствия?** +: + +Готовы ли вы купить сейф для секретных документов? Можете ли вы позволить себе купить высококачественный замок? Есть ли у вас время открыть банковскую ячейку в банке и хранить там свои ценности? + +Только после того, как вы зададите себе эти вопросы, вы сможете оценить, какие меры следует предпринять. Если ваше имущество ценно, но вероятность взлома мала, то, возможно, вы не захотите тратить слишком много денег на хороший замок. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Составление плана безопасности поможет вам понять, какие угрозы характерны только для вас, оценить ваше имущество, ваших противников и их возможности, а также вероятность рисков, с которыми вы можете столкнуться. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Источники + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/ru/basics/vpn-overview.md b/i18n/ru/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/ru/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/ru/calendar.md b/i18n/ru/calendar.md new file mode 100644 index 00000000..eee93684 --- /dev/null +++ b/i18n/ru/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Синхронизация календаря" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Ваши события в календаре - одни из самых конфиденциальных данных. Используйте продукты с поддержкой автоматического E2EE, чтобы предотвратить их чтение провайдером. + +## Tutanota + +!!! recommendation + + ![Логотип Tutanota](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Логотип Tutanota](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** предлагает бесплатный и зашифрованный календарь на поддерживаемых ими платформах. Среди его функций: автоматическое шифрование всех данных, совместный доступ, импорт/экспорт данных, многофакторная аутентификация и [другие функции](https://tutanota.com/calendar-app-comparison/). + + Создание нескольких календарей и расширенный совместный доступ доступны только платным подписчикам. + + [:octicons-home-16: Домашняя страница](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** - это зашифрованный календарь, доступный пользователям Proton через мобильные и веб-клиенты. Среди его функций: автоматическое шифрование всех данных, совместный доступ, импорт/экспорт данных и [другие функции](https://proton.me/support/proton-calendar-guide). Бесплатно доступен один календарь, а платные подписчики могут создавать до 20 календарей. Расширенные функции совместного доступа также доступны только по подписке. + + [:octicons-home-16: Домашняя страница](https://proton.me/ru/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/ru/legal/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования + +- Сервис должен синхронизировать и хранить информацию с E2EE, чтобы она не была доступна команде сервиса и третьим лицам. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- По возможности должна быть интеграция с родными приложениями "календарь" и "контакты" в операционной системе. diff --git a/i18n/ru/cloud.md b/i18n/ru/cloud.md new file mode 100644 index 00000000..26b36af0 --- /dev/null +++ b/i18n/ru/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Электронная почта" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Многие сервисы облачного хранилища требуют от вас полного доверия, что они не будут просматривать ваши файлы. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Ищете Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Домашняя страница](https://proton.me/ru/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/ru/legal/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://proton.me/ru/support/drive){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования к сервисам + +- Должны использовать обязательное сквозное шифрование. +- Должны иметь бесплатную версию или пробный период для тестирования. +- Должны поддерживать многофакторную аутентификацию TOTP или FIDO2, а также вход с помощью Passkey. +- Должны иметь веб-интерфейс, поддерживающий основные функции управления файлами. +- Должны обеспечивать легкий экспорт всех файлов/документов. +- Должно использоваться стандартное, проверенное шифрование. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Клиенты должны иметь открытый код. +- Клиенты должны быть полностью проверены независимой третьей стороной. +- Должны предлагать нативные клиенты для Linux, Android, Windows, macOS и iOS. + - Эти клиенты должны интегрироваться с собственными инструментами ОС для сервисов облачных хранилищ, такими как интеграция приложения Files на iOS или функциональность DocumentsProvider на Android. +- Должны поддерживать простой обмен файлами с другими пользователями. +- Должны предлагать, по крайней мере, базовые функции предварительного просмотра и редактирования файлов в веб-интерфейсе. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/ru/cryptocurrency.md b/i18n/ru/cryptocurrency.md new file mode 100644 index 00000000..6616a28e --- /dev/null +++ b/i18n/ru/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! recommendation + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/ru/data-redaction.md b/i18n/ru/data-redaction.md new file mode 100644 index 00000000..42ec0dcb --- /dev/null +++ b/i18n/ru/data-redaction.md @@ -0,0 +1,139 @@ +--- +title: "Инструменты для шифрования" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +Когда вы делитесь с кем-то файлами, то не забудьте удалить связанные с ними метаданные. Файлы изображений обычно содержат [данные EXIF](https://ru.wikipedia.org/wiki/Exif). Иногда фотографии даже включают ваши [GPS](https://ru.wikipedia.org/wiki/GPS) координаты в метаданные файла. + +## Для компьютеров + +### ExifCleaner + +!!! recommendation + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. Он поддерживает многоядерную обработку нескольких файлов одновременно, а также темную тему. + + [Посетить exifcleaner.com](https://exifcleaner.com){ .md-button .md-button--primary } + + downloads + + - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-github: Исходный код](https://github.com/szTheory/exifcleaner) downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Прошивки для роутера + +### Scrambled Exif + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + Он может удалять данные [EXIF](https://ru.wikipedia.org/wiki/Exif) из многих форматов файлов и переведен на [множество](https://gitlab.com/juanitobananas/scrambled-exif/-/tree/master/app/src/main/res) языков. + + [Перейти на gitlab.com](https://gitlab.com/juanitobananas/scrambled-exif){ .md-button .md-button--primary } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. recommendation + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Imagepipe + +!!! recommendation + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [Перейти на codeberg.org](https://codeberg.org/Starfish/Imagepipe){ .md-button .md-button--primary } downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! note + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Шифрование через командную строку + +### Metapho + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + Оно переведено на [множество](https://codeberg.org/Starfish/Imagepipe#translations) языков. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/ru/desktop-browsers.md b/i18n/ru/desktop-browsers.md new file mode 100644 index 00000000..0ea28973 --- /dev/null +++ b/i18n/ru/desktop-browsers.md @@ -0,0 +1,352 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +Если вам нужна анонимность в сети, используйте [Tor](tor.md). We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Логотип Bromite](assets/img/browsers/bromite.svg){ align=right } + + **Bromite** - это браузер, основанный на [Chromium](https://en.wikipedia.org/wiki/Chromium_(web_browser)), с основой на конфиденциальность и безопасность, встроенную блокировку рекламы и некоторую рандомизацию цифровых отпечатков. + + [Перейти на bromite.org](https://www.bromite.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.bromite.org/privacy){ .md-button } downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Каждый установщик Firefox с веб-сайта Mozilla имеет в себе уникальный идентификатор, который используется для телеметрии. Идентификатор **не** включен в релизы браузера из [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Рекомендованные настройки + +Эти параметры можно найти на странице настроек *Приватность и защита* ( ≡ → Настройки → Приватность и защита). + +##### Улучшенная защита от отслеживания: + +- Выберите «Строгая» + +Это защищает вас, блокируя трекеры социальных сетей, скрипты отпечатков пальцев (обратите внимание, что это не защищает вас от *всех* отпечатков пальцев), криптомайнеры, межсайтовые файлы cookie для отслеживания и некоторые другие средства отслеживания. Улучшенная защита от отслеживания защищает от многих распространенных угроз, но не блокирует все пути отслеживания, поскольку разработан таким образом, чтобы минимально или вообще не влиять на удобство использования сайта. + +##### Куки и данные сайтов: + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) использует сквозное шифрование. + +- Выберите «Удалять куки и данные сайтов при закрытии Firefox» + +Это защищает вас от постоянных файлов cookie, но не защищает вас от файлов cookie, полученных в течение одного сеанса просмотра. Когда эта функция включена, можно легко очистить куки браузера, просто перезапустив Firefox. Вы можете установить исключения для каждого сайта, если вы хотите оставаться зарегистрированным на определенном сайте, который вы часто посещаете. + +##### Отключение поисковых предложений + +- [ ] Uncheck **Provide search suggestions** + +Функции предложения поиска могут быть недоступны в вашем регионе. + +Поисковые предложения отправляют все, что вы набираете в адресной строке, в поисковую систему по умолчанию, независимо от того, отправляете ли вы фактический поиск. Отключение поисковых предложений позволяет более точно контролировать данные, которые вы отправляете поставщику поисковых систем. + +##### Отключение телеметрии + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### Режим «Только HTTPS»: + +- Выберите: "Включить режим «Только HTTPS» во всех окнах". + +Это предотвращает непреднамеренное подключение к веб-сайту с обычным HTTP-текстом. Протокол HTTP в настоящее время используется крайне редко, поэтому это практически не должно повлиять на ваш ежедневный просмотр веб-страниц. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Расширения + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Логотип Brave](assets/img/browsers/brave.svg){ align=right } + + **Браузер Brave** включает встроенный блокировщик контента и [инструменты приватности](https://brave.com/privacy-features/), многие из которых включены по умолчанию. + + Brave основан на Chromium, поэтому он покажется вам знакомым, а также у него не должно быть проблем с совместимостью. + + [:octicons-home-16: Официальный сайт](https://brave.com/ru/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion-сайт" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Исходный код" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Рекомендованные настройки + +These options can be found in :material-menu: → **Settings**. + +##### Режим «Только HTTPS»: + +Brave включает несколько инструментов защиты от отслеживания в разделе [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Мы рекомендуем включить эти настройки [на всех сайтах](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-), которые вы посещаете. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Постоянно включенный режим инкогнито + +- [ ] Отключите все компоненты социальных сетей + +##### Предотвращение перекрестного отслеживания + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Отчет о конфиденциальности + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Apple Pay + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) позволяет синхронизировать данные браузера (историю, закладки и т. д.) между несколькими устройствами без необходимости создавать аккаунт, а также защищает их при помощи E2EE. + +## Дополнительные советы + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### AdGuard для Safari + +!!! recommendation + + ![Логотип Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Логотип Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** - это расширение для браузера, которое позволяет вам отдавать свою скорость интернета проекту Tor, используя "прокси Snowflake" в вашем браузере. + + Люди, подвергающиеся цензуре, могут использовать прокси-серверы Snowflake для подключения к сети Tor. downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования к сервисам + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/ru/desktop.md b/i18n/ru/desktop.md new file mode 100644 index 00000000..5b9320e4 --- /dev/null +++ b/i18n/ru/desktop.md @@ -0,0 +1,179 @@ +--- +title: "Облачные хранилища" +icon: fontawesome/brands/linux +description: Дистрибутивы Linux часто рекомендуются для защиты конфиденциальности и свободы пользователей. +--- + +Дистрибутивы Linux часто рекомендуются для защиты конфиденциальности и свободы пользователей. Если вы еще не используете Linux, ниже приведены некоторые дистрибутивы, которые мы рекомендуем попробовать, а также несколько общих советов по улучшению конфиденциальности и безопасности, которые применимы ко многим дистрибутивам Linux. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Традиционные дистрибутивы + +### Fedora Workstation + +!!! recommendation + + ![Логотип Fedora](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** - наш рекомендуемый дистрибутив для начинающих пользователей Linux. Fedora обычно внедряет новые технологии раньше других дистрибутивов, например, [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org), и скоро [FS-Verity](https://fedoraproject.org/wiki/Changes/FsVerityRPM). Эти новые технологии часто улучшают безопасность, конфиденциальность и удобство использования в целом. + + [Перейти на getfedora.org](https://getfedora.org/){ .md-button .md-button--primary } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Каждый выпуск Fedora поддерживается в течение одного года, а новая версия выходит каждые 6 месяцев. + +### openSUSE Tumbleweed + +!!! recommendation + + ![Логотип openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** - стабильный дистрибутив с [плавающей системой релизов](https://ru.wikipedia.org/wiki/Rolling_release). + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [Перейти на get.opensuse.org](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Логотип Qubes OS](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** - это операционная система с открытым исходным кодом, разработанная для обеспечения сильной безопасности персональных компьютеров. Qubes основан на Xen, X Window System и Linux, и может запускать большинство Linux-приложений и использовать большинство драйверов для Linux. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/ru/dns.md b/i18n/ru/dns.md new file mode 100644 index 00000000..3bcf0584 --- /dev/null +++ b/i18n/ru/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS-провайдеры" +icon: material/dns +description: Здесь показаны некоторые провайдеры DNS с шифрованием, к которым мы рекомендуем перейти, чтобы заменить конфигурацию вашего интернет-провайдера по умолчанию. +--- + +Зашифрованный DNS со сторонними серверами следует использовать только для обхода базовой [блокировки DNS](https://en.wikipedia.org/wiki/DNS_blocking), если вы уверены, что это не повлечет за собой никаких последствий. Зашифрованный DNS не поможет вам скрыть какую-либо активность в интернете. + +[Узнайте больше о DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Рекомендованные провайдеры + +| DNS-провайдер | Политика конфиденциальности | Протоколы | Логирование | ECS | Фильтрация | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | ---------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Без шифрования
DoH/3
DoT
DNSCrypt | Частичное[^1] | Нет | Нет Используемый список фильтрации можно найти здесь. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Без шифрования
DoH/3
DoT | Частичное[^2] | Нет | Нет | +| [**ControlID**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Без шифрования
DoH/3
DoT
DoQ | Опциональное[^3] | Нет | Зависит от выбранного сервера. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Нет[^4] | Нет | Нет Используемый список фильтрации можно найти здесь. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Без шифрования
DoH/3
DoT | Опциональное[^5] | Необязательное[^5] | Нет | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Без шифрования
DoH
DoT
DNSCrypt | Частичное[^6] | Необязательное[^5] | Зависит от выбранного сервера, по умолчанию блокирует вредоносные программы. | + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним проектом, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md) мы разработали четкий набор требований, позволяющий давать объективные рекомендации. Мы рекомендуем ознакомиться с данным списком перед выбором и провести самостоятельное исследование, чтобы убедиться, что для вас это правильный выбор. + +!!! example "Это новый раздел" + + Мы работаем над установлением определенных критериев для каждого раздела сайта, и они могут поменяться в будущем. Если у вас есть вопросы относительно наших критериев, [задайте вопрос на нашем форуме](https://discuss.privacyguides.net/latest), и не считайте, что мы что-то не учли при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Поддержка [DNSSEC](technology/dns.md#what-is-dnssec-and-when-is-it-used) +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Нативная поддержка в операционных системах + +### Android + +Android 9 и новее поддерживает DNS over TLS. Его можно включить в **Настройках** → **Сеть и интернет** → **Персональный DNS-сервер**. + +### Устройства Apple + +Последние версии iOS, iPadOS, tvOS и macOS поддерживают протоколы DoT и DoH. Оба протокола можно настроить при помощи [профилей конфигурации](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) или [API настроек DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +После установки профиля конфигурации или приложения, использующего API настроек DNS, можно выбрать конфигурацию DNS. Если включен VPN, будут использоваться настройки DNS вашего VPN-сервиса, а не системные настройки. + +#### Подписанные профили + +Apple не предоставляет нативного интерфейса для создания профилей зашифрованного DNS. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) — это неофициальный инструмент создания собственных профилей зашифрованного DNS, однако они не будут подписаны. Предпочтительнее использовать подписанные профили, так как подпись подтверждает надёжность источника профиля и помогает обеспечить его целостность. Зеленая метка «Проверено» присваивается подписанным профилям конфигурации. Чтобы получить больше информации о подписанном коде, смотрите статью [«О подписывании кода»](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Подписанные профили** предлагают [AdGuard](https://adguard.com/ru/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io) и [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info "Информация" + + `systemd-resolved`, используемый во многих дистрибутивах Linux для DNS-запросов, всё еще [не поддерживает DoH](https://github.com/systemd/systemd/issues/8639). Если вы хотите использовать DoH, вам следует установить [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) и [настроить его](https://wiki.archlinux.org/title/Dnscrypt-proxy) для обработки всех DNS-запросов в системе по протоколу HTTPS. + +## Зашифрованные DNS-прокси + +Зашифрованные DNS-прокси создают локальный прокси-сервер, на который будут перенаправляться запросы с вашего системного [незашифрованного DNS-резолвера](advanced/dns-overview.md#unencrypted-dns). Обычно они подходят для устройств, не поддерживающих [зашифрованный DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![Логотип RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![Логотип RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** — это открытый Android-клиент, поддерживающий [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) и DNS-прокси, кеширование, локальное сохранение истории DNS-запросов, а также может использоваться как файрвол. + + [:octicons-home-16: Домашняя страница](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Исходный код" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![Логотип dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** — это DNS-прокси с поддержкой [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) и [анонимизированного DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "Функция анонимизированного DNS [**не**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) анонимизирует весь остальной трафик." + + [:octicons-repo-16: Репозиторий](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Поддержать } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![Логотип AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** — это открытая [DNS-воронка](https://wikipedia.org/wiki/DNS_sinkhole), которая использует [фильтрацию DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/), чтобы блокировать такой нежелательный контент, как реклама. + + AdGuard Home предлагает продуманный интерфейс для просмотра развёрнутых отчетов и управления блокировкой контента. + + [:octicons-home-16: Официальный сайт](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Исходный код" } + +### Pi-hole + +!!! recommendation + + ![Логотип Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** — это открытая [DNS-воронка](https://wikipedia.org/wiki/DNS_sinkhole), которая использует [фильтрацию DNS](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/), чтобы блокировать такой нежелательный контент, как реклама. + + Pi-hole создана для развертывания на Raspberry Pi, но она не требует именно такого специфичного оборудования. Решение предлагает дружелюбный веб-интерфейс для просмотра подробных отчетов и управления блокировкой контента. + + [:octicons-home-16: Домашняя страница](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Поддержать } + +[^1]: AdGuard хранит показатели производительности их DNS серверов, содержащие в себе количество выполненных запросов к определенному серверу, количество заблокированных запросов и скорость обработки. Они также ведут и хранят базу данных доменов, запрошенных в течение последних 24 часов. "Нам нужна эта информация, чтобы выявлять и блокировать новые трекеры и угрозы." "Также мы храним информацию о том, сколько раз тот или иной трекер был заблокирован. Нам нужна эта информация, чтобы удалять устаревшие правила из наших фильтров." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare собирает и хранит только DNS-запросы, направленные на 1.1.1.1. Сервис не хранит персональные данные; большая часть неперсональных данных хранится только в течение 25 часов. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D ведет логи только на Premium-серверах с пользовательскими DNS-профилями. Бесплатные сервера не ведут логов. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: DNS-сервера Mullvad доступны и для пользователей Mullvad VPN, и для остальных пользователей Интернета. Их политика конфиденциальности утверждает, что они ни в каком виде не сохраняют DNS-запросы. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS предоставляет функции анализа и логирования по желанию. Вы можете самостоятельно выбрать время и место хранения ваши логов. Если же специально это не настраивать, никакие данные сохраняться не будут. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 собирает некоторые данные в целях обнаружения угроз и реагирования на них. Эти данные могут быть изменены и переданы, например, в целях исследования безопасности. Quad9 не собирает и не хранит IP-адреса и другую информацию, которую они считают идентифицирующей пользователя. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/ru/email-clients.md b/i18n/ru/email-clients.md new file mode 100644 index 00000000..9ff2ecf6 --- /dev/null +++ b/i18n/ru/email-clients.md @@ -0,0 +1,229 @@ +--- +title: "Обмен Файлами" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Наш список рекомендаций содержит только почтовые клиенты, которые поддерживают [OpenPGP](/encryption/#openpgp) и безопасную аутентификацию (например, [OAuth](https://ru.wikipedia.org/wiki/OAuth)). OAuth позволяет использовать [многофакторную аутентификацию](/multi-factor-authentication) и предотвратить кражу учетных записей. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** - бесплатный кроссплатформенный клиент электронной почты, новостных лент и чатов (XMPP, IRC, Twitter) с открытым исходным кодом, разработанный сообществом Thunderbird, а ранее - Mozilla Foundation. + + [Перейти на thunderbird.net](https://www.thunderbird.net){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.mozilla.org/privacy/thunderbird){ .md-button } downloads + + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Исходный код](https://hg.mozilla.org/comm-central) + +#### Рекомендованные настройки + +We recommend changing some of these settings to make Thunderbird a little more private. + +Эти параметры можно найти на странице настроек *Приватность и защита* ( ≡ → Настройки → Приватность и защита). + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Отключение телеметрии + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! note + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![Логотип Mailvelope](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** - браузерное расширение, позволяющее обмениваться зашифрованными письмами по стандарту OpenPGP. + + [Перейти на mailvelope.com](https://www.mailvelope.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + **Скачать** + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Исходный код](https://github.com/mailvelope/mailvelope) [Перейти на kontact.kde.org](https://kontact.kde.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://kde.org/privacypolicy-apps){ .md-button } + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** - независимое почтовое приложение, которое поддерживает и POP3, и IMAP (только push). [Перейти на k9mail.app](https://k9mail.app){ .md-button .md-button--primary } [Политика конфиденциальности](https://k9mail.app/privacy){ .md-button } + + downloads + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Исходный код](https://github.com/mailvelope/mailvelope) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** — минимальное почтовое приложение с открытым исходным ходом, использующее открытые стандарты (IMAP, SMTP, OpenPGP) с малым потреблением памяти и заряда батареи. + + [Перейти на email.faircode.eu](https://email.faircode.eu){ .md-button .md-button--primary } [Политика конфиденциальности](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + downloads + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9/) + - [:fontawesome-brands-github: Исходный код](https://github.com/k9mail) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! note + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** - платный почтовый клиент, разработанный для обеспечения сквозного шифрования с использованием таких функций, как биометрическая блокировка и т.д. [Перейти на canarymail.io](https://canarymail.io){ .md-button .md-button--primary } [Политика конфиденциальности](https://canarymail.io/privacy.html){ .md-button } + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/ru/email.md b/i18n/ru/email.md new file mode 100644 index 00000000..9c62fe03 --- /dev/null +++ b/i18n/ru/email.md @@ -0,0 +1,504 @@ +--- +title: "Электронная почта" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Электронная почта практически всегда необходима для использования любого онлайн-сервиса, однако мы не рекомендуем использовать её для общения с людьми. Вместо того, чтобы использовать электронную почту для связи с другими людьми, мы советуем использовать мессенджеры, которые поддерживают прямую секретность. + +[Рекомендуемые мессенджеры](real-time-communication.md ""){.md-button} + +Для всего остального мы рекомендуем различных провайдеров электронной почты, которые базируются на устойчивых бизнес-моделях и встроенных функциях безопасности и конфиденциальности. + +- [Провайдеры электронной почты, поддерживающие OpenPGP :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Другие провайдеры, поддерживающие шифрование :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Варианты самостоятельного хостинга :material-arrow-right-drop-circle:](#self-hosting-email) + +## Сервисы, поддерживающие OpenPGP + +Эти провайдеры поддерживают OpenPGP шифрование/дешифрование и стандарт Web Key Directory (WKD), позволяя обмениваться E2EE-сообщениями вне зависимости от провайдера. Например, пользователь Proton Mail может отправлять E2EE-зашифрованное сообщение пользователю Mailbox.org, или вы можете получить OpenPGP-зашифрованное уведомление от интернет-сервисов, поддерживающих такую функцию. + +
+ +- ![Логотип Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + При использовании технологии E2EE, такой как OpenPGP, сообщения все равно будут содержать некоторые незашифрованные метаданные в заголовках письма. Узнайте больше о [метаданных электронной почты](basics/email-security.md#email-metadata-overview). + + OpenPGP также не поддерживает прямую секретность: если ваш закрытый ключ или закрытый ключ получателя окажется украден, все предыдущие сообщения, зашифрованные с его помощью, будут раскрыты. [Как я могу защитить свои закрытые ключи?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Логотип Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** — это сервис электронной почты, фокусирующийся на приватности, шифровании, безопасности и простоте использования. Они работают с **2013** года. Компания Proton AG базируется в Женеве, Швейцария. Аккаунты получают от 500 МБ хранилища на бесплатном тарифе. + + [:octicons-home-16: Домашняя страница](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion-сервис" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Исходный код" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Веб-версия](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![Логотип Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#protonvpn) +- ![Логотип IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Логотип Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/ru/encryption.md b/i18n/ru/encryption.md new file mode 100644 index 00000000..99d89405 --- /dev/null +++ b/i18n/ru/encryption.md @@ -0,0 +1,323 @@ +--- +title: "Инструменты для шифрования" +icon: material/file-lock +description: Шифрование данных - единственный способ контролировать доступ к ним. These tools allow you to encrypt your emails and any other files. +--- + +Шифрование данных - единственный способ контролировать доступ к ним. Если вы еще не используете какие-либо инструменты шифрования диска, электронной почты или файлов, то вы можете выбрать один из них тут. + +## Мультиплатформенные приложения + +Перечисленные здесь программы являются многоплатформенными и отлично подходят для создания зашифрованных резервных копий ваших данных. + +### VeraCrypt + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** - бесплатная и открытая программа, используемая для шифрования «на лету». Программа может создавать виртуальный зашифрованный диск в файле, зашифровать логический раздел или даже зашифровать все устройство с предзагрузочной аутентификацией. + + [Посетить veracrypt.fr](https://veracrypt.fr){ .md-button .md-button--primary } downloads + + - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-git: Исходный код](https://www.veracrypt.fr/code) + +VeraCrypt - это форк прекратившего свое существование проекта TrueCrypt. По словам разработчиков, были реализованы улучшения безопасности и решены проблемы, найденные в ходе первоначального аудита кода TrueCrypt. + +При шифровании с помощью VeraCrypt пользователь может выбирать различные [хэш-функции](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme) из их списка. Мы настоятельно рекомендуем выбирать [SHA-512](https://en.wikipedia.org/wiki/SHA-512) и блочное шифрование по алгоритму [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Аудит Truecrypt проводился [несколько раз](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits). Veracrypt [проходил](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit) аудит уже отдельно. + +### Cryptomator + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + **Cryptomator** позволяет легко загружать файлы в облако в виде зашифрованной файловой системы. [Посетить cryptomator.org](https://cryptomator.org){ .md-button .md-button--primary } [Privacy Policy](https://cryptomator.org/privacy){ .md-button } downloads + + - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads) + - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads) + - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:fontawesome-brands-github: Исходный код](https://github.com/cryptomator) + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### Picocrypt + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** - небольшая и простая программа для современного шифрования. Picocrypt использует безопасный шифр XChaCha20 и функцию формирования ключа Argon2id для обеспечения высокого уровня безопасности. + + Для функций шифрования он использует стандартные модули Go x/crypto. [Посетить github.com](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + +VeraCrypt is a fork of the discontinued TrueCrypt project. recommendation + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Функции ОС для полного шифрования диска + +Современные ОС включают в себя [шифрование диска](https://en.wikipedia.org/wiki/Disk_encryption) и используют [безопасный криптопроцессор](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** - решение для полного шифрования логического тома в Microsoft Windows. Основная причина, по которой мы рекомендуем его, заключается в [использовании доверенного платформенного модуля](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://ru.wikipedia.org/wiki/ElcomSoft), криминалистическая компания, написала об этом в [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [Посетить microsoft.com](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .md-button .md-button--primary } + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![Логотип FileVault](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** - это решение для шифрования томов "на лету", встроенное в macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [Перейти на support.apple.com](https://support.apple.com/en-us/HT204837){ .md-button .md-button--primary } + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup (LUKS) + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Шифрование через браузер + +Шифрование через браузер может быть полезным, если вам нужно зашифровать файл, но вы не можете установить программу для шифрования на свое устройство. + +### hat.sh + +!!! recommendation + + ![Логотип hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![Логотип hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** - это сайт, который безопасно зашифровывает данные через браузер. Сайт может быть полезен, если вам нужно зашифровать файл, но вы не можете установить какое-либо программное обеспечение на свое устройство из-за политики организации. + + [Перейти на hat.sh](https://hat.sh){ .md-button .md-button--primary } + +## Шифрование через командную строку + +Инструменты с интерфейсом командной строки полезны для интеграции [сценариев оболочки](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Логотип Kryptor](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** - это бесплатный инструмент для шифрования и подписи файлов с открытым исходным кодом, использующий современные и безопасные криптографические алгоритмы. Его цель - стать улучшенной версией [age](https://github.com/FiloSottile/age) и [Minisign](https://jedisct1.github.io/minisign/), чтобы обеспечить простую, удобную для пользователя альтернативу GPG. + + [Перейти на kryptor.co.uk](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.kryptor.co.uk/features#privacy){ .md-button } downloads + + - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk) + - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk) + - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk) + - [:fontawesome-brands-github: Исходный код](https://github.com/samuel-lucas6/Kryptor) + +### Tomb + +!!! recommendation + + ![Логотип Tomb](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** - это оболочка командной строки для LUKS. Он поддерживает стеганографию с помощью [сторонних инструментов] (https://github.com/dyne/Tomb#how-does-it-work). + + [Перейти на dyne.org](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP имеет множество функций и является [сложным](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) , поскольку существует уже долгое время. Для таких задач, как подписание или шифрование файлов, мы предлагаем использовать вышеуказанные варианты. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. Мы рекомендуем придерживаться стандартных опций, указанных в FAQ пользователя GnuPG [](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! совет "Использовать будущие значения по умолчанию при генерации ключа" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![Логотип GNU Privacy Guard](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** - это GPL-альтернатива криптографическому пакету PGP. GnuPG совместим с [RFC 4880] (https://tools.ietf.org/html/rfc4880), который является текущей спецификацией IETF для OpenPGP. Проект GnuPG работает над [обновленным проектом](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) в попытке улучшить OpenPGP. GnuPG является частью фонда свободного программного обеспечения GNU и получил крупное [финансирование](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) от правительства Германии. + + [Перейти на gnupg.org](https://gnupg.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://gnupg.org/privacy-policy.html){ .md-button } + downloads + + - [:fontawesome-brands-windows: Windows](download.html) + - [:fontawesome-brands-apple: macOS](https://gpgtools.org) + - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary) + - [:fontawesome-brands-google-play: Flatpak](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:fontawesome-brands-git: Исходный код](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [Перейти на gpg4win.org](https://gpg4win.org){ .md-button .md-button--primary } [Privacy Policy](https://gpg4win.org/privacy-policy.html){ .md-button } downloads + + - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) + - [:fontawesome-brands-git: Исходный код](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![Логотип OpenKeychain](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** - это Android-реализация GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [Перейти на openkeychain.org](https://www.openkeychain.org){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.openkeychain.org/help/privacy-policy){ .md-button } downloads + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/) + - [:fontawesome-brands-git: Исходный код](https://github.com/open-keychain/open-keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/ru/file-sharing.md b/i18n/ru/file-sharing.md new file mode 100644 index 00000000..dab56bbf --- /dev/null +++ b/i18n/ru/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "Синхронизация и обмен файлами" +icon: material/share-variant +description: Узнайте, как конфиденциально обмениваться файлами между устройствами, с друзьями и родственниками или анонимно в Интернете. +--- + +Узнайте, как конфиденциально обмениваться файлами между устройствами, с друзьями и родственниками или анонимно в Интернете. + +## Обмен файлами + +### Send + +!!! recommendation + + ![Логотип Send](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** - это форк прекратившего свое существование сервиса Firefox Send от Mozilla, который позволяет отправлять файлы другим людям с помощью ссылки. Файлы шифруются на вашем устройстве, чтобы их не мог прочитать сервер, и по желанию могут быть защищены паролем. Разработчик Send держит [публичный экземпляр сайта](https://send.vis.ee/). Вы можете использовать другие публичные экземпляры или развернуть Send самостоятельно. + + [:octicons-home-16: Домашняя страница](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Публичные экземпляры"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Поддержать } + +Send можно использовать через веб-интерфейс или через CLI [ffsend](https://github.com/timvisee/ffsend). Если вы знакомы с командной строкой и часто отправляете файлы, мы рекомендуем использовать CLI-клиент, чтобы избежать небезопасного шифрования на основе JavaScript. Вы можете указать флаг `--host`, чтобы использовать определенный сервер: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![Логотип OnionShare](/assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** - это инструмент с открытым исходным кодом, позволяющий безопасно и анонимно передавать файлы любого размера. Он работает путем запуска веб-сервера, доступного как onion сервис в сети Tor, с неугадываемым URL, который вы можете передать получателям для загрузки или отправки файлов. + + [:octicons-home-16: Домашняя страница](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion сервис" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Расшифрованные данные не должны храниться на сервере. +- Исходный код сервиса должен быть открыт. +- Должны быть либо клиенты для Linux, macOS и Windows, либо веб-интерфейс. + +## FreedomBox + +!!! recommendation + + ![Логотип FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** - это операционная система, разработанная для запуска на [одноплатном компьютере](https://ru.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%8B%D0%B9_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80). Цель FreedomBox заключается в том, чтобы максимально облегчить настройку серверных приложений для самостоятельного хостинга. + + [:octicons-home-16: Домашняя страница](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Документация} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Поддержать } + +## Синхронизация файлов + +### Nextcloud (клиент-сервер) + +!!! recommendation + + ![Логотип Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** - это набор бесплатного клиент-серверного программного обеспечения с открытым исходным кодом для создания собственного сервиса хранилища файлов на приватном сервере, который вы контролируете. + + [:octicons-home-16: Домашняя страница](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! recommendation + + Мы не рекомендуем использовать [плагин E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) для Nextcloud, так как это может привести к потере данных; это очень экспериментальный продукт, который недостаточно качественен для полноценного использования. + +### Syncthing (P2P) + +!!! recommendation + + ![Логотип Syncthing](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** - это утилита для непрерывной пиринговой синхронизации файлов с открытым исходным кодом. Она используется для синхронизации файлов между двумя или более устройствами по локальной сети или через Интернет. Syncthing не использует централизованный сервер; он использует [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) для передачи данных между устройствами. Все данные шифруются с помощью протокола TLS. + + [:octicons-home-16: Домашняя страница](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +#### Минимальные требования к сервисам + +- Не должны требовать использования стороннего удаленного/облачного сервера. +- Должны иметь открытый исходный код. +- Должны быть либо клиенты для Linux, macOS и Windows, либо веб-интерфейс. + +#### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Есть мобильные клиенты для iOS и Android, которые, как минимум, поддерживают предварительный просмотр документов. +- Есть резервное копирование фотографий с iOS и Android, а также опциональная поддержка синхронизации файлов/папок на Android. diff --git a/i18n/ru/financial-services.md b/i18n/ru/financial-services.md new file mode 100644 index 00000000..45becd74 --- /dev/null +++ b/i18n/ru/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/ru/frontends.md b/i18n/ru/frontends.md new file mode 100644 index 00000000..d7df9bfc --- /dev/null +++ b/i18n/ru/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Менеджеры паролей" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## Клиенты + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! note + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Reddit + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! note + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! note + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! note + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/ru/index.md b/i18n/ru/index.md new file mode 100644 index 00000000..30c6a70f --- /dev/null +++ b/i18n/ru/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.ru.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Почему это должно меня волновать? + +##### «Мне нечего скрывать. Почему я должен беспокоиться о своей приватности?» + +Подобно праву на межрасовый брак, избирательному праву для женщин, свободе слова и многим другим правам, наше право на приватность не всегда соблюдалось. В некоторых диктатурах это всё ещё представляет проблему. Предыдущие поколения боролись за наше право на приватность. ==Приватность — это естественное право каждого человека,== и мы все без исключения должны им обладать. + +Не стоит путать приватность с секретностью. Все знают, что происходит в вашей ванной, но вы всё равно закрываете дверь. Это потому, что вы хотите приватности, а не секретности. **Каждому** есть что защищать. Приватность — это то, что делает вас человеком. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## И что же мне делать? + +##### Для начала, вам стоит составить план + +Попытка защитить все свои данные ото всех и в любой ситуации — это непрактично, дорого и утомительно. Но не переживайте! Безопасность — это процесс, и, думая наперёд, вы можете составить план, который подходит именно вам. Безопасность — это не только инструменты или программное обеспечение, которыми вы пользуетесь. На самом деле безопасность начинается с понимания специфичных угроз, с которыми вы сталкиваетесь, и нахождения способов, как им противостоять. + +==Процесс нахождения угроз и мер противодействия им называется **моделированием угроз**==, и он составляет основу каждого хорошего плана безопасности и приватности. + +[:material-book-outline: Узнайте больше о моделировании угроз](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Вы нужны нам! Вот как можно помочь нам: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Посетите наш форум" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Подпишитесь на нас в Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Помогите с разработкой" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Помогите перевести сайт" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Напишите нам в Matrix" } +[:material-information-outline:](about/index.md){ title="Узнайте о нас больше" } +[:material-hand-coin-outline:](about/donate.md){ title="Помогите проекту материально" } + +Такому сайту, как Privacy Guides, важно содержать наиболее актуальную информацию. Нам нужно, чтобы читатели следили за обновлениями программного обеспечения, перечисленного на сайте, и были в курсе новостей о сервисах, которые мы рекомендуем. Сложно угнаться за быстрым темпом развития интернета, но мы стараемся изо всех сил. Если вы встретите ошибку, посчитаете сервис недостойным упоминания на нашем сайте, заметите отсутствие хорошего сервиса, найдёте лучшую альтернативу браузерному расширению или обнаружите любую другую проблему, дайте нам знать. diff --git a/i18n/ru/kb-archive.md b/i18n/ru/kb-archive.md new file mode 100644 index 00000000..eb9bf209 --- /dev/null +++ b/i18n/ru/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Страницы перемещены в блог + +Некоторые страницы, которые раньше находились в базе знаний, теперь можно найти в нашем блоге: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Улучшение настроек Signal](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - укрепление системы](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - работа с песочницей](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Безопасное удаление данных](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [Руководство по настройке iOS](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/ru/meta/brand.md b/i18n/ru/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/ru/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/ru/meta/git-recommendations.md b/i18n/ru/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/ru/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/ru/meta/uploading-images.md b/i18n/ru/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/ru/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/ru/meta/writing-style.md b/i18n/ru/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/ru/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/ru/mobile-browsers.md b/i18n/ru/mobile-browsers.md new file mode 100644 index 00000000..fa39da4b --- /dev/null +++ b/i18n/ru/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Здесь перечислены мобильные браузеры, которые мы рекомендуем, и руководства по их настройке для обычного (неанонимного) пользования интернетом. Если вам нужна анонимность в сети, используйте [Tor](tor.md). Мы рекомендуем использовать как можно меньше расширений, так как они имеют привилегированный доступ к браузеру, требуют доверия к их разработчикам, могут [идентифицировать вас](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), а также [ослабляют](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) изоляцию между сайтами. + +## Android + +На Android браузер Firefox менее безопасен, чем основанные на Chromium альтернативы: движок Mozilla, [GeckoView](https://mozilla.github.io/geckoview/), ещё не поддерживает [изоляцию сайтов](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) и не включает [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Логотип Brave](assets/img/browsers/brave.svg){ align=right } + + **Браузер Brave** включает встроенный блокировщик контента и [инструменты приватности](https://brave.com/privacy-features/), многие из которых включены по умолчанию. + + Brave основан на Chromium, поэтому он покажется вам знакомым, а также у него не должно быть проблем с совместимостью. + + [:octicons-home-16: Официальный сайт](https://brave.com/ru/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion-сайт" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Исходный код" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Рекомендованные настройки + +Tor Browser — это единственный способ действительно анонимно пользоваться интернетом. Если вы используете Brave, мы рекомендуем изменить следующие настройки, чтобы сохранить приватность, но все браузеры кроме [Tor](tor.md#tor-browser) могут *кем-нибудь* отслеживаться в том или ином виде. + +Эти настройки можно найти в :material-menu: → **Настройки** → **Brave Shields & privacy** + +##### Режим «Только HTTPS»: + +Brave включает несколько инструментов защиты от отслеживания в разделе [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Мы рекомендуем включить эти настройки [на всех сайтах](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-), которые вы посещаете. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Блокировка отслеживания через социальные сети + +- [ ] Отключите все компоненты социальных сетей + +##### Другие настройки приватности + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) позволяет синхронизировать данные браузера (историю, закладки и т. д.) между несколькими устройствами без необходимости создавать аккаунт, а также защищает их при помощи E2EE. + +## iOS + +На iOS любое приложение, которое может открывать веб-страницы, [использует](https://developer.apple.com/app-store/review/guidelines) только предоставляемый Apple [движок WebKit](https://developer.apple.com/documentation/webkit), поэтому нет особых причин использовать сторонний браузер. + +### Safari + +!!! recommendation + + ![Логотип Safari](assets/img/browsers/safari.svg){ align=right } + + **Safari** — браузер по умолчанию на iOS. Мы рекомендуем включить фильтры, помеченные *#recommended* в разделах "Блокировка рекламы" и "Антитрекинг" [блокировщики контента] (https://kb.adguard.com/en/safari/overview#content-blockers). + + [:octicons-home-16: Официальный сайт](https://www.apple.com/ru/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/ru/legal/privacy/data/ru/safari/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://support.apple.com/ru-ru/guide/safari/welcome/mac){ .card-link title=Документация} + +#### Рекомендованные настройки + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![Логотип AdGuard](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard для iOS** — это бесплатный и открытый блокировщик контента для Safari, который использует нативный [API блокировки контента](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard для iOS имеет несколько премиум-функций, хотя стандартные средства блокировки контента Safari бесплатны. + + [:octicons-home-16: Официальный сайт](https://adguard.com/ru/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/ru/privacy/ios.html){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Исходный код" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Дополнительные списки блокировки замедляют работу браузера и могут упростить атаку, поэтому пользуйтесь только тем, что вам необходимо. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования к сервисам + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/ru/multi-factor-authentication.md b/i18n/ru/multi-factor-authentication.md new file mode 100644 index 00000000..c4a06cd7 --- /dev/null +++ b/i18n/ru/multi-factor-authentication.md @@ -0,0 +1,137 @@ +--- +title: "Многофакторная аутентификация" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Аппаратные ключи безопасности + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + Ключи **YubiKeys** являются одними из самых популярных ключей безопасности. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! note + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! note + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +#### Минимальные требования к сервисам + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Приложение-аутентификатор + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Логотип Aegis](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** - это бесплатное и безопасное приложение с открытым исходным кодом для управления токенами двухфакторной аутентификации для ваших онлайн-сервисов. + + [Перейти на getaegis.app](https://getaegis.app){ .md-button .md-button--primary } [Политика конфиденциальности](https://getaegis.app/aegis/privacy.html){ .md-button } downloads + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.beemdevelopment.aegis) + - [:fontawesome-brands-github: GitHub](https://github.com/beemdevelopment/Aegis) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Логотип Raivo OTP](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** - это легкий и безопасный клиент TOTP & HOTP для iOS. Raivo OTP также может делать резервные копии в iCloud и синхронизировать эти данные. Raivo OTP также доступен для macOS в виде приложения в строке состояния, однако приложение для Mac не работает отдельно от приложения для iOS. + + [Перейти на github.com](https://github.com/raivo-otp/ios-application){ .md-button .md-button--primary } [Политика конфиденциальности](https://github.com/raivo-otp/ios-application/blob/master/PRIVACY.md){ .md-button } + downloads + + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/us/app/raivo-otp/id1498497896) + - [:fontawesome-brands-github: GitHub](https://github.com/raivo-otp/ios-application) downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/ru/news-aggregators.md b/i18n/ru/news-aggregators.md new file mode 100644 index 00000000..9b8a7622 --- /dev/null +++ b/i18n/ru/news-aggregators.md @@ -0,0 +1,177 @@ +--- +title: "Мессенджеры" +icon: octicons/rss-24 +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Клиенты-агрегаторы + +### Fluent Reader + +!!! recommendation + + ![Логотип Fluent Reader](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** - это защищенный кроссплатформенный агрегатор новостей, обладающий такими полезными функциями конфиденциальности, как удаление куки при закрытии, строгие [политики безопасности контента (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) и поддержка прокси, что означает, что вы можете использовать его через [Tor](self-contained-networks.md#tor). [Перейти на hyliu.me](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Политика конфиденциальности](https://adguard.com/en/privacy/safari.html){ .md-button } + + **Скачать** + - [:fontawesome-brands-windows: Safari](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Source](https://github.com/yang991178/fluent-reader.git) + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### GNOME Feeds + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### YouTube + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Reddit + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### Twitter + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/ru/notebooks.md b/i18n/ru/notebooks.md new file mode 100644 index 00000000..ba0137f7 --- /dev/null +++ b/i18n/ru/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Заметки" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Сохраняйте свои заметки и дневники, не передавая их третьим лицам. + +Если вы в настоящее время используете такие приложения, как Evernote, Google Keep или Microsoft OneNote, то мы предлагаем вам выбрать альтернативу с поддержкой E2EE. + +## Облачные сервисы + +### Joplin + +!!! recommendation + + ![Логотип Joplin](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** - это бесплатное, открытое приложение с богатой функциональностью для ведения заметок и списков задач, которое может обрабатывать большое количество заметок в формате Markdown, упорядоченных по тегам и записным книжкам. Приложение предлагает E2EE и может синхронизироваться через Nextcloud, Dropbox и др. Приложение также предлагает легкий перенос данных из Evernote и простых текстовых заметок. + + [:octicons-home-16: Домашняя страница](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin [не поддерживает](https://github.com/laurent22/joplin/issues/289) защиту приложения и отдельных заметок паролем или PIN-кодом. Но ваши данные по-прежнему шифруются вашим секретным ключом при передаче и в месте синхронизации. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Логотип Standard Notes](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** - это простое и приватное приложение для заметок, которое делает ваши заметки легкими и доступными везде, где бы вы ни находились. Приложение имеет E2EE на каждой платформе, а также продвинутую систему работы с темами и пользовательскими редакторами. Программа также прошла [независимый аудит (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Домашняя страница](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Логотип Cryptee](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Логотип Cryptee](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** - это веб-редактор документов и приложение для хранения фотографий с поддержкой E2EE и открытым исходным кодом. Cryptee - это PWA, что означает, что он работает без проблем на всех современных устройствах, не требуя нативных приложений для каждой соответствующей платформы. + + [:octicons-home-16: Домашняя страница](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee предлагает 100 МБ хранилища бесплатно, а если вам нужно больше, вы можете воспользоваться платными опциями. Регистрация не требует указания электронной почты или другой персональной информации. + +## Локальные сервисы + +### Org-mode + +!!! recommendation + + ![Логотип Org-mode](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** - это [основной режим](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) для GNU Emacs. Org-mode предназначен для ведения заметок, списков задач, планирования проектов и создания документов с помощью быстрой и эффективной системы работы с обычным текстом. Синхронизация возможна с помощью инструментов [синхронизации файлов](file-sharing.md#синхронизация-файлов). + + [:octicons-home-16: Домашняя страница](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Документация} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Поддержать } + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Клиенты должны иметь открытый код. +- Облачная синхронизация должна использовать E2EE. +- Должна быть поддержка экспорта документов в стандартных форматах. + +### В лучшем случае + +- Функции локального резервного копирования/синхронизации должны поддерживать шифрование. +- Облачные платформы должны поддерживать обмен документами. diff --git a/i18n/ru/os/android-overview.md b/i18n/ru/os/android-overview.md new file mode 100644 index 00000000..97b44e98 --- /dev/null +++ b/i18n/ru/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! note + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/ru/os/linux-overview.md b/i18n/ru/os/linux-overview.md new file mode 100644 index 00000000..f7ed6c27 --- /dev/null +++ b/i18n/ru/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: fontawesome/brands/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Общие рекомендации + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/ru/os/qubes-overview.md b/i18n/ru/os/qubes-overview.md new file mode 100644 index 00000000..b5fee448 --- /dev/null +++ b/i18n/ru/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +description: Qubes - это операционная система, построенная на изоляции приложений в виртуальных машинах для обеспечения повышенной безопасности. +--- + +[**Qubes OS**](../desktop.md#qubes-os) - операционная система, использующая гипервизор [Xen](https://ru.wikipedia.org/wiki/Xen) для обеспечения надёжной защиты компьютера с помощью изолированных виртуальных машин (далее - ВМ). Каждая ВМ называется *Qube*, и вы можете назначить каждому Qube уровень доверия в зависимости от его назначения. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Как работает Qubes OS? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Дополнительные советы + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/ru/passwords.md b/i18n/ru/passwords.md new file mode 100644 index 00000000..f441334a --- /dev/null +++ b/i18n/ru/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Менеджеры паролей" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Менеджеры паролей позволяют безопасно хранить и управлять паролями и другими данными с помощью мастер-пароля. + +[Введение в безопасные пароли :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info "Информация" + + Встроенные менеджеры паролей, например в браузерах и операционных системах, иногда не так хороши, как специализированные программы для управления паролями. Преимуществом встроенных менеджеров паролей является хорошая интеграция с программным обеспечением, но зачастую они могут быть очень простыми и не иметь функций конфиденциальности и безопасности, которыми обладают отдельные программы. + + Например, менеджер паролей в Microsoft Edge вообще не поддерживает E2EE. Менеджер паролей Google имеет [опциональную](https://support.google.com/accounts/answer/11350823?hl=ru) поддержку E2EE, а менеджер паролей от Apple [предлагает](https://support.apple.com/ru-ru/HT202303) E2EE по умолчанию. + +## Облачные сервисы + +Эти менеджеры паролей синхронизируют ваши пароли с облаком для легкого доступа со всех ваших устройств и их безопасности в случае потери устройства. + +### Bitwarden + +!!! recommendation + + ![Логотип Bitwarden](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** - это свободный менеджер паролей с открытым исходным кодом. Он направлен на решение проблем управления паролями для отдельных лиц, команд и организаций. Bitwarden - одно из лучших и самых безопасных решений для хранения всех ваших логинов и паролей с удобной синхронизацией данных между всеми вашими устройствами. + + [:octicons-home-16: Домашняя страница](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden также имеет функцию [Bitwarden Send](https://bitwarden.com/products/send/), которая позволяет безопасно обмениваться текстом и файлами с использованием [сквозного шифрования](https://bitwarden.com/help/send-encryption). Отправленные через Bitwarden Send данные можно защитить [паролем](https://bitwarden.com/help/send-privacy/#send-passwords). Bitwarden Send также имеет функцию [автоматического удаления данных](https://bitwarden.com/help/send-lifespan). + +Чтобы иметь возможность обмениваться файлами, вам необходима [Премиум-подписка](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans). Бесплатный план позволяет обмениваться только текстом. + +Сервер Bitwarden имеет [открытый код](https://github.com/bitwarden/server), поэтому, если вы не хотите использовать официальное облако Bitwarden, вы можете легко развернуть свой собственный сервер для синхронизации. + +**Vaultwarden** — это альтернативная реализация сервера синхронизации Bitwarden, написанная на языке Rust и совместимая с официальными клиентами Bitwarden. Она идеально подходит для самостоятельного развертывания, когда запуск официального сервиса, требующего больших мощностей, не является оправданным решением. Если вы хотите самостоятельно развернуть Bitwarden на своем сервере, скорее всего, вам стоит использовать Vaultwarden вместо официального сервера Bitwarden. + +[:octicons-repo-16: Репозиторий Vaultwarden](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Документация} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Исходный код" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Поддержать } + +### 1Password + +!!! recommendation + + ![Логотип 1Password](assets/img/password-management/1password.svg){ align=right } + + **1Password** — это менеджер паролей с акцентом на безопасность и простоту использования, который позволяет хранить пароли, кредитные карты, лицензии на программное обеспечение и любую другую конфиденциальную информацию в надежном цифровом хранилище. Ваши данные хранятся на серверах 1Password за [ежемесячную плату](https://1password.com/ru/sign-up/). 1Password регулярно проходит [независимые проверки на безопасность](https://support.1password.com/security-assessments/) и обеспечивает прекрасную поддержку клиентов. 1Password имеет закрытый исходный код, но безопасность продукта подробно описана в их [вайт пейпере по безопасности](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Домашняя страница](https://1password.com/ru){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Документация} + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Изначально **1Password** предоставлял лучший функционал именно для пользователей macOS и iOS, однако теперь функционал одинаковый на всех платформах. В нем есть множество функций, как ориентированных на семьи и менее технически подкованных людей, так и более продвинутых возможностей. + +Ваше хранилище 1Password защищено одновременно мастер-паролем и случайным 34-символьным ключом безопасности для шифрования данных на серверах. Этот ключ добавляет вашим данным дополнительную защиту: они зашифрованы с высокой энтропией независимо от безопасности вашего мастер-пароля. Многие другие решения для управления паролями полностью полагаются на безопасность мастер-пароля для защиты ваших данных. + +Одно из преимуществ 1Password перед Bitwarden — первоклассная поддержка нативных клиентов. В то время как Bitwarden выносит многие функции, особенно управление учетными записями, в веб-интерфейс хранилища, 1Password предоставляет почти все функции в своих мобильных и настольных приложениях. Клиенты 1Password также имеют более понятный интерфейс, что облегчает их использование. + +### Psono + +!!! recommendation + + ![Логотип Psono](assets/img/password-management/psono.svg){ align=right } + + **Psono** - это свободный менеджер паролей с открытым исходным кодом из Германии, ориентированный на управление паролями для команд. Psono поддерживает безопасный обмен паролями, файлами, ссылками и электронной почтой. Вся секретная информация защищена мастер-паролем. + + [:octicons-home-16: Домашняя страница](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Документация} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Исходный код" } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono предоставляет подробную документацию по своему продукту. Веб-клиент для Psono может быть развернут самостоятельно; в качестве альтернативы вы можете приобрести полную версию Community Edition или Enterprise Edition с дополнительными возможностями. + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +#### Минимальные требования к сервисам + +- Должны использовать сильное, современное/стандартизированное E2EE. +- Должны иметь тщательно документированные методы шифрования и обеспечения безопасности. +- Должен иметь опубликованный аудит от авторитетной, независимой третьей стороны. +- Вся телеметрия, не критичная для работы сервиса, должна быть необязательной. +- Не должны собирать больше ПД, чем необходимо для проведения оплаты. + +#### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Телеметрия должна собираться по желанию (отключена по умолчанию) или не собираться вообще. +- Исходный код должен быть открытым и пригодным для самостоятельной развёртки. + +## Локальные сервисы + +Эти программы позволяют управлять зашифрованной базой паролей локально. + +### KeePassXC + +!!! recommendation + + ![Логотип KeePassXC](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** - это форк KeePassX, нативного кроссплатформенного порта KeePass Password Safe, созданный с целью расширить и улучшить его новыми возможностями и исправлениями ошибок, чтобы предоставить многофункциональный, кроссплатформенный и современный менеджер паролей с открытым исходным кодом. + + [:octicons-home-16: Домашняя страница](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC хранит экспортированные данные в виде [CSV](https://ru.wikipedia.org/wiki/CSV) файлов. При импортировании этого файла в другой менеджер паролей, вы можете потерять часть данных. Мы советуем вам проверять каждую запись вручную. + +### KeePassDX (Android) + +!!! recommendation + + ![Логотип KeePassDX](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** - это легкий менеджер паролей для Android, который позволяет редактировать зашифрованные данные в одном файле в формате KeePass и безопасно заполнять формы. Покупка [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) позволяет разблокировать косметический контент и нестандартные функции протокола, но, что еще важнее, поддерживает развитие проекта. + + [:octicons-home-16: Домашняя страница](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS и macOS) + +!!! recommendation + + ![Логотип Strongbox](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** - это нативный менеджер паролей с открытым исходным кодом для iOS и macOS. Он поддерживает форматы KeePass и Password Safe, поэтому может быть использован совместно с другими менеджерами паролей, например KeePassXC, на устройствах не от Apple. Strongbox использует модель [freemium](https://strongboxsafe.com/pricing/), поэтому предлагает большинство функций бесплатно, но дополнительные [функции](https://strongboxsafe.com/comparison/) для удобства, например биометрическая аутентификация, доступны по подписке или единоразовой покупке. + + [:octicons-home-16: Домашняя страница](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Кроме того, предлагается и полностью оффлайн версия: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Эта версия урезана, чтобы уменьшить площадь атаки. + +### Для командной строки + +Это простые менеджеры паролей, которые можно использовать внутри скриптов. + +#### gopass + +!!! recommendation + + ![Логотип gopass](assets/img/password-management/gopass.svg){ align=right } + + **gopass** - это менеджер паролей для командной строки, написанный на языке Go. Он работает на всех основных операционных системах для ПК и серверов (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Домашняя страница](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Программа должна быть кроссплатформенной. diff --git a/i18n/ru/productivity.md b/i18n/ru/productivity.md new file mode 100644 index 00000000..948919ce --- /dev/null +++ b/i18n/ru/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Офисные пакеты + +### LibreOffice + +!!! recommendation + + ![Логотип Nextcloud](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** - это набор бесплатного клиент-серверного программного обеспечения с открытым исходным кодом для создания собственного сервиса хранилища файлов на приватном сервере, который вы контролируете. + + [:octicons-home-16: Домашняя страница](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Политика конфиденциальности" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Поддержать } + + ??? downloads "Скачать" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! recommendation + + Мы не рекомендуем использовать [плагин E2EE](https://apps.nextcloud.com/apps/end_to_end_encryption) для Nextcloud, так как это может привести к потере данных; это очень экспериментальный продукт, который недостаточно качественен для полноценного использования. [Перейти на onlyoffice.com](https://www.onlyoffice.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button } + +### OnlyOffice + +!!! recommendation + + ![Логотип Framadate](assets/img/productivity/framadate.svg){ align=right } + + **Framadate** - это бесплатный онлайн-сервис с открытым исходным кодом для планирования встреч или легкого и быстрого принятия решений. Регистрация не требуется. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Инструменты планирования + +### PrivateBin + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Программа должна быть кроссплатформенной. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/ru/real-time-communication.md b/i18n/ru/real-time-communication.md new file mode 100644 index 00000000..989f6799 --- /dev/null +++ b/i18n/ru/real-time-communication.md @@ -0,0 +1,191 @@ +--- +title: "Мессенджеры" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Зашифрованные мессенджеры + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** - мобильное приложение, разработанное Signal Messenger LLC. Приложение обеспечивает мгновенный обмен сообщениями, а также голосовые и видеозвонки. + + Все коммуникации осуществляются в режиме E2EE. Списки контактов шифруются с помощью вашего PIN-кода входа в систему, и сервер не имеет к ним доступа. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Логотип Element](assets/img/messengers/element.svg){ align=right } + + **Element** является эталонным клиентом для протокола [Matrix](https://matrix.org/docs/guides/introduction), [открытого стандарта](https://matrix.org/docs/spec) для безопасного децентрализованного общения в реальном времени. Сообщения и файлы, которыми обмениваются в личных комнатах (те, которые требуют приглашения), по умолчанию являются E2EE, как и голосовые и видеозвонки 1 на 1. + + [Сайт](https://element.io/){ .md-button .md-button--primary } + [Политика конфиденциальности](https://element.io/privacy){ .md-button } + downloads + + - [:fontawesome-brands-windows: Windows](https://element.io/get-started) + - [:fontawesome-brands-apple: macOS](https://element.io/get-started) + - [:fontawesome-brands-linux: Linux](https://element.io/get-started) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:fontawesome-brands-github: Исходный код](https://github.com/vector-im/element-web) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. recommendation E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Логотип Briar](assets/img/messengers/briar.svg){ align=right } + + **Briar** - это зашифрованный мессенджер, который [соединяется с ](https://briarproject.org/how-it-works/) другими клиентам с помощью сети Tor. Briar также может передавать сообщения через Wi-Fi или Bluetooth, если получатель находится в непосредственной близости. Режим локальной сети Briar может быть полезен, когда Вы не имеете доступа к Интернету. + + [Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [Политика конфиденциальности](https://briarproject.org/privacy-policy){ .md-button } + downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Типы коммуникационных сетей + +!!! note + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/ru/router.md b/i18n/ru/router.md new file mode 100644 index 00000000..8fd062a2 --- /dev/null +++ b/i18n/ru/router.md @@ -0,0 +1,50 @@ +--- +title: "Прошивки для роутера" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Ниже приведены альтернативные операционные системы, которые могут использоваться на роутерах, точках доступа Wi-Fi и т. п. + +## OpenWrt + +!!! recommendation + + ![Логотип OpenWrt](/assets/img/router/openwrt.svg#only-light){ align=right } + ![Логотип OpenWrt](/assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** - это операционная система, основанная на ядре Linux, используемая в основном на встраиваемых устройствах для маршрутизации сетевого трафика. Основными компонентами являются ядро Linux, util-linux, uClibc и BusyBox. Все компоненты были оптимизированы по размеру, чтобы быть достаточно маленькими для установки в ограниченной памяти, доступной в домашних роутерах. + + [:octicons-home-16: Домашняя страница](https://openwrt.org/ru){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/ru/docs/start){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Поддержать } + +Вы можете обратиться к [таблице устройств](https://openwrt.org/toh/start) OpenWrt, чтобы проверить, поддерживается ли ваше устройство. + +## OPNsense + +!!! recommendation + + ![Логотип OPNsense](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** - это система для маршрутизации и файервола с открытым исходным кодом на базе FreeBSD, которая включает в себя множество дополнительных функций, таких как формирование трафика, балансировка нагрузки и поддержку VPN, а также множество других функций, доступных в виде плагинов. OPNsense часто используется для файерволов, роутеров, беспроводных точек доступа, серверов DHCP, DNS серверов и конечных точек VPN. + + [:octicons-home-16: Домашняя страница](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Документация} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Исходный код" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Поддержать } + +OPNsense был изначально разработан как форк [pfSense](https://en.wikipedia.org/wiki/PfSense), и оба проекта известны как бесплатные и надежные дистрибутивы файерволов, которые предлагают функции, часто встречающиеся только в дорогих коммерческих файерволах. Разработчики OPNsense [назвали](https://docs.opnsense.org/history/thefork.html) ряд проблем с безопасностью и качеством кода pfSense, из-за которых в 2015 году и был разработан форк, а также опасения по поводу приобретения pfSense компанией Netgate и направления, в котором движется разработка pfSense. + +## Критерии + +**Обратите внимание, что у нас нет связей ни с одним из проектов, которые мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md)мы разработали четкий набор требований, позволяющий нам давать объективные рекомендации. Мы рекомендуем вам ознакомиться с этим списком, прежде чем выбрать программу, и провести самостоятельное исследование, чтобы убедиться, что это правильный выбор для вас. + +!!! example "Это новый раздел" + + Мы пока работаем над установлением определенных критериев для каждого раздела нашего сайта, и они могут поменяться в будущем. Если у вас есть вопросы по поводу наших критериев, пожалуйста, [задавайте их на нашем форуме](https://discuss.privacyguides.net/latest) и не думайте, что мы не учли что-то при составлении наших рекомендаций, если это не указано здесь. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Исходный код проекта должен быть открыт. +- Проект должен регулярно обновляться. +- Проект должен поддерживать широкий спектр устройств. diff --git a/i18n/ru/search-engines.md b/i18n/ru/search-engines.md new file mode 100644 index 00000000..42828131 --- /dev/null +++ b/i18n/ru/search-engines.md @@ -0,0 +1,104 @@ +--- +title: "Поисковые системы" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Используйте поисковую систему, которая не строит рекламный профиль на основе ваших запросов. + +Приведенные здесь рекомендации основаны на политиках конфиденциальности этих сервисов. Не существует **никакой гарантии** того, что эти политики конфиденциальности будут соблюдены. + +Советуем использовать [VPN](/vpn) или [Tor](https://www.torproject.org/), если ваша модель угроз требует скрытия вашего IP-адреса от поискового провайдера. + +## Brave Search + +!!! recommendation + + ![Логотип DuckDuckGo](/assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** - популярная поисковая система, которая также используется по умолчанию в браузере Tor. DuckDuckGo использует коммерческий API Bing и [другие источники](https://help.duckduckgo.com/results/sources) для предоставления своих поисковых данных. + + [Перейти на duckduckgo.com](https://duckduckgo.com){ .md-button .md-button--primary } [:pg-tor:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .md-button } [Политика конфиденциальности](https://duckduckgo.com/privacy){ .md-button } + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. note IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + DuckDuckGo базируется в 🇺🇸 США. В их [Политике конфиденциальности](https://duckduckgo.com/privacy) говорится, что они хранят ваш поисковый запрос, но не ваш IP или любую другую идентифицирующую вас информацию. The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. note Они не хранят ваш IP-адрес, поисковые запросы или другую идентифицирующую вас информацию. + +## SearXNG + +!!! recommendation + + ![Логотип Startpage](/assets/img/search-engines/startpage.svg){ align=right } + + **Startpage** - это поисковая система, которая предоставляет результаты поиска из Google. Это очень удобный способ получить поисковые результаты Google, не сталкиваясь с такими темными паттернами, как сложные капчи или отказ в доступе из-за того, что вы используете [VPN](/vpn) или [Tor](https://www.torproject.org/download/). + + [Перейти на startpage.com](https://www.startpage.com){ .md-button .md-button--primary } [Политика конфиденциальности](https://www.startpage.com/en/privacy-policy){ .md-button } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. note + +When you are using a SearXNG instance, be sure to go read their privacy policy. recommendation Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! note + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +### Минимальные требования к сервисам + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/ru/tools.md b/i18n/ru/tools.md new file mode 100644 index 00000000..9f79272e --- /dev/null +++ b/i18n/ru/tools.md @@ -0,0 +1,487 @@ +--- +title: "Инструменты обеспечения приватности" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +Если вы ищете какое-либо решение, то в этом списке все аппаратные и программные средства, которые мы рекомендуем. Рекомендуемые инструменты для обеспечения приватности/конфиденциальности выбираются в первую очередь на основе функций безопасности с дополнительным акцентом на децентрализованные инструменты с открытым исходным кодом. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Логотип Tor Browser](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](browsers.md#tor-browser) +- ![Логотип Firefox](assets/img/browsers/firefox.svg){ .twemoji } [Firefox (ПК)](browsers.md#firefox) +- ![Логотип Brave](assets/img/browsers/brave.svg){ .twemoji } [Brave (ПК)](browsers.md#brave) +- ![Логотип Brave](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](browsers.md#brave-android) +- ![Логотип Safari](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](browsers.md#safari) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Подробнее :hero-arrow-circle-right-fill:](tor.md) + +## Операционные Системы + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### Дополнительные советы + +
+ +- ![Логотип GrapheneOS](assets/img/android/grapheneos.svg#only-light){ .twemoji }![Логотип GrapheneOS](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![Логотип DivestOS](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## Сервисы + +
+ +- ![Логотип Neo Store](assets/img/android/neo-store.png){ .twemoji } [Neo Store (Клиент F-Droid)](android.md#neo-store) +- ![Логотип Orbot](assets/img/android/orbot.svg){ .twemoji } [Orbot (Tor прокси)](android.md#orbot) +- ![Логотип Shelter](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Рабочие профили)](android.md#shelter) +- ![Логотип Auditor](assets/img/android/auditor.svg#only-light){ .twemoji }![Логотип Auditor](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (На поддерживаемых устройствах)](android.md#auditor) +- ![Логотип Secure Camera](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Логотип Secure Camera](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Логотип Secure PDF Viewer](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![Логотип Secure PDF Viewer](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) +- ![Логотип PrivacyBlur](assets/img/android/privacyblur.svg){ .twemoji } [PrivacyBlur](android.md#privacyblur) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### Дополнительные советы + +
+ +- ![Логотип Fedora](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](linux-desktop.md#fedora-workstation) +- ![Логотип openSUSE Tumbleweed](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](linux-desktop.md#opensuse-tumbleweed) +- ![Логотип Arch](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](linux-desktop.md#arch-linux) +- ![Логотип Fedora Silverblue](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue и Kinoite](linux-desktop.md#fedora-silverblue) +- ![Логотип nixOS](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](linux-desktop.md#nixos) +- ![Логотип Whonix](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](linux-desktop.md#whonix) +- ![Логотип Tails](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](linux-desktop.md#tails) +- ![Логотип Qubes OS](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Дистрибутив ВМ Xen)](qubes.md) (1) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## Программное обеспечение + +### Прошивки для роутера + +
+ +- ![Логотип OpenWrt](assets/img/router/openwrt.svg#only-light){ .twemoji }![Логотип OpenWrt](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![Логотип pfSense](assets/img/router/pfsense.svg#only-light){ .twemoji }![Логотип pfSense](assets/img/router/pfsense-dark.svg#only-dark){ .twemoji } [pfSense](router.md#pfsense) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Облачные хранилища + +
+ +- ![Логотип RethinkDNS](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![Логотип RethinkDNS](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![Логотип DNSCloak](assets/img/ios/dnscloak.png){ .twemoji } [DNSCloak](dns.md#dnscloak) +- ![Логотип dnscrypt-proxy](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](desktop.md) + +### Прошивки для роутера + +
+ +- ![Логотип AdGuard Home](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Логотип Pi-hole](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](router.md) + +## Service Providers + +### Электронная почта + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Подробнее :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![Логотип AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![Логотип AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![Логотип SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![Логотип mailcow](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#самостоятельный-хостинг-почты) +- ![Логотип Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#самостоятельный-хостинг-почты) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### VPN сервисы + +
+ +- ![Логотип Brave Search](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![Логотип DuckDuckGo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![Логотип SearXNG](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Логотип Startpage](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Логотип Startpage](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![Логотип Proton VPN](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#protonvpn) +- ![Логотип IVPN](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Логотип Mullvad](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![Логотип Tutanota](assets/img/calendar-contacts/tutanota.svg){ .twemoji } [Tutanota](calendar-contacts.md#tutanota) +- ![Логотип EteSync](assets/img/calendar-contacts/etesync.svg){ .twemoji } [EteSync](calendar-contacts.md#etesync) +- ![Логотип Proton Calendar](assets/img/calendar-contacts/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar-contacts.md#proton-calendar) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Подробнее :hero-arrow-circle-right-fill:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](financial-services.md#gift-card-marketplaces) + +### Поисковые системы + +
+ +- ![Логотип EteSync Notes](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes) +- ![Логотип Joplin](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Логотип Standard Notes](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Логотип Org-mode](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](search-engines.md) + +### VPN Providers + +??? danger "VPN не обеспечивает анонимность" + + Использование VPN **не обеспечивает** анонимность ваших привычек при просмотре веб-страниц, а также **не прибавляет** безопасности при использовании незащищенного (HTTP) трафика. + + Если вам нужна **анонимность**, вам следует использовать браузер Tor **вместо** VPN. + + Если вам нужна дополнительная **безопасность**, убедитесь, что вы подключаетесь к веб-сайтам, используя [HTTPS](https://en.wikipedia.org/wiki/HTTPS). VPN не является заменой полезных привычек для обеспечения безопасности. + + [Узнать больше :material-arrow-right:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### Почтовые клиенты + +
+ +- ![Логотип Cryptomator](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator) +- ![Логотип Picocrypt](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt) +- ![Логотип VeraCrypt](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![Логотип VeraCrypt](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt) +- ![Логотип Hat.sh](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Логотип Hat.sh](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (В браузере)](encryption.md#hatsh) +- ![Логотип Kryptor](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Логотип Tomb](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](cryptocurrency.md) + +### Инструменты для шифрования + +
+ +- ![Логотип GnuPG](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![Логотип GPG4Win](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![Логотип GPG Suite](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![Логотип OpenKeychain](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](data-redaction.md) + +### Обмен Файлами + +
+ +- ![Логотип Magic Wormhole](assets/img/file-sharing-sync/magic_wormhole.png){ .twemoji } [Magic Wormhole](file-sharing.md#magic-wormhole) +- ![Логотип Bitwarden](assets/img/file-sharing-sync/bitwarden.svg){ .twemoji } [Bitwarden](file-sharing.md#bitwarden-send) +- ![Логотип OnionShare](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![Логотип FreedomBox](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Логотип Syncthing](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](email-clients.md) + +### Инструменты для шифрования + +??? info "Operating System Disk Encryption" + + Для шифрования диска операционной системы мы обычно рекомендуем использовать тот инструмент шифрования, который предоставляет ваша операционная система, будь то **BitLocker** в Windows, **FileVault** в macOS или **LUKS** в Linux. Эти инструменты доступны "из коробки" и обычно используют аппаратные элементы шифрования, такие как TPM, чего не делают другие программы для шифрования диска, такие как VeraCrypt. Однако VeraCrypt по-прежнему подходит для дисков, не относящихся к операционной системе (внешние диски), и к таким дискам, доступ к которым может осуществляться из нескольких операционных систем. + + [Узнать больше :material-arrow-right:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Логотип ExifCleaner](assets/img/metadata-removal/exifcleaner.svg){ .twemoji } [ExifCleaner](metadata-removal-tools.md#exifcleaner) +- ![Логотип MAT2](assets/img/metadata-removal/mat2.svg){ .twemoji } [MAT2](metadata-removal-tools.md#mat2) +- ![Логотип ExifEraser](assets/img/metadata-removal/exiferaser.svg){ .twemoji } [ExifEraser (Android)](metadata-removal-tools.md#exiferaser-android) +- ![Логотип Metapho](assets/img/metadata-removal/metapho.jpg){ .twemoji } [Metapho (iOS)](metadata-removal-tools.md#metapho) +- ![Логотип ExifTool](assets/img/metadata-removal/exiftool.png){ .twemoji } [ExifTool (CLI)](metadata-removal-tools.md#exiftool) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### Инструменты для многофакторной аутентификации + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](file-sharing.md) + +### Менеджеры паролей + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](frontends.md) + +### Офисные приложения + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### Мессенджеры + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Заметки + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](notebooks.md) + +### Анонимные сети + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](productivity.md) + +### Мессенджеры + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Подробнее :hero-arrow-circle-right-fill:](video-streaming.md) diff --git a/i18n/ru/tor.md b/i18n/ru/tor.md new file mode 100644 index 00000000..0e8b8f2e --- /dev/null +++ b/i18n/ru/tor.md @@ -0,0 +1,125 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Браузер Tor + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! recommendation + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. downloads + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Source](https://hg.mozilla.org/mozilla-central) + +Этот браузер дает вам доступ к мостам Tor и \[сети Tor\](https://en.wikipedia.org/wiki/Tor_(network)), а также может быть настроен с помощью трех уровней безопасности - *Обычного*, *Высокого* и *Высшего*. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Terms of Service; Didn't Read + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/ru/video-streaming.md b/i18n/ru/video-streaming.md new file mode 100644 index 00000000..99c85456 --- /dev/null +++ b/i18n/ru/video-streaming.md @@ -0,0 +1,49 @@ +--- +title: "Видеохостинги" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +Основная угроза при использовании платформ потокового видео заключается в том, что ваши интересы и списки подписчиков могут быть использованы чтобы отслеживать вас. Вам следует сочетать эти инструменты с [VPN](/vpn) или [Tor](https://www.torproject.org/), чтобы усложнить отслеживание вашего использования. + +## Клиенты + +!!! recommendation + + При использовании Freetube ваш IP-адрес по-прежнему известен YouTube, [Invidious](https://instances.invidious.io) и экземплярам SponsorBlock, которые вы используете. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! note + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! Для уменьшения этой угрозы рассмотрите возможность самостоятельного хостинга. + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. Мы учитываем и обсуждаем много факторов, перед тем как рекомендовать какой-то проект, и документирование каждого из них ещё не завершено. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/ru/vpn.md b/i18n/ru/vpn.md new file mode 100644 index 00000000..1ad4feb1 --- /dev/null +++ b/i18n/ru/vpn.md @@ -0,0 +1,320 @@ +--- +title: "VPN сервисы" +icon: material/vpn +description: Это лучшие VPN-сервисы для защиты вашей конфиденциальности и безопасности в Интернете. Найдите провайдера, который не будет шпионить за вами. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPN не обеспечивает анонимность" + + Использование VPN **не обеспечивает** анонимность ваших привычек при просмотре веб-страниц, а также **не прибавляет** безопасности при использовании незащищенного (HTTP) трафика. + + Если вам нужна **анонимность**, вам следует использовать браузер Tor **вместо** VPN. + + Если вам нужна дополнительная **безопасность**, убедитесь, что вы подключаетесь к веб-сайтам, используя [HTTPS](https://en.wikipedia.org/wiki/HTTPS). VPN не является заменой полезных привычек для обеспечения безопасности. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Рекомендованные провайдеры + +Рекомендуемые нами провайдеры находятся за пределами США, используют шифрование, принимают Monero, поддерживают WireGuard и OpenVPN и не сохраняют логи вашего трафика. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. + + Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. Выбор VPN-провайдера с ближайшим к вам сервером позволит снизить задержку передаваемого вами сетевого трафика. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. \[WireGuard\](https://www.wireguard.com)\[^1] - это более новый протокол, использующий самую современную [криптографию\](https://www.wireguard.com/protocol/). + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Mullvad + +!!! recommendation annotate + + ![Логотип Mullvad](/assets/img/vpn/mullvad.svg#only-light){ align=right } + ![Логотип Mullvad](/assets/img/vpn/mullvad-dark.svg#only-dark){ align=right } + + **Mullvad** - это быстрый и недорогой VPN с серьезным акцентом на прозрачность и безопасность. Они работают с **2009 года**. + + Mullvad базируется в Швеции и не имеет бесплатной пробной версии. downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Это происходит из-за более короткого маршрута (меньше промежуточных серверов) до пункта назначения. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +VPN-клиенты Mullvad были проверены компаниями Cure53 и Assured AB в отчете по пентесту \[опубликовано на сайте cure53.de\] (https://cure53.de/pentest-report_mullvad_v2.pdf). Исследователи безопасности заключили: + +> Cure53 и Assured AB довольны результатами аудита, и программное обеспечение оставляет общее положительное впечатление. Учитывая преданность безопасности в команде Mullvad VPN, проверяющие не сомневаются, что проект находится на правильном пути с точки зрения безопасности. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad поддерживает протокол WireGuard®. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Кроме того, WireGuard стремится быть более простым и производительным. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! recommendation + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/sv/404.md b/i18n/sv/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/sv/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/sv/CODE_OF_CONDUCT.md b/i18n/sv/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..e7f92a8b --- /dev/null +++ b/i18n/sv/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Gemenskapens uppförandekod + +**Vi lovar** att göra vår community till en upplevelse utan trakasserier för alla. + +**Vi strävar** efter att skapa en positiv miljö genom att använda ett välkomnande och inkluderande språk och genom att respektera andras åsikter. + +**Vi tillåter inte** olämpligt eller på annat sätt oacceptabelt beteende, t. ex. sexualiserat språk, trollande och förolämpande kommentarer eller annat som främjar intolerans eller trakasserier. + +## Gemenskapsnormer + +Vad vi förväntar oss av medlemmarna i våra samhällen: + +1. **Sprid inte felaktig information** + + Vi skapar en evidensbaserad utbildningsgemenskap kring sekretess och säkerhet, inte ett hem för konspirationsteorier. Om du till exempel hävdar att en viss programvara är skadlig eller att vissa telemetriuppgifter inkräktar på privatlivet, förklara i detalj vad som samlas in och hur det sker. Påståenden av detta slag måste stödjas av tekniska bevis. + +1. **Missbruka inte vår vilja att hjälpa till** + + Våra medlemmar är inte gratis teknisk support. Vi hjälper dig gärna med specifika steg på din integritetsresa om du är villig att anstränga dig från din sida. Vi är inte villiga att svara på oändligt upprepade frågor om generiska datorproblem som du skulle ha kunnat besvara själv med en 30-sekunders sökning på internet. Var inte en [hjälp vampyr](https://slash7.com/2006/12/22/vampires/). + +1. **Uppför dig på ett positivt och konstruktivt sätt** + + Exempel på beteende som bidrar till en positiv miljö för vårt samhälle är: + + - Visa empati och vänlighet mot andra människor + - Respektera olika åsikter, synpunkter och erfarenheter + - Ge och acceptera konstruktiv feedback på ett elegant sätt + - Att ta ansvar och be om ursäkt till dem som drabbats av våra misstag och lära sig av erfarenheten + - Fokusera på vad som är bäst, inte bara för oss som individer utan för hela samhället + +### Oacceptabelt beteende + +Följande beteenden betraktas som trakasserier och är oacceptabla inom vår community: + +- Användning av sexualiserat språk eller bildspråk, och sexuell uppmärksamhet eller framsteg av något slag +- Trolling, förolämpande eller nedsättande kommentarer och personliga eller politiska attacker +- Offentliga eller privata trakasserier +- Publicera andras privata information, till exempel en fysisk eller e-postadress, utan deras uttryckliga tillstånd +- Annan handling som rimligen kan anses vara olämplig i en professionell tillställning + +## Omfattning + +Vår uppförandekod gäller inom alla projektutrymmen, samt när en individ representerar Privacy Guides-projektet i andra samhällen. + +Vi är ansvariga för att klargöra normerna för vår community och har rätt att ta bort eller ändra kommentarerna från dem som deltar i vår community, efter behov och efter eget gottfinnande. + +### Kontakt + +Om du observerar ett problem på en plattform som Matrix eller Reddit kan du kontakta våra moderatorer på den plattformen i chatt, via DM eller genom ett särskilt "Modmail"-system. + +Om du har ett problem någon annanstans, eller ett problem som våra moderatorer inte kan lösa, kan du vända dig till `jonah@privacyguides.org` och/eller `dngray@privacyguides.org`. + +Alla samhällsledare är skyldiga att respektera privatlivet och säkerheten för reportern för varje incident. diff --git a/i18n/sv/about/criteria.md b/i18n/sv/about/criteria.md new file mode 100644 index 00000000..c0c83301 --- /dev/null +++ b/i18n/sv/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Allmänna kriterier +--- + +!!! exempel "Pågående arbete" + + Följande sida är ett pågående arbete och återspeglar för närvarande inte alla kriterier för våra rekommendationer. Tidigare diskussion om detta ämne: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Nedan följer några saker som måste gälla för alla inlagor till integritetsguider. Varje kategori kommer att ha ytterligare krav för inkludering. + +## Finansiell information + +Vi tjänar inga pengar på att rekommendera vissa produkter, vi använder inga affiliate-länkar och vi ger inga särskilda överväganden till projektdonatorer. + +## Allmänna riktlinjer + +Vi tillämpar dessa prioriteringar när vi överväger nya rekommendationer: + +- **Säker**: Verktyg bör följa bästa säkerhetspraxis där det är tillämpligt. +- **Källa Tillgänglighet**: Projekt med öppen källkod föredras i allmänhet framför likvärdiga proprietära alternativ. +- **Plattformsoberoende**: Vi föredrar vanligtvis att rekommendationerna är plattformsoberoende för att undvika leverantörslåsning. +- **Aktiv utveckling**: De verktyg som vi rekommenderar bör vara aktivt utvecklade, ounderhållna projekt kommer i de flesta fall att tas bort. +- **Användbarhet**: Verktyg bör vara tillgängliga för de flesta datoranvändare, en alltför teknisk bakgrund bör inte krävas. +- **Dokumenterad**: Verktyg ska ha tydlig och omfattande dokumentation för användning. + +## Utvecklarens självinlämningar + +Vi har dessa krav på utvecklare som vill lämna in sitt projekt eller sin programvara för bedömning. + +- Måste uppge tillhörighet, det vill säga din position inom projektet som lämnas in. + +- Måste ha ett säkerhetsdokument om det är ett projekt som innebär hantering av känslig information som en budbärare, lösenordshanterare, krypterad molnlagring etc. + - Tredje parts revisionsstatus. Vi vill veta om du har en sådan, eller om du har en planerad sådan. Om möjligt, ange vem som kommer att genomföra revisionen. + +- Måste förklara vad projektet tillför när det gäller integritetsskydd. + - Löser det något nytt problem? + - Varför skulle någon använda det framför alternativen? + +- Måste ange vilken exakt hotmodell som gäller för deras projekt. + - Det bör vara tydligt för potentiella användare vad projektet kan erbjuda och vad det inte kan erbjuda. diff --git a/i18n/sv/about/donate.md b/i18n/sv/about/donate.md new file mode 100644 index 00000000..8accd67a --- /dev/null +++ b/i18n/sv/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Supporting Us +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/sv/about/index.md b/i18n/sv/about/index.md new file mode 100644 index 00000000..90ea58dd --- /dev/null +++ b/i18n/sv/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides är en socialt motiverad webbplats som ger information om hur du skyddar din datasäkerhet och integritet. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides-logotyp](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** är en socialt motiverad webbplats som tillhandahåller [information](/kb) för att skydda din datasäkerhet och integritet. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Källkod" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> För att hitta [integritetsfokuserade alternativ] appar, kolla in sajter som Goda Rapporter och **integritetsguider**, som lista sekretessfokuserade appar i en mängd olika kategorier, särskilt inklusive e-postleverantörer (vanligtvis på betalda planer) som inte drivs av de stora teknikföretag. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> Om du letar efter en ny VPN kan du gå till rabattkoden för nästan alla poddar. Om du letar efter en **bra** VPN behöver du professionell hjälp. Samma sak gäller för e-postklienter, webbläsare, operativsystem och lösenordshanterare. Hur vet du vilket av dessa alternativ som är det bästa och mest integritetsvänliga? För det finns **Sekretessguider**, en plattform där ett antal volontärer söker dag i, dag ut för de bästa integritetsvänliga verktyg att använda på internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## Historik + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/sv/about/notices.md b/i18n/sv/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/sv/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/sv/about/privacy-policy.md b/i18n/sv/about/privacy-policy.md new file mode 100644 index 00000000..26c668d1 --- /dev/null +++ b/i18n/sv/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Privacy Policy" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/sv/about/privacytools.md b/i18n/sv/about/privacytools.md new file mode 100644 index 00000000..35d4ce42 --- /dev/null +++ b/i18n/sv/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "Vanliga frågor om PrivacyTools" +--- + +# Varför vi gick vidare från PrivacyTools + +I september 2021 kom alla aktiva medarbetare enhälligt överens om att flytta från PrivacyTools till den här webbplatsen: Sekretessguider. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Publicera meddelanden på vår subreddit och i andra forum för att informera om den officiella ändringen. +- Formellt stänga tjänsterna på privacytools.io, som Matrix och Mastodon, och uppmana befintliga användare att flytta över så snart som möjligt. + +Allt verkade gå smidigt och de flesta av våra aktiva medlemmar gick över till vårt nya projekt precis som vi hoppades. + +## Följande händelser + +Ungefär en vecka efter övergången återkom BurungHantu online för första gången på nästan ett år, men ingen i vårt team var villig att återvända till PrivacyTools på grund av hans historiska opålitlighet. Istället för att be om ursäkt för sin långa frånvaro gick han omedelbart till offensiv och såg övergången till Privacy Guides som ett angrepp mot honom och hans projekt. Därefter raderade han [](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) många av dessa inlägg när gemenskapen påpekade att han hade varit frånvarande och övergivit projektet. + +BurungHantu hävdade att han ville fortsätta att arbeta med privacytools.io på egen hand och bad oss ta bort omdirigeringen från www.privacytools.io till [www.privacyguides.org](https://www.privacyguides.org). Vi gick med på det och bad honom att hålla subdomänerna för Matrix, Mastodon och PeerTube aktiva så att vi kan köra dem som en offentlig tjänst för vår gemenskap under åtminstone några månader, så att användare på dessa plattformar enkelt kan flytta över till andra konton. På grund av den federerade karaktären hos de tjänster vi tillhandahöll var de bundna till specifika domännamn, vilket gjorde det mycket svårt att migrera (och i vissa fall omöjligt). + +Eftersom BurungHantu inte fick tillbaka kontrollen över underreddit r/privacytoolsIO när han begärde det (mer information nedan), stängdes dessa underdomäner tyvärr av från [](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) i början av oktober, vilket innebar att alla användare som fortfarande använde dessa tjänster inte längre hade möjlighet att flytta. + +BurungHantu gjorde därefter falska anklagelser om att Jonah skulle ha stulit donationer från projektet. BurungHantu hade över ett år på nacken sedan den påstådda händelsen inträffade, men han informerade aldrig någon om den förrän efter att Privacy Guides migration hade genomförts. BurungHantu har upprepade gånger ombetts av teamet [och gemenskapen](https://twitter.com/TommyTran732/status/1526153536962281474)att lämna bevis och att kommentera orsaken till sin tystnad, men han har inte gjort det. + +BurungHantu gjorde också ett twitterinlägg på [](https://twitter.com/privacytoolsIO/status/1510560676967710728) där han påstod att en "advokat" hade kontaktat honom på Twitter och gav honom råd, i ett annat försök att tvinga oss att ge honom kontroll över vår subreddit, och som en del av hans smutskastningskampanj för att fördunkla vattnet kring lanseringen av Privacy Guides samtidigt som han låtsas vara ett offer. + +## PrivacyTools.io nu + +Sedan den 25 september 2022 ser vi hur BurungHantus övergripande planer förverkligas på privacytools.io, och det är just därför som vi beslutade att skapa den här förklarande sidan idag. Den webbplats som han driver verkar vara en starkt SEO-optimerad version av den webbplats som rekommenderar verktyg i utbyte mot ekonomisk ersättning. Nyligen togs IVPN och Mullvad, två VPN-leverantörer som nästan alla rekommenderar [](../vpn.md) av integritetsgruppen och som är kända för sin inställning till affiliateprogram, bort från PrivacyTools. I deras ställe? NordVPN, Surfshark, ExpressVPN och hide.me: Stora VPN-företag med opålitliga plattformar och affärsmetoder som är ökända för sin aggressiva marknadsföring och sina affiliateprogram. + +==**PrivacyTools har blivit exakt den typ av webbplats som vi [varnade för](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) på bloggen PrivacyTools 2019.**== Vi har försökt att hålla oss på avstånd från PrivacyTools sedan övergången, men deras fortsatta trakasserier mot vårt projekt och nu deras absurda missbruk av den trovärdighet som deras varumärke har fått under 6 år av bidrag till öppen källkod är extremt oroande för oss. De av oss som faktiskt kämpar för integritet kämpar inte mot varandra och får inte råd från den högstbjudande. + +## privacyTools. io nu + +Efter lanseringen av [r/PrivacyGuides](https://www.reddit.com/r/privacyguides)blev det opraktiskt för u/trai_dep att fortsätta moderera båda underredaktionerna, och eftersom gemenskapen var med på övergången gjordes r/privacytoolsIO [till](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) en begränsad underredaktion i ett inlägg den 1 november 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/sv/about/services.md b/i18n/sv/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/sv/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/sv/about/statistics.md b/i18n/sv/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/sv/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/sv/advanced/communication-network-types.md b/i18n/sv/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/sv/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/sv/advanced/dns-overview.md b/i18n/sv/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/sv/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/sv/advanced/payments.md b/i18n/sv/advanced/payments.md new file mode 100644 index 00000000..6758c2a2 --- /dev/null +++ b/i18n/sv/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! fara + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/sv/advanced/tor-overview.md b/i18n/sv/advanced/tor-overview.md new file mode 100644 index 00000000..00c51ec6 --- /dev/null +++ b/i18n/sv/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Översikt" +icon: 'simple/torproject' +description: Tor är ett decentraliserat nätverk som är gratis att använda och som är utformat för att använda internet med så mycket integritet som möjligt. +--- + +Tor är ett decentraliserat nätverk som är gratis att använda och som är utformat för att använda internet med så mycket integritet som möjligt. Om nätverket används på rätt sätt möjliggör det privat och anonym surfning och kommunikation. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Var och en av dessa noder har sin egen funktion: + +### Entrénod + +Ingångsnoden, ofta kallad guard-noden, är den första noden som din Tor-klient ansluter till. Ingångsnoden kan se din IP-adress, men den kan inte se vad du ansluter till. + +Till skillnad från andra noder väljer Tor-klienten slumpmässigt en ingångsnod och håller sig till den i två till tre månader för att skydda dig mot vissa attacker.[^1] + +### Den mellersta noden + +Den mellersta noden är den andra noden som din Tor-klient ansluter till. Den kan se vilken nod trafiken kom från - ingångsnoden - och vilken nod den går vidare till härnäst. Mellannoden kan inte se din IP-adress eller den domän du ansluter till. + +För varje ny krets väljs mittnoden slumpmässigt ut av alla tillgängliga Tor-noder. + +### Entrénod + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Välfinansierade motståndare som har möjlighet att passivt övervaka den mesta nätverkstrafiken över hela världen har en chans att avanonymisera Tor-användare med hjälp av avancerad trafikanalys. Tor skyddar dig inte heller från att avslöja dig själv av misstag, till exempel om du delar för mycket information om din verkliga identitet. +- Tor-utgångsnoderna kan också övervaka trafiken som passerar genom dem. Detta innebär att trafik som inte är krypterad, såsom vanlig HTTP-trafik, kan registreras och övervakas. Om sådan trafik innehåller personligt identifierbar information kan den avanonymisera dig till den utgångsnoden. Därför rekommenderar vi att du använder https över Tor där det är möjligt. + +Om du vill använda Tor för att surfa på webben rekommenderar vi endast den officiella **** Tor Browser - den är utformad för att förhindra fingeravtryck. + +- [Läs mer :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Ytterligare resurser + +- [Användarhandbok för Tor Browser](https://tb-manual.torproject.org) +- [Hur Tor fungerar - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Lök Tjänster - Datorfil](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: Det första reläet i din krets kallas "entry guard" eller "guard". Det är ett snabbt och stabilt relä som förblir det första i din krets i 2-3 månader för att skydda mot en känd attack som bryter anonymiteten. Resten av din krets ändras med varje ny webbplats du besöker, och alla dessa reläer ger Tor: s fullständiga integritetsskydd. För mer information om hur skyddsreläer fungerar, se detta [blogginlägg](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) och [papper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) på ingångsvakter. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Reläflagga: en särskild (diskvalificering) av reläer för kretslägen (t.ex. "Guard", "Exit", "BadExit"), kretsegenskaper (t.ex. "Fast", "Stable") eller roller (t.ex. "Authority", "HSDir") som tilldelats av katalogmyndigheterna och som definieras ytterligare i specifikationen för katalogprotokollet. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/sv/android.md b/i18n/sv/android.md new file mode 100644 index 00000000..20f12676 --- /dev/null +++ b/i18n/sv/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! anmärkning + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! varning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! varning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! anmärkning + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! anmärkning + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Operativsystem + +- Måste vara programvara med öppen källkod. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/sv/assets/img/account-deletion/exposed_passwords.png b/i18n/sv/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/sv/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/sv/assets/img/android/rss-apk-dark.png b/i18n/sv/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/sv/assets/img/android/rss-apk-light.png b/i18n/sv/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-apk-light.png differ diff --git a/i18n/sv/assets/img/android/rss-changes-dark.png b/i18n/sv/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/sv/assets/img/android/rss-changes-light.png b/i18n/sv/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/sv/assets/img/android/rss-changes-light.png differ diff --git a/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-encryption.svg b/i18n/sv/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg b/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..7747be79 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Din + -enhet + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/how-tor-works/tor-path.svg b/i18n/sv/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..c0612131 --- /dev/null +++ b/i18n/sv/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Din + -enhet + + + + Inträde + + + + + Inträde + + + + + Inträde + + + + + Inträde + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/sv/assets/img/multi-factor-authentication/fido.png b/i18n/sv/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/sv/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/sv/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/sv/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/sv/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/sv/basics/account-creation.md b/i18n/sv/basics/account-creation.md new file mode 100644 index 00000000..522e4363 --- /dev/null +++ b/i18n/sv/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tips + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! anmärkning + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/sv/basics/account-deletion.md b/i18n/sv/basics/account-deletion.md new file mode 100644 index 00000000..15faba7d --- /dev/null +++ b/i18n/sv/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### E-postadress + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. Om tjänsten inte respekterar din rätt till radering kan du kontakta din nationella dataskyddsmyndighet [](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) och du kan ha rätt till ekonomisk kompensation. + +### Överskrivning av kontoinformation + +I vissa situationer där du planerar att överge ett konto kan det vara klokt att skriva över kontoinformationen med falska uppgifter. När du har sett till att du kan logga in kan du ändra all information i ditt konto till förfalskad information. Anledningen till detta är att många webbplatser kommer att behålla information som du tidigare hade även efter att kontot raderats. Förhoppningen är att de kommer att skriva över den tidigare informationen med de senaste uppgifterna du angav. Det finns dock ingen garanti för att det inte kommer att finnas säkerhetskopior med den tidigare informationen. + +För e-postkontot skapar du antingen ett nytt alternativt e-postkonto via din valfria leverantör eller skapar ett alias med hjälp av en e-postaliaseringstjänst på [](../email.md#email-aliasing-services). Du kan sedan ta bort din alternativa e-postadress när du är klar. Vi rekommenderar att du inte använder tillfälliga e-postleverantörer, eftersom det ofta är möjligt att återaktivera tillfälliga e-postmeddelanden. + +### Radera + +Du kan kontrollera [JustDeleteMe](https://justdeleteme.xyz) för instruktioner om hur du tar bort kontot för en specifik tjänst. Vissa webbplatser har ett alternativ för att ta bort kontot, medan andra går så långt som att tvinga dig att prata med en supportmedarbetare. Raderingen kan variera från webbplats till webbplats, och på vissa webbplatser är det omöjligt att radera konton. + +För tjänster som inte tillåter radering av konton är det bästa du kan göra att förfalska all din information som tidigare nämnts och stärka kontosäkerheten. För att göra det, aktivera [MFA](multi-factor-authentication.md) och eventuella extra säkerhetsfunktioner som erbjuds. Ändra också lösenordet till ett slumpmässigt genererat lösenord som har den högsta tillåtna storleken (en lösenordshanterare [](../passwords.md) kan vara användbar för detta). + +Om du är nöjd med att all information du bryr dig om tas bort kan du säkert glömma det här kontot. Om inte kan det vara en bra idé att spara uppgifterna tillsammans med dina andra lösenord och ibland logga in igen för att återställa lösenordet. + +Även om du kan radera ett konto finns det ingen garanti för att all din information tas bort. Vissa företag är faktiskt skyldiga enligt lag att spara viss information, särskilt när det gäller finansiella transaktioner. Det är mestadels utom din kontroll vad som händer med dina data när det gäller webbplatser och molntjänster. + +## Undvik nya konton + +Som det gamla talesättet säger: "Ett uns av förebyggande åtgärder är värt ett pund av botemedel" När du känner dig frestad att registrera dig för ett nytt konto, fråga dig själv, "Behöver jag verkligen det här? Kan jag uppnå det jag behöver utan ett konto?" Det kan ofta vara mycket svårare att radera ett konto än att skapa ett. Och även efter att du har raderat eller ändrat informationen på ditt konto kan det finnas en cachad version från en tredje part, till exempel [Internet Archive](https://archive.org/). Undvik frestelsen när du kan - ditt framtida jag kommer att tacka dig! diff --git a/i18n/sv/basics/common-misconceptions.md b/i18n/sv/basics/common-misconceptions.md new file mode 100644 index 00000000..a080465c --- /dev/null +++ b/i18n/sv/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tips + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/sv/basics/common-threats.md b/i18n/sv/basics/common-threats.md new file mode 100644 index 00000000..d01dc000 --- /dev/null +++ b/i18n/sv/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. De flesta behöver inte gå så långt. + +## Säkerhet och sekretess + +:material-bug-outline: Passiva attacker + +Säkerhet och integritet förväxlas också ofta, eftersom man behöver säkerhet för att få ett sken av integritet: Det är meningslöst att använda verktyg - även om de är privata till sin utformning - om de lätt kan utnyttjas av angripare som senare släpper ut dina uppgifter. Men det omvända är inte nödvändigtvis sant: Den säkraste tjänsten i världen *är inte nödvändigtvis* privat. Det bästa exemplet på detta är att lita på data till Google som, med tanke på deras skala, har haft få säkerhetsincidenter genom att anställa branschledande säkerhetsexperter för att säkra sin infrastruktur. Även om Google tillhandahåller mycket säkra tjänster, skulle mycket få människor betrakta sina data privat i Googles gratis konsumentprodukter (Gmail, YouTube, etc.) + +När det gäller applikationssäkerhet vet vi i allmänhet inte (och kan ibland inte) om programvaran vi använder är skadlig, eller kanske en dag blir skadlig. Även med de mest pålitliga utvecklarna finns det i allmänhet ingen garanti för att deras programvara inte har en allvarlig sårbarhet som senare kan utnyttjas. + +För att minimera den skada som en skadlig programvara ** kan orsaka bör du använda säkerhet genom uppdelning. Det kan till exempel handla om att använda olika datorer för olika jobb, att använda virtuella maskiner för att separera olika grupper av relaterade program eller att använda ett säkert operativsystem med starkt fokus på sandlåda för program och obligatorisk åtkomstkontroll. + +!!! tips + + Mobila operativsystem har i allmänhet bättre applikationssandlåda än stationära operativsystem: Appar kan inte få root-åtkomst och kräver tillstånd för åtkomst till systemresurser. + + Skrivbordsoperativsystem släpar i allmänhet efter vid korrekt sandlåda. ChromeOS har liknande sandlådor som Android och macOS har fullständig kontroll över systembehörigheter (och utvecklare kan välja att sandlådor ska användas för program). Dessa operativsystem överför dock identifieringsinformation till sina respektive OEM-tillverkare. Linux tenderar att inte lämna information till systemleverantörer, men har dåligt skydd mot exploateringar och skadliga program. Detta kan mildras något med specialiserade distributioner som i stor utsträckning använder sig av virtuella maskiner eller behållare, såsom [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Riktade attacker + +Riktade attacker mot en specifik person är mer problematiska att hantera. Vanliga attacker är att skicka skadliga dokument via e-post, utnyttja sårbarheter (t.ex. i webbläsare och operativsystem) och fysiska attacker. Om detta är ett problem för dig bör du använda mer avancerade strategier för att minska hoten. + +!!! tips + + I **webbläsare**, **emailklienter** och **kontorsprogram** körs vanligtvis kod som inte är tillförlitlig och som skickas till dig från tredje part. Att köra flera virtuella maskiner för att separera sådana här program från värdsystemet och från varandra är en teknik som du kan använda för att minska risken för att en exploatering i dessa program ska kunna äventyra resten av systemet. Tekniker som Qubes OS eller Microsoft Defender Application Guard på Windows ger till exempel praktiska metoder för att göra detta. + +Om du är orolig för **fysiska attacker** bör du använda ett operativsystem med en säker verifierad uppstart, t.ex. Android, iOS, macOS eller [Windows (med TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). Du bör också se till att enheten är krypterad och att operativsystemet använder en TPM eller Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) eller [Element](https://developers.google.com/android/security/android-ready-se) för att begränsa försöken att ange krypteringsfrasen. Du bör undvika att dela din dator med personer du inte litar på, eftersom de flesta stationära operativsystem inte krypterar data separat per användare. + +## Sekretess från tjänsteleverantörer + +:material-server-network: Tjänsteleverantörer + +Vi lever i en värld där nästan allt är anslutet till internet. Våra "privata" meddelanden, e-postmeddelanden och sociala interaktioner lagras vanligtvis på en server, någonstans. I allmänhet, när du skickar ett meddelande till någon lagras det på en server, och när din vän vill läsa meddelandet kommer servern att visa det för dem. + +Det uppenbara problemet med detta är att tjänsteleverantören (eller en hackare som har äventyrat servern) kan komma åt dina konversationer när och hur de vill, utan att du någonsin vet. Detta gäller många vanliga tjänster, som SMS-meddelanden, Telegram och Discord. + +Tack och lov kan E2EE lindra detta problem genom att kryptera kommunikationen mellan dig och dina önskade mottagare innan den ens skickas till servern. Sekretessen för dina meddelanden garanteras, förutsatt att tjänsteleverantören inte har tillgång till någon av parternas privata nycklar. + +!!! anmärkning "Anmärkning om webbaserad kryptering" + + I praktiken varierar effektiviteten i olika E2EE-genomföranden. Applikationer, till exempel [Signal](../real-time-communication.md#signal), körs naturligt på din enhet, och varje kopia av applikationen är densamma över olika installationer. Om tjänsteleverantören skulle införa en [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) i sitt program - i ett försök att stjäla dina privata nycklar - skulle det senare kunna upptäckas med [reverse engineering] (https://en.wikipedia.org/wiki/Reverse_engineering). + + Å andra sidan är webbaserade E2EE-implementationer, som Proton Mail-webmail eller Bitwardens *Web Vault*, beroende av att servern dynamiskt serverar JavaScript-kod till webbläsaren för att hantera kryptografi. En skadlig server kan rikta dig och skicka skadlig JavaScript-kod för att stjäla din krypteringsnyckel (och det skulle vara extremt svårt att märka). Eftersom servern kan välja att betjäna olika webbklienter till olika människor - även om du märkte attacken - skulle det vara otroligt svårt att bevisa leverantörens skuld. + + Därför bör du använda inbyggda applikationer över webbklienter när det är möjligt. + +Även med E2EE kan tjänsteleverantörer fortfarande profilera dig utifrån **metadata**, som vanligtvis inte är skyddade. Medan tjänsteleverantören inte kan läsa dina meddelanden kan de fortfarande observera viktiga saker, till exempel vem du pratar med, hur ofta du skickar meddelanden till dem och när du vanligtvis är aktiv. Skydd av metadata är ganska ovanligt, och om det ingår i din hotmodell [](threat-modeling.md)- bör du vara uppmärksam på den tekniska dokumentationen för den programvara du använder för att se om det finns någon minimering eller något skydd av metadata överhuvudtaget. + +## Massövervakningsprogram + +:material-eye-outline: Massövervakning + +Massövervakning är ett komplicerat försök att övervaka "beteende, många aktiviteter eller information" hos en hel (eller en stor del av en) befolkning.[^1] Det hänvisar ofta till statliga program, t.ex. de [som Edward Snowden avslöjade 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). Det kan dock också utföras av företag, antingen på uppdrag av myndigheter eller på eget initiativ. + +!!! sammanfattning av "Atlas of Surveillance" + + Om du vill veta mer om övervakningsmetoder och hur de tillämpas i din stad kan du också ta en titt på [Atlas of Surveillance] (https://atlasofsurveillance.org/) från [Electronic Frontier Foundation] (https://www.eff.org/). + + I Frankrike kan du ta en titt på [Technolopolices webbplats](https://technopolice.fr/villes/) som upprätthålls av den ideella föreningen La Quadrature du Net. + +Regeringar rättfärdigar ofta massövervakningsprogram som nödvändiga medel för att bekämpa terrorism och förebygga brottslighet. Men kränker de mänskliga rättigheterna, är det oftast används för att oproportionerligt rikta minoritetsgrupper och politiska dissidenter, bland annat. + +!!! citat "ACLU: [*Det är en viktig fråga för den personliga integriteten: Massövervakning är inte vägen framåt*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Med anledning av [Edward Snowdens avslöjanden om regeringsprogram som [PRISM](https://en.wikipedia.org/wiki/PRISM) och [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)] erkände underrättelsetjänstemännen också att NSA i åratal i hemlighet hade samlat in uppgifter om praktiskt taget alla amerikaners telefonsamtal - vem som ringer till vem, när samtalen görs och hur länge de varar. Den här typen av information kan, när den samlas in av NSA dag efter dag, avslöja otroligt känsliga detaljer om människors liv och umgänge, t. ex. om de har ringt till en pastor, en abortvårdare, en missbruksrådgivare eller en självmordshotline. + +Trots den ökande massövervakningen i USA har regeringen konstaterat att massövervakningsprogram som avsnitt 215 har haft "litet unikt värde" när det gäller att stoppa faktiska brott eller terroristplaner, och att insatserna i stort sett har varit en kopia av FBI:s egna riktade övervakningsprogram.[^2] + +På nätet kan du spåras på olika sätt: + +- Din IP adress +- Webbläsarcookies +- Uppgifter som du skickar till webbplatser +- Fingeravtryck från din webbläsare eller enhet +- Betalningsmetod korrelation + +\[Denna lista är inte uttömmande]. + +Om du är orolig för massövervakningsprogram kan du använda strategier som att dela upp din identitet på nätet, smälta in bland andra användare eller, när det är möjligt, helt enkelt undvika att lämna ut identifieringsuppgifter. + +:material-account-cash: Övervakningskapitalism + +> Övervakningskapitalism är ett ekonomiskt system som är centrerat kring insamling och kommersialisering av personuppgifter i syfte att skapa vinst.[^3] + +För många människor är spårning och övervakning av privata företag ett växande problem. Genomgripande annonsnätverk, som de som drivs av Google och Facebook, spänner över internet långt bortom bara de webbplatser de kontrollerar och spårar dina handlingar längs vägen. Genom att använda verktyg som innehållsblockerare för att begränsa nätverksförfrågningar till deras servrar och läsa sekretesspolicyn för de tjänster du använder kan du undvika många grundläggande motståndare (även om det inte helt kan förhindra spårning).[^4] + +Dessutom kan även företag utanför *AdTech* eller spårningsbranschen dela din information med [datamäklare](https://en.wikipedia.org/wiki/Information_broker) (t.ex. Cambridge Analytica, Experian eller Datalogix) eller andra parter. Du kan inte automatiskt anta att dina data är säkra bara för att den tjänst du använder inte faller inom den typiska AdTech- eller spårningsaffärsmodellen. Det starkaste skyddet mot företags datainsamling är att kryptera eller dölja dina data när det är möjligt, vilket gör det svårt för olika leverantörer att korrelera data med varandra och bygga en profil på dig. + +## Begränsning av offentlig information + +:material-account-search: Offentlig exponering + +Det bästa sättet att hålla dina uppgifter hemliga är att helt enkelt inte offentliggöra dem från början. Att ta bort oönskad information du hittar om dig själv online är ett av de bästa första stegen du kan ta för att återfå din integritet. + +- [Se vår guide om radering av konto :material-arrow-right-drop-circle:](account-deletion.md) + +På webbplatser där du delar med dig av information är det mycket viktigt att du kontrollerar sekretessinställningarna för ditt konto för att begränsa hur mycket informationen sprids. Aktivera till exempel "privat läge" på dina konton om du får alternativet: Detta säkerställer att ditt konto inte indexeras av sökmotorer och att det inte kan visas utan ditt tillstånd. + +Om du redan har skickat in din riktiga information till webbplatser som inte borde ha den, kan du överväga att använda en taktik för desinformation, som att skicka in fiktiv information om din identitet på nätet. Detta gör att din riktiga information inte kan särskiljas från den falska informationen. + +## Undvik censur + +:material-close-outline: Censur + +Censur på nätet kan utföras (i varierande grad) av aktörer som totalitära regeringar, nätverksadministratörer och tjänsteleverantörer. Dessa försök att kontrollera kommunikation och begränsa tillgången till information kommer alltid att vara oförenliga med den mänskliga rätten till yttrandefrihet.[^5] + +Censur på företagsplattformar blir allt vanligare, eftersom plattformar som Twitter och Facebook ger efter för allmänhetens efterfrågan, marknadstryck och påtryckningar från myndigheter. Statliga påtryckningar kan vara dolda förfrågningar till företag, till exempel när Vita huset [begär att en provocerande YouTube-video ska tas bort](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html), eller öppna förfrågningar, till exempel när den kinesiska regeringen kräver att företag ska följa en strikt censurregim. + +Människor som oroar sig för hotet om censur kan använda teknik som [Tor](../advanced/tor-overview.md) för att kringgå den och stödja censurresistenta kommunikationsplattformar som [Matrix](../real-time-communication.md#element), som inte har någon centraliserad kontoinspektion som kan stänga konton godtyckligt. + +!!! tips + + Även om det kan vara lätt att undvika censur, kan det vara mycket problematiskt att dölja det faktum att du gör det. + + Du bör överväga vilka aspekter av nätverket din motståndare kan observera, och om du har trovärdigt förnekande för dina handlingar. Om du till exempel använder [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) kan det hjälpa dig att kringgå rudimentära DNS-baserade censursystem, men det kan inte dölja vad du besöker för din internetleverantör. En VPN eller Tor kan hjälpa till att dölja vad du besöker för nätverksadministratörer, men kan inte dölja att du använder nätverken överhuvudtaget. Pluggable transports (t.ex. Obfs4proxy, Meek eller Shadowsocks) kan hjälpa dig att undvika brandväggar som blockerar vanliga VPN-protokoll eller Tor, men dina försök att kringgå dem kan fortfarande upptäckas med metoder som probing eller [deep packet inspection] (https://en.wikipedia.org/wiki/Deep_packet_inspection). + +Du måste alltid överväga riskerna med att försöka kringgå censur, de potentiella konsekvenserna och hur sofistikerad din motståndare kan vara. Du bör vara försiktig när du väljer programvara och ha en backup-plan om du skulle bli upptäckt. + +[^1]: Wikipedia: [*Massövervakning*](https://en.wikipedia.org/wiki/Mass_surveillance) och [*Övervakning*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: Usa: s tillsynsnämnd för integritet och medborgerliga fri- och rättigheter: [*Rapport om telefonregistreringsprogrammet som genomförts enligt avsnitt 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Övervakningskapitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Räkna badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (eller "lista alla de dåliga saker som vi vet om"), som många adblockers och antivirusprogram gör, misslyckas med att tillräckligt skydda dig från nya och okända hot eftersom de ännu inte har lagts till i filterlistan. Du bör också använda andra metoder för att minska risken. +[^5]: Förenta nationerna: [*Universella förklaringen om de mänskliga rättigheterna*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/sv/basics/email-security.md b/i18n/sv/basics/email-security.md new file mode 100644 index 00000000..59f59b3d --- /dev/null +++ b/i18n/sv/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: E-postsäkerhet +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +E-post är som standard en osäker kommunikationsform. Du kan förbättra din e-postsäkerhet med verktyg som OpenPGP, som lägger till End-to-End-kryptering till dina meddelanden, men OpenPGP har fortfarande ett antal nackdelar jämfört med kryptering i andra meddelandeprogram, och vissa e-postdata kan aldrig krypteras av naturliga skäl på grund av hur e-post är utformad. + +E-post används därför bäst för att ta emot transaktionsmeddelanden (t. ex. meddelanden, verifieringsmeddelanden, lösenordsåterställning osv.) från de tjänster du registrerar dig för online, inte för att kommunicera med andra. + +## E-post-krypteringsnycklar + +Standardmetoden för att lägga till E2EE i e-postmeddelanden mellan olika e-postleverantörer är att använda OpenPGP. Det finns olika implementeringar av OpenPGP-standarden, de vanligaste är [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) och [OpenPGP.js](https://openpgpjs.org). + +Det finns en annan standard som är populär bland företag och som heter [S/MIME](https://en.wikipedia.org/wiki/S/MIME), men den kräver ett certifikat som utfärdats av en [Certifikatmyndighet](https://en.wikipedia.org/wiki/Certificate_authority) (alla utfärdar inte S/MIME-certifikat). Den har stöd för [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) och [Outlook for Web eller Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Även om du använder OpenPGP har det inte stöd för [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), vilket innebär att om antingen din eller mottagarens privata nyckel någonsin stjäls kommer alla tidigare meddelanden som krypterats med den att avslöjas. Det är därför vi rekommenderar [snabbmeddelanden](../real-time-communication.md) som implementerar vidarebefordran av sekretess via e-post för person-till-person-kommunikation när det är möjligt. + +### Vilka e-postklienter stöder E2EE? + +E-postleverantörer som tillåter dig att använda standardprotokoll som IMAP och SMTP kan användas med någon av de e-postklienter på [som vi rekommenderar](../email-clients.md). Beroende på autentiseringsmetoden kan detta leda till sämre säkerhet om leverantören eller e-postklienten inte stöder OATH eller en bryggapplikation, eftersom [multi-faktorautentisering](multi-factor-authentication.md) inte är möjlig med vanlig lösenordsautentisering. + +### Hur skyddar jag mina privata nycklar? + +Ett smartkort (t.ex. [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) eller [Nitrokey](https://www.nitrokey.com)) fungerar genom att ta emot ett krypterat e-postmeddelande från en enhet (telefon, surfplatta, dator osv.) som kör en e-post-/webbmail-klient. Meddelandet dekrypteras sedan av smartkortet och det dekrypterade innehållet skickas tillbaka till enheten. + +Det är fördelaktigt att dekrypteringen sker på smartkortet för att undvika att den privata nyckeln exponeras för en komprometterad enhet. + +## Översikt över metadata för e-post + +E-postmetadata lagras i e-postmeddelandets [meddelandehuvud](https://en.wikipedia.org/wiki/Email#Message_header) och innehåller några synliga rubriker som du kanske har sett, t.ex: `To`, `From`, `Cc`, `Date`, `Subject`. Det finns också ett antal dolda rubriker som ingår i många e-postklienter och e-postleverantörer och som kan avslöja information om ditt konto. + +Klientprogram kan använda metadata för e-post för att visa vem ett meddelande är från och när det togs emot. Servrar kan använda den för att avgöra var ett e-postmeddelande måste skickas, bland [andra ändamål](https://en.wikipedia.org/wiki/Email#Message_header) som inte alltid är transparenta. + +### Vem kan se metadata för e-post? + +E-postmetadata skyddas från utomstående observatörer med [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) som skyddar dem från utomstående observatörer, men de kan fortfarande ses av din e-postklientprogramvara (eller webbmail) och alla servrar som vidarebefordrar meddelandet från dig till mottagare, inklusive din e-postleverantör. Ibland använder e-postservrar också tjänster från tredje part för att skydda sig mot skräppost, som i allmänhet också har tillgång till dina meddelanden. + +### Varför kan metadata inte vara E2EE? + +Metadata för e-post är avgörande för e-postens mest grundläggande funktionalitet (varifrån den kom och vart den ska ta vägen). E2EE var ursprungligen inte inbyggt i e-postprotokollen, utan krävde istället tilläggsprogram som OpenPGP. Eftersom OpenPGP-meddelanden fortfarande måste fungera med traditionella e-postleverantörer kan de inte kryptera metadata, utan endast själva meddelandet. Det innebär att även om du använder OpenPGP kan utomstående observatörer se mycket information om dina meddelanden, t. ex. vem du skickar e-post till, ämnesraden, när du skickar e-post osv. diff --git a/i18n/sv/basics/multi-factor-authentication.md b/i18n/sv/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ac27dacf --- /dev/null +++ b/i18n/sv/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Faktor Autentisering" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Flerfaktorsautentisering** (**MFA**) är en säkerhetsmekanism som kräver ytterligare steg utöver att ange användarnamn (eller e-post) och lösenord. Den vanligaste metoden är tidsbegränsade koder som du kan få från SMS eller en app. + +Om en hackare (eller motståndare) kan ta reda på ditt lösenord får han eller hon normalt sett tillgång till det konto som lösenordet tillhör. Ett konto med MFA tvingar hackaren att ha både lösenordet (något som du *känner till*) och en enhet som du äger (något som du *har*), t. ex. din telefon. + +MFA-metoder varierar i säkerhet, men bygger på förutsättningen att ju svårare det är för en angripare att få tillgång till din MFA-metod, desto bättre. Exempel på MFA-metoder (från svagaste till starkaste) inkluderar SMS, e-postkoder, app push-meddelanden, TOTP, Yubico OTP och FIDO. + +## Jämförelse av MFA-metod + +### SMS eller e-post MFA + +Att ta emot OTP-koder via SMS eller e-post är ett av de svagare sätten att säkra dina konton med MFA. Att få en kod via e-post eller sms är inte längre något som du *har*", eftersom det finns många olika sätt för en hackare att [ta över ditt telefonnummer](https://en.wikipedia.org/wiki/SIM_swap_scam) eller få tillgång till din e-post utan att ha fysisk tillgång till någon av dina enheter överhuvudtaget. Om en obehörig person får tillgång till din e-post kan han eller hon använda den för att både återställa ditt lösenord och få autentiseringskoden, vilket ger honom eller henne full tillgång till ditt konto. + +### Pushnotiser + +MFA med push-notiser är ett meddelande som skickas till en app på din telefon där du uppmanas att bekräfta nya kontoinloggningar. Den här metoden är mycket bättre än SMS eller e-post, eftersom en angripare vanligtvis inte kan få dessa push-notiser utan att ha en redan inloggad enhet, vilket innebär att de måste äventyra en av dina andra enheter först. + +Vi gör alla misstag, och det finns risk för att du kan acceptera inloggningsförsöket av misstag. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +För webbtjänster används det vanligtvis tillsammans med WebAuthn som är en del av [W3C:s rekommendationer](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). Det använder autentisering med offentliga nycklar och är säkrare än delade hemligheter som används i Yubico OTP- och TOTP-metoder, eftersom det innehåller ursprungsnamnet (vanligtvis domännamnet) under autentisering. Intyg tillhandahålls för att skydda dig från nätfiskeattacker, eftersom det hjälper dig att avgöra att du använder den autentiska tjänsten och inte en falsk kopia. + +Till skillnad från Yubico OTP använder WebAuthn inget offentligt ID, så nyckeln är **inte** identifierbar på olika webbplatser. Det använder inte heller någon tredje parts molnserver för autentisering. All kommunikation sker mellan nyckeln och den webbplats du loggar in på. FIDO använder också en räknare som ökas vid användning för att förhindra återanvändning av sessioner och klonade tangenter. + +Om en webbplats eller tjänst stöder WebAuthn för autentisering rekommenderas det starkt att du använder den över alla andra former av MFA. + +## Allmänna rekommendationer + +Vi har dessa allmänna rekommendationer: + +### Vilken metod ska jag använda? + +När du konfigurerar din MFA-metod, kom ihåg att den bara är lika säker som den svagaste autentiseringsmetoden du använder. Det är därför viktigt att du endast använder den bästa MFA-metoden som finns tillgänglig. Om du till exempel redan använder TOTP bör du inaktivera MFA för e-post och SMS. Om du redan använder FIDO2/WebAuthn bör du inte använda Yubico OTP eller TOTP på ditt konto. + +### Säkerhetskopior + +Du bör alltid ha säkerhetskopior av din MFA-metod. Säkerhetsnycklar för maskinvara kan förloras, stjälas eller helt enkelt sluta fungera med tiden. Det rekommenderas att du har ett par hårdvarusäkerhetsnycklar med samma åtkomst till dina konton istället för bara en. + +När du använder TOTP med en autentiseringsapp ska du se till att säkerhetskopiera dina återställningsnycklar eller själva appen, eller kopiera de "delade hemligheterna" till en annan instans av appen på en annan telefon eller till en krypterad behållare (t.ex. [VeraCrypt](../encryption.md#veracrypt)). + +### Inledande inställning + +När du köper en säkerhetsnyckel är det viktigt att du ändrar standardinloggningsuppgifterna, ställer in lösenordsskydd för nyckeln och aktiverar touchbekräftelse om nyckeln stöder det. Produkter som YubiKey har flera gränssnitt med separata referenser för var och en av dem, så du bör gå över varje gränssnitt och ställa in skydd också. + +### E-post och SMS + +Om du måste använda e-post för MFA ska du se till att e-postkontot i sig är skyddat med en lämplig MFA-metod. + +Om du använder SMS MFA, använd en operatör som inte byter ditt telefonnummer till ett nytt SIM-kort utan tillgång till kontot, eller använd ett dedikerat VoIP-nummer från en leverantör med liknande säkerhet för att undvika en [SIM swap-attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA-verktyg som vi rekommenderar](../multi-factor-authentication.md ""){.md-button} + +## Fler ställen att inrätta MFA + +Flerfaktorsautentisering kan användas för att säkra lokala inloggningar, SSH-nycklar eller till och med lösenordsdatabaser. + +### Windows + +Yubico har en dedikerad [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) som lägger till Challenge-Response-autentisering för inloggningsflödet med användarnamn och lösenord för lokala Windows-konton. Om du har en YubiKey med stöd för autentisering med utmaningssvar kan du ta en titt på [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), där du kan konfigurera MFA på din Windows-dator. + +### macOS + +macOS har [inbyggt stöd](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) för autentisering med smarta kort (PIV). Om du har ett smartkort eller en hårdvarunyckel som stöder PIV-gränssnittet, till exempel YubiKey, rekommenderar vi att du följer dokumentationen från leverantören av smartkortet eller hårdvarunyckeln och konfigurerar andrafaktorsautentisering för din macOS-dator. + +[Använda din YubiKey som ett smartkort i macOS](https://support.yubico.com/hc/en-us/articles/360016649059) som kan hjälpa dig att ställa in din YubiKey på macOS. + +När din smartkort/säkerhetsnyckel har ställts in rekommenderar vi att du kör det här kommandot i terminalen: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +Kommandot förhindrar att en motståndare kringgår MFA när datorn startar. + +### Linux + +!!! varning + + Om värdnamnet på ditt system ändras (till exempel på grund av DHCP), skulle du inte kunna logga in. Det är viktigt att du skapar ett korrekt värdnamn för din dator innan du följer den här guiden. + +Modulen `pam_u2f` på Linux kan ge tvåfaktorsautentisering för inloggning på de flesta populära Linuxdistributioner. Om du har en maskinvarusäkerhetsnyckel som stöder U2F kan du konfigurera MFA-autentisering för inloggning. Yubico har en guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) som borde fungera för alla distributioner. Pakethanteraren kommandon-såsom `apt-get`-och paketnamn kan dock skilja sig. Den här guiden gäller **inte** för Qubes OS. + +### Qubes OS + +Qubes OS har stöd för autentisering med Challenge-Response-autentisering med YubiKeys. Om du har en YubiKey med stöd för autentisering med utmaningssvar kan du ta en titt på dokumentationen för Qubes OS [YubiKey](https://www.qubes-os.org/doc/yubikey/) om du vill konfigurera MFA på Qubes OS. + +### SSH + +#### Hårdvarusäkerhetsnycklar + +SSH MFA kan konfigureras med flera olika autentiseringsmetoder som är populära med hårdvarusäkerhetsnycklar. Vi rekommenderar att du läser Yubicos dokumentation på [](https://developers.yubico.com/SSH/) om hur du ställer in detta. + +#### Tidsbaserat engångslösenord (TOTP) + +SSH MFA kan också ställas in med TOTP. DigitalOcean har tillhandahållit en handledning [Hur man ställer in flerfaktorsautentisering för SSH på Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Det mesta bör vara likadant oavsett distribution, men kommandona för pakethanteraren - t. ex. `apt-get`- och paketnamnen kan skilja sig åt. + +### KeePass (och KeePassXC) + +KeePass- och KeePassXC-databaser kan säkras med hjälp av Challenge-Response eller HOTP som andrafaktorsautentisering. Yubico har tillhandahållit ett dokument för KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) och det finns också ett dokument på webbplatsen [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa). diff --git a/i18n/sv/basics/passwords-overview.md b/i18n/sv/basics/passwords-overview.md new file mode 100644 index 00000000..00a21179 --- /dev/null +++ b/i18n/sv/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! anmärkning + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Lösenordshanterare + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Säkerhetskopior + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/sv/basics/threat-modeling.md b/i18n/sv/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/sv/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/sv/basics/vpn-overview.md b/i18n/sv/basics/vpn-overview.md new file mode 100644 index 00000000..28f43bba --- /dev/null +++ b/i18n/sv/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN-översikt +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtuella privata nätverk är ett sätt att förlänga slutet av ditt nätverk till en utgång någon annanstans i världen. En internetleverantör kan se flödet av internettrafik som kommer in i och ut ur din nätverksavslutningsenhet (dvs. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +En VPN kan hjälpa dig eftersom den kan flytta förtroendet till en server någon annanstans i världen. ISP: n ser då bara att du är ansluten till en VPN och ingenting om den aktivitet som du skickar in i den. + +## Ska jag använda en VPN? + +**Ja**, om du inte redan använder Tor. En VPN gör två saker: den flyttar riskerna från din Internetleverantör till sig själv och döljer din IP för en tredjepartstjänst. + +VPN-tjänster kan inte kryptera data utanför anslutningen mellan din enhet och VPN-servern. VPN-leverantörer kan se och ändra din trafik på samma sätt som din internetleverantör. Och det finns inget sätt att verifiera en VPN-leverantörs policy om "ingen loggning" på något sätt. + +De döljer dock din faktiska IP-adress för en tredjepartstjänst, förutsatt att det inte finns några IP-läckor. De hjälper dig att smälta in bland andra och minskar IP-baserad spårning. + +## När ska jag inte använda en VPN? + +Att använda en VPN i fall där du använder din [kända identitet](common-threats.md#common-misconceptions) är sannolikt inte användbart. + +Om du gör det kan det utlösa system för att upptäcka skräppost och bedrägerier, till exempel om du skulle logga in på din banks webbplats. + +## Hur är det med kryptering? + +Den kryptering som erbjuds av VPN-leverantörer sker mellan dina enheter och deras servrar. Det garanterar att den specifika länken är säker. Detta är ett steg upp från att använda okrypterade proxies där en motståndare i nätverket kan avlyssna kommunikationen mellan dina enheter och proxies och ändra den. Kryptering mellan dina appar eller webbläsare och tjänsteleverantörerna hanteras dock inte av denna kryptering. + +För att det du gör på de webbplatser du besöker ska vara privat och säkert måste du använda HTTPS. Detta kommer att hålla dina lösenord, sessionstoken och frågor säkra från VPN-leverantören. Överväg att aktivera "HTTPS everywhere" i webbläsaren för att förhindra nedgraderingsattacker som [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Ska jag använda krypterad DNS med en VPN? + +Om inte din VPN-leverantör är värd för de krypterade DNS-servrarna finns **ingen**. Att använda DOH/DOT (eller någon annan form av krypterad DNS) med servrar från tredje part innebär helt enkelt att fler enheter måste lita på och gör **absolut ingenting** för att förbättra din integritet/säkerhet. Din VPN-leverantör kan fortfarande se vilka webbplatser du besöker baserat på IP-adresser och andra metoder. I stället för att bara lita på din VPN-leverantör litar du nu på både VPN-leverantören och DNSleverantören. + +Ett vanligt skäl att rekommendera krypterad DNS är att det hjälper mot DNS-spoofing. Din webbläsare bör dock redan kontrollera om [TLS-certifikat](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) med **HTTPS** och varna dig för det. Om du inte använder **HTTPS**kan en motståndare fortfarande ändra allt annat än dina DNS-frågor och slutresultatet blir inte mycket annorlunda. + +Självfallet bör du **inte använda krypterad DNS med Tor**. Detta skulle leda alla dina DNS-förfrågningar genom en enda krets och göra det möjligt för den krypterade DNS-leverantören att avanonymisera dig. + +## Ska jag använda Tor *och* en VPN? + +Genom att använda en VPN med Tor skapar du i princip en permanent ingångsnod, ofta med en pengastig kopplad till den. Detta ger inga ytterligare fördelar för dig, samtidigt som angreppsytan för din anslutning ökar dramatiskt. Om du vill dölja din användning av Tor för din internetleverantör eller din regering har Tor en inbyggd lösning för detta: Tor bridges. [Läs mer om Tor bridges och varför det inte är nödvändigt att använda en VPN](../advanced/tor-overview.md). + +## Vad händer om jag behöver anonymitet? + +VPN-tjänster kan inte ge anonymitet. Din VPN-leverantör ser fortfarande din riktiga IP-adress och har ofta ett pengaspår som kan kopplas direkt till dig. Du kan inte förlita dig på att policyer för "ingen loggning" skyddar dina uppgifter. Använd istället [Tor](https://www.torproject.org/). + +## Hur är det med VPN-leverantörer som tillhandahåller Tor-noder? + +Använd inte den här funktionen. Poängen med att använda Tor är att du inte litar på din VPN-leverantör. För närvarande stöder Tor endast [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) -protokollet. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (används i [WebRTC](https://en.wikipedia.org/wiki/WebRTC) för röst- och videodelning, det nya [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) -protokollet etc.), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) och andra paket kommer att tappas. För att kompensera för detta dirigerar VPN-leverantörer vanligtvis alla paket som inte är TCP-paket genom sin VPN-server (ditt första hopp). Detta är fallet med [ProtonVPN](https://protonvpn.com/support/tor-vpn/). När du använder denna Tor-över-VPN-inställning har du inte heller kontroll över andra viktiga Tor-funktioner, t.ex. [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (använder en annan Tor-krets för varje domän du besöker). + +Funktionen bör ses som ett bekvämt sätt att komma åt Tor-nätverket, inte att vara anonym. För riktig anonymitet ska du använda Tor Browser, TorSocks eller en Tor-gateway. + +## När är VPN-tjänster användbara? + +En VPN kan fortfarande vara användbar för dig i en rad olika situationer, till exempel: + +1. Om du döljer din trafik från **kan du bara** din Internetleverantör. +1. Dölja dina nedladdningar (t. ex. torrents) för din internetleverantör och organisationer som bekämpar piratkopiering. +1. Dölja din IP-adress från webbplatser och tjänster från tredje part och förhindra IP-baserad spårning. + +I sådana situationer, eller om du har en annan övertygande anledning, är de VPN-leverantörer som vi listat ovan de som vi anser vara mest pålitliga. Att använda en VPN-leverantör innebär dock fortfarande att du *litar på* leverantören. I nästan alla andra situationer bör du använda ett säkert**-by-design** verktyg som Tor. + +## Källor och vidare läsning + +1. [VPN - en mycket osäker berättelse](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) av Dennis Schubert +1. [Översikt över Tor-nätverket](../advanced/tor-overview.md) +1. [IVPN sekretessguider](https://www.ivpn.net/privacy-guides) +1. ["Behöver jag en VPN?"](https://www.doineedavpn.com), ett verktyg som utvecklats av IVPN för att utmana aggressiv VPN-marknadsföring genom att hjälpa enskilda personer att avgöra om en VPN är rätt för dem. + +## Relevant information + +- [Problemet med VPN- och integritetsgranskningswebbplatser](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Undersökning av gratis VPN-app](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Dolda VPN-ägare avslöjas: 101 VPN-produkter som drivs av endast 23 företag](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [Det här kinesiska företaget ligger i hemlighet bakom 24 populära appar som kräver farliga behörigheter](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/sv/calendar.md b/i18n/sv/calendar.md new file mode 100644 index 00000000..da7f6ca7 --- /dev/null +++ b/i18n/sv/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Kalendersynkronisering" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/sv/cloud.md b/i18n/sv/cloud.md new file mode 100644 index 00000000..dfa75243 --- /dev/null +++ b/i18n/sv/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Molnlagring" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Många molnlagringsleverantörer kräver ditt fulla förtroende för att de inte kommer att titta på dina filer. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? fråga "Letar du efter Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Måste genomdriva end-to-end-kryptering. +- Måste erbjuda en gratis plan eller provperiod för testning. +- Måste stödja TOTP- eller FIDO2-multifaktorautentisering eller inloggning med lösenord. +- Måste erbjuda ett webbgränssnitt som stöder grundläggande filhanteringsfunktioner. +- Måste möjliggöra enkel export av alla filer/dokument. +- Måste använda standard, granskad kryptering. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Klienterna bör ha öppen källkod. +- Klienterna bör granskas i sin helhet av en oberoende tredje part. +- De bör erbjuda inhemska klienter för Linux, Android, Windows, macOS och iOS. + - Dessa klienter bör integreras med operativsystemets verktyg för leverantörer av molnlagring, t. ex. integrering av Files-appen i iOS eller DocumentsProvider-funktionen i Android. +- Det bör vara enkelt att dela filer med andra användare. +- Bör erbjuda åtminstone grundläggande funktioner för förhandsgranskning och redigering av filer i webbgränssnittet. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/sv/cryptocurrency.md b/i18n/sv/cryptocurrency.md new file mode 100644 index 00000000..25efd838 --- /dev/null +++ b/i18n/sv/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! fara + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/sv/data-redaction.md b/i18n/sv/data-redaction.md new file mode 100644 index 00000000..40f4450e --- /dev/null +++ b/i18n/sv/data-redaction.md @@ -0,0 +1,143 @@ +--- +title: "Redigering av data och metadata" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +När du delar filer ska du se till att ta bort tillhörande metadata. Bildfiler innehåller vanligtvis [Exif](https://en.wikipedia.org/wiki/Exif) data. Foton innehåller ibland även GPS-koordinater i filmetadata. + +## Skrivbord + +### MAT2 + +!!! recommendation + + ![MAT2-logotyp](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** är en gratis programvara som gör det möjligt att ta bort metadata från bild-, ljud-, torrent- och dokumentfiler. Den tillhandahåller både ett kommandoradsverktyg och ett grafiskt användargränssnitt via ett [tillägg för Nautilus] (https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), standardfilhanteraren för [GNOME](https://www.gnome.org), och [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), standardfilhanteraren för [KDE](https://kde.org). + + På Linux finns ett grafiskt verktyg från tredje part [Metadata Cleaner] (https://gitlab.com/rmnvgr/metadata-cleaner) som drivs av MAT2 och är [tillgängligt på Flathub] (https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? nedladdningar + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobil + +### ExifEraser (Android) + +!!! recommendation + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** är ett modernt program för radering av bildmetadata för Android, utan behörighet. + + För närvarande stöds JPEG-, PNG- och WebP-filer. + + [:octicons-repo-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +Vilka metadata som raderas beror på bildens filtyp: + +* **JPEG**: ICC-profil, Exif, Photoshop Image Resources och XMP/ExtendedXMP-metadata raderas om de finns. +* **PNG**: ICC-profil, Exif- och XMP-metadata raderas om de finns. +* **PNG**: ICC-profil, Exif- och XMP-metadata raderas om de finns. + +Efter att ha behandlat bilderna ger ExifEraser dig en fullständig rapport om exakt vad som togs bort från varje bild. + +Appen erbjuder flera sätt att radera metadata från bilder. Namn: + +* Du kan dela en bild från ett annat program med ExifEraser. +* I appen kan du välja en enda bild, flera bilder samtidigt eller till och med en hel katalog. +* Den har ett "kamera"-alternativ som använder operativsystemets kameraapp för att ta ett foto och sedan tar bort metadata från det. +* Du kan dra foton från en annan app till ExifEraser när båda är öppna i delad skärm. +* Slutligen kan du klistra in en bild från klippbordet. + +### Metapho (iOS) + +!!! recommendation + + ![Metapho logotyp](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** är en enkel och ren visare för fotometadata som datum, filnamn, storlek, kameramodell, slutartid och plats. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Sekretesspolicy" } + + ??? nedladdningar + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur-logotyp](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** är en gratis app som kan sudda ut känsliga delar av bilder innan de delas på nätet. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! varning + + Du bör **aldrig** använda oskärpa för att redigera [text i bilder] (https://bishopfox.com/blog/unredacter-tool-never-pixelation). Om du vill redigera text i en bild ritar du en ruta över texten. För detta föreslår vi appar som [Pocket Paint] (https://github.com/Catrobat/Paintroid). + +## Kommandorad + +### ExifTool + +!!! recommendation + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** är det ursprungliga perl-biblioteket och kommandoradstillämpningen för att läsa, skriva och redigera metainformation (Exif, IPTC, XMP med mera) i en mängd olika filformat (JPEG, TIFF, PNG, PDF, RAW med mera). + + Det är ofta en del av andra program för att ta bort Exif-filer och finns i de flesta Linuxdistributioners arkiv. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute??? nedladdningar + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! exempel "Radera data från en katalog med filer" + + ```bash + exiftool -all= *.file_extension + ``` + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Appar som utvecklas för operativsystem med öppen källkod måste vara med öppen källkod. +- Apparna måste vara gratis och får inte innehålla annonser eller andra begränsningar. diff --git a/i18n/sv/desktop-browsers.md b/i18n/sv/desktop-browsers.md new file mode 100644 index 00000000..4127185a --- /dev/null +++ b/i18n/sv/desktop-browsers.md @@ -0,0 +1,361 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +Om du vill surfa anonymt på internet bör du använda [Tor](tor.md) i stället. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Rekommenderad konfiguration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** innehåller en inbyggd innehållsblockerare och [integritetsfunktioner] (https://brave.com/privacy-features/), varav många är aktiverade som standard. + + Brave bygger på webbläsarprojektet Chromium, så den bör kännas bekant och ha minimala problem med webbkompatibilitet. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Rekommenderad konfiguration + +These options can be found in :material-menu: → **Settings**. + +##### Sköldar + +Brave har några åtgärder mot fingeravtryck i sin funktion [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Vi föreslår att du konfigurerar dessa alternativ [globalt](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) på alla sidor som du besöker. + +Shields alternativ kan nedgraderas vid behov för varje enskild plats, men som standard rekommenderar vi att du ställer in följande: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? varning "Use default filter lists" + Brave låter dig välja ytterligare innehållsfilter på den interna sidan `brave://adblock`. Vi avråder från att använda den här funktionen; behåll istället standardfilterlistorna. Om du använder extra listor sticker du ut från andra Brave-användare och kan också öka angreppsytan om det finns en exploit i Brave och en skadlig regel läggs till i en av de listor du använder. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Avmarkera alla komponenter för sociala medier + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) gör det möjligt att få tillgång till dina webbläsardata (historik, bokmärken osv.) på alla dina enheter utan att du behöver ett konto och skyddar dem med E2EE. + +## Ytterligare resurser + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Måste vara programvara med öppen källkod. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Eventuella ändringar som krävs för att göra webbläsaren mer integritetsvänlig bör inte påverka användarupplevelsen negativt. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Kriterier för förlängning + +- Får inte replikera inbyggda webbläsar- eller OS-funktioner. +- Måste direkt påverka användarens integritet, det vill säga får inte bara ge information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/sv/desktop.md b/i18n/sv/desktop.md new file mode 100644 index 00000000..265ab503 --- /dev/null +++ b/i18n/sv/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Skrivbord" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/sv/dns.md b/i18n/sv/dns.md new file mode 100644 index 00000000..01ba9e71 --- /dev/null +++ b/i18n/sv/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Privacy Policy | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Krypterade DNS-proxyservrar + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Egenstyrda lösningar + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/sv/email-clients.md b/i18n/sv/email-clients.md new file mode 100644 index 00000000..cae032da --- /dev/null +++ b/i18n/sv/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "E-postklienter" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Rekommenderad konfiguration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! varning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! varning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Appar som utvecklas för operativsystem med öppen källkod måste vara med öppen källkod. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/sv/email.md b/i18n/sv/email.md new file mode 100644 index 00000000..e322a751 --- /dev/null +++ b/i18n/sv/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! varning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## E-postaliaseringstjänster + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Självhanterande e-post + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Kriterier + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/sv/encryption.md b/i18n/sv/encryption.md new file mode 100644 index 00000000..38e6c936 --- /dev/null +++ b/i18n/sv/encryption.md @@ -0,0 +1,354 @@ +--- +title: "Programvara för kryptering" +icon: material/file-lock +description: Kryptering av data är det enda sättet att kontrollera vem som har tillgång till dem. These tools allow you to encrypt your emails and any other files. +--- + +Kryptering av data är det enda sättet att kontrollera vem som har tillgång till dem. Om du för närvarande inte använder krypteringsprogram för din hårddisk, e-post eller filer bör du välja ett alternativ här. + +## Multiplattform + +De alternativ som anges här är flera plattformar och bra för att skapa krypterade säkerhetskopior av dina data. + +### Cryptomator (moln) + +!!! recommendation + + ![Cryptomators logotyp](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** är en krypteringslösning som är utformad för privat lagring av filer till alla molnleverantörer. Det låter dig skapa valv som lagras på en virtuell enhet, vars innehåll krypteras och synkroniseras med din molnlagringsleverantör. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Källkod" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator använder AES-256-kryptering för att kryptera både filer och filnamn. Cryptomator kan inte kryptera metadata som åtkomst, ändring och skapande tidsstämplar, eller antalet och storleken på filer och mappar. + +Vissa kryptografiska bibliotek från Cryptomator har granskats [av Cure53](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44). De granskade biblioteken omfattar följande: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) och [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). Granskningen omfattade inte [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), som är ett bibliotek som används av Cryptomator för iOS. + +I Cryptomators dokumentation beskrivs närmare det avsedda [säkerhetsmålet](https://docs.cryptomator.org/en/latest/security/security-target/), [säkerhetsarkitektur](https://docs.cryptomator.org/en/latest/security/architecture/)och [bästa praxis](https://docs.cryptomator.org/en/latest/security/best-practices/) för användning. + +### Picocrypt (Fil) + +!!! recommendation + + ![Picocrypt-logotyp](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** är ett litet och enkelt krypteringsverktyg som tillhandahåller modern kryptering. Picocrypt använder den säkra XChaCha20-chiffern och Argon2id-nyckelderivatfunktionen för att ge en hög säkerhetsnivå. Det använder Go standard x/crypto moduler för sina krypteringsfunktioner. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (disk) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** är ett källkod-tillgängligt freeware-verktyg som används för on-the-fly kryptering. Det kan skapa en virtuell krypterad disk i en fil, kryptera en partition eller kryptera hela lagringsenheten med autentisering före start. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute??? nedladdningar + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt är en gaffel i det nedlagda TrueCrypt-projektet. Enligt utvecklarna har säkerhetsförbättringar genomförts och problem som togs upp vid den första TrueCrypt-kodgranskningen har åtgärdats. + +När du krypterar med VeraCrypt kan du välja mellan olika hashfunktioner [](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). Vi föreslår att du **endast** väljer [SHA-512](https://en.wikipedia.org/wiki/SHA-512) och håller dig till [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) blockchiffer. + +Truecrypt har granskats [ett antal gånger](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), och VeraCrypt har också granskats [separat](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## Fullständig diskkryptering + +Moderna operativsystem inkluderar [FDE](https://en.wikipedia.org/wiki/Disk_encryption) och har en [säker kryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker-logotyp](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** är den lösning för fullständig volymkryptering som ingår i Microsoft Windows. Den främsta anledningen till att vi rekommenderar den är att den [använder TPM] (https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), ett företag som arbetar med kriminalteknik, har skrivit om det i [Understanding BitLocker TPM Protection] (https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker stöds endast av [](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) i Windows utgåvorna Pro, Enterprise och Education. Den kan aktiveras i Home-utgåvorna om de uppfyller förutsättningarna. + +??? exempel "Aktivering av BitLocker på Windows Home" + + För att aktivera BitLocker i Windows Home-utgåvor måste du ha partitioner som är formaterade med en [GUID Partition Table] (https://en.wikipedia.org/wiki/GUID_Partition_Table) och ha en dedikerad TPM-modul (v1.2, 2.0+). + + 1. Öppna en kommandotolk och kontrollera enhetens partitionstabellformat med följande kommando. Du bör se "**GPT**" listad under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Kör det här kommandot (i en administratörskommandotolk) för att kontrollera din TPM-version. Du bör se `2.0` eller `1.2` bredvid `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Avancerade startalternativ](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). Du måste starta om och samtidigt trycka på F8-tangenten innan Windows startar och gå in i kommandotolken ** i **Felsökning** → **Avancerade alternativ** → **Kommandotolk**. + + 4. Logga in med ditt administratörskonto och skriv detta i kommandotolken för att starta kryptering: + + ``` + manage-bde -on c: -used + ``` + + 5. Stäng kommandotolken och fortsätt att starta upp till vanligt Windows. + + 6. Öppna en administratörskommandotolk och kör följande kommandon: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tips + + Säkerhetskopiera `BitLocker-Recovery-Key.txt` på skrivbordet till en separat lagringsenhet. Förlust av denna återställningskod kan leda till förlust av data. + +### FileVault + +!!! recommendation + + ![FileVaults logotyp](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** är en lösning för volymkryptering i farten som är inbyggd i macOS. FileVault rekommenderas eftersom det finns [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) maskinvarusäkerhetsfunktioner på ett Apple Silicon SoC- eller T2-säkerhetschip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +Vi rekommenderar att du lagrar en lokal återställningsnyckel på en säker plats i stället för att använda ditt iCloud-konto för återställning. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS-logotyp](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** är standardmetoden för FDE för Linux. Den kan användas för att kryptera hela volymer, partitioner eller skapa krypterade behållare. + + [:octicons-home-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup){ .card-link title=Contribute } + +??? exempel "Skapa och öppna krypterade behållare" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Öppna krypterade behållare + Vi rekommenderar att du öppnar behållare och volymer med `udisksctl` eftersom detta använder [Polkit](https://en.wikipedia.org/wiki/Polkit). De flesta filhanterare, t. ex. de som ingår i populära skrivbordsmiljöer, kan låsa upp krypterade filer. Verktyg som [udiskie](https://github.com/coldfix/udiskie) kan köras i systemfältet och ge ett användbart användargränssnitt. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl låsa upp -b /dev/loop0 + ``` + +!!! note "Kom ihåg att säkerhetskopiera volymrubriker" + + Vi rekommenderar att du alltid [säkerhetskopierar dina LUKS-rubriker] (https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) om en del av enheten skulle gå sönder. Detta kan göras genom att: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Webbläsarbaserad + +Webbläsarbaserad kryptering kan vara användbar när du behöver kryptera en fil men inte kan installera programvara eller appar på enheten. + +### hat.sh + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** är ett källkod-tillgängligt freeware-verktyg som används för on-the-fly kryptering. Det kan också vara värd för sig själv och är användbart om du behöver kryptera en fil men inte kan installera någon programvara på din enhet på grund av organisationspolicyer. + + [:octicons-globe-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Källkod" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations/){ .card-link title=Contribute" } + +## Kommandorad + +Verktyg med kommandoradsgränssnitt är användbara för att integrera [skalskript](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor-logotyp](assets/img/encryption-software/kryptor.png){ align=right } + + ** Kryptor** är ett gratis och öppet källkodsverktyg för filkryptering och signering som använder moderna och säkra kryptografiska algoritmer. Det syftar till att vara en bättre version av [age](https://github.com/FiloSottile/age) och [Minisign](https://jedisct1.github.io/minisign/) för att ge ett enkelt, enklare alternativ till GPG. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Källkod" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb-logotyp](assets/img/encryption-software/tomb.png){ align=right } + + * * Tomb * * är ett kommandoradsskal för LUKS. Den stöder steganografi via [verktyg från tredje part] (https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP behövs ibland för specifika uppgifter som digital signering och kryptering av e-post. PGP har många funktioner och är [komplext](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) eftersom det har funnits länge. För uppgifter som signering eller kryptering av filer föreslår vi ovanstående alternativ. + +Vid kryptering med PGP har du möjlighet att konfigurera olika alternativ i din `gpg.conf` -fil. Vi rekommenderar att du använder de standardalternativ som anges i [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tips "Använd framtida standardvärden när du skapar en nyckel" + + När du [genererar nycklar] (https://www.gnupg.org/gph/en/manual/c14.html) föreslår vi att du använder kommandot `future-default`, eftersom detta kommer att instruera GnuPG att använda modern kryptografi som [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) och [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard-logotypen](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG * * är ett GPL-licensierat alternativ till PGP-paketet med kryptografisk programvara. GnuPG är kompatibel med [RFC 4880](https://tools.ietf.org/html/rfc4880), som är den aktuella IETF-specifikationen för OpenPGP. GnuPG-projektet har arbetat med ett [uppdaterat utkast](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) i ett försök att modernisera OpenPGP. GnuPG är en del av Free Software Foundations GNU-programvaruprojekt och har fått stora [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) från den tyska regeringen. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) - [:simple-windows11: App Store](download.html) + - [:simple-apple: Android]() + - [:simple-linux: Windows]() + - [ macOS]() + - [ Linux]() + - [ Flathub) + +### GPG4win + +!!! recommendation + + ![GPG4win-logotyp](assets/img/enkrypteringsprogram/gpg4win.svg){ align=right } + + **GPG4win** är ett paket för Windows från [Intevation and g10 Code] (https://gpg4win.org/impressum.html). Den innehåller [olika verktyg] (https://gpg4win.org/about.html) som kan hjälpa dig att använda GPG i Microsoft Windows. Projektet initierades och finansierades ursprungligen [av](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Tysklands federala kontor för informationssäkerhet (BSI) 2005. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](documentation.html/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Källkod" } + [:octicons-heart-16:](donate.html/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! anmärkning + + Vi rekommenderar [Canary Mail](email-clients.md#canary-mail) för att använda PGP med e-post på iOS-enheter. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** ger OpenPGP-stöd för [Apple Mail](email-clients.md#apple-mail) och macOS. + + Vi rekommenderar att du tar en titt på deras [First steps] (https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) och [Knowledge base] (https://gpgtools.tenderapp.com/kb) för stöd. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-apple: Flathub](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain-logotyp](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** är en Android-implementering av GnuPG. Det krävs vanligtvis av e-postklienter som [K-9 Mail](email-clients.md#k-9-mail) och [FairEmail](email-clients.md#fairemail) och andra Android-appar för att ge krypteringsstöd. Cure53 genomförde en [säkerhetsrevision] (https://www.openkeychain.org/openkeychain-3-6) av OpenKeychain 3.6 i oktober 2015. Tekniska detaljer om granskningen och OpenKeychains lösningar finns på [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/sv/file-sharing.md b/i18n/sv/file-sharing.md new file mode 100644 index 00000000..34218aa3 --- /dev/null +++ b/i18n/sv/file-sharing.md @@ -0,0 +1,145 @@ +--- +title: "Fildelning och synkronisering" +icon: material/share-variant +description: Upptäck hur du kan dela dina filer privat mellan dina enheter, med vänner och familj eller anonymt på nätet. +--- + +Upptäck hur du kan dela dina filer privat mellan dina enheter, med vänner och familj eller anonymt på nätet. + +## Fildelningsprogram + +### Skicka + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** är en förgrening av Mozillas nedlagda Firefox Send-tjänst som låter dig skicka filer till andra med en länk. Filerna krypteras på din enhet så att de inte kan läsas av servern, och de kan också skyddas med lösenord. Den som upprätthåller Send är värd för en [offentlig instans] (https://send.vis.ee/). Du kan använda andra offentliga instanser, eller du kan vara värd för Skicka själv. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/timvisee/send#readme/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Källkod" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee/){ .card-link title=Contribute } + +Send kan användas via webbgränssnittet eller via [ffsend](https://github.com/timvisee/ffsend) CLI. Om du känner till kommandoraden och skickar filer ofta rekommenderar vi att du använder CLI-klienten för att undvika JavaScript-baserad kryptering. Du kan ange flaggan `- värd` för att använda en specifik server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare-logotyp](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** är ett verktyg med öppen källkod som låter dig dela en fil av valfri storlek på ett säkert och anonymt sätt. Det fungerar genom att starta en webbserver som är tillgänglig som en Tor onion-tjänst, med en oigenkännlig URL som du kan dela med mottagarna för att ladda ner eller skicka filer. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:simple-torbrowser:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.onionshare.org/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Får inte lagra dekrypterade data på en fjärrserver. +- Måste vara programvara med öppen källkod. +- Måste antingen ha klienter för Linux, macOS och Windows eller ha ett webbgränssnitt. + +## FreedomBox + +!!! recommendation + + ![FreedomBox-logotyp](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** är ett operativsystem som är utformat för att köras på en [single-board computer (SBC)] (https://en.wikipedia.org/wiki/Single-board_computer). Syftet är att göra det enkelt att konfigurera serverprogram som du kanske vill vara värd för själv. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate){ .card-link title=Contribute } + +## Filsynkronisering + +### Nextcloud (klient-server) + +!!! recommendation + + ![Nextcloud-logotyp](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** är en svit med gratis klient-serverprogramvara med öppen källkod för att skapa egna filhostingtjänster på en privat server som du kontrollerar. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Källkod" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! fara + + Vi rekommenderar inte att du använder [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) för Nextcloud eftersom det kan leda till dataförluster; det är mycket experimentellt och inte av produktionskvalitet. + +### Synkronisering (P2P) + +!!! recommendation + + ![Synkronisera logotyp](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** är ett verktyg för kontinuerlig filsynkronisering med öppen källkod. Det används för att synkronisera filer mellan två eller flera enheter över det lokala nätverket eller internet. Synkronisering använder inte en centraliserad server; den använder [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html #bep-v1) för att överföra data mellan enheter. All data krypteras med TLS. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +#### Minimikrav + +- Får inte kräva en fjärr-/molnserver från tredje part. +- Måste vara programvara med öppen källkod. +- Måste antingen ha klienter för Linux, macOS och Windows eller ha ett webbgränssnitt. + +#### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Har mobila klienter för iOS och Android, som åtminstone stöder förhandsgranskning av dokument. +- Stöder säkerhetskopiering av foton från iOS och Android, och stöder som tillval synkronisering av filer och mappar på Android. diff --git a/i18n/sv/financial-services.md b/i18n/sv/financial-services.md new file mode 100644 index 00000000..030c6f9a --- /dev/null +++ b/i18n/sv/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/sv/frontends.md b/i18n/sv/frontends.md new file mode 100644 index 00000000..c8889a93 --- /dev/null +++ b/i18n/sv/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontend" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! varning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tips + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tips + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tips + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! varning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Överväg att använda en [VPN](vpn.md) eller [Tor](https://www.torproject.org) om din [hotmodell](basics/threat-modelling.md) kräver att du döljer din IP-adress. + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! varning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Överväg att använda en [VPN](vpn.md) eller [Tor](https://www.torproject.org) om din [hotmodell](basics/threat-modelling.md) kräver att du döljer din IP-adress. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! varning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Överväg att använda en [VPN](vpn.md) eller [Tor](https://www.torproject.org) om din [hotmodell](basics/threat-modelling.md) kräver att du döljer din IP-adress. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Överväg att använda en [VPN](vpn.md) eller [Tor](https://www.torproject.org) om din [hotmodell](basics/threat-modelling.md) kräver att du döljer din IP-adress. + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! varning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tips + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tips + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +Recommended frontends... + +- Måste vara programvara med öppen källkod. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/sv/index.md b/i18n/sv/index.md new file mode 100644 index 00000000..f0f85522 --- /dev/null +++ b/i18n/sv/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.sv.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/sv/kb-archive.md b/i18n/sv/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/sv/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/sv/meta/brand.md b/i18n/sv/meta/brand.md new file mode 100644 index 00000000..c65279f3 --- /dev/null +++ b/i18n/sv/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Riktlinjer för varumärket +--- + +Webbplatsen heter **Privacy Guides** och bör **inte** ändras till: + +
+- PrivacyGuides +- Sekretessguider +- PG +- PG.org +
+ +Namnet på underreddit är **r/PrivacyGuides** eller **the Privacy Guides Subreddit**. + +Ytterligare riktlinjer för varumärket finns på [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Varumärke + +"Privacy Guides" och sköldlogotypen är varumärken som ägs av Jonah Aragon, obegränsad användning är tillåten för Privacy Guides-projektet. + +Utan att avstå från någon av sina rättigheter ger Privacy Guides inte råd till andra om omfattningen av sina immateriella rättigheter. Privacy Guides varken tillåter eller samtycker till att dess varumärken används på ett sätt som kan orsaka förvirring genom att antyda att de är associerade med eller sponsras av Privacy Guides. Om du känner till någon sådan användning, vänligen kontakta Jonah Aragon på jonah@privacyguides.org. Kontakta din juridiska rådgivare om du har frågor. diff --git a/i18n/sv/meta/git-recommendations.md b/i18n/sv/meta/git-recommendations.md new file mode 100644 index 00000000..f096a09c --- /dev/null +++ b/i18n/sv/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git-rekommendationer +--- + +Om du gör ändringar på denna webbplats på GitHub.coms webbredigerare direkt, borde du inte behöva oroa dig för detta. Om du utvecklar lokalt och/eller är en långsiktig webbplatsredaktör (som förmodligen borde utveckla lokalt!), bör du överväga dessa rekommendationer. + +## Aktivera signering av SSH-nyckeln för åtagande + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/sv/meta/uploading-images.md b/i18n/sv/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/sv/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/sv/meta/writing-style.md b/i18n/sv/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/sv/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/sv/mobile-browsers.md b/i18n/sv/mobile-browsers.md new file mode 100644 index 00000000..8f43e464 --- /dev/null +++ b/i18n/sv/mobile-browsers.md @@ -0,0 +1,223 @@ +--- +title: "Mobila webbläsare" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +Detta är våra för närvarande rekommenderade mobila webbläsare och konfigurationer för standardiserad/icke-anonym surfning på internet. Om du vill surfa anonymt på internet bör du använda [Tor](tor.md) i stället. I allmänhet rekommenderar vi att du håller ett minimum av tillägg; de har privilegierad åtkomst i din webbläsare, kräver att du litar på utvecklaren, kan få dig [att sticka ut](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint)och [försvagar](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) webbplatsens isolering. + +## Android + +På Android är Firefox fortfarande mindre säkert än Chromium-baserade alternativ: Mozillas motor, [GeckoView](https://mozilla.github.io/geckoview/), har ännu inte stöd för [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) eller aktiverar [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** innehåller en inbyggd innehållsblockerare och [integritetsfunktioner] (https://brave.com/privacy-features/), varav många är aktiverade som standard. + + Brave bygger på webbläsarprojektet Chromium, så den bör kännas bekant och ha minimala problem med webbkompatibilitet. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: App Store](https://github.com/brave/brave-browser/releases) + +#### Rekommenderad konfiguration + +Tor Browser är det enda sättet att verkligen surfa anonymt på internet. När du använder Brave rekommenderar vi att du ändrar följande inställningar för att skydda din integritet från vissa parter, men alla andra webbläsare än [Tor Browser](tor.md#tor-browser) kommer att kunna spåras av *någon* i något avseende. + +Dessa alternativ finns i :material-menu: → **Inställningar** → **Modiga sköldar & sekretess** + +##### Sköldar + +Brave har några åtgärder mot fingeravtryck i sin funktion [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-). Vi föreslår att du konfigurerar dessa alternativ [globalt](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) på alla sidor som du besöker. + +##### Brave skyddar globala standardvärden + +Shields alternativ kan nedgraderas vid behov för varje enskild plats, men som standard rekommenderar vi att du ställer in följande: + +
+ +- [x] Välj **Aggressiv** under Blockera spårare och annonser + +??? varning "Use default filter lists" + Brave låter dig välja ytterligare innehållsfilter på den interna sidan `brave://adblock`. Vi avråder från att använda den här funktionen; behåll istället standardfilterlistorna. Om du använder extra listor sticker du ut från andra Brave-användare och kan också öka angreppsytan om det finns en exploit i Brave och en skadlig regel läggs till i en av de listor du använder. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Rensa surfhistorik + +- [x] Välj **Rensa uppgifter vid avslut** + +##### Blockering av sociala medier + +- [ ] Avmarkera alla komponenter för sociala medier + +##### Andra sekretessinställningar + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) gör det möjligt att få tillgång till dina webbläsardata (historik, bokmärken osv.) på alla dina enheter utan att du behöver ett konto och skyddar dem med E2EE. + +## iOS + +I iOS är alla appar som kan surfa på webben [](https://developer.apple.com/app-store/review/guidelines) begränsade till att använda Apples WebKit-ramverk [WebKit](https://developer.apple.com/documentation/webkit), så det finns få skäl att använda en tredjepartswebbläsare. + +### Safari + +!!! recommendation + + ![Safari-logotyp](assets/img/browsers/safari.svg){ align=right } + + **Safari** är standardwebbläsaren i iOS. Den innehåller [integritetsfunktioner] (https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) som intelligent spårningsskydd, integritetsrapport, isolerade flikar för privat surfning, iCloud Private Relay och automatiska HTTPS-uppgraderingar. + + [:octicons-home-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Contribute} + +#### Rekommenderad konfiguration + +Dessa alternativ finns i :gear: **Inställningar** → **Safari** → **Sekretess och säkerhet**. + +##### Förebyggande av spårning på olika webbplatser + +- [x] Aktivera **Förhindra spårning på andra webbplatser** + +Detta aktiverar WebKits [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). Funktionen hjälper till att skydda mot oönskad spårning genom att använda maskininlärning på enheten för att stoppa spårare. ITP skyddar mot många vanliga hot, men blockerar inte alla spårningsvägar eftersom den är utformad för att inte störa användbarheten av webbplatser. + +##### Integritetsrapport + +Privacy Report ger en ögonblicksbild av de spårare som för närvarande förhindras från att profilera dig på den webbplats du besöker. Den kan också visa en veckorapport som visar vilka spårare som har blockerats över tid. + +Rapporten om sekretess är tillgänglig via menyn Sidinställningar. + +##### Sekretessbevarande annonsmätning + +- [ ] Inaktivera **Integritetsbevarande annonsmätning** + +Vid mätning av annonsklick har man traditionellt använt spårningsteknik som inkräktar på användarnas integritet. [Privat klickmätning](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) är en WebKit-funktion och föreslagen webbstandard som syftar till att göra det möjligt för annonsörer att mäta effektiviteten hos webbkampanjer utan att kompromissa med användarnas integritet. + +Funktionen har i sig själv inga större problem med integriteten, så även om du kan välja att låta den vara aktiverad anser vi att det faktum att den automatiskt inaktiveras i privat surfning är en indikator för att inaktivera funktionen. + +##### Alltid privat surfning + +Öppna Safari och tryck på knappen Flikar längst ner till höger. Expandera sedan listan Flikgrupper. + +- [x] Välj **Rensa uppgifter vid avslut** + +Safaris läge för privat surfning ger ytterligare skydd för privatlivet. Privat surfning använder en ny [tillfällig](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) -session för varje flik, vilket innebär att flikarna är isolerade från varandra. Det finns också andra mindre sekretessfördelar med privat surfning, till exempel att inte skicka en webbsidas adress till Apple när du använder Safaris översättningsfunktion. + +Observera att privat surfning inte sparar cookies och webbplatsdata, så det är inte möjligt att vara inloggad på webbplatser. Detta kan vara en olägenhet. + +##### iCloud-synkronisering + +Synkronisering av Safari-historik, flikgrupper, iCloud-flikar och sparade lösenord är E2EE. Som standard är bokmärken dock [och inte](https://support.apple.com/en-us/HT202303). Apple kan dekryptera och komma åt dem i enlighet med sin sekretesspolicy för [](https://www.apple.com/legal/privacy/en-ww/). + +Du kan aktivera E2EE för dig Safari-bokmärken och nedladdningar genom att aktivera [Avancerat dataskydd](https://support.apple.com/en-us/HT212520). Gå till ditt **Apple-ID-namn → iCloud → Avancerat dataskydd**. + +- [x] Aktivera **Avancerat dataskydd** + +Om du använder iCloud med avancerat dataskydd inaktiverat rekommenderar vi också att du kontrollerar att Safaris standardhämtningsplats är inställd på lokalt på din enhet. Detta alternativ finns i :gear: **Inställningar** → **Safari** → **Allmänt** → **Nedladdningar**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard för iOS** är ett gratis tillägg för innehållsspärrning för Safari med öppen källkod som använder det inhemska [Content Blocker API] (https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard för iOS har vissa premiumfunktioner, men standardblockeringen av innehåll i Safari är gratis. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Ytterligare filterlistor saktar ner saker och kan öka din attackyta, så använd bara det du behöver. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Måste ha stöd för automatiska uppdateringar. +- Måste få motoruppdateringar inom 0-1 dagar från uppströmsutgåvan. +- Eventuella ändringar som krävs för att göra webbläsaren mer integritetsvänlig bör inte påverka användarupplevelsen negativt. +- Android webbläsare måste använda Chromium-motorn. + - Tyvärr är Mozilla GeckoView fortfarande mindre säkert än Chromium på Android. + - iOS-browsers är begränsade till WebKit. + +### Kriterier för förlängning + +- Får inte replikera inbyggda webbläsar- eller OS-funktioner. +- Måste direkt påverka användarens integritet, det vill säga får inte bara ge information. diff --git a/i18n/sv/multi-factor-authentication.md b/i18n/sv/multi-factor-authentication.md new file mode 100644 index 00000000..f7b5d7f6 --- /dev/null +++ b/i18n/sv/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** har en säkerhetsnyckel som kan [FIDO2 och WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) som heter **Nitrokey FIDO2**. För PGP-stöd måste du köpa en av deras andra nycklar som * * Nitrokey Start * *, * *NitrokeyPro 2** eller **NitrokeyStorage 2**. + + [:octicons-home-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Contribute} + +Jämförelsetabellen [](https://www.nitrokey.com/#comparison) visar funktionerna och hur Nitrokey-modellerna jämför. De **Nitrokey 3** listade kommer att ha en kombinerad funktionsuppsättning. + +Nitrokey-modeller kan konfigureras med [Nitrokey-appen](https://www.nitrokey.com/download). + +För de modeller som stöder HOTP och TOTP finns det 3 platser för HOTP och 15 för TOTP. Vissa Nitrokeys kan fungera som en lösenordshanterare. De kan lagra 16 olika autentiseringsuppgifter och kryptera dem med samma lösenord som OpenPGP-gränssnittet. + +!!! varning + + Även om Nitrokeys inte lämnar ut HOTP/TOTP-hemligheterna till den enhet de är anslutna till, är HOTP- och TOTP-lagringen **inte** krypterad och sårbar för fysiska attacker. Om du vill lagra HOTP- eller TOTP-hemligheter rekommenderar vi starkt att du använder en Yubikey i stället. + +!!! varning + + Återställning av OpenPGP-gränssnittet på en Nitrokey kommer också att göra lösenordsdatabasen [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey firmware är öppen källkod, till skillnad från YubiKey. Den inbyggda programvaran på moderna NitroKey-modeller (utom **NitroKey Pro 2**) kan uppdateras. + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +#### Minimikrav + +- Måste använda högkvalitativa, manipuleringssäkra hårdvarusäkerhetsmoduler. +- Måste stödja den senaste FIDO2-specifikationen. +- Får inte tillåta utvinning av privata nycklar. +- Enheter som kostar mer än 35 dollar måste ha stöd för hantering av OpenPGP och S/MIME. + +#### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Bör finnas tillgänglig i USB-C-format. +- Bör finnas tillgängligt med NFC. +- Bör stödja TOTP hemlig lagring. +- Bör stödja säkra uppdateringar av fast programvara. + +## Autentiseringsapp + +Authenticator Apps implementerar en säkerhetsstandard som antagits av Internet Engineering Task Force (IETF) kallad **Time-based Engångslösenord**eller **TOTP**. Detta är en metod där webbplatser delar en hemlighet med dig som används av din autentiseringsapp för att generera en sex (vanligtvis) siffrig kod baserat på aktuell tid, som du anger när du loggar in för att webbplatsen ska kontrollera. Vanligtvis regenereras dessa koder var 30: e sekund, och när en ny kod genereras blir den gamla värdelös. Även om en hackare får tag på en sexsiffrig kod finns det inget sätt för dem att vända på koden för att få fram den ursprungliga hemligheten eller på annat sätt kunna förutsäga vad framtida koder kan vara. + +Vi rekommenderar starkt att du använder mobila TOTP-appar i stället för alternativ för datorer eftersom Android och iOS har bättre säkerhet och appisolering än de flesta operativsystem för datorer. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logotyp](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** är en gratis, säker och öppen källkodsapp för att hantera dina tvåstegsverifieringstokens för dina onlinetjänster. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Källkod" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: App Store](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP-logotyp](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** är en inbyggd, lätt och säker tidsbaserad (TOTP) & kontrabaserad (HOTP) lösenordsklient för iOS. Raivo OTP erbjuder valfri iCloud backup & synkronisering. Raivo OTP finns också tillgängligt för macOS i form av en applikation i statusfältet, men Mac-appen fungerar inte oberoende av iOS-appen. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application/){ .card-link title=Dokumentation} + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Source code must be publicly available. +- Får inte kräva internetuppkoppling. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/sv/news-aggregators.md b/i18n/sv/news-aggregators.md new file mode 100644 index 00000000..8e30a214 --- /dev/null +++ b/i18n/sv/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "Nyhetsaggregatorer" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregatorklienter + +### Akregator + +!!! recommendation + + ![Akregators logotyp](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** är en nyhetsflödesläsare som är en del av projektet [KDE](https://kde.org). Den har en snabb sökning, avancerad arkiveringsfunktionalitet och en intern webbläsare för enkel läsning av nyheter. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Källkod" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Matare + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** är en modern RSS-klient för Android som har många [features](https://gitlab. om/spacecowboy/Feeder#funktioner) och fungerar bra med mappar RSS-flöden. Den stöder [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) och [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Flytande läsare + +!!! recommendation + + ![Fluent Reader-logotyp](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** är en säker plattformsoberoende nyhetsaggregator som har användbara integritetsfunktioner som t.ex. radering av cookies vid avslut, strikt [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) och proxystöd, vilket innebär att du kan använda den via [Tor](tor.md). + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Källkod" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-windows11: Google Play](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME-flöden + +!!! recommendation + + ![GNOME Feeds logotyp](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** är en nyhetsläsare för [RSS](https://en.wikipedia.org/wiki/RSS) och [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) för [GNOME](https://www.gnome.org). Det har ett enkelt gränssnitt och är ganska snabbt. + + [:octicons-home-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-linux: Google Play](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: App Store](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logotyp](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** är en webbaserad nyhetsaggregator som du kan lägga upp själv. Den stöder [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) och [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** är en gratis och öppen källkodsläsare för macOS och iOS med fokus på en inhemsk design och funktionalitet. Den stöder de vanliga feedformaten samt inbyggt stöd för Twitter- och Reddit-flöden. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat-logotyp](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** är en RSS/Atom-flödesläsare för textkonsolen. Det är en aktivt underhållen gaffel av [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). Den är mycket lätt och idealisk för användning via [Secure Shell] (https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary }[:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + [](){ .card-link title=Contribute } + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Måste vara programvara med öppen källkod. +- Måste fungera lokalt, dvs. får inte vara en molntjänst. + +## RSS-support för sociala medier + +Vissa sociala medietjänster har också stöd för RSS, även om det inte ofta annonseras. + +### Reddit + +På Reddit kan du prenumerera på subreddits via RSS. + +!!! exempel + Ersätt `subreddit_name` med det subreddit du vill prenumerera på. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Med hjälp av någon av Nitter [-instanserna](https://github.com/zedeus/nitter/wiki/Instances) kan du enkelt prenumerera via RSS. + +!!! exempel + 1. Välj en instans och ställ in `nitter_instance`. + 2. Ersätt `twitter_account` med kontonamnet. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +Du kan prenumerera på YouTube-kanaler utan att logga in och koppla användningsinformation till ditt Google-konto. + +!!! exempel + + Om du vill prenumerera på en YouTube-kanal med en RSS-klient letar du först efter din [kanalkod] (https://support.google.com/youtube/answer/6180214) och ersätter `[KANAL-ID]` nedan: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[KANAL-ID] + ``` diff --git a/i18n/sv/notebooks.md b/i18n/sv/notebooks.md new file mode 100644 index 00000000..be23552b --- /dev/null +++ b/i18n/sv/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Anteckningsböcker" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Håll koll på dina anteckningar och dagboksanteckningar utan att ge dem till tredje part. + +Om du för närvarande använder ett program som Evernote, Google Keep eller Microsoft OneNote föreslår vi att du väljer ett alternativ som stöder E2EE. + +## Molnbaserad + +### Joplin + +!!! recommendation + + ![Joplin-logotyp](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** är ett kostnadsfritt, öppen källkod och fullt utrustat program för anteckningar och att göra som kan hantera ett stort antal markdown-noter organiserade i anteckningsböcker och taggar. Det erbjuder E2EE och kan synkroniseras via Nextcloud, Dropbox och mer. Det erbjuder också enkel import från Evernote och vanlig text anteckningar. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Källkod" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmk + +Joplin stöder inte lösenord/PIN-skydd för [applikationen själv eller enskilda anteckningar och anteckningsböcker](https://github.com/laurent22/joplin/issues/289). Dina data är dock fortfarande krypterade under överföring och på synkroniseringsplatsen med hjälp av huvudnyckeln. Sedan januari 2023 stöder Joplin biometrisk applåsning för [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) och [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standardnoteringar + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** är en enkel och privat anteckningsapp som gör dina anteckningar enkla och tillgängliga överallt. Den har E2EE på alla plattformar och en kraftfull skrivbordsupplevelse med teman och anpassade redaktörer. Den har också [reviderats av en oberoende revisionsbyrå (PDF)] (https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Källkod" } + [:octicons-heart-16:](https://standardnotes.com/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee-logotyp](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** är en webbaserad E2EE-dokumentredigerare med öppen källkod och ett program för lagring av foton. Cryptee är en PWA, vilket innebär att den fungerar smidigt på alla moderna enheter utan att kräva inbyggda appar för varje plattform. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:octicons-globe-16: Flathub](https://crypt.ee/download) + +Cryptee erbjuder 100 Mb lagring gratis, med betalalternativ om du behöver mer. För att registrera dig krävs ingen e-post eller annan personligt identifierbar information. + +## Lokala anteckningsböcker + +### Org-läge + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** är ett [major mode] (https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) för GNU Emacs. Org-mode är till för att föra anteckningar, upprätthålla TODO-listor, planera projekt och skriva dokument med ett snabbt och effektivt system för klartext. Synkronisering är möjlig med [filsynkronisering](file-sharing.md#file-sync)-verktyg. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Klienterna bör ha öppen källkod. +- Alla funktioner för molnsynkronisering måste vara E2EE. +- Måste stödja export av dokument till ett standardformat. + +### Bästa fall + +- Funktioner för lokal säkerhetskopiering/synkronisering bör stödja kryptering. +- Molnbaserade plattformar bör stödja delning av dokument. diff --git a/i18n/sv/os/android-overview.md b/i18n/sv/os/android-overview.md new file mode 100644 index 00000000..c334d55e --- /dev/null +++ b/i18n/sv/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! varning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! anmärkning + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/sv/os/linux-overview.md b/i18n/sv/os/linux-overview.md new file mode 100644 index 00000000..161a9aba --- /dev/null +++ b/i18n/sv/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Översikt över Linux +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +Man tror ofta att [programvara med öppen källkod](https://en.wikipedia.org/wiki/Open-source_software) är säker i sig eftersom källkoden är tillgänglig. Det finns en förväntan på att gemenskapens kontroll sker regelbundet, men detta är inte alltid fallet [](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +För närvarande har skrivbord Linux några områden som kan förbättras bättre jämfört med sina egenutvecklade motsvarigheter, t.ex.: + +- En verifierad startkedja, som Apples [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (med [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Androids [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot)eller Microsoft Windows [bootprocess](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) med [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). Dessa funktioner och hårdvarutekniker kan alla bidra till att förhindra ihållande manipulering av skadlig kod eller [evil maid-attacker](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- En stark sandlådelösning som den som finns i [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md)och [Android](https://source.android.com/security/app-sandbox). Vanligt förekommande sandboxing-lösningar för Linux, t.ex. [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) och [Firejail](https://firejail.wordpress.com/), har fortfarande en lång väg att gå +- Starka [åtgärder för att minska exploateringar](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Trots dessa nackdelar är stationära Linux-distributioner bra om du vill: + +- Undvik telemetri som ofta kommer med egna operativsystem +- Bevara [frihet för programvara](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Har system som är inriktade på integritet, t.ex. [Whonix](https://www.whonix.org) eller [Tails](https://tails.boum.org/) + +På vår webbplats används i allmänhet termen "Linux" för att beskriva Linuxdistributioner för skrivbordsmiljöer. Andra operativsystem som också använder Linux-kärnan som ChromeOS, Android och Qubes OS diskuteras inte här. + +[Våra Linux-rekommendationer :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Välja din distribution + +Inte alla Linux-distributioner är skapade lika. Medan vår Linux-rekommendationssida inte är avsedd att vara en auktoritativ källa på vilken distribution du ska använda, finns det några saker du bör tänka på när du väljer vilken distribution du ska använda. + +### Utgivningscykel + +Vi rekommenderar starkt att du väljer distributioner som ligger nära de stabila uppströmsutgåvorna, ofta kallade rullande utgåvor. Detta beror på att frysta utgåvor ofta inte uppdaterar paketversioner och hamnar bakom säkerhetsuppdateringar. + +För frusna distributioner som [Debian](https://www.debian.org/security/faq#handling)förväntas paketansvariga backa patchar för att åtgärda sårbarheter snarare än att stöta programvaran till "nästa version" som släppts av uppströmsutvecklaren. Vissa säkerhetskorrigeringar [inte](https://arxiv.org/abs/2105.14565) får en [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (särskilt mindre populär programvara) alls och därför inte göra det i distributionen med denna patching modell. Som ett resultat hålls mindre säkerhetskorrigeringar ibland tillbaka till nästa stora utgåva. + +Vi tror inte att hålla paket tillbaka och tillämpa tillfälliga patchar är en bra idé, eftersom det skiljer sig från hur utvecklaren kan ha avsett att programvaran ska fungera. [Richard Brown](https://rootco.de/aboutme/) har en presentation om detta: + +
+ +
+ +### Traditionella och atomära uppdateringar + +Traditionellt sett uppdaterar Linuxdistributioner genom att sekventiellt uppdatera de önskade paketen. Traditionella uppdateringar som de som används i Fedora-, Arch Linux- och Debianbaserade distributioner kan vara mindre tillförlitliga om ett fel uppstår under uppdateringen. + +Distributioner med atomär uppdatering tillämpar uppdateringar i sin helhet eller inte alls. Typiskt sett är transaktionella uppdateringssystem också atomära. + +Ett system för transaktionsuppdatering skapar en ögonblicksbild som görs före och efter att en uppdatering tillämpas. Om en uppdatering misslyckas när som helst (till exempel på grund av ett strömavbrott) kan uppdateringen enkelt återställas till ett "senast kända goda tillstånd" + +Atomic update-metoden används för oföränderliga distributioner som Silverblue, Tumbleweed och NixOS och kan uppnå tillförlitlighet med den här modellen. [Adam Šamalík](https://twitter.com/adsamalik) gav en presentation om hur `rpm-ostree` fungerar med Silverblue: + +
+ +
+ +### "Säkerhetsfokuserad" distribution + +Det råder ofta viss förvirring mellan "säkerhetsfokuserade" fördelningar och "pentesting"-fördelningar. En snabb sökning på "den säkraste Linuxdistributionen" ger ofta resultat som Kali Linux, Black Arch och Parrot OS. Dessa distributioner är offensiva distributioner för penetrationstestning som innehåller verktyg för att testa andra system. De innehåller ingen "extra säkerhet" eller defensiva åtgärder som är avsedda för vanlig användning. + +### Arch Linux baserade distributioner + +Arch-baserade distributioner rekommenderas inte för dem som är nya i Linux (oavsett distribution) eftersom de kräver regelbundet underhåll av systemet [](https://wiki.archlinux.org/title/System_maintenance). Arch har ingen distributionsuppdateringsmekanism för de underliggande programvaruvalen. Därför måste du hålla dig uppdaterad om aktuella trender och ta till dig teknik när den ersätter äldre metoder på egen hand. + +För ett säkert system förväntas du också ha tillräckliga Linuxkunskaper för att korrekt konfigurera säkerheten för deras system, t.ex. anta ett [obligatoriskt system för åtkomstkontroll](https://en.wikipedia.org/wiki/Mandatory_access_control), konfigurera [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, skärpa uppstartsparametrar, manipulera [sysctl](https://en.wikipedia.org/wiki/Sysctl) -parametrar och veta vilka komponenter de behöver, t.ex. [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Alla som använder [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **måste** vara bekväma med att granska PKGBUILDs som de installerar från den tjänsten. AUR-paket är innehåll som produceras av gemenskapen och är inte granskade på något sätt, och är därför sårbara för attacker i programvarukedjan, vilket faktiskt har hänt [tidigare](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR bör alltid användas sparsamt och ofta finns det många dåliga råd på olika sidor som uppmanar folk att blint använda [AUR-hjälpmedel](https://wiki.archlinux.org/title/AUR_helpers) utan tillräcklig varning. Liknande varningar gäller för användning av tredje parts Personal Package Archives (PPAs) på Debianbaserade distributioner eller Community Projects (COPR) på Fedora. + +Om du har erfarenhet av Linux och vill använda en Arch-baserad distribution rekommenderar vi endast huvudversionen av Arch Linux, inte något av dess derivat. Vi rekommenderar särskilt dessa två Arch-derivat: + +- **Manjaro**: Denna distribution håller tillbaka paket i två veckor för att se till att deras egna ändringar inte går sönder, inte för att se till att uppströmsversionen är stabil. När AUR-paket används byggs de ofta med de senaste [-biblioteken](https://en.wikipedia.org/wiki/Library_(computing)) från Arch:s arkiv. +- **Garuda**: De använder [Chaotic-AUR](https://aur.chaotic.cx/) som automatiskt och blint kompilerar paket från AUR. Det finns ingen verifieringsprocess för att se till att AUR-paketen inte drabbas av attacker i leveranskedjan. + +### Kicksecure + +Vi rekommenderar starkt att du inte använder föråldrade distributioner som Debian, men det finns ett Debianbaserat operativsystem som har hårdgjorts för att vara mycket säkrare än vanliga Linuxdistributioner: [Kicksecure](https://www.kicksecure.com/). Kicksecure är, förenklat uttryckt, en uppsättning skript, konfigurationer och paket som avsevärt minskar angreppsytan för Debian. Den täcker många rekommendationer för sekretess och skydd av integritet som standard. + +### Linux-libre-kärnan och "Libre"-distributioner + +Vi rekommenderar starkt **att** inte använder Linux-libre-kärnan, eftersom den [tar bort säkerhetsåtgärder](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) och [av ideologiska skäl undertrycker kärnans varningar](https://news.ycombinator.com/item?id=29674846) om sårbar mikrokod. + +## Allmänna rekommendationer + +### Enhetskryptering + +De flesta Linux-distributioner har ett alternativ i installationsprogrammet för att aktivera [LUKS](../encryption.md#linux-unified-key-setup) fde. Om det här alternativet inte är inställt vid installationstillfället måste du säkerhetskopiera dina data och installera om, eftersom krypteringen tillämpas efter [diskpartitionering](https://en.wikipedia.org/wiki/Disk_partitioning), men innan [filsystem](https://en.wikipedia.org/wiki/File_system) formateras. Vi föreslår också att du raderar din lagringsenhet på ett säkert sätt: + +- [Säker radering av data :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Växla + +Överväg att använda [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) eller [krypterad swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) i stället för okrypterad swap för att undvika potentiella säkerhetsproblem med känsliga data som flyttas till [swaputrymme](https://en.wikipedia.org/wiki/Memory_paging). Fedora-baserade distributioner [använder ZRAM som standard](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +Vi rekommenderar att du använder en skrivbordsmiljö som stöder visningsprotokollet [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) eftersom det har utvecklats med säkerheten [i åtanke](https://lwn.net/Articles/589147/). Dess föregångare, [X11](https://en.wikipedia.org/wiki/X_Window_System), har inte stöd för isolering av grafiska gränssnitt, vilket gör att alla fönster kan [spela in skärmen, logga och injicera inmatningar i andra fönster](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), vilket gör alla försök till sandboxing meningslösa. Även om det finns alternativ för att göra nested X11, t.ex. [Xpra](https://en.wikipedia.org/wiki/Xpra) eller [Xephyr](https://en.wikipedia.org/wiki/Xephyr), har de ofta negativa konsekvenser för prestandan och är inte bekväma att konfigurera och är inte att föredra framför Wayland. + +Lyckligtvis har vanliga miljöer som [GNOME](https://www.gnome.org), [KDE](https://kde.org)och fönsterhanteraren [Sway](https://swaywm.org) stöd för Wayland. Vissa distributioner som Fedora och Tumbleweed använder det som standard, och andra kan komma att göra det i framtiden eftersom X11 är i [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). Om du använder en av dessa miljöer är det lika enkelt som att välja "Wayland"-sessionen i skrivbordsdisplayhanteraren ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +Vi rekommenderar **mot** om du använder skrivbordsmiljöer eller fönsterhanterare som inte har stöd för Wayland, till exempel Cinnamon (standard i Linux Mint), Pantheon (standard i Elementary OS), MATE, Xfce och i3. + +### Proprietär fast programvara (uppdateringar av mikrokod) + +Linuxdistributioner som [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) eller DIY (Arch Linux) levereras inte med de proprietära [mikrokodsuppdateringarna](https://en.wikipedia.org/wiki/Microcode) som ofta åtgärdar sårbarheter. Några anmärkningsvärda exempel på dessa sårbarheter är [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), och andra [maskinvarusårbarheter](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +Vi rekommenderar **starkt** att du installerar mikrokodsuppdateringar, eftersom din CPU redan kör den egenutvecklade mikrokoden från fabriken. Fedora och openSUSE har båda mikrokoduppdateringar som standard. + +### Uppdateringar + +De flesta Linuxdistributioner installerar automatiskt uppdateringar eller påminner dig om att göra det. Det är viktigt att hålla operativsystemet uppdaterat så att programvaran korrigeras när en sårbarhet hittas. + +Vissa distributioner (särskilt de som riktar sig till avancerade användare) är mer avskalade och förväntar sig att du gör saker själv (t.ex. Arch eller Debian). Dessa kräver att du kör "pakethanteraren" (`apt`, `pacman`, `dnf`, etc.) manuellt för att få viktiga säkerhetsuppdateringar. + +Dessutom hämtar vissa distributioner inte uppdateringar av den fasta programvaran automatiskt. För detta måste du installera [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Verktyg för integritet + +### Randomisering av MAC-adresser + +Många Linuxdistributioner för skrivbordssystem (Fedora, openSUSE osv.) levereras med [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), för att konfigurera Ethernet- och Wi-Fi-inställningar. + +Det är möjligt att [randomisera MAC-adressen](https://fedoramagazine.org/randomize-mac-address-nm/) [MAC-adressen](https://en.wikipedia.org/wiki/MAC_address) när du använder NetworkManager. Detta ger lite mer integritet i Wi-Fi-nätverk eftersom det är svårare att spåra specifika enheter i nätverket du är ansluten till. Den [**gör dig inte anonym**](https://papers.mathyvanhoef.com/wisec2016.pdf). + +Vi rekommenderar att du ändrar inställningen till **random** i stället för **stable**, vilket föreslås i artikeln [](https://fedoramagazine.org/randomize-mac-address-nm/). + +Om du använder [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components)måste du ställa in [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) vilket aktiverar [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +Det finns inte många punkter i slumpmässig MAC-adress för Ethernet-anslutningar som en systemadministratör kan hitta dig genom att titta på den port du använder på [-nätverksväxeln](https://en.wikipedia.org/wiki/Network_switch). Randomisering av Wi-Fi- MAC-adresser beror på stöd från Wi-Fi-programmets fasta programvara. + +### Andra identifierare + +Det finns andra systemidentifierare som du bör vara försiktig med. Du bör fundera på om detta gäller för din hotmodell [](../basics/threat-modeling.md): + +- **Värdnamn:** Systemets värdnamn delas med de nätverk du ansluter till. Du bör undvika att inkludera identifierande termer som ditt namn eller operativsystem i ditt värdnamn och i stället hålla dig till generiska termer eller slumpmässiga strängar. +- **Användarnamn:** På samma sätt används ditt användarnamn på olika sätt i systemet. Överväg att använda generiska termer som "användare" snarare än ditt faktiska namn. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/sv/os/qubes-overview.md b/i18n/sv/os/qubes-overview.md new file mode 100644 index 00000000..7bbe9cb6 --- /dev/null +++ b/i18n/sv/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Översikt över Qubes" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) är ett operativsystem som använder hypervisorn [Xen](https://en.wikipedia.org/wiki/Xen) för att ge stark säkerhet för skrivbordsdatorer genom isolerade virtuella maskiner. Varje virtuell dator kallas *Qube* och du kan tilldela varje Qube en förtroendenivå baserat på dess syfte. Eftersom Qubes OS ger säkerhet genom att använda isolering och endast tillåta åtgärder från fall till fall är det motsatsen till [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## Hur fungerar Qubes OS? + +Qubes använder [compartmentalization](https://www.qubes-os.org/intro/) för att hålla systemet säkert. Qubes skapas från mallar, med Fedora, Debian och [Whonix](../desktop.md#whonix)som standard. Qubes OS låter dig också skapa en gång [engångs](https://www.qubes-os.org/doc/how-to-use-disposables/) virtuella maskiner. + +![Qubes arkitektur](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes arkitektur, kredit: Vad är Qubes OS Intro
+ +Varje Qubes-program har en färgad kant på [](https://www.qubes-os.org/screenshots/) som kan hjälpa dig att hålla reda på vilken virtuell maskin programmet körs på. Du kan till exempel använda en särskild färg för din bankwebbläsare och en annan färg för en allmänt opålitlig webbläsare. + +![Färgad kant](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes fönstergränser, kredit: Qubes Screenshots
+ +## Varför ska jag använda Qubes? + +Qubes OS är användbart om din [hotmodell](../basics/threat-modeling.md) kräver stark uppdelning och säkerhet, t.ex. om du tror att du kommer att öppna opålitliga filer från opålitliga källor. En typisk anledning till att använda Qubes OS är att öppna dokument från okända källor. + +Qubes OS använder [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (dvs. en "AdminVM") för att kontrollera andra gäst-VM:er eller Qubes på värdoperativsystemet. Andra virtuella datorer visar individuella programfönster i Dom0: s skrivbordsmiljö. Det gör det möjligt att färgkoda fönster baserat på förtroendenivåer och köra appar som kan interagera med varandra med mycket detaljerad kontroll. + +### Kopiera och klistra in text + +Du kan [kopiera och klistra in text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) med hjälp av `qvm-copy-to-vm` eller nedanstående instruktioner: + +1. Tryck på **Ctrl+C** för att tala om för den virtuella maskinen att du vill kopiera något. +2. Tryck på **Ctrl+Shift+C** för att be den virtuella maskinen att göra denna buffert tillgänglig för det globala klippbordet. +3. Tryck på **Ctrl+Shift+V** i destinations-VM för att göra det globala klippbordet tillgängligt. +4. Tryck på **Ctrl+V** i den virtuella maskinen för att klistra in innehållet i bufferten. + +### Filutbyte + +Om du vill kopiera och klistra in filer och kataloger (mappar) från en VM till en annan kan du använda alternativet **Kopiera till annan AppVM...** eller **Flytta till annan AppVM...**. Skillnaden är att alternativet **Move** raderar den ursprungliga filen. Båda alternativen skyddar ditt klippblock från att läcka till andra Qubes. Detta är säkrare än filöverföring med luftgranskning eftersom en dator med luftgranskning fortfarande tvingas analysera partitioner eller filsystem. Detta är inte nödvändigt med inter-qube-kopieringssystemet. + +??? info "AppVM eller qubes har inte egna filsystem" + + Du kan [kopiera och flytta filer] (https://www.qubes-os.org/doc/how-to-copy-and-move-files/) mellan Qubes. När du gör det görs inte ändringarna omedelbart och kan lätt ångras i händelse av en olycka. + +### Inter-VM-interaktioner + +Ramverket [qrexec](https://www.qubes-os.org/doc/qrexec/) är en central del av Qubes som gör det möjligt att kommunicera virtuella maskiner mellan domäner. Det bygger på Xen-biblioteket *vchan*, som underlättar [isolering genom policyer](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Ytterligare resurser + +För ytterligare information rekommenderar vi att du konsulterar de omfattande Qubes OS-dokumentationssidorna som finns på webbplatsen [Qubes OS](https://www.qubes-os.org/doc/). Offlinekopior kan laddas ner från dokumentationsarkivet för Qubes OS [](https://github.com/QubesOS/qubes-doc). + +- Fonden för öppen teknik: [*Världens förmodligen säkraste operativsystem*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitionera mitt digitala liv i säkerhetsdomäner*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Relaterade artiklar*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/sv/passwords.md b/i18n/sv/passwords.md new file mode 100644 index 00000000..c9714068 --- /dev/null +++ b/i18n/sv/passwords.md @@ -0,0 +1,334 @@ +--- +title: "Lösenordshanterare" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Lösenordshanterare gör att du kan lagra och hantera lösenord och andra autentiseringsuppgifter på ett säkert sätt med hjälp av ett huvudlösenord. + +[Introduktion till lösenord :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Inbyggda lösenordshanterare i programvaror som webbläsare och operativsystem är ibland inte lika bra som en särskild programvara för lösenordshantering. Fördelen med en inbyggd lösenordshanterare är att den är väl integrerad med programvaran, men den kan ofta vara mycket enkel och saknar integritets- och säkerhetsfunktioner som fristående produkter har. + + Lösenordshanteraren i Microsoft Edge erbjuder till exempel inte alls E2EE. Googles lösenordshanterare har [optional](https://support.google.com/accounts/answer/11350823) E2EE, och [Apple's](https://support.apple.com/en-us/HT202303) erbjuder E2EE som standard. + +## Molnbaserad + +Dessa lösenordshanterare synkroniserar dina lösenord till en molnserver så att du enkelt kan komma åt dem från alla dina enheter och för att skydda dig mot förlust av enheter. + +### Bitwarden + +!!! recommendation + + ![Bitwardens logotyp](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** är en gratis lösenordshanterare med öppen källkod. Syftet är att lösa problem med lösenordshantering för enskilda personer, grupper och företag. Bitwarden är en av de bästa och säkraste lösningarna för att lagra alla dina inloggningar och lösenord och samtidigt hålla dem synkroniserade mellan alla dina enheter. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? :simple-microsoftedge: nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password- + +Bitwarden har också [Bitwarden Send](https://bitwarden.com/products/send/), vilket gör att du kan dela text och filer säkert med [end-to-end-kryptering](https://bitwarden.com/help/send-encryption). Ett lösenord [](https://bitwarden.com/help/send-privacy/#send-passwords) kan krävas tillsammans med sändningslänken. Bitwarden Send har också [automatisk radering](https://bitwarden.com/help/send-lifespan). + +Du behöver [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) för att kunna dela filer. Gratisabonnemanget tillåter endast textdelning. + +Bitwardens kod på serversidan är [öppen källkod](https://github.com/bitwarden/server), så om du inte vill använda Bitwardens moln kan du enkelt vara värd för din egen Bitwarden-synkroniseringsserver. + +**Vaultwarden** är en alternativ implementering av Bitwardens synkroniseringsserver skriven i Rust och kompatibel med officiella Bitwarden-klienter, perfekt för självhostad distribution där körning av den officiella resurstunga tjänsten kanske inte är idealisk. Om du vill vara värd för Bitwarden på din egen server, vill du nästan säkert använda Vaultwarden över Bitwardens officiella serverkod. + +[:octicons-repo-16: Vaultwardens utvecklingskatalog](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ . ard-link title=Dokumentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ . ard-link title="Källkod" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** är en lösenordshanterare med starkt fokus på säkerhet och användarvänlighet, som gör att du kan lagra lösenord, kreditkort, programlicenser och annan känslig information i ett säkert digitalt valv. Ditt valv lagras på 1Passwords servrar för en [månadsavgift] (https://1password.com/sign-up/). 1Password är [audited](https://support.1password.com/security-assessments/) på regelbunden basis och erbjuder exceptionell kundsupport. 1Password är en sluten källa, men produktens säkerhet dokumenteras noggrant i deras [white paper om säkerhet](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Repository](https://github.com/Hackeralert/Picocrypt){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/Hackeralert/Picocrypt){ .card-link title="Source Code" } + [:octicons-info-16:](https://support.1password.com){ .card-link title=Contribute??? nedladdningar - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Android]() + - [:simple-apple: Windows]() + - [:simple-linux: macOS]() + - [ Linux]() + - [ Flathub/) + +Traditionellt har **1Password** erbjudit den bästa användarupplevelsen av lösenordshanteraren för personer som använder macOS och iOS, men nu har den fått samma funktioner på alla plattformar. Den har många funktioner som är inriktade på familjer och mindre tekniska personer, samt avancerad funktionalitet. + +Ditt 1Password-valv är skyddat med både ditt huvudlösenord och en slumpmässig 34-teckig säkerhetsnyckel för att kryptera dina data på deras servrar. Den här säkerhetsnyckeln ger dina data ett extra skydd eftersom dina data är säkrade med hög entropi oavsett huvudlösenordet. Många andra lösenordshanteringslösningar är helt beroende av styrkan i ditt huvudlösenord för att säkra dina data. + +En fördel som 1Password har jämfört med Bitwarden är dess förstklassiga stöd för inhemska klienter. Medan Bitwarden hänvisar många uppgifter, särskilt kontohanteringsfunktioner, till sitt webbgränssnitt, gör 1Password nästan alla funktioner tillgängliga i sina mobila och stationära klienter. 1Password-klienterna har också ett mer intuitivt användargränssnitt, vilket gör dem lättare att använda och navigera. + +### Psono + +!!! recommendation + + ![Psono-logotyp](assets/img/password-management/psono.svg){ align=right } + + **Psono** är en gratis lösenordshanterare med öppen källkod från Tyskland, med fokus på lösenordshantering för team. Psono stöder säker delning av lösenord, filer, bokmärken och e-post. Alla hemligheter skyddas av ett huvudlösenord. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono tillhandahåller omfattande dokumentation för sin produkt. Webbklienten för Psono kan vara självhyst, alternativt kan du välja den fullständiga Community Edition eller Enterprise Edition med ytterligare funktioner. + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +#### Minimikrav + +- Måste använda starka, standardbaserade/moderna E2EE. +- Måste ha noggrant dokumenterade krypterings- och säkerhetsrutiner. +- Måste ha en publicerad revision från en välrenommerad, oberoende tredje part. +- All icke nödvändig telemetri måste vara frivillig. +- Får inte samla in mer PII än vad som är nödvändigt för fakturering. + +#### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Telemetri bör vara opt-in (inaktiverad som standard) eller inte samlas in alls. +- Den bör ha öppen källkod och vara någorlunda självhanterlig. + +## Lokal lagring + +Med dessa alternativ kan du hantera en krypterad lösenordsdatabas lokalt. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** är en gemenskapsfork av KeePassX, en inhemsk plattformsoberoende anpassning av KeePass Password Safe, med målet att utöka och förbättra den med nya funktioner och felrättningar för att tillhandahålla en funktionsrik, plattformsoberoende och modern lösenordshanterare med öppen källkod. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Källkod" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC lagrar sina exportdata som [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) -filer. Detta kan innebära att du förlorar data om du importerar filen till en annan lösenordshanterare. Vi rekommenderar att du kontrollerar varje post manuellt. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logotyp](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** är en lättviktig lösenordshanterare för Android som gör det möjligt att redigera krypterade data i en enda fil i KeePass-format och fylla i formulär på ett säkert sätt. [Contributor Pro] (https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) gör det möjligt att låsa upp kosmetiskt innehåll och icke-standardiserade protokollfunktioner, men viktigare är att det hjälper och uppmuntrar till utveckling. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: App Store](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox-logotyp](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** är en inhemsk lösenordshanterare med öppen källkod för iOS och macOS. Strongbox stöder både KeePass- och Password Safe-format och kan användas tillsammans med andra lösenordshanterare, som KeePassXC, på andra plattformar än Apple-plattformar. Genom att använda en [freemium modell](https://strongboxsafe.com/pricing/), erbjuder Strongbox de flesta funktioner under sin fria nivå med mer bekvämlighetsinriktad [features](https://strongboxsafe. om/comparison/) – såsom biometrisk autentisering – låst bakom en prenumeration eller evig licens. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Källkod" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Dessutom finns det en offline-version som erbjuds: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). Denna version är avskalad i ett försök att minska angreppsytan. + +### Kommandorad + +Dessa produkter är minimala lösenordshanterare som kan användas inom skriptprogram. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** är en lösenordshanterare för kommandoraden skriven i Go. Det fungerar på alla större skrivbords- och serveroperativsystem (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute??? nedladdningar + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Måste vara plattformsoberoende. diff --git a/i18n/sv/productivity.md b/i18n/sv/productivity.md new file mode 100644 index 00000000..b5af915e --- /dev/null +++ b/i18n/sv/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Produktivitetsverktyg" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud-logotyp](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** är en svit med gratis klient-serverprogramvara med öppen källkod för att skapa egna filhostingtjänster på en privat server som du kontrollerar. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Källkod" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? nedladdningar + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! fara + + Vi rekommenderar inte att du använder [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) för Nextcloud eftersom det kan leda till dataförluster; det är mycket experimentellt och inte av produktionskvalitet. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Måste vara plattformsoberoende. +- Måste vara programvara med öppen källkod. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/sv/real-time-communication.md b/i18n/sv/real-time-communication.md new file mode 100644 index 00000000..d9157869 --- /dev/null +++ b/i18n/sv/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Realtidskommunikation" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! varning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/sv/router.md b/i18n/sv/router.md new file mode 100644 index 00000000..ac86ded6 --- /dev/null +++ b/i18n/sv/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Nedan följer några alternativa operativsystem som kan användas på routrar, Wi-Fi-accesspunkter osv. + +## OpenWrt + +!!! recommendation + + ![OpenWrt-logotyp](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** är ett Linuxbaserat operativsystem som främst används på inbyggda enheter för att dirigera nätverkstrafik. Den innehåller util-linux, uClibc och BusyBox. Alla komponenter har optimerats för hem routrar. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +Du kan se OpenWrts [tabell över maskinvara](https://openwrt.org/toh/start) för att kontrollera om din enhet stöds. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** är en FreeBSD-baserad brandvägg och routningsplattform med öppen källkod som innehåller många avancerade funktioner, t.ex. trafikformning, belastningsbalansering och VPN-funktioner, med många fler funktioner som finns tillgängliga i form av tilläggsmoduler. OPNsense används vanligen som brandvägg, router, trådlös åtkomstpunkt, DHCP-server, DNS-server och VPN-slutpunkt. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate){ .card-link title=Contribute } + +OPNsense utvecklades ursprungligen som en gaffel av [pfSense](https://en.wikipedia.org/wiki/PfSense), och båda projekten är kända för att vara fria och pålitliga brandväggsdistributioner som erbjuder funktioner som ofta endast finns i dyra kommersiella brandväggar. Utvecklarna av OPNsense [, som lanserades 2015, citerade](https://docs.opnsense.org/history/thefork.html) ett antal säkerhets- och kodkvalitetsproblem med pfSense som de ansåg nödvändiggjorde en delning av projektet, samt oro över Netgates majoritetsförvärv av pfSense och pfSense-projektets framtida inriktning. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Måste vara öppen källkod. +- Måste få regelbundna uppdateringar. +- Must support a wide variety of hardware. diff --git a/i18n/sv/search-engines.md b/i18n/sv/search-engines.md new file mode 100644 index 00000000..e4318c7e --- /dev/null +++ b/i18n/sv/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Sökmotorer" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! varning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +### Minimikrav + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/sv/tools.md b/i18n/sv/tools.md new file mode 100644 index 00000000..591fb521 --- /dev/null +++ b/i18n/sv/tools.md @@ -0,0 +1,477 @@ +--- +title: "Verktyg för integritet" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +Om du letar efter en specifik lösning på något är det här hård- och mjukvaruverktyg som vi rekommenderar i olika kategorier. Våra rekommenderade verktyg för integritetsskydd är i första hand valda utifrån säkerhetsfunktioner, med ytterligare betoning på decentraliserade verktyg och verktyg med öppen källkod. De kan tillämpas på en mängd olika hotmodeller, från skydd mot globala massövervakningsprogram och undvikande av stora teknikföretag till begränsning av attacker, men det är bara du som kan avgöra vad som fungerar bäst för dina behov. + +Om du vill ha hjälp med att hitta de bästa verktygen för sekretess och alternativa program för dina behov kan du starta en diskussion i vårt forum [](https://discuss.privacyguides.net/) eller i vår community [Matrix](https://matrix.to/#/#privacyguides:matrix.org)! + +Om du vill ha mer information om varje projekt, varför de valdes ut och ytterligare tips och tricks som vi rekommenderar, kan du klicka på länken "Läs mer" i varje avsnitt eller klicka på själva rekommendationen för att komma till det specifika avsnittet på sidan. + +## Tor-nätverket + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake ökar inte integriteten, men det gör det möjligt för dig att enkelt bidra till Tor-nätverket och hjälpa människor i censurerade nätverk att få bättre integritet. + +[Läs mer :material-arrow-right-drop-circle:](tor.md) + +## Webbläsare för skrivbordet + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Läs mer :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Ytterligare resurser + +
+ +- ![uBlock Origin-logotyp](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Läs mer :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Webbläsare för mobiler + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Läs mer :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Ytterligare resurser + +
+ +- ![AdGuard logotyp](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard för iOS](mobile-browsers.md#adguard) + +
+ +[Läs mer :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operativsystem + +### Mobil + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Läs mer :material-arrow-right-drop-circle:](android.md) + +#### Android-app + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Läs mer :material-arrow-right-drop-circle:](android.md#general-apps) + +### Skrivbord + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Läs mer :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![DivestOS logo](assets/img/android/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Läs mer :material-arrow-right-drop-circle:](router.md) + +## Tjänsteleverantörer + +### Molnlagring + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Läs mer :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Leverantörer + +Vi [rekommenderar](dns.md#recommended-providers) ett antal krypterade DNS-servrar utifrån olika kriterier, t.ex. [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) och [Quad9](https://quad9.net/). Vi rekommenderar att du läser våra sidor om DNS innan du väljer en leverantör. I många fall är det inte rekommenderat att använda en alternativ DNS-leverantör. + +[Läs mer :material-arrow-right-drop-circle:](dns.md) + +#### Krypterade DNS-proxyservrar + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![DivestOS logo](assets/img/android/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Läs mer :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Egenstyrda lösningar + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Läs mer :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### E-postadress + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmaildark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Läs mer :material-arrow-right-drop-circle:](email.md) + +#### E-postaliaseringstjänster + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Läs mer :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Självhanterande e-post + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Läs mer :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Läs mer :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Läs mer :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Sökmotorer + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Läs mer :material-arrow-right-drop-circle:](search-engines.md) + +### DNS Leverantörer + +??? vPN-tjänster kan inte ge anonymitet" + + En VPN kommer **inte** att hålla dina surfvanor anonyma, och inte heller kommer den att lägga till ytterligare säkerhet för icke-säker (HTTP) trafik. + + Om du är ute efter **anonymitet** bör du använda Tor Browser **i stället** för en VPN. + + Om du vill öka **säkerheten** bör du alltid se till att du ansluter till webbplatser med HTTPS. En VPN är inte en ersättning för goda säkerhetsrutiner. + + [Läs mer :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Läs mer :material-arrow-right-drop-circle:](vpn.md) + +## Programvara + +### Kalendersynkronisering + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Läs mer :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Läs mer :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Redigering av data och metadata + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Läs mer :material-arrow-right-drop-circle:](data-redaction.md) + +### E-postklienter + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP i standardwebmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Läs mer :material-arrow-right-drop-circle:](email-clients.md) + +### Programvara för kryptering + +??? info "Diskryptering av operativsystemet" + + För att kryptera din operativsystemenhet rekommenderar vi vanligtvis att du använder det krypteringsverktyg som operativsystemet tillhandahåller, oavsett om det är **BitLocker** i Windows, **FileVault** i macOS eller **LUKS** i Linux. Dessa verktyg ingår i operativsystemet och använder vanligtvis hårdvarukrypteringselement, t. ex. en TPM, som andra krypteringsprogram för hela hårddiskar, t. ex. VeraCrypt, inte gör. VeraCrypt lämpar sig fortfarande för diskar som inte är i driftssystemet, t. ex. externa enheter, särskilt enheter som kan nås från flera olika operativsystem. + + [Läs mer :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Läs mer :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP-klienter + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Läs mer :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### Fildelning och synkronisering + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Läs mer :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontend + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Läs mer :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Faktor Autentisering + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Läs mer :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### Nyhetsaggregatorer + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Läs mer :material-arrow-right-drop-circle:](news-aggregators.md) + +### Anteckningsböcker + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Läs mer :material-arrow-right-drop-circle:](notebooks.md) + +### Lösenordshanterare + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Läs mer :material-arrow-right-drop-circle:](passwords.md) + +### Produktivitetsverktyg + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Läs mer :material-arrow-right-drop-circle:](productivity.md) + +### Realtidskommunikation + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Läs mer :material-arrow-right-drop-circle:](real-time-communication.md) + +### Klienter för videoströmning + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Läs mer :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/sv/tor.md b/i18n/sv/tor.md new file mode 100644 index 00000000..173de64a --- /dev/null +++ b/i18n/sv/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor-nätverket" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! recommendation + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! fara + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ Om inbäddningen inte visas för dig, kontrollera att du inte blockerar tredjepartsramen från `torproject.org`. Du kan också besöka [denna sida] (https://snowflake.torproject.org/embed.html). + +Snowflake ökar inte din integritet på något sätt och används inte heller för att ansluta till Tor-nätverket i din webbläsare. Om din internetanslutning är ocensurerad bör du dock överväga att använda den för att hjälpa människor i censurerade nätverk att själva få bättre integritet. Det finns ingen anledning att oroa sig för vilka webbplatser människor kommer åt via din proxy - deras synliga IP-adress kommer att matcha deras Tor exit-nod, inte din. + +Att driva en Snowflake-proxy är en låg risk, till och med mer än att driva en Tor-relä eller en bro, som redan inte är särskilt riskfyllda verksamheter. Men det gör fortfarande proxy-trafik genom ditt nätverk som kan vara effektiva på vissa sätt, särskilt om ditt nätverk är bandbredd-begränsad. Se till att du förstår [hur Snowflake fungerar](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) innan du bestämmer dig för att köra en proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/sv/video-streaming.md b/i18n/sv/video-streaming.md new file mode 100644 index 00000000..9e53efdf --- /dev/null +++ b/i18n/sv/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Videouppspelning" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +Det främsta hotet när du använder en plattform för videostreaming är att dina streamingvanor och prenumerationslistor kan användas för att profilera dig. Du bör kombinera dessa verktyg med en [VPN](vpn.md) eller [Tor](https://www.torproject.org/) för att göra det svårare att profilera din användning. + +## LBRY + +!!! recommendation + + ![LBRY-logotyp](assets/img/video-streaming/lbry.svg){ align=right } + + **LBRY-nätverket** är ett decentraliserat nätverk för videodelning. Den använder ett [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-liknande nätverk för att lagra videoinnehållet och ett [blockchain](https://wikipedia.org/wiki/Blockchain) för att lagra indexen för dessa videor. Den största fördelen med denna design är censurmotstånd. + + **LBRY-klienten** hjälper dig att strömma videor från LBRY-nätverket och lagrar din prenumerationslista i din egen LBRY-plånbok. + + [:octicons-home-16: Startsida](https://cryptomator.org){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq/){ .card-link title=Dokumentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Källkod" } + [](/){ .card-link title=Contribute??? nedladdningar + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! anmärkning + + Endast **LBRY-klienten** rekommenderas, eftersom webbplatsen [Odysee](https://odysee.com) och LBRY-klienterna i F-Droid, Play Store och App Store har obligatorisk synkronisering och telemetri. + +!!! varning + + När du tittar på och är värd för videor är din IP-adress synlig för LBRY-nätverket. Överväg att använda en [VPN](vpn.md) eller [Tor](https://www.torproject.org) om din [hotmodell](basics/threat-modelling.md) kräver att du döljer din IP-adress. + +Vi rekommenderar **att inte** synkroniserar din plånbok med LBRY Inc. eftersom synkronisering av krypterade plånböcker inte stöds ännu. Om du synkroniserar din plånbok med LBRY Inc. du måste lita på att de inte tittar på din prenumerationslista, [LBC](https://lbry.com/faq/earn-credits) pengar, eller ta kontroll över din kanal. + +Du kan inaktivera *Spara värddata för att hjälpa LBRY-nätverket* alternativet i :gear: **Inställningar** → **Avancerade inställningar**, för att undvika att din IP-adress och dina videor exponeras när du använder LBRY under en längre tid. + +## Kriterier + +**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +!!! exempel "Det här avsnittet är nytt" + + Vi arbetar med att fastställa kriterier för varje del av vår webbplats, och detta kan komma att ändras. Om du har några frågor om våra kriterier, vänligen [fråga på vårt forum] (https://discuss.privacyguides.net/latest) och tro inte att vi inte har beaktat något när vi gjorde våra rekommendationer om det inte finns med här. Det finns många faktorer som beaktas och diskuteras när vi rekommenderar ett projekt, och att dokumentera varje enskild faktor är ett pågående arbete. + +- Får inte kräva ett centralt konto för att visa videor. + - Decentraliserad autentisering, t. ex. via en mobil plånboks privata nyckel, är acceptabel. diff --git a/i18n/sv/vpn.md b/i18n/sv/vpn.md new file mode 100644 index 00000000..2516951d --- /dev/null +++ b/i18n/sv/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! vPN-tjänster kan inte ge anonymitet" + + En VPN kommer **inte** att hålla dina surfvanor anonyma, och inte heller kommer den att lägga till ytterligare säkerhet för icke-säker (HTTP) trafik. + + Om du är ute efter **anonymitet** bör du använda Tor Browser **i stället** för en VPN. + + Om du vill öka **säkerheten** bör du alltid se till att du ansluter till webbplatser med HTTPS. En VPN är inte en ersättning för goda säkerhetsrutiner. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Kriterier + +!!! fara + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/tr/404.md b/i18n/tr/404.md new file mode 100644 index 00000000..85b0a9fb --- /dev/null +++ b/i18n/tr/404.md @@ -0,0 +1,19 @@ +--- +hide: + - geri bildirim +meta: + - + property: "robotlar" + content: "noindex, nofollow" +--- + +# 404 - Sayfa Bulunamadı + +Aradığınız sayfayı bulamadık! Belki de bunlardan birini arıyordunuz? + +- [Tehdit Modellemesine Giriş](basics/threat-modeling.md) +- [Önerilen DNS Sağlayıcıları](dns.md) +- [En İyi Masaüstü Web Tarayıcıları](desktop-browsers.md) +- [En İyi VPN Sağlayıcıları](vpn.md) +- [Privacy Guides Forumu](https://discuss.privacyguides.net) +- [Blog](https://blog.privacyguides.org) diff --git a/i18n/tr/CODE_OF_CONDUCT.md b/i18n/tr/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/tr/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/tr/about/criteria.md b/i18n/tr/about/criteria.md new file mode 100644 index 00000000..d1c6a707 --- /dev/null +++ b/i18n/tr/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: Genel Kriterler +--- + +!!! örnek "Devam Eden Çalışma" + + Aşağıdaki sayfa üzerinde çalışılmaktadır ve şu anda tavsiyelerimize ilişkin kriterlerin tamamını yansıtmamaktadır. Bu konuyla ilgili geçmiş tartışma: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Aşağıda Privacy Guides'a yapılan tüm başvurular için geçerli olması gereken bazı hususlar yer almaktadır. Her kategorinin dahil edilmesi için ek gereklilikler olacaktır. + +## Finansal Açıklama + +Belirli ürünleri tavsiye ederek para kazanmıyoruz, bağlı kuruluş bağlantıları kullanmıyoruz ve proje bağışçılarına özel bir değerlendirme sağlamıyoruz. + +## Genel Talimatlar + +Yeni önerileri değerlendirirken bu öncelikleri uygularız: + +- **Güvenli**: Araçlar, uygun olan her yerde en iyi güvenlik uygulamalarını takip etmelidir. +- **Kaynak Kullanılabilirliği**: Açık kaynak projeleri genellikle eşdeğer tescilli alternatiflere göre tercih edilir. +- **Çapraz Platform**: Satıcı kilitlenmesini önlemek için genellikle önerilerin çapraz platform olmasını tercih ederiz. +- **Aktif Gelişim**: Tavsiye ettiğimiz araçlar aktif olarak geliştirilmeli, çoğu durumda sürdürülmeyen projeler kaldırılacaktır. +- **Kullanılabilirlik**: Araçlar çoğu bilgisayar kullanıcısı için erişilebilir olmalı, aşırı teknik bir altyapı gerekmemelidir. +- **Belgelenmiş**: Araçlar, kullanım için açık ve kapsamlı belgelere sahip olmalıdır. + +## Geliştiricinin Kendi Gönderimleri + +Projelerini veya yazılımlarını değerlendirmeye göndermek isteyen geliştiriciler için bu gerekliliklere sahibiz. + +- Bağlılığınızı, yani sunulan projedeki pozisyonunuzu açıklamalısınız. + +- Mesajlaşma uygulaması, şifre yöneticisi, şifreli bulut depolama vb. gibi hassas bilgilerin işlenmesini içeren bir projeyse, bir güvenlik teknik incelemesine sahip olmalıdır. + - Üçüncü taraf denetim durumu. Bir tane varsa veya planladıysanız bilmek istiyoruz. Mümkünse lütfen denetimi kimin yapacağını belirtin. + +- Projenin mahremiyet konusunda masaya ne getirdiğini açıklamalıdır. + - Yeni bir sorunu çözüyor mu? + - Neden alternatifleri yerine bunu kullansınlar ki? + +- Projelerinde tam tehdit modelinin ne olduğunu belirtmelidir. + - Potansiyel kullanıcılar için projenin neleri sağlayabileceği ve neleri sağlayamayacağı açık olmalıdır. diff --git a/i18n/tr/about/donate.md b/i18n/tr/about/donate.md new file mode 100644 index 00000000..6f604134 --- /dev/null +++ b/i18n/tr/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Bizi Destekleyin +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +If you want to support us financially, the most convenient method for us is contributing via Open Collective, a website operated by our fiscal host. Open Collective accepts payments via credit/debit card, PayPal, and bank transfers. + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Privacy Guides is a **non-profit** organization. We use donations for a variety of purposes, including: + +**Domain Registrations** +: + +We have a few domain names like `privacyguides.org` which cost us around $10 yearly to maintain their registration. + +**Web Hosting** +: + +Traffic to this website uses hundreds of gigabytes of data per month, we use a variety of service providers to keep up with this traffic. + +**Online Services** +: + +We host [internet services](https://privacyguides.net) for testing and showcasing different privacy-products we like and [recommend](../tools.md). Some of which are made publicly available for our community's use (SearXNG, Tor, etc.), and some are provided for our team members (email, etc.). + +**Product Purchases** +: + +We occasionally purchase products and services for the purposes of testing our [recommended tools](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/tr/about/index.md b/i18n/tr/about/index.md new file mode 100644 index 00000000..ebbcd6e0 --- /dev/null +++ b/i18n/tr/about/index.md @@ -0,0 +1,102 @@ +--- +title: "Privacy Guides Hakkında" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. Tamamen gönüllü [ekip üyeleri](https://discuss.privacyguides.net/g/team) ve katkıda bulunanlar tarafından işletilen, kâr amacı gütmeyen bir kolektifiz. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Ekibimiz + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Ana Sayfa](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: E-posta](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: E-posta](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Ana Sayfa](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Ana Sayfa](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site Lisansı + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Aksi belirtilmedikçe, bu web sitesindeki orijinal içerik [Creative Commons Attribution-NoDerivatives 4.0 Uluslararası Kamu Lisansı](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE) altında kullanıma sunulmuştur. Bu, `Privacy Guides (www.privacyguides.org)` adresine uygun şekilde atıfta bulunduğunuz ve lisansa bir bağlantı verdiğiniz sürece, materyali ticari olarak bile herhangi bir amaçla herhangi bir ortamda veya formatta kopyalamakta ve yeniden dağıtmakta özgür olduğunuz anlamına gelir. Bunu herhangi bir makul bir şekilde yapabilirsiniz, ancak Gizlilik Kılavuzları (Privacy Guides) sizi veya kullanımınızı onayladığı hiçbir şekilde değil. Bu web sitesinin içeriğini yeniden düzenler, dönüştürür veya oluşturursanız, değiştirilen materyali dağıtamazsınız. + +Bu lisans; insanların, çalışmalarımızı uygun şekilde kredi vermeden paylaşmalarını ve çalışmalarımızı insanları yanlış yönlendirmek için kullanılabilecek şekilde değiştirmelerini önlemek için mevcuttur. Bu lisansın koşullarını üzerinde çalıştığınız proje için çok kısıtlayıcı buluyorsanız, lütfen `jonah@privacyguides.org`adresinden bize ulaşın. Gizlilik alanındaki iyi niyetli projeler için alternatif lisanslama seçenekleri sunmaktan mutluluk duyuyoruz! diff --git a/i18n/tr/about/notices.md b/i18n/tr/about/notices.md new file mode 100644 index 00000000..0b61404d --- /dev/null +++ b/i18n/tr/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Yasal Sorumluluk Reddi + +Privacy Guides bir hukuk firması değildir. Bu bakımdan, Privacy Guides sitesi ve katkıda bulunanları yasal tavsiye vermemektedir. Web sitemizdeki ve rehberlerdeki içerik ve tavsiyeler yasal tavsiye teşkil etmemekte olduğu gibi siteye katkıda bulunmak veya Privacy Guides ile ya da diğer katkıda bulunanlarla sitemiz hakkında iletişime geçmek avukat-müvekkil ilişkisi sağlamamaktadır. + +Bu siteyi yönetmek, diğer herhangi bir insan gayreti gibi, belirsizlikler ve ödünler içermektedir. Bu web sitenin yardım etmesini umarız, ancak hatalar içerebilir ve her duruma çözüm olmayabilir. Durumunuz hakkında bir sorunuz varsa, kendi araştırmanızı yapmanızı, başka uzmanlara ulaşmanızı ve Privacy Guides topluluğu ile tartışmanızı teşvik ediyoruz. Eğer herhangi bir yasal sorunuz varsa, ilerlemeden önce kendi yasal danışmanınıza başvurmalısınız. + +Gizlilik Kılavuzları (Privacy Guides), web sitesinin ve katkıda bulunanların korunması için Gizlilik Kılavuzları Projesi (Privacy Guides Project) ve web sitesinin garanti olmadan sunulduğunu açıkça ortaya koyan şartları içeren lisanslara katkıda bulunan açık kaynaklı bir projedir. Web sitesini kullanmaktan veya dahil edilen herhangi bir öneriyi kullanmaktan kaynaklanan zararlar için sorumluluk kabul etmez. Gizlilik Kılavuzları (Privacy Guides), web sitesinde veya bu sitede bağlantılı herhangi bir üçüncü taraf sitede bu tür materyallerle ilgili olarak materyallerin kullanımının doğruluğunu, olası sonuçları veya güvenilirliği ile ilgili herhangi bir beyanda bulunmaz. + +Gizlilik kılavuzları (Privacy Guides) ek olarak, bu web sitesinin sürekli olarak kullanılabilir veya hiç kullanılabilir olacağını garanti etmez. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Bu, yerini alan bir lisansın aksi belirtildiği bu depoya veya koda yerleştirilmiş üçüncü taraf kodu içermez. Aşağıdakiler dikkate değer örneklerdir, ancak bu liste her şey dahil olmayabilir: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Bu, Creative Commons Attribution-Noderivatives 4.0 International Public License metninde belirtilen şartlara göre, bu depodaki insan tarafından okunabilir içeriği kendi projeniz için kullanabileceğiniz anlamına gelir. Bunu herhangi bir makul bir şekilde yapabilirsiniz, ancak Gizlilik Kılavuzları (Privacy Guides) sizi veya kullanımınızı onayladığı hiçbir şekilde değil. Gizlilik Kılavuzları (Privacy Guides) markasını bu projeden açık bir onay almadan kendi projenizde **kullanamazsınız**. Gizlilik Kılavuzları'nın (Privacy Guides) marka ticari markaları arasında "Gizlilik Kılavuzları (Privacy Guides)" kelime işaretleri ve zırh (shield) logosu yer alıyor. + +Üçüncü taraf sağlayıcılardan elde edilen `varlıklardaki` logoların ve diğer görüntülerin ya kamu malı ya da **adil kullanımda** olduğuna inanıyoruz. Özetle, yasal [adil kullanım doktrini](https://www.copyright.gov/fair-use/more-info.html), konuyu kamuoyu yorumu amacıyla tanımlamak için telif hakkıyla korunan görüntülerin kullanılmasına izin verir. Bununla birlikte, bu logolar ve diğer görüntüler yine de bir veya daha fazla yargı alanında ticari marka yasalarına tabi olabilir. Bu içeriği kullanmadan önce, lütfen ticari markanın sahibi olan varlığı veya kuruluşu tanımlamak için kullanıldığından ve bunu amaçladığınız kullanım koşullarında geçerli olan yasalar uyarınca kullanma hakkına sahip olduğunuzdan emin olun. *Bu web sitesinden içerik kopyalarken, başka birinin ticari markasını veya telif hakkını ihlal etmediğinizden yalnızca siz sorumlusunuz.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Kabul Edilebilir Kullanım + +Bu web sitesini, web sitesine zarar verecek veya bunlara zarar verebilecek veya Gizlilik Kılavuzları'nın (Privacy Guides) mevcudiyetinin veya erişilebilirliğine veya yasadışı, yasadışı, hileli, zararlı veya herhangi bir yasadışı, yasadışı, bağlantılı olarak, hileli, zararlı amaç, zararlı faaliyet veya herhangi bir şekilde kullanılabilirliğine neden olabilecek hiçbir şekilde kullanamazsınız. + +Aşağıdakiler de dahil olmak üzere, bu web sitesinde veya bu web sitesine göre herhangi bir sistematik veya otomatik veri toplama faaliyeti gerçekleştirmemelisiniz: + +* Agresif Otomatik Taramalar +* Hizmet Reddi Saldırıları (DOS, DDOS) +* Kazıma (Scraping) +* Veri Madenciliği (Data Mining) +* Çerçeveleme (Framing, IFrames) + +--- + +*Bu bildirimin kendisi [opensource.guide'den](https://github.com/github/opensource.guide/blob/master/notices.md) Github'da kabul edildi. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/tr/about/privacy-policy.md b/i18n/tr/about/privacy-policy.md new file mode 100644 index 00000000..eaa58ef5 --- /dev/null +++ b/i18n/tr/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Gizlilik Politikası" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/tr/about/privacytools.md b/i18n/tr/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/tr/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/tr/about/services.md b/i18n/tr/about/services.md new file mode 100644 index 00000000..fcb67a15 --- /dev/null +++ b/i18n/tr/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Hizmetleri + +Özellikleri test etmek ve tek bir merkeze bağlı olmayan, federe ve/veya açık kaynaklı projeleri tanıtmak için bir dizi web hizmeti yürütüyoruz. Bu hizmetlerin birçoğu kamuya açıktır ve aşağıda ayrıntılı olarak açıklanmıştır. + +[:material-comment-alert: Bir sorunu bildirin](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Kullanılabilirlik: Halka açık +- Kaynak: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Kullanılabilirlik: Yalnızca Davetliler + *Privacy Guides* ile ilgili geliştirme veya içerik üzerinde çalışan herhangi bir ekibe talep üzerine erişim verilebilir. +- Kaynak: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Kullanılabilirlik: Yalnızca Davetliler + Erişim, talep üzerine Gizlilik Kılavuzları ekip üyelerine, Matrix moderatörlerine, üçüncü taraf Matrix topluluk yöneticilerine, Matrix bot operatörlerine ve güvenilir bir Matrix varlığına ihtiyaç duyan diğer kişilere verilebilir. +- Kaynak: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Kullanılabilirlik: Halka açık +- Kaynak: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/tr/about/statistics.md b/i18n/tr/about/statistics.md new file mode 100644 index 00000000..7bc644bf --- /dev/null +++ b/i18n/tr/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Trafik İstatistikleri +--- + +## Web Sitesi İstatistikleri + + +
İstatistikler Plausible Analytics tarafından desteklenmektedir
+ + + + +## Blog İstatistikleri + + +
İstatistikler Plausible Analytics tarafından desteklenmektedir
+ + + diff --git a/i18n/tr/advanced/communication-network-types.md b/i18n/tr/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/tr/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/tr/advanced/dns-overview.md b/i18n/tr/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/tr/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/tr/advanced/payments.md b/i18n/tr/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/tr/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/tr/advanced/tor-overview.md b/i18n/tr/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/tr/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/tr/android.md b/i18n/tr/android.md new file mode 100644 index 00000000..2c9daa50 --- /dev/null +++ b/i18n/tr/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! öneri + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! öneri + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! öneri + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! öneri + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! öneri + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! öneri + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! öneri + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! öneri + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/tr/assets/img/account-deletion/exposed_passwords.png b/i18n/tr/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/tr/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/tr/assets/img/android/rss-apk-dark.png b/i18n/tr/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/tr/assets/img/android/rss-apk-light.png b/i18n/tr/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-apk-light.png differ diff --git a/i18n/tr/assets/img/android/rss-changes-dark.png b/i18n/tr/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/tr/assets/img/android/rss-changes-light.png b/i18n/tr/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/tr/assets/img/android/rss-changes-light.png differ diff --git a/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-encryption.svg b/i18n/tr/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg b/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/how-tor-works/tor-path.svg b/i18n/tr/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/tr/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/tr/assets/img/multi-factor-authentication/fido.png b/i18n/tr/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/tr/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/tr/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/tr/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/tr/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/tr/basics/account-creation.md b/i18n/tr/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/tr/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/tr/basics/account-deletion.md b/i18n/tr/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/tr/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/tr/basics/common-misconceptions.md b/i18n/tr/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/tr/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/tr/basics/common-threats.md b/i18n/tr/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/tr/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/tr/basics/email-security.md b/i18n/tr/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/tr/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/tr/basics/multi-factor-authentication.md b/i18n/tr/basics/multi-factor-authentication.md new file mode 100644 index 00000000..bcf5ceb5 --- /dev/null +++ b/i18n/tr/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## Genel Öneriler + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/tr/basics/passwords-overview.md b/i18n/tr/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/tr/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/tr/basics/threat-modeling.md b/i18n/tr/basics/threat-modeling.md new file mode 100644 index 00000000..a35b694c --- /dev/null +++ b/i18n/tr/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Tehdit Modellemesi" +icon: 'material/target-account' +description: Gizlilik yolculuğunuzda yüzleşeceğiniz ilk ve en zorlu görev; güvenliği, gizliliği ve kullanılabilirliği dengeleyebilmektir. +--- + +Gizlilik yolculuğunuzda yüzleşeceğiniz ilk ve en zorlu görev; güvenliği, gizliliği ve kullanılabilirliği dengeleyebilmektir. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. Bu yüzden tehdit modelleri önemlidir. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +Bir “varlık” değer verdiğiniz ve korumak istediğiniz bir şeydir. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Listeniz bireyleri, bir devlet kurumunu veya şirketleri içerebilir.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +Ne olabileceği ile olma olasılığı arasında ayrım yapmak önemlidir. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. Açık bir Wi - Fi ağındaki bir bilgisayar korsanı şifrelenmemiş iletişimlerinize erişebilir. Hükümetinizin daha güçlü yetenekleri olabilir. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Kaynaklar + +- [EFF Surveillance Self Defense: Güvenlik Planınız](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/tr/basics/vpn-overview.md b/i18n/tr/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/tr/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/tr/calendar.md b/i18n/tr/calendar.md new file mode 100644 index 00000000..24929326 --- /dev/null +++ b/i18n/tr/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! öneri + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! öneri + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/tr/cloud.md b/i18n/tr/cloud.md new file mode 100644 index 00000000..57919c82 --- /dev/null +++ b/i18n/tr/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! öneri + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! öneri + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/tr/cryptocurrency.md b/i18n/tr/cryptocurrency.md new file mode 100644 index 00000000..bb268f7a --- /dev/null +++ b/i18n/tr/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! öneri + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/tr/data-redaction.md b/i18n/tr/data-redaction.md new file mode 100644 index 00000000..bbb28647 --- /dev/null +++ b/i18n/tr/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! öneri + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! öneri + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! öneri + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! öneri + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! öneri + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/tr/desktop-browsers.md b/i18n/tr/desktop-browsers.md new file mode 100644 index 00000000..8e7e7a47 --- /dev/null +++ b/i18n/tr/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Masaüstü Tarayıcıları" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +Bunlar, standart/anonim olmayan gezinti için şu anda önerilen masaüstü web tarayıcılarımız ve yapılandırmalarımızdır. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +İnternette anonim olarak gezinmeniz gerekiyorsa, bunun yerine [Tor](tor.md) kullanmalısınız. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! öneri + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! öneri + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! öneri + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! öneri + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/tr/desktop.md b/i18n/tr/desktop.md new file mode 100644 index 00000000..79666c71 --- /dev/null +++ b/i18n/tr/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! öneri + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! öneri + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! öneri + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! öneri + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! öneri + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! öneri + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! öneri + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! öneri + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/tr/dns.md b/i18n/tr/dns.md new file mode 100644 index 00000000..318dc5cb --- /dev/null +++ b/i18n/tr/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS Çözümleyicileri" +icon: material/dns +description: Bunlar, İSS'nizin varsayılan yapılandırmasını değiştirmek için geçiş yapmanızı önerdiğimiz bazı şifreli DNS sağlayıcılarıdır. +--- + +Üçüncü taraf sunucularla şifrelenmiş DNS, yalnızca herhangi bir sonucu olmayacağından emin olduğunuzda temel [DNS Engellemesini](https://en.wikipedia.org/wiki/DNS_blocking) aşmak için kullanılmalıdır. Şifrelenmiş DNS internet faaliyetlerinizi gizlemenize yardımcı olmaz. + +[DNS hakkında daha fazla bilgi edinin :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Önerilen Sağlayıcılar + +| DNS Sağlayıcısı | Gizlilik Politikası | Protokoller | Günlük kaydı | ECS | Filtreleme | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Bazı[^1] | Hayır | Sunucu seçimine göre. Kullanılan filtre listesine buradan ulaşabilirsiniz. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Bazı[^2] | Hayır | Sunucu seçimine göre. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | İsteğe bağlı[^3] | Hayır | Sunucu seçimine göre. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Hayır[^4] | Hayır | Sunucu seçimine göre. Kullanılan filtre listesine buradan ulaşabilirsiniz. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | İsteğe bağlı[^5] | İsteğe bağlı | Sunucu seçimine göre. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Bazı[^6] | İsteğe bağlı | Sunucu seçimine bağlı olarak, Malware varsayılan olarak engellenir. | + +## Kriterler + +**Lütfen önerdiğimiz projelerin hiçbirine bağlı olmadığımızı unutmayın.** [standart kriterlerimize](about/criteria.md)ek olarak, objektif tavsiyelerde bulunabilmemiz için bir dizi gereklilik geliştirdik. Bir projeyi kullanmayı seçmeden önce bu listeye aşina olmanızı ve sizin için doğru seçim olduğundan emin olmak için kendi araştırmanızı yapmanızı öneririz. + +!!! örnek "Bu bölüm yenidir" + + Sitemizin her bölümü için tanımlanmış kriterler oluşturmaya çalışıyoruz ve bu değişebilir. Kriterlerimizle ilgili herhangi bir sorunuz varsa, lütfen [forumumuzda sorun](https://discuss.privacyguides.net/latest) ve burada listelenmemişse, önerilerimizi yaparken dikkate almadığımızı düşünmeyin. Bir projeyi önerdiğimizde dikkate alınan ve tartışılan birçok faktör vardır ve her birini belgelemek devam eden bir çalışmadır. + +- [DNSSEC](advanced/dns-overview.md#what-is-dnssec) desteklemelidir. +- [QNAME Minimizasyonu](advanced/dns-overview.md#what-is-qname-minimization). +- [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) adresinin devre dışı bırakılmasına izin verilmelidir. +- [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) desteği veya coğrafi yönlendirme desteği tercih edilmelidir. + +## İşletim Sistemi Desteği + +### Android + +Android 9 ve üstü, TLS üzerinden DNS'yi destekler. Ayarlar şurada bulunabilir: **Ayarlar** → **Ağ & İnternet** → **Özel DNS**. + +### Apple Cihazları + +iOS, iPadOS, tvOS ve macOS'in en son sürümleri hem DoT hem de DoH'yi desteklemektedir. Her iki protokol de [yapılandırma profilleri](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) veya [DNS Ayarları API'si](https://developer.apple.com/documentation/networkextension/dns_settings)aracılığıyla doğal olarak desteklenmektedir. + +Bir yapılandırma profili veya DNS Ayarları API'sini kullanan bir uygulama yüklendikten sonra DNS yapılandırması seçilebilir. Bir VPN etkinse, VPN tüneli içindeki çözünürlük, sistem genelindeki ayarlarınızı değil VPN'in DNS ayarlarını kullanacaktır. + +#### İmzalı Profiller + +Apple şifrelenmiş DNS profilleri oluşturmak için yerel bir arayüz sağlamaz. [Güvenli DNS profil oluşturucu](https://dns.notjakob.com/tool.html) kendi şifreli DNS profillerinizi oluşturmak için resmi olmayan bir araçtır, ancak bunlar imzalanmayacaktır. İmzalanmış profiller tercih edilir; imzalama profilin kaynağını doğrular ve profillerin bütünlüğünü sağlamaya yardımcı olur. İmzalanmış yapılandırma profillerine yeşil bir "Doğrulandı" etiketi verilir. Kod imzalama hakkında daha fazla bilgi için bkz. [Kod İmzalama Hakkında](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **İmzalı profiller** [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io)ve [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/)tarafından sunulmaktadır. + +!!! bilgi + + Birçok Linux dağıtımının DNS aramalarını yapmak için kullandığı `systemd-resolved` henüz [DoH'u desteklemiyor] (https://github.com/systemd/systemd/issues/8639). DoH kullanmak istiyorsanız, sistem çözümleyicinizden tüm DNS sorgularını almak ve HTTPS üzerinden iletmek için [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) gibi bir proxy yüklemeniz ve [yapılandırmanız] (https://wiki.archlinux.org/title/Dnscrypt-proxy) gerekir. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! öneri + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! öneri + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! öneri + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! öneri + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/tr/email-clients.md b/i18n/tr/email-clients.md new file mode 100644 index 00000000..18831df4 --- /dev/null +++ b/i18n/tr/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! öneri + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! öneri + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! öneri + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! öneri + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! öneri + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! öneri + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! öneri + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! öneri + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! öneri + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/tr/email.md b/i18n/tr/email.md new file mode 100644 index 00000000..e0d0c0a9 --- /dev/null +++ b/i18n/tr/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! öneri + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! öneri + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! öneri + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! öneri + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! öneri + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! öneri + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! öneri + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! öneri + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/tr/encryption.md b/i18n/tr/encryption.md new file mode 100644 index 00000000..b12cdc8b --- /dev/null +++ b/i18n/tr/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! öneri + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! öneri + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! öneri + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! öneri + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! öneri + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! öneri + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! öneri + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! öneri + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! öneri + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! öneri + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! öneri + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! öneri + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! öneri + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/tr/file-sharing.md b/i18n/tr/file-sharing.md new file mode 100644 index 00000000..90cd02f9 --- /dev/null +++ b/i18n/tr/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! öneri + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! öneri + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! öneri + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! öneri + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! öneri + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/tr/financial-services.md b/i18n/tr/financial-services.md new file mode 100644 index 00000000..6b6b5e7c --- /dev/null +++ b/i18n/tr/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! öneri + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! öneri + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! öneri + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! öneri + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/tr/frontends.md b/i18n/tr/frontends.md new file mode 100644 index 00000000..4fea69e5 --- /dev/null +++ b/i18n/tr/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! öneri + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! öneri + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! öneri + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! öneri + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! öneri + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! öneri + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! öneri açıklaması + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! öneri + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! öneri + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/tr/index.md b/i18n/tr/index.md new file mode 100644 index 00000000..25f5d4ad --- /dev/null +++ b/i18n/tr/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.tr.html +hide: + - navigation + - toc + - geri bildirim +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Neden önemsemeliyim? + +##### "Saklayacak bir şeyim yok. Mahremiyetimi neden önemseyeyim ki?" + +Tıpkı ırklar arası evlilik hakkı, kadınların oy hakkı, ifade özgürlüğü ve diğer pek çok hak gibi, mahremiyet hakkımız da her zaman desteklenmemiştir. Birçok diktatörlükte hala desteklenmiyor. Bizden önceki nesiller mahremiyet hakkımız için savaştı. ==Mahremiyet, hepimizin doğasında var olan ve sahip olmamız gereken bir insan hakkıdır. + +Mahremiyet ile gizliliği birbirine karıştırmamalısınız. Banyoda ne olduğunu biliyoruz ama yine de kapıyı kapatıyoruz. Çünkü gizlilik değil, mahremiyet istiyorsunuz. **Herkesin** koruyacak bir şeyi vardır. Mahremiyet bizi insan yapan bir şeydir. + +[:material-target-account: Yaygın İnternet Tehditleri](basics/common-threats.md ""){.md-button.md-button--primary} + +## Ne yapmalıyım? + +##### Öncelikle bir plan yapmalısınız + +Tüm verilerinizi her zaman herkesten korumaya çalışmak pratik değildir, pahalıdır ve yorucudur. Ama endişelenmeyin! Güvenlik bir süreçtir ve ileriyi düşünerek sizin için doğru olan bir plan oluşturabilirsiniz. Güvenlik sadece kullandığınız araçlar veya indirdiğiniz yazılımlarla ilgili değildir. Aksine, karşılaştığınız benzersiz tehditleri ve bunları nasıl azaltabileceğinizi anlayarakle ilgilidir. + +==Tehditleri belirleme ve karşı önlemleri tanımlama sürecine **tehdit modelleme**== denir ve her iyi güvenlik ve gizlilik planının temelini oluşturur. + +[:material-book-outline: Tehdit Modellemesi Hakkında Daha Fazla Bilgi Edinin](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Sana ihtiyacımız var! Nasıl dahil olabilirsiniz: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Forumumuza Katılın" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Bizi Mastodon'da takip edin" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Bu web sitesine katkıda bulunun" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Bu web sitesini çevirmeye yardımcı olun" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Matrix'te bizimle sohbet edin" } +[:material-information-outline:](about/index.md){ title="Hakkımızda daha fazla bilgi edinin" } +[:material-hand-coin-outline:](about/donate.md){ title="Projeyi destekleyin" } + +Privacy Guides gibi bir web sitesinin her zaman güncel kalması önemlidir. Hedef kitlemizin sitemizde listelenen uygulamalar için yazılım güncellemelerini takip etmesine ve önerdiğimiz sağlayıcılarla ilgili son haberleri izlemesine ihtiyacımız var. İnternetin hızlı temposuna ayak uydurmak zor, ancak elimizden gelenin en iyisini yapmaya çalışıyoruz. Bir hata tespit ederseniz, bir sağlayıcının listelenmemesi gerektiğini düşünürseniz, nitelikli bir sağlayıcının eksik olduğunu fark ederseniz, bir tarayıcı eklentisinin artık en iyi seçenek olmadığını düşünürseniz veya başka bir sorunu ortaya çıkarırsanız, lütfen bize bildirin. diff --git a/i18n/tr/kb-archive.md b/i18n/tr/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/tr/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/tr/meta/brand.md b/i18n/tr/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/tr/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/tr/meta/git-recommendations.md b/i18n/tr/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/tr/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/tr/meta/uploading-images.md b/i18n/tr/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/tr/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/tr/meta/writing-style.md b/i18n/tr/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/tr/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/tr/mobile-browsers.md b/i18n/tr/mobile-browsers.md new file mode 100644 index 00000000..72681d00 --- /dev/null +++ b/i18n/tr/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. İnternette anonim olarak gezinmeniz gerekiyorsa, bunun yerine [Tor](tor.md) kullanmalısınız. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! öneri + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! öneri + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! öneri + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/tr/multi-factor-authentication.md b/i18n/tr/multi-factor-authentication.md new file mode 100644 index 00000000..d2f857fd --- /dev/null +++ b/i18n/tr/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! öneri + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! öneri + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! öneri + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! öneri + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/tr/news-aggregators.md b/i18n/tr/news-aggregators.md new file mode 100644 index 00000000..ad937431 --- /dev/null +++ b/i18n/tr/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! öneri + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! öneri + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! öneri + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! öneri + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! öneri + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! öneri + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! öneri + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/tr/notebooks.md b/i18n/tr/notebooks.md new file mode 100644 index 00000000..270be0ef --- /dev/null +++ b/i18n/tr/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! öneri + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! öneri + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! öneri + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! öneri + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/tr/os/android-overview.md b/i18n/tr/os/android-overview.md new file mode 100644 index 00000000..a78631a2 --- /dev/null +++ b/i18n/tr/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/tr/os/linux-overview.md b/i18n/tr/os/linux-overview.md new file mode 100644 index 00000000..a02e10a8 --- /dev/null +++ b/i18n/tr/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## Genel Öneriler + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/tr/os/qubes-overview.md b/i18n/tr/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/tr/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/tr/passwords.md b/i18n/tr/passwords.md new file mode 100644 index 00000000..0900e9ae --- /dev/null +++ b/i18n/tr/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! öneri + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! öneri + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! öneri + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! öneri + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! öneri + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! öneri + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! öneri + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/tr/productivity.md b/i18n/tr/productivity.md new file mode 100644 index 00000000..85315429 --- /dev/null +++ b/i18n/tr/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! öneri + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! öneri + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! öneri + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! öneri + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! öneri + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/tr/real-time-communication.md b/i18n/tr/real-time-communication.md new file mode 100644 index 00000000..cabf9f4d --- /dev/null +++ b/i18n/tr/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Gerçek Zamanlı İletişim" +icon: material/chat-processing +description: Diğer anlık mesajlaşma uygulamaları, tüm özel konuşmalarınızı kendilerini işleten şirketin kullanımına sunuyor. +--- + +Bunlar, şifrelenmiş gerçek zamanlı iletişim için önerilerimizdir. + +[İletişim Ağı Türleri :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Şifrelenmiş Mesajlaşma Uygulamaları + +Bu mesajlaşma uygulamaları hassas iletişimlerinizi güvence altına almak için harikadır. + +### Signal + +!!! öneri + + ![Signal logosu](assets/img/messengers/signal.svg){ align=right } + + **Signal**, Signal Messenger LLC tarafından geliştirilen bir mobil uygulamadır. Uygulama anlık mesajlaşmanın yanı sıra sesli ve görüntülü arama da sağlıyor. + + Tüm iletişimler uçtan uca şifrelemeye sahiptir. Kişileriniz Signal PIN'iniz kullanılarak şifrelenir ve sunucunun bunlara erişimi yoktur. Profiller de şifrelenir ve yalnızca sohbet ettiğiniz kişilerle paylaşılır. + + [:octicons-home-16: Ana Sayfa](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Gizlilik Politikası" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Dokümantasyon} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Kaynak Kodu" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title="Katkıda Bulun" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal [özel grupları](https://signal.org/blog/signal-private-group-system/) destekler. Sunucuda grup üyeliklerinizin, grup adlarınızın, grup fotoğraflarınızın veya grup özelliklerinizin kaydı yoktur. [Gizli Gönderici](https://signal.org/blog/sealed-sender/) etkinleştirildiğinde Signal, en aza indirgenmiş metadata'ya sahiptir. Gönderenin adresi mesajla birlikte şifrelenir ve sunucu tarafından yalnızca alıcı adresi görülebilir. Gizli Gönderici varsayılan olarak yalnızca kişileriniz için etkindir ancak spam alma riskini arttırmakla beraber tüm alıcılar için etkinleştirilebilir. Signal, kişisel tanımlayıcı olarak telefon numaranızı gerektirir. + +Protokol 2016 yılında bağımsız olarak [denetlenmiştir](https://eprint.iacr.org/2016/1013.pdf). Signal protokolünün özellikleri [dokümantasyonunda](https://signal.org/docs/) bulunabilir. + +Signal kurulumunuzu yapılandırma ve sağlamlaştırma konusunda bazı ek ipuçlarımız var: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! öneri + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! öneri + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! öneri + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! öneri + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/tr/router.md b/i18n/tr/router.md new file mode 100644 index 00000000..9212dc02 --- /dev/null +++ b/i18n/tr/router.md @@ -0,0 +1,48 @@ +--- +title: "Yönlendirici Yazılımı" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Aşağıda; yönlendiricilerde, Wi-Fi erişim noktalarında vb. kullanılabilecek birkaç alternatif işletim sistemi bulunmaktadır. + +## OpenWrt + +!!! öneri + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** Linux kernelini temel alan, gömülü cihazlarda ağ trafiğini yönlendirmek için kullanılan bir işletim sistemidir. (Gömülü bir işletim sistemi de denebilir.). Ana bileşenler Linux kerneli, util - linux, uClibc ve BusyBox'tur. Tüm bileşenler, ev yönlendiricilerinde bulunan sınırlı depolama ve belleğe sığacak kadar küçük olacak şekilde optimize edilmiştir. + + [:octicons-home-16: Anasayfa](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +Cihazınızın desteklenip desteklenmediğini kontrol etmek için OpenWrt'nin [donanım tablosuna](https://openwrt.org/toh/start) başvurabilirsiniz. + +## pfSense + +!!! öneri + + ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense; FreeBSD tabanlı, açık kaynak kodlu bir güvenlik duvarı/yönlendirici programıdır. Bir ağ için özel bir güvenlik duvarı/yönlendirici yapmak üzere bir bilgisayara kurulmuştur ve güvenilirliği, genellikle, sadece pahalı ticari güvenlik duvarlarında bulunan özellikler sunmasıyla bilinir. + + pfSense genellikle çevre güvenlik duvarı, yönlendirici, kablosuz erişim noktası, DHCP sunucusu, DNS sunucusu ve VPN noktası olarak dağıtılır. + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/tr/search-engines.md b/i18n/tr/search-engines.md new file mode 100644 index 00000000..72087382 --- /dev/null +++ b/i18n/tr/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! öneri + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! öneri + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! öneri + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! öneri + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/tr/tools.md b/i18n/tr/tools.md new file mode 100644 index 00000000..54c45a41 --- /dev/null +++ b/i18n/tr/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Yönlendirici Yazılımı + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? "VPN'ler anonimlik sağlamaz" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/tr/tor.md b/i18n/tr/tor.md new file mode 100644 index 00000000..78b374b1 --- /dev/null +++ b/i18n/tr/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Tarayıcı + +!!! öneri + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! öneri + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! öneri + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/tr/video-streaming.md b/i18n/tr/video-streaming.md new file mode 100644 index 00000000..47795ce2 --- /dev/null +++ b/i18n/tr/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! öneri + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/tr/vpn.md b/i18n/tr/vpn.md new file mode 100644 index 00000000..bf3851d3 --- /dev/null +++ b/i18n/tr/vpn.md @@ -0,0 +1,309 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! "VPN'ler anonimlik sağlamaz" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Tor'u İndir](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Önerilen Sağlayıcılar + +Önerdiğimiz sağlayıcılar şifreleme kullanır, Monero kabul eder, WireGuard & OpenVPN'i destekler ve kayıt tutmama politikasına sahiptir. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! öneri + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. + + Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz. + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). +{ .annotate } + +1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! öneri + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. Size en yakın sunucuya sahip bir VPN sağlayıcısı seçmek, gönderdiğiniz ağ trafiğinin gecikme süresini azaltacaktır. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). + + Ayrıca VPN sağlayıcısının özel anahtarlarının güvenliği için [sanal özel sunucular](https://en.wikipedia.org/wiki/Virtual_private_server) gibi daha ucuz paylaşımlı çözümler (diğer müşterilerle) yerine [özel sunucular](https://en.wikipedia.org/wiki/Dedicated_hosting_service) kullanmasının daha iyi olduğunu düşünüyoruz. downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). +{ .annotate } + +1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! öneri açıklaması + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + **Proton VPN**, VPN alanında güçlü bir rakiptir ve 2016'dan beri faaliyet göstermektedir. İsviçre merkezli Proton AG, sınırlı bir ücretsiz versiyonun yanı sıra daha özellikli bir premium seçenek de sunuyor. + + **Ücretsiz** - **Plus Plan USD $71,88/yıl** (1) + + [:octicons-home-16: Ana sayfa](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Gizlilik Politikası" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Dokümantasyon} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Kaynak Kodu" } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. Bunun nedeni hedefe giden rotanın daha kısa olmasıdır (daha az atlama). +{ .annotate } + +1. 2 yıllık abonelikle (119,76 $) %10 daha indirimli. + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Ocak 2020 itibarıyla Proton VPN, SEC Consult tarafından bağımsız bir denetimden geçmiştir. SEC Consult, Proton VPN'in Windows, Android ve iOS uygulamalarında bazı orta ve düşük riskli güvenlik açıklarını buldu ve bunların tümü raporlar yayınlanmadan önce Proton VPN tarafından "uygun şekilde düzeltildi". Tespit edilen sorunların hiçbiri bir saldırganın cihazınıza veya trafiğinize uzaktan erişim sağlamasına neden olmaz. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/uk/404.md b/i18n/uk/404.md new file mode 100644 index 00000000..f5c05a84 --- /dev/null +++ b/i18n/uk/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Не знайдено + +Ми не можемо знайти сторінку, яку ви шукали! Можливо, ви шукали щось подібне? + +- [Вступ до моделювання загроз](basics/threat-modeling.md) +- [Рекомендовані DNS-провайдери](dns.md) +- [Найкращі веб-браузери для ПК](desktop-browsers.md) +- [Найкращі VPN-провайдери](vpn.md) +- [Форум Privacy Guides](https://discuss.privacyguides.net) +- [Наш блог](https://blog.privacyguides.org) diff --git a/i18n/uk/CODE_OF_CONDUCT.md b/i18n/uk/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/uk/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/uk/about/criteria.md b/i18n/uk/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/uk/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/uk/about/donate.md b/i18n/uk/about/donate.md new file mode 100644 index 00000000..1f9ca2a2 --- /dev/null +++ b/i18n/uk/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Підтримайте нас +--- + + +Підтримка актуальності Privacy Guides та поширення інформації про конфіденційність і глобальне спостереження, потребує багато [людей](https://github.com/privacyguides/privacyguides.org/graphs/contributors) та [праці](https://github.com/privacyguides/privacyguides.org/pulse/monthly). Якщо вам подобається те, що ми робимо, спробуйте долучитися: [редагуйте сайт](https://github.com/privacyguides/privacyguides.org) або [робіть переклади](https://crowdin.com/project/privacyguides). + +Якщо ви хочете надати нам фінансову підтримку, найзручніший для нас спосіб - це зробити внесок через Open Collective, вебсайт, під керівництвом нашого фіскального хостингу. Open Collective приймає платежі за допомогою кредитної/дебетової картки, PayPal, та банківські перекази. + +[Зробити внесок на OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Пожертвування, зроблені безпосередньо на наш Open Collective, як правило, не оподатковуються в США, оскільки наш фінансовий організатор (Open Collective Foundation) є зареєстрованою організацією 501(c) 3. Після пожертвування ви отримаєте квитанцію від Open Collective Foundation. Privacy Guides не надають фінансових консультацій, і ви повинні звернутися до свого податкового консультанта, щоб з'ясувати чи це є сприйнятливим для вас. + +Якщо ви вже користуєтеся спонсорством GitHub, ви також можете підтримати нашу організацію там. + +[Підтримайте нас на GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Спонсори + +Особлива подяка всім, хто підтримує нашу місію! :heart: + +*Зверніть увагу: Цей розділ завантажує віджет напряму з Open Collective. Ця секція не показує пожертвування, зроблені за межами Open Collective, і ми не контролюємо конкретних спонсорів, зазначених у цьому розділі.* + + + +## Як ми використовуємо пожертви + +Privacy Guides - це **некомерційна** організація. Ми використовуємо пожертви для різних цілей, зокрема: + +**Реєстрація домену** +: + +У нас є кілька доменних імен, таких як `privacyguides.org`, які коштують нам приблизно 10 доларів на рік, щоб підтримувати їх реєстрацію. + +**Вебхостинг** +: + +Трафік на цей вебсайт використовує сотні гігабайтів даних на місяць, ми використовуємо різних постачальників послуг, щоб не відставати від цього трафіку. + +**Онлайн-сервіси** +: + +Ми розміщуємо [Інтернет-сервіси](https://privacyguides.net) для тестування та демонстрації різних продуктів конфіденційності, які нам подобаються, та які ми [рекомендуємо](../tools.md). Деякі з них є загальнодоступними для використання нашою спільнотою (SearXNG, Tor тощо), а деякі надаються членам нашої команди (електронна пошта та інше). + +**Придбання продукції** +: + +Час від часу ми купуємо продукти та послуги з метою тестування наших [рекомендованих інструментів](../tools.md). + +Ми все ще працюємо з нашим фіскальним хостом (Open Collective Foundation), щоб отримувати пожертви криптовалюти, на цей час облік неможливий для багатьох дрібніших транзакцій, але це має змінитися в майбутньому. Однак, якщо ви хочете зробити значну пожертву в криптовалюті (> $100), будь ласка, зв'яжіться з [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/uk/about/index.md b/i18n/uk/about/index.md new file mode 100644 index 00000000..8b0e2bb7 --- /dev/null +++ b/i18n/uk/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. Ви **не маєте права** використовувати брендинг Privacy Guides у своєму власному проєкті без прямого схвалення цього проєкту. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/uk/about/notices.md b/i18n/uk/about/notices.md new file mode 100644 index 00000000..e0e3b8a9 --- /dev/null +++ b/i18n/uk/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Відмова від відповідальності + +Privacy Guides не є юридичною фірмою. Таким чином, вебсайт Privacy Guides та його учасники не надають юридичних консультацій. Матеріали та рекомендації на нашому вебсайті та посібниках не є юридичною консультацією, а також внесок у вебсайт чи спілкування з Privacy Guides або іншими учасниками нашого вебсайту не створюють відносин адвокат-клієнт. + +Керування цим вебсайтом, як і будь-якими людськими зусиллями, передбачає невизначеність та компроміси. Ми сподіваємося, що цей вебсайт допоможе, але він може містити помилки та не може вирішити кожну ситуацію. Якщо в вас виникли запитання щодо вашої ситуації, радимо провести власне дослідження, знайти інших експертів та взяти участь в обговореннях зі спільнотою Privacy Guides. Якщо у вас є які-небудь юридичні питання, вам слід проконсультуватися зі своїм власним юристом, перш ніж рухатись далі. + +Privacy Guides-це проект з відкритим вихідним кодом, створений за ліцензіями, які включають умови, які для захисту вебсайту та його учасників чітко вказують, що проект Privacy Guides і вебсайт пропонуються "як є", без гарантій і з відмовою від відповідальності за шкоду, що виникла в результаті використання вебсайту або будь-яких рекомендацій, що містяться в ньому. Privacy Guides не гарантують і не роблять ніяких заяв щодо точності, ймовірних результатів або надійності використання матеріалів на вебсайті або іншим чином пов'язаних з такими матеріалами на вебсайті або на будь-яких сторонніх сайтах, пов'язаних з цим сайтом. + +Крім того, Privacy Guides не гарантують, що цей вебсайт буде постійно або взагалі доступний. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Це не включає сторонній код, вбудований в цей репозиторій, або код, де ліцензія, що замінює ліцензію, відмічена іншим чином. Нижче наведені відомі приклади, але цей список може бути неповним: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Це означає, що ви можете використовувати читабельний вміст в цьому репозиторії для вашого власного проєкту відповідно до умов, викладених в універсальному тексті CC0 1.0. Ви **не маєте права** використовувати брендинг Privacy Guides у своєму власному проєкті без прямого схвалення цього проєкту. Торгові марки бернду Privacy Guides включають в себе логотип та "Privacy Guides". Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Ми вважаємо, що логотипи та інші зображення в `assets`, отримані від сторонніх постачальників, є або суспільним надбанням, або **добросовісним використанням**. У двох словах, правова [доктрина добросовісного використання](https://www.copyright.gov/fair-use/more-info.html) дозволяє використання зображень, захищених авторським правом, для ідентифікації предмета з метою публічного обговорення. Однак ці логотипи та інші зображення все ще можуть підпадати під дію законів про товарні знаки в одній або декількох юрисдикціях. Перед використанням цього контенту, будь ласка, переконайтеся, що він використовується для ідентифікації юридичної особи або організації, якій належить товарний знак, і що у вас є право використовувати його відповідно до законів, які застосовуються в обставинах вашого передбачуваного використання. *Копіюючи вміст з цього вебсайту, ви несете повну відповідальність за те, щоб не порушувати чужу торгову марку або авторські права.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Допустиме використання + +Ви не можете використовувати цей вебсайт будь-яким чином, який викликає або може викликати пошкодження вебсайту або погіршення доступності Privacy Guides, або будь-яким способом, який є незаконним, шахрайським, шкідливим або пов'язаним з будь-якою незаконною, шахрайською або шкідливою метою або діяльністю. + +Ви не повинні проводити будь-які систематичні або автоматизовані заходи зі збору даних на цьому вебсайті або у зв'язку з ним без письмової згоди Aragon Ventures LLC, включаючи: + +* Надмірне автоматизоване сканування +* Атаки типу "відмова в обслуговуванні" +* Скрейпінг +* Інтелектуальний аналіз даних +* "Фреймінг" (IFrames) + +--- + +*Частини самого цього повідомлення були взяті з [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) на GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/uk/about/privacy-policy.md b/i18n/uk/about/privacy-policy.md new file mode 100644 index 00000000..81c49308 --- /dev/null +++ b/i18n/uk/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Політика конфіденційності" +--- + +Privacy Guides - це проєкт спільноти, який керується низкою активних волонтерів. Загальнодоступний список членів команди [можна знайти на GitHub](https://github.com/orgs/privacyguides/people). + +## Дані, які ми збираємо від відвідувачів + +Конфіденційність відвідувачів нашого веб-сайту важлива для нас, тому ми не відстежуємо жодних окремих людей. Як відвідувач нашого вебсайту: + +- Ніяка особиста інформація не збирається +- Жодна інформація, така як файли cookie, не зберігається в браузері +- Жодна інформація не передається, не відправляється та не продається третім особам +- Жодна інформація не передається рекламним компаніям +- Жодна інформація не видобувається та не збирається для особистих та поведінкових тенденцій +- Жодна інформація не монетизується + +Ви можете переглянути дані, які ми збираємо, на нашій сторінці [статистики](statistics.md). + +Ми здійснюємо самостійне встановлення [Plausible Analytics](https://plausible.io), щоб зібрати деякі анонімні дані про використання для статистичних цілей. Мета полягає в тому, щоб відстежувати загальні тенденції у відвідуванні нашого веб-сайту, а не відстежувати окремих відвідувачів. Усі дані наведені лише в узагальненому вигляді. Ніякі персональні дані не збираються. + +Зібрані дані включають джерела посилань, популярні сторінки, тривалість відвідування, інформацію про пристрої (тип пристрою, операційна система, країна і браузер), які використовуються під час відвідування тощо. Ви можете дізнатися більше про те, як Plausible працює та збирає інформацію з повагою до конфіденційності [тут](https://plausible.io/data-policy). + +## Дані, які ми збираємо від власників облікових записів + +На деяких вебсайтах і послугах, які ми надаємо, для багатьох функцій може знадобитися обліковий запис. Наприклад, обліковий запис може бути необхідним для публікації та відповіді на теми на платформі форуму. + +Щоб зареєструвати більшість облікових записів, ми збиратимемо ім'я користувача, адресу електронної пошти та пароль. У випадку, якщо вебсайт вимагає більше інформації, ніж тільки ці дані, це буде чітко позначено та зазначено в окремій заяві про конфіденційність на сайті. + +Ми використовуємо дані вашого облікового запису для ідентифікації вас на вебсайті та для створення специфічних для вас сторінок, таких як сторінка вашого профілю. Ми також будемо використовувати дані вашого облікового запису для публікації вашого загальнодоступного профілю в наших сервісах. + +Ми використовуємо вашу електронну пошту для того щоб: + +- Сповіщати вас про публікації та інші дії на вебсайтах або сервісах. +- Скинути пароль та допомогти захистити ваш обліковий запис. +- Зв'язатися з вами в особливих обставинах, пов'язаних з вашим обліковим записом. +- Зв'язатися з вами з приводу юридичних запитів, таких як запити на видалення DMCA. + +На деяких вебсайтах і сервісах ви можете надати додаткову інформацію для свого облікового запису, таку як коротка біографія, аватар, ваше місце розташування або ваш день народження. Ми надаємо цю інформацію всім, хто може отримати доступ до відповідного веб-сайту або служби. Ця інформація не є обов'язковою для використання будь-яких наших сервісів і може бути стерта в будь-який час. + +Ми будемо зберігати дані вашого облікового запису до тих пір, поки ваш обліковий запис залишається відкритим. Після закриття облікового запису ми можемо зберегти деякі або всі дані вашого облікового запису у вигляді резервних копій або архівів на строк до 90 днів. + +## Зворотний зв'язок + +Команда Privacy Guides, як правило, не має доступу до персональних даних, окрім обмеженого доступу, наданого через деякі панелі модерації. Запити щодо вашої особистої інформації слід надсилати безпосередньо за адресою: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +З усіх інших питань ви можете зв'язатися з будь-яким членом нашої команди. + +Щодо скарг відповідно до GDPR загалом, ви можете подавати скарги до місцевих органів нагляду за захистом даних. У Франції цим займається Національна комісія з питань інформатики та свобод, яка розглядає скарги. Вони надають [шаблон листа-скарги](https://www.cnil.fr/en/plaintes) для використання. + +## Про цю політику + +Ми будемо публікувати будь-які нові версії цієї заяви [тут](privacy-policy.md). Ми можемо змінити спосіб оголошення змін у наступних версіях цього документа. В той же час ми можемо оновити нашу контактну інформацію в будь-який час, не оголошуючи про зміни. Будь ласка, зверніться до [Політики конфіденційності](privacy-policy.md) для отримання актуальної контактної інформації в будь-який час. + +Повну версію [історії](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) цієї сторінки можна знайти на GitHub. diff --git a/i18n/uk/about/privacytools.md b/i18n/uk/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/uk/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/uk/about/services.md b/i18n/uk/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/uk/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/uk/about/statistics.md b/i18n/uk/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/uk/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/uk/advanced/communication-network-types.md b/i18n/uk/advanced/communication-network-types.md new file mode 100644 index 00000000..e8e60399 --- /dev/null +++ b/i18n/uk/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Рекомендовані месенджери](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/uk/advanced/dns-overview.md b/i18n/uk/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/uk/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/uk/advanced/payments.md b/i18n/uk/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/uk/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/uk/advanced/tor-overview.md b/i18n/uk/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/uk/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/uk/android.md b/i18n/uk/android.md new file mode 100644 index 00000000..fbcabfd2 --- /dev/null +++ b/i18n/uk/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! рекомендації + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! рекомендації + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! рекомендації + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! рекомендації + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! рекомендації + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! рекомендації + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! рекомендації + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! рекомендації + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/uk/assets/img/account-deletion/exposed_passwords.png b/i18n/uk/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/uk/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/uk/assets/img/android/rss-apk-dark.png b/i18n/uk/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/uk/assets/img/android/rss-apk-light.png b/i18n/uk/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-apk-light.png differ diff --git a/i18n/uk/assets/img/android/rss-changes-dark.png b/i18n/uk/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/uk/assets/img/android/rss-changes-light.png b/i18n/uk/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/uk/assets/img/android/rss-changes-light.png differ diff --git a/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-encryption.svg b/i18n/uk/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg b/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/how-tor-works/tor-path.svg b/i18n/uk/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/uk/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/uk/assets/img/multi-factor-authentication/fido.png b/i18n/uk/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/uk/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/uk/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/uk/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/uk/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/uk/basics/account-creation.md b/i18n/uk/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/uk/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/uk/basics/account-deletion.md b/i18n/uk/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/uk/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/uk/basics/common-misconceptions.md b/i18n/uk/basics/common-misconceptions.md new file mode 100644 index 00000000..69b7d4d4 --- /dev/null +++ b/i18n/uk/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Поширені міфи" +icon: 'material/robot-confused' +description: Конфіденційність — непроста тема, і легко піддатися маркетинговим заявам та іншій дезінформації. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Чи безпечне програмне забезпечення з відкритим кодом за своєю суттю? + acceptedAnswer: + "@type": Answer + text: | + Доступність вихідного коду та спосіб ліцензування програмного забезпечення жодним чином не впливають на його безпеку. Програмне забезпечення з відкритим вихідним кодом може бути більш безпечним, ніж пропрієтарне програмне забезпечення, але немає жодних гарантій, що це так. Оцінюючи програмне забезпечення, ви повинні звертати увагу на репутацію та безпеку кожного інструменту на індивідуальній основі. + - + "@type": Question + name: Чи може передача довіри іншому провайдеру підвищити рівень конфіденційності? + acceptedAnswer: + "@type": Answer + text: | + Ми багато говоримо про "передачу довіри", коли обговорюємо такі рішення, як VPN (які передають довіру, яку ви покладаєте на свого інтернет-провайдера, до VPN-провайдера). Хоча це захищає ваші дані від вашого інтернет-провайдера, обраний вами VPN-провайдер все одно має доступ до ваших даних: ваші дані не повністю захищені від усіх сторін. + - + "@type": Question + name: Чи є рішення, орієнтовані на конфіденційність, за своєю суттю надійними? + acceptedAnswer: + "@type": Answer + text: | + Зосередження виключно на політиці конфіденційності та маркетингу інструменту або провайдера може відвернути вашу увагу від його слабких сторін. Коли ви шукаєте більш конфіденційне рішення, вам слід визначити, в чому полягає основна проблема, і знайти технічні розв'язання цієї проблеми. Наприклад, ви можете не використовувати Google Диск, який надає Google доступ до всіх ваших даних. Основною проблемою в цьому випадку є відсутність E2EE, тому вам слід переконатися, що провайдер, до якого ви переходите, дійсно реалізує E2EE, або скористатися інструментом (наприклад, Cryptomator), який забезпечує E2EE на будь-якому хмарному провайдері. Перехід до "орієнтованого на конфіденційність" провайдера (який не впроваджує E2EE) не вирішить вашу проблему: він просто змістить довіру від Google до цього провайдера. + - + "@type": Question + name: Наскільки складною має бути моя модель загроз? + acceptedAnswer: + "@type": Answer + text: | + Ми часто бачимо, як люди описують надто складні моделі загроз конфіденційності. Часто ці рішення включають в себе такі проблеми, як багато різних облікових записів електронної пошти або складні налаштування з великою кількістю рухомих частин і умов. Відповіді зазвичай відповідають на питання: «Який найкращий спосіб зробити X?» + Пошук "найкращого" рішення для себе не обов'язково означає, що ви шукаєте безпомилкове рішення з десятками умов — з такими рішеннями часто важко працювати на практиці. Як ми обговорювали раніше, безпека часто приходить за рахунок зручності. +--- + +## "Програмне забезпечення з відкритим кодом завжди безпечне" або "Пропрієтарне програмне забезпечення більш безпечне" + +Ці міфи випливають з низки упереджень, але доступність вихідного коду та спосіб ліцензування програмного забезпечення жодним чином не впливають на його безпеку. == Програмне забезпечення з відкритим вихідним кодом має *потенціал* бути безпечнішим, ніж пропрієтарне програмне забезпечення, але немає жодних гарантій, що це так.== Коли ви оцінюєте програмне забезпечення, ви повинні дивитися на репутацію та безпеку кожного інструменту на індивідуальній основі. + +Програмне забезпечення з відкритим кодом *може* перевірятися третіми сторонами і часто є більш прозорим щодо потенційних вразливостей, ніж пропрієтарні аналоги. Це також дає змогу ознайомитися з кодом та вимкнути всі підозрілі функції, які ви знайдете самі. Однак, *якщо ви не зробите цього*, немає ніякої гарантії, що код коли-небудь оцінювався, особливо для невеликих проєктів. Відкритий процес розробки також іноді використовується для впровадження нових вразливостей навіть у великі проєкти.[^1] + +З іншого боку, пропрієтарне програмне забезпечення менш прозоре, але це не означає, що воно не є безпечним. Великі проєкти пропрієтарного програмного забезпечення можуть бути перевірені як внутрішніми, так і сторонніми організаціями, а незалежні дослідники безпеки все ще можуть знайти вразливості за допомогою таких методів, як зворотна інженерія. + +Щоб уникнути упереджених рішень, *дуже важливо* оцінювати стандарти конфіденційності та безпеки програмного забезпечення, яке ви використовуєте. + +## "Передача довіри може підвищити конфіденційність" + +Ми багато говоримо про "передачу довіри", коли обговорюємо такі рішення, як VPN (які передають довіру, яку ви покладаєте на свого інтернет-провайдера, до VPN-провайдера). Хоча це захищає ваші дані *конкретно* від вашого інтернет-провайдера, обраний вами VPN-провайдер все одно має доступ до ваших даних: Ваші дані не повністю захищені від усіх сторін. Це означає, що: + +1. Ви повинні бути обережними при виборі постачальника, якому ви передаєте довіру. +2. Ви все одно повинні використовувати інші методи, такі як E2EE, щоб повністю захистити свої дані. Просто недовіряти одному провайдеру, щоб довіряти іншому, не захищає ваші дані. + +## "Рішення, орієнтовані на конфіденційність, за своєю суттю є надійними" + +Зосередження виключно на політиці конфіденційності та маркетингу інструменту або провайдера може відвернути вашу увагу від його слабких сторін. Коли ви шукаєте більш конфіденційне рішення, вам слід визначити, в чому полягає основна проблема, і знайти технічні розв'язання цієї проблеми. Наприклад, ви можете не використовувати Google Диск, який надає Google доступ до всіх ваших даних. Основною проблемою в цьому випадку є відсутність E2EE, тому вам слід переконатися, що провайдер, до якого ви переходите, дійсно реалізує E2EE, або скористатися інструментом (наприклад, [Cryptomator](../encryption.md#cryptomator-cloud)), який забезпечує E2EE на будь-якому хмарному провайдері. Перехід до "орієнтованого на конфіденційність" провайдера (який не впроваджує E2EE) не вирішить вашу проблему: він просто змістить довіру від Google до цього провайдера. + +Політика конфіденційності та бізнес-практики постачальників, яких ви обираєте, дуже важливі, але їх слід вважати другорядними у порівнянні з технічними гарантіями вашої конфіденційності: ви не повинні перекладати довіру на іншого постачальника, коли довіра до постачальника взагалі не є вимогою. + +## "Складніше — краще" + +Ми часто бачимо, як люди описують надто складні моделі загроз конфіденційності. Часто ці рішення включають в себе такі проблеми, як багато різних облікових записів електронної пошти або складні налаштування з великою кількістю рухомих частин і умов. Відповіді зазвичай відповідають на питання: «Який найкращий спосіб зробити *X*?» + +Пошук "найкращого" рішення для себе не обов'язково означає, що ви шукаєте безпомилкове рішення з десятками умов — з такими рішеннями часто важко працювати на практиці. Як ми обговорювали раніше, безпека часто приходить за рахунок зручності. Нижче ми надаємо кілька порад: + +1. ==Дії повинні служити певній меті:== подумайте, як зробити те, що ви хочете, з найменшою кількістю дій. +2. ==Усунення точок людських помилок:== ми зазнаємо невдач, втомлюємося і забуваємо про щось. Щоб підтримувати безпеку, уникайте покладатися на ручні умови та процеси, які вам потрібно запам'ятати. +3. ==Використовуйте правильний рівень захисту для того, що ви плануєте.== ми часто зустрічаємо рекомендації щодо так званих рішень, захищених від правоохоронних органів або повісток до суду. Вони часто вимагають спеціальних знань і, як правило, не є тим, чого хочуть люди. Немає сенсу будувати складну модель загроз для анонімності, якщо вас можна легко деанонімізувати за допомогою простого нагляду. + +Отже, як це може виглядати? + +Однією з найяскравіших моделей загроз є та, коли люди *знають, хто ви*, і та, коли вони цього не знають. Завжди будуть ситуації, коли ви повинні заявити своє юридичне ім 'я, і є інші, де в цьому нема потреби. + +1. **Відома особистість** — відома особистість використовується для речей, де ви повинні оголошувати своє ім'я. Існує багато юридичних документів та договорів, де потрібна юридична особа. Це може бути відкриття банківського рахунку, підписання договору оренди нерухомості, отримання паспорта, митних декларацій при імпорті товарів або інші питання, пов'язані з вашим урядом. Зазвичай це призводить до отримання облікових даних, таких як кредитні картки, перевірка кредитного рейтингу, номерів рахунків і, можливо, фізичних адрес. + + Ми не рекомендуємо використовувати VPN або Tor для цих цілей, оскільки ваша особистість вже відома за допомогою інших засобів. + + !!! tip + + При покупках в Інтернеті використання [поштомата] (https://uk.wikipedia.org/wiki/Поштомат) може допомогти зберегти вашу фізичну адресу в конфіденційності. + +2. **Невідома особистість** — невідома особистість може бути стабільним псевдонімом, який ви регулярно використовуєте. Він не є анонімним, бо не змінюється. Якщо ви є частиною онлайн-спільноти, можливо, ви захочете зберегти образ, який знають інші. Цей псевдонім не є анонімним, оскільки за умови тривалого спостереження за ним можна отримати додаткову інформацію про його власника, наприклад, про те, як він пише, його загальні знання про теми, які його цікавлять, тощо. + + Ви можете використовувати VPN для цього, щоб приховати свою IP-адресу. Фінансові транзакції складніше приховати: Ви можете розглянути можливість використання анонімних криптовалют, таких як [Monero](https://www.getmonero.org/). Використання зміни альткоїнів також може допомогти приховати, звідки походить ваша валюта. Як правило, обмінники вимагають пройти процедуру KYC (знай свого клієнта), перш ніж вони дозволять вам обміняти фіатну валюту на будь-який вид криптовалюти. Місцеві варіанти зустрічей також можуть бути рішенням, але вони часто дорожчі, а іноді також вимагають KYC. + +3. **Анонімна особистість** — навіть маючи досвід, анонімну особистість важко підтримувати тривалий час. Це мають бути короткострокові та недовговічні ідентичності, які регулярно змінюються. + + Використання Tor може допомогти в цьому. Варто також зазначити, що більша анонімність можлива через асинхронне спілкування: Спілкування в режимі реального часу вразливе до аналізу шаблонів набору тексту (тобто більше за абзац тексту, поширеного на форумі, електронною поштою тощо). + +[^1]: Одним із помітних прикладів цього є [інцидент 2021 року, в якому дослідники Університету Міннесоти впровадили три вразливості у проект розробки ядра Лінукса](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/uk/basics/common-threats.md b/i18n/uk/basics/common-threats.md new file mode 100644 index 00000000..6dc06868 --- /dev/null +++ b/i18n/uk/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Поширені Загрози" +icon: 'material/eye-outline' +description: Ваша модель загроз є особистою, але це деякі з речей, які хвилюють багатьох відвідувачів цього сайту. +--- + +Загалом, ми класифікуємо наші рекомендації на [загрози](threat-modeling.md) або цілі, які стосуються більшості людей. ==Ви можете бути зацікавлені в жодній, одній, кількох або всіх цих можливостях==, і інструменти та сервіси, які ви використовуєте, залежать від того, які цілі ви ставите перед собою. Ви також можете мати специфічні загрози поза цими категоріями, і це цілком нормально! Важливою частиною є розуміння переваг і недоліків інструментів, які ви обираєте, оскільки практично жоден з них не захистить вас від усіх можливих загроз. + +- :material-incognito: Анонімність — розмежування вашої активності в Інтернеті від вашої реальної особистості, захист від людей, які намагаються розкрити саме *вашу* особистість. +- :material-target-account: Цільові атаки — захист від хакерів та інших зловмисників, які намагаються отримати доступ саме до *ваших* даних або пристроїв. +- :material-bug-outline: Пасивні атаки — захист від таких речей, як шкідливе програмне забезпечення, витік даних та інших атак, спрямованих проти багатьох людей одразу. +- :material-server-network: Постачальники послуг — захист ваших даних від постачальників послуг (наприклад, за допомогою E2EE, що робить ваші дані нечитабельними для сервера). +- :material-eye-outline: Масове спостереження — захист від державних установ, організацій, веб-сайтів та служб, які працюють разом, щоб відстежувати вашу діяльність. +- :material-account-cash: Капіталізм нагляду — захист від великих рекламних мереж, таких як Google і Facebook, а також безлічі інших сторонніх збирачів даних. +- :material-account-search: Публічний розголос — обмеження інформації про вас, яка доступна в Інтернеті - пошуковим системам або широкій громадськості. +- :material-close-outline: Цензура — уникнення цензурованого доступу до інформації або цензури під час спілкування в Інтернеті. + +Деякі з цих загроз можуть бути важливішими для вас, ніж інші, залежно від ваших конкретних проблем. Наприклад, розробник програмного забезпечення, який має доступ до цінних або критично важливих даних, може бути в першу чергу стурбований :material-target-account: цільовими атаками, але, ймовірно, він також хоче захистити свої персональні дані від :material-eye-outline: програм масового спостереження. Аналогічно, багато людей можуть бути в першу чергу стурбовані :material-account-search: публічним розголошенням їхніх персональних даних, але їм все одно слід остерігатися проблем, пов'язаних з безпекою, таких як :material-bug-outline: пасивні атаки — як-от шкідливе програмне забезпечення, що вражає їхні пристрої. + +## Анонімність проти Конфіденційності + +:material-incognito: Анонімність + +Анонімність часто плутають з конфіденційністю, але це різні поняття. У той час як конфіденційність це набір рішень, які ви приймаєте щодо того, як використовуються і поширюються ваші дані, анонімність — це повне відокремлення вашої діяльності в Інтернеті від вашої реальної особистості. + +Наприклад, інформатори та журналісти можуть мати набагато більш екстремальну модель загроз, яка вимагає повної анонімності. Це не лише приховування того, чим вони займаються, які дані мають, і щоб їх не зламали зловмисники чи уряд, а й повне приховування того, ким вони є насправді. Вони часто жертвують будь-якими зручностями, якщо це важливо для захисту їхньої анонімності, конфіденційності або безпеки, тому що від цього може залежати їхнє життя. Більшості людей не потрібно заходити так далеко. + +## Безпека та Конфіденційність + +:material-bug-outline: Пасивні атаки + +Безпеку і конфіденційність також часто плутають, адже для досягнення будь-якої суттєвої конфіденційності вам потрібна безпека: використання інструментів, навіть якщо вони є конфіденційними за своєю суттю, є марним, якщо вони можуть бути легко експлуатовані зловмисниками, які згодом оприлюднять ваші дані. Однак зворотне не обов'язково вірно: найбезпечніший сервіс у світі *не обов'язково є* конфіденційним. Найкращим прикладом цього є довіра даних компанії Google, яка, зважаючи на свої масштаби, мала мало інцидентів безпеки завдяки залученню провідних експертів у галузі безпеки для захисту своєї інфраструктури. Попри те, що Google надає дуже безпечні послуги, дуже мало людей вважають свої дані конфіденційними в безкоштовних споживчих продуктах Google (Gmail, YouTube і т.д.). + +Коли мова йде про безпеку додатків, ми зазвичай не знаємо (а іноді й не можемо знати), чи є програмне забезпечення, яке ми використовуємо, шкідливим, або чи може воно колись таким стати. Навіть найнадійніші розробники не можуть гарантувати, що їхнє програмне забезпечення не має серйозних вразливостей, які згодом можуть бути використані. + +Щоб мінімізувати шкоду, яку може завдати шкідливе програмне забезпечення **, вам слід застосовувати захист за допомогою розмежування. Наприклад, це може бути використання різних комп'ютерів для різних завдань, використання віртуальних машин для розділення різних груп пов'язаних додатків або використання безпечної операційної системи з сильним акцентом на ізоляцію додатків і обов'язковим контролем доступу. + +!!! tip + + Мобільні операційні системи зазвичай мають кращу ізоляцію додатків, ніж операційні системи для ПК: програми не можуть отримати root-доступ і потребують дозволу для доступу до системних ресурсів. + + Десктопні операційні системи зазвичай відстають у створенні належної ізоляції. ChromeOS має схожі можливості ізоляції з Android, а macOS має повний контроль прав у системі (і розробники можуть ввімкнути ізоляцію додатків). Однак ці операційні системи передають ідентифікаційну інформацію відповідним виробникам обладнання. Linux, як правило, не надає інформацію постачальникам систем, але має слабкий захист від експлойтів та шкідливих програм. Цю проблему можна дещо пом'якшити за допомогою спеціалізованих дистрибутивів, які широко використовують віртуальні машини або контейнери, таких як [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Цілеспрямовані атаки + +З цілеспрямованими атаками на конкретну особу боротися складніше. Поширені атаки включають надсилання шкідливих документів електронною поштою, експлуатацію вразливостей (наприклад, у браузерах та операційних системах) і фізичні атаки. Якщо це викликає у вас занепокоєння, вам слід використовувати більш просунуті стратегії пом'якшення загроз. + +!!! tip + + За своєю суттю **веб-браузери**, **поштові клієнти** та **офісні програми** зазвичай виконують ненадійний код, надісланий вам третіми сторонами. Запуск декількох віртуальних машин для відокремлення таких додатків від основної системи, а також один від одного - це один зі способів зменшити ймовірність того, що експлойт в цих додатках може скомпрометувати решту системи. Наприклад, такі технології, як Qubes OS або Microsoft Defender Application Guard на Windows, надають зручні методи для цього. + +Якщо ви стурбовані **фізичними атаками**, вам слід використовувати операційну систему з безпечною перевіреною реалізацією завантаження, таку як Android, iOS, macOS або [Windows (з TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). Також слід переконатися, що ваш диск зашифровано, а операційна система використовує TPM або Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) чи [Element](https://developers.google.com/android/security/android-ready-se) для обмеження кількості спроб введення ключової фрази шифрування. Вам слід уникати спільного використання комп'ютера з людьми, яким ви не довіряєте, оскільки більшість настільних операційних систем не шифрують дані окремо для кожного користувача. + +## Конфіденційність від постачальників послуг + +:material-server-network: Постачальники послуг + +Ми живемо у світі, де майже все підключено до інтернету. Наші "приватні" повідомлення, електронні листи та соціальні взаємодії зазвичай зберігаються десь на сервері. Зазвичай, коли ви надсилаєте комусь повідомлення, воно зберігається на сервері, і коли ваш друг захоче прочитати повідомлення, сервер покаже йому повідомлення. + +Очевидна проблема полягає в тому, що постачальник послуг (або хакер, який зламав сервер) може отримати доступ до ваших розмов, коли завгодно і як завгодно, без вашого відома. Це стосується багатьох поширених сервісів, таких як SMS-повідомлення, Telegram і Discord. + +На щастя, E2EE може вирішити цю проблему, шифруючи повідомлення між вами й вашими бажаними одержувачами ще до того, як вони будуть відправлені на сервер. Конфіденційність ваших повідомлень гарантується, якщо постачальник послуг не має доступу до приватних ключів жодної зі сторін. + +!!! note "Примітка про веб-шифрування" + + На практиці ефективність різних реалізацій E2EE відрізняється. Такі додатки як [Signal](../real-time-communication.md#signal) працюють на вашому пристрої за замовчуванням, і кожна копія програми однакова для різних інсталяцій. Якщо постачальник послуг впровадить [бекдор](https://uk.wikipedia.org/wiki/Бекдор) у свій додаток — у спробі викрасти ваші приватні ключі — це можна буде пізніше виявити за допомогою [зворотної розробки](https://uk.wikipedia.org/wiki/Зворотня_розробка). + + З іншого боку, веб-реалізації E2EE, такі як веб-пошта Proton Mail або *Web Vault* від Bitwarden, покладаються на сервер, який динамічно надає браузеру код JavaScript для провадження криптографії. Шкідливий сервер може вибрати вас і надіслати вам шкідливий JavaScript-код, щоб викрасти ваш ключ шифрування (і це буде надзвичайно важко помітити). Оскільки сервер може обслуговувати різних веб-клієнтів для різних людей — навіть якщо ви помітили атаку — довести провину провайдера буде неймовірно складно. + + Тому вам слід використовувати нативні додатки замість веб-клієнтів, коли це можливо. + +Навіть з E2EE постачальники послуг все ще можуть профілювати вас на основі **метаданих**, які, як правило, не захищені. Хоча провайдер не може читати ваші повідомлення, він може спостерігати за важливими речами, наприклад, за тим, з ким ви розмовляєте, як часто ви надсилаєте їм повідомлення і коли ви зазвичай активні. Захист метаданих є досить рідкісним явищем, і — якщо це входить до вашої [моделі загроз](threat-modeling.md) — вам слід звернути пильну увагу на технічну документацію програмного забезпечення, яке ви використовуєте, щоб дізнатися, чи передбачено мінімізацію або захист метаданих взагалі. + +## Програми масового спостереження + +:material-eye-outline: Масове спостереження + +Масове спостереження — це складні зусилля з моніторингу "поведінки, багатьох видів діяльності або інформації" всього (або значної частини) населення.[^1] Часто йдеться про урядові програми, такі як ті, що [розкрив Едвард Сноуден у 2013 році](https://uk.wikipedia.org/wiki/Викриття_масового_стеження_у_2013_році). Однак це також може здійснюватися корпораціями, як від імені державних органів, так і за власною ініціативою. + +!!! abstract "Атлас спостереження" + + Якщо ви хочете дізнатися більше про методи спостереження і про те, як вони застосовуються у вашому місті, ви також можете ознайомитися з [Атласом спостереження] (https://atlasofsurveillance.org/) від [Electronic Frontier Foundation] (https://www.eff.org/). + + У Франції ви можете зазирнути на [веб-сайт Технополісу] (https://technopolice.fr/villes/), який підтримує некомерційна асоціація La Quadrature du Net. + +Уряди часто виправдовують програми масового спостереження як необхідні засоби для боротьби з тероризмом і запобігання злочинності. Однак, порушуючи права людини, це найчастіше використовується для непропорційного переслідування груп меншин та політичних дисидентів, серед інших. + +!!! quote "ACLU: [*Урок конфіденційності 9/11: Масове спостереження — це не шлях вперед*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + Після викриттів [Едвардом Сноуденом таких урядових програм як [PRISM](https://uk.wikipedia.org/wiki/PRISM_(розвідувальна_програма)) і [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], співробітники розвідки також визнали, що АНБ роками таємно збирало записи про телефонні дзвінки практично кожного американця - хто кому дзвонить, коли ці дзвінки здійснюються і як довго вони тривають. Така інформація, яку АНБ збирає день за днем, може розкрити неймовірно делікатні подробиці про життя людей і їхні зв'язки, наприклад, чи телефонували вони до пастора, лікаря, який робить аборти, консультанта з питань залежності або на гарячу лінію для самогубців. + +Незважаючи на зростання масового стеження в США, уряд виявив, що програми масового стеження, такі як Розділ 215, мають "невелику унікальну цінність" щодо припинення реальних злочинів або терористичних змов, а їхні зусилля значною мірою дублюють власні програми цільового стеження, що проводяться ФБР.[^2] + +В Інтернеті вас можуть відстежувати різними способами: + +- Ваша IP-адреса +- Файли cookie браузера +- Дані, які ви передаєте на веб-сайти +- Відбиток вашого браузера або пристрою +- Кореляція способів оплати + +\[Цей список не є вичерпним]. + +Якщо ви стурбовані програмами масового стеження, ви можете використовувати такі стратегії, як розмежування ваших ідентифікаційних даних в Інтернеті, змішування з іншими користувачами або, коли це можливо, просто уникати розголошення інформації, що ідентифікує вас. + +:material-account-cash: Капіталізм нагляду + +> Капіталізм нагляду - це економічна система, в основі якої лежить збір і комерціалізація персональних даних з метою отримання прибутку.[^3] + +Для багатьох людей відстеження та нагляд з боку приватних корпорацій викликає дедалі більше занепокоєння. Повсюдні рекламні мережі, такі як Google і Facebook, охоплюють Інтернет далеко за межами сайтів, які вони контролюють, відстежуючи ваші дії по дорозі. Використання таких інструментів, як блокувальники контенту для обмеження мережевих запитів до їх серверів, а також ознайомлення з політикою конфіденційності сервісів, якими ви користуєтеся, може допомогти вам уникнути багатьох основних загроз (хоча повністю запобігти відстеженню не вдасться).[^4] + +Крім того, навіть компанії, що не належать до *AdTech* або трекінгової індустрії, можуть ділитися вашою інформацією з [брокерами даних](https://en.wikipedia.org/wiki/Data_broker) (такими як Cambridge Analytica, Experian або Datalogix) або іншими сторонами. Ви не можете автоматично вважати, що ваші дані в безпеці лише тому, що сервіс, яким ви користуєтеся, не підпадає під типову бізнес-модель рекламних технологій або трекінгу. Найсильнішим захистом від корпоративного збору даних є шифрування або обфускація ваших даних, коли це можливо, що ускладнює різним провайдерам співвіднесення даних один з одним і створення профілю вашої особистості. + +## Обмеження публічно доступної інформації + +:material-account-search: Публічний розголос + +Найкращий спосіб зберегти ваші дані конфіденційними — це просто не оприлюднювати їх взагалі. Видалення небажаної інформації, яку ви знаходите про себе в Інтернеті, є одним з найкращих перших кроків, які ви можете зробити, щоб відновити свою конфіденційність. + +- [Перегляньте нашу інструкцію з видалення облікового запису :material-arrow-right-drop-circle:](account-deletion.md) + +На сайтах, де ви ділитеся інформацією, дуже важливо перевірити налаштування конфіденційності вашого облікового запису, щоб обмежити поширення цих даних. Наприклад, увімкніть "приватний режим" у своїх акаунтах, якщо є така можливість: це гарантує, що ваш акаунт не буде індексовано пошуковими системами, і його не можна буде переглянути без вашого дозволу. + +Якщо ви вже надали свою справжню інформацію сайтам, які не повинні її мати, розгляньте можливість використання тактики дезінформації, наприклад, надання вигаданої інформації, пов'язаної з цією онлайн-особистістю. Це зробить вашу справжню інформацію нерозрізненою з неправдивою. + +## Уникнення цензури + +:material-close-outline: Цензура + +Цензуру в Інтернеті можуть здійснювати (різною мірою) такі суб'єкти, як тоталітарні уряди, мережеві адміністратори та провайдери послуг. Ці спроби контролювати комунікацію та обмежувати доступ до інформації завжди будуть несумісні з правом людини на свободу вираження поглядів.[^5] + +Цензура на корпоративних платформах стає все більш поширеним явищем, оскільки такі платформи, як Twitter і Facebook, піддаються суспільному попиту, тиску ринку і тиску з боку державних органів. Державний тиск може бути прихованим, як, наприклад, коли Білий дім [вимагає видалити](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) провокаційне відео на YouTube, або відкритим, як, наприклад, коли уряд Китаю вимагає від компаній дотримуватися суворого режиму цензури. + +Люди, стурбовані загрозою цензури, можуть використовувати такі технології, як [Tor](../advanced/tor-overview.md), щоб обійти її, і підтримувати стійкі до цензури комунікаційні платформи, такі як [Matrix](../real-time-communication.md#element), які не мають централізованого облікового органу, що може довільно закривати акаунти. + +!!! tip + + У той час як уникнути цензури може бути легко, приховати той факт, що ви це робите, може бути дуже проблематично. + + Ви повинні враховувати, які аспекти мережі може спостерігати ваш супротивник, і чи є у вас правдоподібне заперечення ваших дій. Наприклад, використання [зашифрованого DNS](../advanced/dns-overview.md#what-is-encrypted-dns) може допомогти вам обійти рудиментарні системи цензури, засновані на DNS, але це не може по-справжньому приховати те, що ви відвідуєте, від вашого Інтернет-провайдера. VPN або Tor можуть допомогти приховати від мережевих адміністраторів що саме ви відвідуєте, але не можуть приховати сам факт використання цих мереж. Підключувані засоби передачі (такі як Obfs4proxy, Meek або Shadowsocks) можуть допомогти вам обійти брандмауери, які блокують поширені VPN-протоколи або Tor, але ваші спроби обходу все одно можуть бути виявлені такими методами, як зондування або [Deep Packet Inspection] (https://uk.wikipedia.org/wiki/Deep_packet_inspection). + +Ви завжди повинні враховувати ризики, пов'язані зі спробами обійти цензуру, потенційні наслідки і те, наскільки витонченим може бути ваш супротивник. Ви повинні бути обережними у виборі програмного забезпечення та мати запасний план на випадок, якщо вас спіймають. + +[^1]: Вікіпедія: [*Масове спостереження*](https://en.wikipedia.org/wiki/Mass_surveillance) та [*Спостереження*](https://uk.wikipedia.org/wiki/Спостереження_(негласне)). +[^2]: Рада з нагляду за дотриманням приватності та громадянських свобод США: [*Звіт про програму прослуховування телефонних розмов, здійснену відповідно до Розділу 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Вікіпедія: [*Капіталізм нагляду*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Перерахування поганого](https://www.ranum.com/security/computer_security/editorials/dumb/)" (або, "перерахування всього поганого, про що ми знаємо"), як це роблять багато адблокерів і антивірусних програм, не може адекватно захистити вас від нових і невідомих загроз, тому що вони ще не додані до списку фільтрів. Ви також повинні використовувати інші методи пом'якшення. +[^5]: Організація Об'єднаних Націй: [*Декларація про права людини*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/uk/basics/email-security.md b/i18n/uk/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/uk/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/uk/basics/multi-factor-authentication.md b/i18n/uk/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/uk/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/uk/basics/passwords-overview.md b/i18n/uk/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/uk/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/uk/basics/threat-modeling.md b/i18n/uk/basics/threat-modeling.md new file mode 100644 index 00000000..9f0ba7db --- /dev/null +++ b/i18n/uk/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Моделювання загроз" +icon: 'material/target-account' +description: Баланс між безпекою, конфіденційністю та зручністю використання - одне з перших і найскладніших завдань, з яким ви зіткнетеся на шляху до приватності. +--- + +Баланс між безпекою, конфіденційністю та зручністю використання - одне з перших і найскладніших завдань, з яким ви зіткнетеся на шляху до приватності. У всьому є компроміс: чим безпечніше щось, тим більш обмежувальним або незручним воно є в цілому і т.д. Часто люди вважають, що проблема з рекомендованими інструментами полягає в тому, що їх занадто складно почати використовувати! + +Якщо ви хочете використовувати **найбільш** безпечні інструменти, вам доведеться пожертвувати *суттєвою* зручністю використання. І навіть тоді, ==ніщо не буває повністю захищеним.== Існує **висока** безпека, але ніколи не **повна** безпека. Ось чому моделі загроз важливі. + +**Отже, що це за моделі загроз?** + +==Модель загроз - це перелік найбільш ймовірних загроз вашій безпеці та конфіденційності.== Оскільки неможливо захиститися від **кожної** атаки/атакуючого, вам слід зосередитися на **найбільш ймовірних** загрозах. У сфері комп'ютерної безпеки загроза — це подія, яка може підірвати ваші зусилля, спрямовані на збереження конфіденційності та безпеки. + +Зосередження уваги на загрозах, які є важливими для вас, звужує ваше уявлення про необхідний захист, і ви можете вибрати інструменти, які найкраще підходять для цієї роботи. + +## Створення вашої моделі загроз + +Щоб визначити, що може статися з речами, які ви цінуєте, і від кого їх потрібно захищати, вам слід відповісти на ці п'ять запитань: + +1. Що я хочу захистити? +2. Від кого я хочу це захистити? +3. Наскільки ймовірно, що мені доведеться це захищати? +4. Наскільки поганими будуть наслідки, якщо я зазнаю невдачі? +5. На які труднощі я готовий піти, щоб спробувати запобігти можливим наслідкам? + +### Що я хочу захистити? + +"Актив" — це те, що ви цінуєте і хочете захистити. У контексті цифрової безпеки ==активом зазвичай є певна інформація.== Наприклад, ваші електронні листи, списки контактів, повідомлення в месенджері, місцезнаходження та файли — все це потенційні активи. Ваші пристрої також можуть бути активами. + +*Складіть список своїх активів: дані, які ви зберігаєте, де вони зберігаються, хто має до них доступ і що заважає іншим отримати до них доступ.* + +### Від кого я хочу це захистити? + +Щоб відповісти на це питання, важливо визначити, хто може захотіти отримати доступ до вас або вашої інформації. ==Фізична або юридична особа, яка становить загрозу для ваших активів, є "супротивником". Прикладами потенційних супротивників є ваш начальник, колишній партнер, бізнес-конкуренти, уряд або хакер у публічній мережі. + +*Складіть список ваших супротивників або тих, хто може захотіти заволодіти вашими активами. Ваш список може включати фізичних осіб, державні установи або корпорації.* + +Залежно від того, хто є вашими супротивниками, за певних обставин цей список може бути чимось, що ви захочете знищити після того, як завершите планування безпеки. + +### Наскільки ймовірно, що мені доведеться це захищати? + +==Ризик — це ймовірність того, що певна загроза для певного активу дійсно відбудеться. Ризик йде пліч-о-пліч з можливостями. Хоча ваш мобільний оператор має доступ до всіх ваших даних, ризик того, що він розмістить ваші особисті дані в Інтернеті, щоб зашкодити вашій репутації, є низьким. + +Важливо розрізняти те, що може статися, і ймовірністю того, що це може статися. Наприклад, існує загроза, що ваш будинок може обвалитися, але ризик цього набагато вищий у Сан-Франциско (де землетруси є поширеним явищем), ніж у Стокгольмі (де вони не є поширеним явищем). + +Оцінка ризиків - це особистий і суб'єктивний процес. Багато людей вважають певні загрози неприйнятними, незалежно від того, наскільки ймовірною є їхня реалізація, оскільки сама по собі наявність загрози не варта витрат. В інших випадках люди ігнорують високі ризики, тому що не вважають загрозу проблемою. + +*Запишіть, які загрози ви збираєтеся сприймати серйозно, а які можуть бути занадто рідкісними або занадто нешкідливими (або занадто складними для боротьби з ними), щоб про них турбуватися.* + +### Наскільки поганими будуть наслідки, якщо я зазнаю невдачі? + +Існує багато способів, за допомогою яких противник може отримати доступ до ваших даних. Наприклад, зловмисник може прочитати ваші приватні повідомлення, коли вони проходять через мережу, або видалити чи пошкодити ваші дані. + +==Мотиви супротивників дуже різняться, так само як і їхня тактика. Уряд, який намагається запобігти поширенню відео, що демонструє насильство з боку поліції, може задовольнитися простим видаленням або обмеженням доступності цього відео. На противагу цьому, політичний опонент може захотіти отримати доступ до секретного контенту і опублікувати його без вашого відома. + +Планування безпеки передбачає розуміння того, наскільки серйозними можуть бути наслідки, якщо противник успішно отримає доступ до одного з ваших активів. Щоб визначити це, слід врахувати можливості вашого супротивника. Наприклад, ваш мобільний оператор має доступ до всіх ваших телефонних записів. Хакер у відкритій мережі Wi-Fi може отримати доступ до ваших незашифрованих повідомлень. Ваш уряд може мати сильніші можливості. + +*Запишіть, що ваш супротивник може захотіти зробити з вашими особистими даними.* + +### На які труднощі я готовий піти, щоб спробувати запобігти можливим наслідкам? + +==Ідеального варіанту безпеки не існує.== Не всі мають однакові пріоритети, занепокоєння чи доступ до ресурсів. Ваша оцінка ризиків дозволить вам спланувати правильну стратегію, збалансувавши зручність, вартість і конфіденційність. + +Наприклад, адвокат, який представляє клієнта у справі, що стосується національної безпеки, може бути готовий піти на більші заходи для захисту комунікації у цій справі, наприклад, використовувати зашифровану електронну пошту, ніж мати, яка регулярно надсилає своїй доньці кумедні відео з котиками. + +*Запишіть, які варіанти пом'якшення ваших унікальних загроз вам доступні. Зверніть увагу, чи є у вас будь-які фінансові, технічні або соціальні обмеження.* + +### Спробуйте самі: захистіть те, що вам належить + +Ці питання можуть стосуватися найрізноманітніших ситуацій, як онлайн, так і офлайн. Як загальну демонстрацію того, яким чином працюють ці питання, давайте розробимо план, як убезпечити ваш будинок і майно. + +**Що ви хочете захистити? (Або, *що у вас є такого, що варто захищати?*)** +: + +Ваші активи можуть включати коштовності, електроніку, важливі документи або фотографії. + +**Від кого ви хочете це захистити?** +: + +Вашими супротивниками можуть бути грабіжники, сусіди або гості. + +**Наскільки ймовірно, що вам доведеться це захищати?** +: + +Чи були у вашому районі випадки крадіжок? Наскільки надійні ваші сусіди або гості? Які можливості у ваших супротивників? Які ризики ви повинні враховувати? + +**Наскільки серйозними будуть наслідки, якщо ви зазнаєте невдачі?** +: + +Чи є у вас вдома щось, що ви не можете замінити? Чи є у вас час або гроші, щоб замінити ці речі? Чи є у вас страховка, яка покриває крадіжку речей з вашого будинку? + +**На які труднощі ви готові піти, щоб запобігти цим наслідкам?** +: + +Чи готові ви купити сейф для конфіденційних документів? Чи можете ви дозволити собі купити якісний замок? У вас є час, щоб відкрити сейф у місцевому банку і зберігати там свої цінності? + +Тільки після того, як ви поставите собі ці питання, ви зможете оцінити, яких заходів слід вжити. Якщо ваше майно цінне, але ймовірність злому низька, то, можливо, ви не захочете вкладати занадто багато грошей у замок. Але якщо ймовірність злому висока, ви захочете придбати найкращий замок на ринку і подумати про встановлення системи безпеки. + +Складання плану безпеки допоможе вам зрозуміти загрози, характерні саме для вас, оцінити ваші активи, ваших супротивників та їх можливості, а також ймовірність ризиків, з якими ви стикаєтеся. + +## Додаткові джерела + +Для людей, які хочуть підвищити рівень конфіденційності та безпеки в Інтернеті, ми склали список поширених загроз, з якими стикаються наші відвідувачі, або цілей, які переслідують наші відвідувачі, щоб дати вам натхнення і продемонструвати основу наших рекомендацій. + +- [Поширені цілі та загрози :material-arrow-right-drop-circle:](common-threats.md) + +## Джерела + +- [Самозахист від стеження EFF: Ваш план безпеки](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/uk/basics/vpn-overview.md b/i18n/uk/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/uk/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/uk/calendar.md b/i18n/uk/calendar.md new file mode 100644 index 00000000..93b2b93d --- /dev/null +++ b/i18n/uk/calendar.md @@ -0,0 +1,70 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Tutanota + +!!! рекомендації + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. Features include: automatic E2EE of all data, sharing features, import/export functionality, multi-factor authentication, and [more](https://tutanota.com/calendar-app-comparison/). + + Multiple calendars and extended sharing functionality is limited to paid subscribers. + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! рекомендації + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Features include: automatic E2EE of all data, sharing features, import/export functionality, and [more](https://proton.me/support/proton-calendar-guide). Those on the free tier get access to a single calendar, whereas paid subscribers can create up to 20 calendars. Extended sharing functionality is also limited to paid subscribers. + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/uk/cloud.md b/i18n/uk/cloud.md new file mode 100644 index 00000000..b4cbbca8 --- /dev/null +++ b/i18n/uk/cloud.md @@ -0,0 +1,99 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! рекомендації + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! рекомендації + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/uk/cryptocurrency.md b/i18n/uk/cryptocurrency.md new file mode 100644 index 00000000..9c7289a8 --- /dev/null +++ b/i18n/uk/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! рекомендації + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/uk/data-redaction.md b/i18n/uk/data-redaction.md new file mode 100644 index 00000000..9cb58e36 --- /dev/null +++ b/i18n/uk/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! рекомендації + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + On Linux, a third-party graphical tool [Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner) powered by MAT2 exists and is [available on Flathub](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner). + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! рекомендації + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. Namely: + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! рекомендації + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! рекомендації + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! warning + + You should **never** use blur to redact [text in images](https://bishopfox.com/blog/unredacter-tool-never-pixelation). If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! рекомендації + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/uk/desktop-browsers.md b/i18n/uk/desktop-browsers.md new file mode 100644 index 00000000..02b5e45a --- /dev/null +++ b/i18n/uk/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! рекомендації + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! рекомендації + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! рекомендації + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! рекомендації + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/uk/desktop.md b/i18n/uk/desktop.md new file mode 100644 index 00000000..591949fb --- /dev/null +++ b/i18n/uk/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! рекомендації + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! рекомендації + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! рекомендації + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! рекомендації + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! рекомендації + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! рекомендації + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! рекомендації + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! рекомендації + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes** це операційна система з відкритим кодом, розроблена для забезпечення надійної безпеки настільних комп'ютерів. Qubes базується на Xen, X Window System та Linux і може запускати більшість програм Linux та використовувати більшість драйверів Linux. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/uk/dns.md b/i18n/uk/dns.md new file mode 100644 index 00000000..7ddc3594 --- /dev/null +++ b/i18n/uk/dns.md @@ -0,0 +1,139 @@ +--- +title: "Розв'язувачі DNS" +icon: material/dns +description: Ось кілька провайдерів зашифрованих DNS, на яких ми рекомендуємо перейти, щоб замінити конфігурацію за замовчуванням вашого Інтернет-провайдера. +--- + +Зашифрований DNS на сторонніх серверах слід використовувати, щоб обійти базове [блокування за DNS](https://en.wikipedia.org/wiki/DNS_blocking) лише тоді, коли ви впевнені, що це не матиме жодних наслідків. Зашифрований DNS не допоможе вам приховати будь-яку вашу веб-активність. + +[Дізнайтеся більше про DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Рекомендовані DNS-провайдери + +| DNS-провайдер | Політика конфіденційності | Протоколи | Логування | ECS | Фільтрація | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | --------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Незашифрований текст
DoH/3
DoT
DNSCrypt | Деяке[^1] | Ні | Залежно від вибору сервера. Список використовуваних фільтрів можна знайти тут. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Незашифрований текст
DoH/3
DoT | Деяке[^2] | Ні | Залежно від вибору сервера. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Незашифрований текст
DoH/3
DoT
DoQ | Опціонально[^3] | Ні | Залежно від вибору сервера. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | Немає[^4] | Ні | Залежно від вибору сервера. Список використовуваних фільтрів можна знайти тут. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Незашифрований текст
DoH/3
DoT | Опціонально[^5] | Опціонально | Залежно від вибору сервера. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Незашифрований текст
DoH
DoT
DNSCrypt | Деяке[^6] | Опціонально | Залежно від вибору сервера, блокування шкідливих програм за замовчуванням. | + +## Критерії + +**Зверніть увагу, що ми не пов'язані з жодним з проектів, які ми рекомендуємо.** На додаток до [наших стандартних критеріїв](about/criteria.md), ми розробили чіткий набір вимог, які дозволяють нам надавати об'єктивні рекомендації. Ми пропонуємо вам ознайомитися з цим списком перед тим, як вибрати проект, і провести власне дослідження, щоб переконатися, що це правильний вибір для вас. + +!!! example "Цей розділ новий" + + Ми працюємо над встановленням чітких критеріїв для кожного розділу нашого сайту, і вони можуть бути змінені. Якщо у вас виникли запитання щодо наших критеріїв, будь ласка, [запитайте на нашому форумі] (https://discuss.privacyguides.net/latest) і не думайте, що ми не врахували щось, коли складали наші рекомендації, якщо це не вказано тут. Коли ми рекомендуємо проєкт, ми враховуємо та обговорюємо багато факторів, і документування кожного з них є постійним процесом. + +- Повинен підтримувати [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [Мінімізація QNAME](advanced/dns-overview.md#what-is-qname-minimization). +- Дозвіл відключити [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs). +- Віддавайте перевагу підтримці [anycast,](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) або підтримці геонавігації. + +## Нативна підтримка операційної системи + +### Android + +Android 9 і вище підтримує DNS через TLS. Налаштування можна знайти тут: **Налаштування** → **Мережа & Інтернет** → **Приватний DNS**. + +### Пристрої Apple + +Останні версії iOS, iPadOS, tvOS та macOS підтримують як DoT, так і DoH. Обидва протоколи підтримуються нативно через [профілі конфігурації](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) або через [API налаштувань DNS](https://developer.apple.com/documentation/networkextension/dns_settings). + +Після встановлення профілю конфігурації або програми, яка використовує API налаштувань DNS, можна вибрати конфігурацію DNS. Якщо VPN активна, при вирішенні в тунелі VPN будуть використовуватися налаштування DNS VPN, а не ваші загальносистемні налаштування. + +#### Підписані профілі + +Apple не надає власного інтерфейсу для створення зашифрованих профілів DNS. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) — неофіційний інструмент для створення власних зашифрованих DNS профілів, які, однак, не будуть підписані. Підписаним профілям надається перевага; підпис підтверджує походження профілю і допомагає забезпечити цілісність профілів. Підписаним профілям конфігурації присвоюється зелена мітка "Перевірено". Для отримання додаткової інформації про підписання коду див. [Про підписання коду](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Підписані профілі** пропонують [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io)та [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, за якою багато дистрибутивів Linux здійснюють вирішення своїх DNS-пошуків, поки що не [підтримують DoH](https://github.com/systemd/systemd/issues/8639). Якщо ви хочете використовувати DoH, вам потрібно встановити проксі на кшталт [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) і [налаштувати його] (https://wiki.archlinux.org/title/Dnscrypt-proxy), щоб він приймав усі DNS-запити від вашого системного розв'язувача і перенаправляв їх через HTTPS. + +## Зашифровані DNS-проксі + +Програмне забезпечення для проксі-серверів із зашифрованим DNS надає локальний проксі-сервер для перенаправлення на [незашифрованого DNS](advanced/dns-overview.md#unencrypted-dns). Зазвичай він використовується на платформах, які не підтримують [зашифрований DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! рекомендації + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** - клієнт для Android з відкритим вихідним кодом, що підтримує [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) і DNS Proxy, а також кешування DNS-відповідей, локальне ведення логів DNS-запитів і може використовуватися в якості фаєрвола. + + [:octicons-home-16: Домашня сторінка](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Вихідний код" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! рекомендації + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** - це DNS-проксі з підтримкою [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh) та [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "Функція анонімного DNS не [**не**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) анонімізує інший мережевий трафік." + + [:octicons-repo-16: Репозиторій](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Сприяти} + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Рішення для самостійного розміщення + +Самостійно розміщене рішення DNS корисно для забезпечення фільтрації на контрольованих платформах, таких як Smart TV та інші пристрої IoT, оскільки не потрібно клієнтське програмне забезпечення. + +### AdGuard Home + +!!! рекомендації + + ![Логотип AdGuard Home](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** - це програма з відкритим вихідним кодом [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole), яка використовує [DNS-фільтрацію](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) для блокування небажаного веб-вмісту, наприклад, реклами. + + AdGuard Home має відшліфований веб-інтерфейс для перегляду аналітики та керування заблокованим контентом. + + [:octicons-home-16: Домашня сторінка](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Вихідний код" } + +### Pi-hole + +!!! рекомендації + + ![Логотип Pi-hole](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** - це [DNS-sinkhole]з відкритим вихідним кодом (https://wikipedia.org/wiki/DNS_sinkhole), який використовує [DNS-фільтрацію](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) для блокування небажаного веб-контенту, наприклад, реклами. + + Pi-hole розроблений для розміщення на Raspberry Pi, але він не обмежується цим обладнанням. Програмне забезпечення має зручний веб-інтерфейс для перегляду аналітики та управління заблокованим контентом. + + [:octicons-home-16: Домашня сторінка](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Зробити внесок} + +[^1]: AdGuard зберігає агреговані показники продуктивності своїх DNS-серверів, а саме: кількість завершених запитів до певного сервера, кількість заблокованих запитів і швидкість обробки запитів. Вони також ведуть і зберігають базу даних доменів, до яких надходили запити протягом останніх 24 годин. "Нам потрібна ця інформація, щоб виявляти та блокувати нові трекери та загрози". "Ми також фіксуємо, скільки разів той чи інший трекер був заблокований. Нам потрібна ця інформація, щоб видалити застарілі правила з наших фільтрів". [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare збирає та зберігає лише обмежену кількість даних DNS-запитів, які надсилаються до вирішувача 1.1.1.1. Сервіс 1.1.1.1 не реєструє особисті дані, а основна частина обмежених неперсоніфікованих даних запитів зберігається лише протягом 25 годин. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D веде журнали лише для преміум-вирішувачів зі спеціальними профілями DNS. Безкоштовні розв'язувачі не логують дані. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: DNS-сервіс Mullvad доступний обом підписникам та не підписникам Mullvad VPN. У їхній політиці конфіденційності чітко зазначено, що вони не реєструють DNS-запити жодним чином. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS може надавати аналітику та функції логування за бажанням. Ви можете вибрати час та місце зберігання для будь-яких логів, які ви вирішите зберігати. Якщо це спеціально не запитується, дані не реєструються. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 збирає деякі дані з метою моніторингу загроз та реагування на них. Потім ці дані можуть бути змішані та поширені, наприклад, з метою дослідження безпеки. Quad9 не збирає і не записує IP-адреси або інші дані, які вони вважають особистими. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/uk/email-clients.md b/i18n/uk/email-clients.md new file mode 100644 index 00000000..108dbb64 --- /dev/null +++ b/i18n/uk/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! рекомендації + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! рекомендації + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! рекомендації + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! рекомендації + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! рекомендації + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! рекомендації + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! рекомендації + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! рекомендації + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! рекомендації + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/uk/email.md b/i18n/uk/email.md new file mode 100644 index 00000000..24415f24 --- /dev/null +++ b/i18n/uk/email.md @@ -0,0 +1,503 @@ +--- +title: "Сервіси електронної пошти" +icon: material/email +description: Ці провайдери електронної пошти пропонують чудове місце для безпечного зберігання ваших листів, а багато з них пропонують сумісне з іншими провайдерами шифрування OpenPGP. +--- + +Електронна пошта це практично необхідність для користування будь-яким онлайн-сервісом, проте ми не рекомендуємо використовувати її для особистих розмов. Замість того, щоб використовувати електронну пошту для зв'язку з іншими людьми, розгляньте можливість використання засобів обміну повідомленнями, які підтримують таємницю. + +[Рекомендовані месенджери](real-time-communication.md ""){.md-button} + +Для всього іншого ми рекомендуємо різноманітні поштові сервіси, що базуються на стійких бізнес-моделях і мають вбудовані функції безпеки та конфіденційності. + +- [OpenPGP-сумісні провайдери електронної пошти :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Інші провайдери електронної пошти з шифруванням :material-arrow-right-drop-circle:](#more-providers) +- [Послуги аліасингу електронної пошти :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Варіанти самостійного розміщення :material-arrow-right-drop-circle:](#self-hosting-email) + +## Сервіси, сумісні з OpenPGP + +Ці провайдери підтримують шифрування/дешифрування OpenPGP і стандарт Web Key Directory (WKD), що дозволяє використовувати електронні листи E2EE, незалежні від провайдера. Наприклад, користувач Proton Mail може надіслати повідомлення E2EE користувачеві Mailbox.org, або ви можете отримувати сповіщення, зашифровані за допомогою OpenPGP, від інтернет-сервісів, які його підтримують. + +
+ +- ![Логотип Proton Mail](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + При використанні технології E2EE, такої як OpenPGP, в електронному листі все одно залишаються деякі метадані, які не зашифровані в заголовку листа. Дізнайтеся більше про [метадані електронної пошти](basics/email-security.md#email-metadata-oview). + + OpenPGP також не підтримує пряму секретність, що означає, що якщо ваш або одержувача закритий ключ буде викрадено, всі попередні повідомлення, зашифровані за допомогою цього ключа, будуть відкриті. [Як захистити свої приватні ключі?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! рекомендації + + ![Логотип Proton Mail](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail — це поштовий сервіс з акцентом на конфіденційності, шифруванні, безпеці та простоті використання. Вони працюють з **2013 року**. Компанія Proton AG базується в Женеві, Швейцарія. Облікові записи починаються з 500 МБ пам'яті в безкоштовному тарифному плані. + + [:octicons-home-16: Домашня сторінка](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Вихідний код" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Безкоштовні акаунти мають деякі обмеження, такі як відсутність можливості пошуку в основному тексті та доступу до [Proton Mail Bridge](https://proton.me/mail/bridge), який необхідний для використання [рекомендованого десктопного поштового клієнта](email-clients.md) (наприклад, Thunderbird). Платні акаунти включають такі функції, як Proton Mail Bridge, додаткове сховище та підтримку власних доменів. [Атестаційний лист](https://proton.me/blog/security-audit-all-proton-apps) для додатків Proton Mail було надано 9 листопада 2021 року компанією [Securitum](https://research.securitum.com). + +Якщо ви маєте тарифний план Proton Unlimited, Business або Visionary, ви також отримуєте [SimpleLogin](#simplelogin) Premium безкоштовно. + +Proton Mail має внутрішні звіти про збої, які **не** передаються третім особам. Цю функцію можна вимкнути: **Налаштування** > **Перейти до налаштувань** > **Обліковий запис** > **Безпека та конфіденційність** > **Надсилати звіти про збої**. + +#### :material-check:{ .pg-green } Користувацькі домени та аліаси + +Абоненти оплачуваних планів Proton Mail можуть використовувати власний домен з сервісом або [всеохоплюючу](https://proton.me/support/catch-all) адресу. Proton Mail також підтримує [субадресацію](https://proton.me/support/creating-aliases), що корисно для людей, які не хочуть купувати домен. + +#### :material-check:{ .pg-green } Конфіденційні способи оплати + +Proton Mail [приймає](https://proton.me/support/payment-options) готівку поштою на додаток до стандартних кредитних/дебетових карток, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) та платежі через PayPal. + +#### :material-check:{ .pg-green } Безпека облікового запису + +Proton Mail підтримує [двофакторну автентифікацію за допомогою TOTP](https://proton.me/support/two-factor-authentication-2fa) та [апаратні ключі безпеки](https://proton.me/support/2fa-security-key) за стандартами FIDO2 або U2F. Використання апаратного ключа безпеки вимагає попереднього налаштування двофакторної автентифікації за допомогою TOTP. + +#### :material-check:{ .pg-green } Безпека даних + +Proton Mail має [шифрування з нульовим доступом](https://proton.me/blog/zero-access-encryption) у стані спокою для ваших електронних листів та [календарів](https://proton.me/news/protoncalendar-security-model). Дані, захищені шифруванням з нульовим доступом, доступні лише вам. + +Певна інформація, що зберігається в [Proton Contacts](https://proton.me/support/proton-contacts), наприклад, імена користувачів та адреси електронної пошти, не захищена шифруванням з нульовим доступом. Поля контактів, які підтримують шифрування з нульовим доступом, наприклад, номери телефонів, позначені значком замка. + +#### :material-check:{ .pg-green } Шифрування електронної пошти + +Proton Mail має [інтегроване OpenPGP шифрування](https://proton.me/support/how-to-use-pgp) у своїй електронній пошті. Електронні листи на інші акаунти Proton Mail шифруються автоматично, а шифрування на адреси, що не належать до Proton Mail, за допомогою ключа OpenPGP можна легко ввімкнути в налаштуваннях вашого акаунта. Вони також дозволяють вам [шифрувати повідомлення на адреси, що не належать до Proton Mail](https://proton.me/support/password-protected-emails), без необхідності створювати обліковий запис Proton Mail або використовувати програмне забезпечення на кшталт OpenPGP. + +Proton Mail також підтримує виявлення відкритих ключів через HTTP за допомогою їхнього [каталогу веб-ключів (WKD)](https://wiki.gnupg.org/WKD). Це дозволяє людям, які не користуються Proton Mail, легко знайти OpenPGP ключі акаунтів Proton Mail для незалежного від провайдерів E2EE. + + +#### :material-information-outline:{ .pg-blue } Деактивація облікового запису + +Якщо у вас платний акаунт і ваш рахунок [не сплачений](https://proton.me/support/delinquency) протягом 14 днів, ви не зможете отримати доступ до своїх даних. Через 30 днів ваш акаунт стане простроченим і не буде отримувати вхідну пошту. Протягом цього періоду ви продовжуватимете отримувати рахунки. + +#### :material-information-outline:{ .pg-blue } Додаткова функціональність + +Proton Mail пропонує "Безлімітний" акаунт за €9,99/місяць, який також надає доступ до Proton VPN на додаток до декількох облікових записів, доменів, псевдонімів та 500 ГБ сховища. + +Proton Mail не пропонує функцію цифрової спадщини. + +### Mailbox.org + +!!! рекомендації + + ![Логотип Mailbox.org](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** — це поштовий сервіс, який прагне бути безпечним, не містить реклами та працює на 100% екологічно чистій енергії. Вони працюють з 2014 року. Mailbox.org базується в Берліні, Німеччина. Облікові записи починаються з 2 ГБ сховища, яке можна збільшити за потреби. + + [:octicons-home-16: Домашня сторінка](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Документація} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Користувацькі домени та аліаси + +Mailbox.org дозволяє вам використовувати власний домен і підтримує [всеохоплюючі адреси](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain). Mailbox.org також підтримує [субадресацію](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), що корисно, якщо ви не хочете купувати домен. + +#### :material-check:{ .pg-green } Конфіденційні способи оплати + +Mailbox.org не приймає жодних криптовалют, оскільки їхній платіжний процесор BitPay призупинив роботу в Німеччині. Однак вони приймають готівку поштою, готівку на банківський рахунок, банківські перекази, кредитні картки, PayPal і кілька німецьких платіжних систем: paydirekt і Sofortüberweisung. + +#### :material-check:{ .pg-green } Безпека облікового запису + +Mailbox.org підтримує [двофакторну аутентифікацію](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) лише для їхньої електронної пошти. Ви можете використовувати TOTP або [Yubikey](https://en.wikipedia.org/wiki/YubiKey) через [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Веб-стандарти, такі як [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) на цей момент не підтримуються. + +#### :material-information-outline:{ .pg-blue } Безпека даних + +Mailbox.org дозволяє шифрувати вхідну пошту за допомогою їхньої [зашифрованої поштової скриньки](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). Нові повідомлення, які ви отримуєте, будуть негайно зашифровані вашим публічним ключем. + +Однак, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), програмна платформа, що використовується Mailbox.org, [не підтримує](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) шифрування вашої адресної книги та календаря. Для цієї інформації може бути більш доречною [окрема опція](calendar.md). + +#### :material-check:{ .pg-green } Шифрування електронної пошти + +Mailbox.org має [інтегроване шифрування](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) у свою електронну пошту, що спрощує надсилання повідомлень людям з публічними ключами OpenPGP. Вони також дозволяють віддаленим одержувачам [розшифровувати електронні листи](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) на серверах Mailbox.org. Ця функція корисна, коли віддалений одержувач не має OpenPGP і не може розшифрувати копію листа у власній поштовій скриньці. + +Mailbox.org також підтримує виявлення публічних ключів через HTTP з їхнього [каталогу веб-ключів (WKD)](https://wiki.gnupg.org/WKD). Це дозволяє людям за межами Mailbox.org легко знаходити ключі OpenPGP акаунтів Mailbox.org для незалежного від провайдерів E2EE. + +#### :material-information-outline:{ .pg-blue } Деактивація облікового запису + +Після закінчення контракту ваш обліковий запис буде переведено в режим обмеженого користування, а через [30 днів він буде безповоротно видалений](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Додаткова функціональність + +Ви можете отримати доступ до свого облікового запису Mailbox.org через IMAP/SMTP за допомогою їхнього сервісу [.onion](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). Однак їхній інтерфейс електронної пошти не може бути доступний через сервіс .onion, і у вас можуть виникати помилки TLS сертифіката. + +Усі акаунти постачаються з обмеженим хмарним сховищем, яке [можна зашифрувати](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org також пропонує аліас [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), який забезпечує TLS шифрування на з'єднанні між поштовими серверами, інакше повідомлення не буде надіслано взагалі. Mailbox.org також підтримує [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) на додаток до стандартних протоколів доступу, таких як IMAP і POP3. + +Mailbox.org має функцію цифрової спадщини для всіх тарифних планів. Ви можете вибрати, чи хочете ви, щоб будь-які ваші дані були передані спадкоємцям, за умови, що вони подадуть заяву та нададуть ваш заповіт. Крім того, ви можете номінувати людину за ім'ям та адресою. + +## Більше провайдерів + +Ці провайдери зберігають ваші електронні листи за допомогою шифрування з нульовим рівнем доступу, що робить їх чудовими варіантами для захисту ваших збережених електронних листів. Однак вони не підтримують сумісні стандарти шифрування для E2EE-зв'язку між провайдерами. + +
+ +- ![Логотип StartMail](assets/img/email/startmail.svg#only-light){ .twemoji }![Логотип StartMail](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Логотип Tutanota](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! рекомендації + + ![Логотип StartMail](assets/img/email/startmail.svg#only-light){ align=right } + ![Логотип StartMail](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + * * StartMail* * — це служба електронної пошти з акцентом на безпеку та конфіденційність за допомогою використання стандартного шифрування OpenPGP. StartMail працює з 2014 року і базується на бульварі 11, Зейст, Нідерланди. Облікові записи починаються з 10 ГБ. Вони пропонують 30-денну пробну версію. + + [:octicons-home-16: Домашня сторінка](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Політика конфіденційності"} + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Документація} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Користувацькі домени та аліаси + +Особисті облікові записи можуть використовувати [довільні або швидкі](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) аліаси. [Користувацькі домени](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) також доступні. + +#### :material-alert-outline:{ .pg-orange } Конфіденційні способи оплати + +StartMail приймає Visa, MasterCard, American Express та Paypal. StartMail також має інші [варіанти оплати](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods), такі як [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (в даний час тільки для особистих рахунків) і прямий дебет SEPA для рахунків старше року. + +#### :material-check:{ .pg-green } Безпека облікового запису + +StartMail підтримує двофакторну автентифікацію за допомогою TOTP [тільки для електронної пошти](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). Вони не дозволяють автентифікацію за допомогою ключа безпеки U2F. + +#### :material-information-outline:{ .pg-blue } Безпека даних + +StartMail має [шифрування з нульовим доступом у стані спокою](https://www.startmail.com/en/whitepaper/#_Toc458527835), використовуючи свою систему "користувацького сховища". Коли ви входите в систему, сховище відкривається, і електронна пошта переміщується до сховища з черги, де вона розшифровується відповідним приватним ключем. + +StartMail підтримує імпорт [контактів](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts), однак вони доступні лише в електронній пошті, а не через такі протоколи, як [CalDAV](https://uk.wikipedia.org/wiki/CalDAV). Контакти також не зберігаються за допомогою шифрування з нульовим рівнем знань. + +#### :material-check:{ .pg-green } Шифрування електронної пошти + +StartMail має [інтегроване шифрування](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) у свою електронну пошту, що спрощує надсилання зашифрованих повідомлень за допомогою публічних ключів OpenPGP. Однак вони не підтримують стандарт Web Key Directory, що ускладнює виявлення публічного ключа поштової скриньки Startmail для інших поштових провайдерів або клієнтів. + +#### :material-information-outline:{ .pg-blue } Деактивація облікового запису + +Після закінчення терміну дії акаунта StartMail видалить ваш обліковий запис назавжди через [6 місяців у 3 етапи](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Додаткова функціональність + +StartMail дозволяє створювати додатки з зображеннями в електронних листах. Якщо ви дозволите завантажити віддалене зображення, відправник не дізнається вашу IP-адресу. + +StartMail не пропонує функцію цифрової спадщини. + +### Tutanota + +!!! рекомендації + + ![Логотип Tutanota](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** — це поштовий сервіс з акцентом на безпеку та конфіденційність завдяки використанню шифрування. Tutanota працює з **2011 року** і базується в Ганновері, Німеччина. Облікові записи починаються з 1 ГБ пам'яті в безкоштовному тарифному плані. + + [:octicons-home-16: Домашня сторінка](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Зробити внесок} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota не підтримує [протокол IMAP](https://tutanota.com/faq/#imap) або використання сторонніх [поштових клієнтів](email-clients.md), також ви не зможете додати [зовнішні поштові скриньки](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) до додатку Tutanota. Наразі не підтримується ні [імпорт електронної пошти](https://github.com/tutao/tutanota/issues/630), ні [підпапки](https://github.com/tutao/tutanota/issues/927), хоча це [має бути змінено](https://tutanota.com/blog/posts/kickoff-import). Листи можна експортувати [окремо або шляхом масового вибору](https://tutanota.com/howto#generalMail) за папкою, що може бути незручно, якщо у вас багато папок. + +#### :material-check:{ .pg-green } Користувацькі домени та аліаси + +Платні акаунти Tutanota можуть використовувати до 5 [аліасів](https://tutanota.com/faq#alias) та [користувацьких доменів](https://tutanota.com/faq#custom-domain). Tutanota не дозволяє [субадресацію (плюс адреси)](https://tutanota.com/faq#plus), але ви можете використовувати [всеохоплюючі адреси](https://tutanota.com/howto#settings-global) з власним доменом. + +#### :material-information-outline:{ .pg-blue } Конфіденційні способи оплати + +Tutanota безпосередньо приймає лише кредитні картки та PayPal, однак [криптовалюту](cryptocurrency.md) можна використовувати для придбання подарункових карток через їхнє [партнерство](https://tutanota.com/faq/#cryptocurrency) з Proxystore. + +#### :material-check:{ .pg-green } Безпека облікового запису + +Tutanota підтримує [двофакторну автентифікацію](https://tutanota.com/faq#2fa) за допомогою TOTP або U2F. + +#### :material-check:{ .pg-green } Безпека даних + +Tutanota має [шифрування з нульовим доступом у стані спокою](https://tutanota.com/faq#what-encrypted) для ваших електронних листів, [контактів адресної книги](https://tutanota.com/faq#encrypted-address-book) та [календарів](https://tutanota.com/faq#calendar). Це означає, що повідомлення та інші дані, які зберігаються у вашому акаунті, можете читати тільки ви. + +#### :material-information-outline:{ .pg-blue } Шифрування електронної пошти + +Tutanota [не використовує OpenPGP](https://www.tutanota.com/faq/#pgp). Облікові записи Tutanota можуть отримувати зашифровані листи з облікових записів електронної пошти не Tutanota, тільки якщо вони будуть надіслані через [тимчасову поштову скриньку Tutanota](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Деактивація облікового запису + +Tutanota [видалятиме неактивні безкоштовні акаунти](https://tutanota.com/faq#inactive-accounts) через шість місяців. Ви можете повторно використовувати деактивований безкоштовний акаунт, якщо заплатите. + +#### :material-information-outline:{ .pg-blue } Додаткова функціональність + +Tutanota пропонує бізнес-версію [Tutanota для неприбуткових організацій](https://tutanota.com/blog/posts/secure-email-for-non-profit) безкоштовно або зі значною знижкою. + +Tutanota також має бізнес-функцію під назвою [Secure Connect](https://tutanota.com/secure-connect/). Це забезпечує контакт клієнта з бізнесом, який використовує E2EE. Ця функція коштує 240 євро на рік. + +Tutanota не пропонує функцію цифрової спадщини. + +## Служби аліасингу електронної пошти + +Сервіс аліасів електронної пошти дозволяє вам легко генерувати нову адресу електронної пошти для кожного веб-сайту, на якому ви реєструєтесь. Створені вами аліаси пересилають всю пошту на обрану вами адресу електронної пошти, приховуючи як вашу "основну" електронну адресу, так і особу вашого провайдера електронної пошти. Справжній аліасінг електронної пошти краще, ніж адресація з плюсом, яка широко використовується і підтримується багатьма провайдерами, що дозволяє створювати псевдоніми на кшталт ваше ім'я +[щозавгодно]@example.com, оскільки веб-сайти, рекламодавці та мережі відстеження можуть банально видалити все, що стоїть після знака +, щоб дізнатися вашу справжню електронну адресу. + +
+ +- ![логотип AnonAddy](assets/img/email/anonaddy.svg#only-light){ .twemoji }![логотип AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![логотип SimpleLogin](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Псевдонімізація електронної пошти може слугувати захистом на випадок, якщо ваш поштовий провайдер припинить роботу. У цьому випадку ви можете легко перенаправити свої аліаси на нову адресу електронної пошти. Своєю чергою, однак, ви довіряєте службі аліасингу, в подальшому функціонуванні. + +Використання спеціального сервісу аліасингу електронної пошти також має низку переваг у порівнянні з універсальним псевдонімом у власному домені: + +- Псевдоніми можна вмикати та вимикати індивідуально, коли вам це потрібно, щоб веб-сайти не надсилали вам випадкових листів. +- Відповіді надсилаються з псевдо-адреси, яка приховує вашу справжню електронну адресу. + +Вони також мають низку переваг над "тимчасовими поштовими сервісами": + +- Аліаси є постійними і можуть бути ввімкнені знову, якщо вам потрібно отримати щось на кшталт скидання пароля. +- Імейли надсилаються на вашу довірену поштову скриньку, а не зберігаються у провайдера псевдонімів. +- Тимчасові поштові служби зазвичай мають загальнодоступні поштові скриньки, до яких може отримати доступ будь-хто, хто знає адресу, а аліаси є приватними для вас. + +Ми рекомендуємо провайдерів, які дозволяють створювати аліаси на доменах, які вони контролюють, а також на власних доменах за помірну щорічну плату. Вони також можуть бути розміщені самостійно, якщо ви хочете отримати максимальний контроль. Однак використання власного домену може мати недоліки, пов'язані з конфіденційністю: Якщо ви єдина людина, яка використовує власний домен, ваші дії можна легко відстежити на різних веб-сайтах, просто подивившись на доменне ім'я в адресі електронної пошти та ігноруючи все, що стоїть перед знаком at (@). + +Використання сервісу псевдонімів вимагає довіри до ваших незашифрованих повідомлень як з боку вашого провайдера електронної пошти, так і з боку провайдера аліасів. Деякі провайдери дещо пом'якшують цю проблему за допомогою автоматичного PGP шифрування, яке зменшує кількість сторін, яким ви повинні довіряти, з двох до однієї, шифруючи вхідні електронні листи до того, як вони будуть доставлені до вашого кінцевого провайдера поштової скриньки. + +### AnonAddy + +!!! рекомендації + + ![Логотип AnonAddy](assets/img/email/anonaddy.svg#only-light){ align=right } + ![Логотип AnonAddy](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + * * AnonAddy * * дозволяє безкоштовно створити 20 аліасів на спільному домені або необмежену кількість "стандартних" аліасів, які є менш анонімними. + + [:octicons-home-16: Домашня сторінка](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Зробити внесок} + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +Кількість спільних псевдонімів (які закінчуються на спільний домен, наприклад @anonaddy.me), які ви можете створити, обмежена 20 на безкоштовному плані AnonAddy і 50 на плані за $12/рік. Ви можете створювати необмежену кількість стандартних псевдонімів (які закінчуються на @[username].anonaddy.com або на власний домен у платних планах), однак, як уже згадувалося, це може зашкодити конфіденційності, оскільки люди можуть банально пов'язати ваші стандартні псевдоніми між собою на основі лише доменного імені. Необмежена кількість спільних псевдонімів доступна за $36 на рік. + +Особливі безкоштовні можливості: + +- [x] 20 спільних псевдонімів +- [x] Необмежена кількість стандартних псевдонімів +- [ ] Немає вихідних відповідей +- [x] 2 Поштові скриньки одержувачів +- [x] Автоматичне шифрування PGP + +### SimpleLogin + +!!! рекомендації + + ![Логотип Simplelogin](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin — це безкоштовний сервіс, який надає аліаси для електронної пошти на низці загальних доменних імен, а також опціонально надає платні функції, такі як необмежена кількість псевдонімів та власні домени. + + [:octicons-home-16: Домашня сторінка](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Вихідний код" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin був [придбаний компанією Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) 8 квітня 2022 року. Якщо ви використовуєте Proton Mail як основну поштову скриньку, SimpleLogin — чудовий вибір. Оскільки обидва продукти тепер належать одній компанії, вам достатньо довіряти лише одному суб'єкту. Ми також очікуємо, що в майбутньому SimpleLogin буде більш тісно інтегрований з пропозиціями Proton. SimpleLogin продовжує підтримувати переадресацію до будь-якого провайдера електронної пошти на ваш вибір. Securitum [провела аудит](https://simplelogin.io/blog/security-audit/) SimpleLogin на початку 2022 року, і всі проблеми [були вирішені](https://simplelogin.io/audit2022/web.pdf). + +Ви можете прив'язати свій обліковий запис SimpleLogin до свого облікового запису Proton в налаштуваннях. Якщо ви маєте тарифний план Proton Unlimited, Business або Visionary, ви отримаєте SimpleLogin Premium безкоштовно. + +Особливі безкоштовні можливості: + +- [x] 10 спільних псевдонімів +- [x] Необмежена кількість відповідей +- [x] 1 Поштова скринька одержувача + +## Самостійний хостинг електронної пошти + +Досвідчені системні адміністратори можуть розглянути можливість створення власного поштового сервера. Поштові сервери потребують уваги та постійного обслуговування, щоб забезпечити безпеку та надійність доставки пошти. + +### Комбіновані програмні рішення + +!!! рекомендації + + ![Логотип Mailcow](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** — це більш просунутий поштовий сервер, який ідеально підходить для тих, хто має трохи більше досвіду роботи з Linux. У ньому є все необхідне в Docker-контейнері: Поштовий сервер з підтримкою DKIM, антивірус та спам-моніторинг, електронна пошта та ActiveSync з SOGo, а також веб-адміністрування з підтримкою 2FA. + + [:octicons-home-16: Домашня сторінка](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Зробити внесок} + +!!! рекомендації + + ![Логотип Mail-in-a-Box](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** — це автоматизований скрипт для розгортання поштового сервера на Ubuntu. Його мета — полегшити людям створення власного поштового сервера. + + [:octicons-home-16: Домашня сторінка](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Документація} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Вихідний код" } + +Для більш ручного підходу ми вибрали ці дві статті: + +- [Налаштування поштового сервера з OpenSMTPD, Dovecot та Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [Як запустити власний поштовий сервер](https://www.c0ffee.net/blog/mail-server-guide/) (серпень 2017) + +## Критерії + +**Будь ласка, зверніть увагу, що ми не пов'язані з жодним із рекомендованих нами провайдерів.** На додаток до [наших стандартних критеріїв](about/criteria.md), ми розробили чіткий набір вимог до будь-якого постачальника послуг електронної пошти, який бажає бути рекомендованим, включаючи впровадження найкращих галузевих практик, сучасних технологій тощо. Ми радимо вам ознайомитися з цим списком перед тим, як обирати постачальника послуг електронної пошти, а також провести власне дослідження, щоб переконатися, що обраний вами провайдер є правильним вибором для вас. + +### Технологія + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/uk/encryption.md b/i18n/uk/encryption.md new file mode 100644 index 00000000..ad322182 --- /dev/null +++ b/i18n/uk/encryption.md @@ -0,0 +1,356 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! рекомендації + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! рекомендації + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features. + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! рекомендації + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! рекомендації + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! рекомендації + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! рекомендації + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! рекомендації + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! рекомендації + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! рекомендації + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! рекомендації + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! рекомендації + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! рекомендації + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! рекомендації + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/uk/file-sharing.md b/i18n/uk/file-sharing.md new file mode 100644 index 00000000..d19f5379 --- /dev/null +++ b/i18n/uk/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! рекомендації + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! рекомендації + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! рекомендації + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! рекомендації + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! рекомендації + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/uk/financial-services.md b/i18n/uk/financial-services.md new file mode 100644 index 00000000..07a6787d --- /dev/null +++ b/i18n/uk/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! рекомендації + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! рекомендації + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! рекомендації + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! рекомендації + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/uk/frontends.md b/i18n/uk/frontends.md new file mode 100644 index 00000000..d071e178 --- /dev/null +++ b/i18n/uk/frontends.md @@ -0,0 +1,267 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! рекомендації + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! рекомендації + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! рекомендації + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! рекомендації + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! рекомендації + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! рекомендації + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! рекомендації + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! рекомендації + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/uk/index.md b/i18n/uk/index.md new file mode 100644 index 00000000..2aadd801 --- /dev/null +++ b/i18n/uk/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.uk.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Чому це має мене хвилювати? + +##### "Мені нічого приховувати. Чому я повинен піклуватися про свою приватність?" + +Подібно до права на міжрасовий шлюб, виборчого права жінок, свободи слова та багатьох інших, наше право на конфіденційність не завжди дотримувалося. У деяких диктаторських режимах це досі не відбувається. Покоління до нас боролися за наше право на приватність. ==Конфіденційність - це право людини, притаманне всім нам,== на яке ми маємо право (без виключення). + +Не варто плутати конфіденційність із таємністю. Ми знаємо, що відбувається у ванній, але ви все одно зачиняєте двері. Це тому, що ви хочете конфіденційності, а не таємності. **Кожному** є що захищати. Конфіденційність - це щось, що робить нас людьми. + +[:material-target-account: Поширені Інтернет-загрози](basics/common-threats.md ""){.md-button.md-button--primary} + +## Що мені робити? + +##### Спочатку, вам потрібно скласти план + +Намагатися постійно захищати всі свої дані від усіх - непрактично, дорого і виснажливо. Але не хвилюйтеся! Безпека - це процес, і, думаючи наперед, ви можете скласти план, який підходить саме вам. Безпека - це не лише інструменти, які ви використовуєте, або програмне забезпечення, яке ви завантажуєте. Скоріше, вона починається з розуміння унікальних загроз, з якими ви стикаєтеся, і того, як ви можете їх пом'якшити. + +==Цей процес виявлення загроз та визначення контрзаходів називається **моделюванням загроз**==, та він є основою кожного хорошого плану безпеки та конфіденційності. + +[:material-book-outline: Дізнайтеся більше про моделювання загроз](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## Ви нам потрібні! Ось як можна долучитися: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Приєднуйтесь до нашого форуму" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Слідкуйте за нами на Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Зробити внесок у цей сайт" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Допомогти з перекладом цього сайту" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Поспілкуйтеся з нами на Matrix" } +[:material-information-outline:](about/index.md){ title="Дізнатися більше про нас" } +[:material-hand-coin-outline:](about/donate.md){ title="Підтримати проект" } + +Для таких сайтів, як Privacy Guides, важливо завжди залишатися актуальними. Ми хочемо, щоб наша аудиторія стежила за оновленнями програмного забезпечення для додатків, перелічених на нашому сайті, а також за останніми новинами про провайдерів, яких ми рекомендуємо. Важко встигати за швидким темпом інтернету, але ми намагаємося з усіх сил. Якщо ви помітили помилку, вважаєте, що провайдер не повинен бути в списку, помітили відсутність кваліфікованого провайдера, вважаєте, що плагін для браузера більше не є найкращим вибором, або виявили будь-яку іншу проблему, будь ласка, повідомте нам про це. diff --git a/i18n/uk/kb-archive.md b/i18n/uk/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/uk/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/uk/meta/brand.md b/i18n/uk/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/uk/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/uk/meta/git-recommendations.md b/i18n/uk/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/uk/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/uk/meta/uploading-images.md b/i18n/uk/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/uk/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/uk/meta/writing-style.md b/i18n/uk/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/uk/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/uk/mobile-browsers.md b/i18n/uk/mobile-browsers.md new file mode 100644 index 00000000..8ff0e992 --- /dev/null +++ b/i18n/uk/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! рекомендації + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! рекомендації + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! рекомендації + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/uk/multi-factor-authentication.md b/i18n/uk/multi-factor-authentication.md new file mode 100644 index 00000000..84955985 --- /dev/null +++ b/i18n/uk/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! рекомендації + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! рекомендації + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! рекомендації + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! рекомендації + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/uk/news-aggregators.md b/i18n/uk/news-aggregators.md new file mode 100644 index 00000000..fcb6cd9e --- /dev/null +++ b/i18n/uk/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! рекомендації + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! рекомендації + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! рекомендації + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! рекомендації + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! рекомендації + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! рекомендації + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! рекомендації + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/uk/notebooks.md b/i18n/uk/notebooks.md new file mode 100644 index 00000000..f5afad19 --- /dev/null +++ b/i18n/uk/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! рекомендації + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! рекомендації + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! рекомендації + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! рекомендації + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/uk/os/android-overview.md b/i18n/uk/os/android-overview.md new file mode 100644 index 00000000..f96281e1 --- /dev/null +++ b/i18n/uk/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Огляд Android +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android - це безпечна операційна система, яка має надійну [пісочницю для додатків](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), та систему управління [дозволами](https://developer.android.com/guide/topics/permissions/overview). + +## Вибір прошивки Android + +Коли ви купуєте телефон Android, операційна система пристрою за замовчуванням часто постачається з інвазивною інтеграцією з додатками та службами, які не є частиною [Android Open Source Project](https://source.android.com/). Прикладом цього є служби Google Play, які мають безповоротні привілеї для доступу до ваших файлів, зберігання контактів, журналів дзвінків, SMS-повідомлень, місцезнаходження, камери, мікрофона, ідентифікаторів обладнання тощо. Ці програми та сервіси збільшують вразливість вашого пристрою до атак і є джерелом різних проблем з конфіденційністю в Android. + +Ця проблема може бути вирішена за допомогою користувацької прошивки Android, яка не постачається з такою інвазивною інтеграцією. На жаль, багато користувацьких прошивок Android часто порушують модель безпеки Android, не підтримуючи критичні функції безпеки, такі як AVB, захист від відкату, оновлення мікропрограми тощо. Деякі дистрибутиви також постачають збірки [`налагодження`](https://source.android.com/setup/build/building#choose-a-target), які надають доступ root через [ADB](https://developer.android.com/studio/command-line/adb) та потребують [більш дозвільних](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) політик SELinux для функцій налагодження, в результаті чого це призводить до збільшення поверхні атаки та ослаблення моделі безпеки. + +В ідеалі, вибираючи користувальницький дистрибутив Android, ви повинні переконатися, що він підтримує модель безпеки Android. Принаймні, дистрибутив повинен мати виробничі збірки, підтримку AVB, захист від відкату, своєчасне оновлення прошивки та операційної системи, а також SELinux в [примусовому режимі (enforcing mode)](https://source.android.com/security/selinux/concepts#enforcement_levels). Всі наші рекомендовані прошивки Android відповідають цим критеріям. + +[Наші рекомендації для системи Android :material-arrow-right:](../android.md ""){.md-button} + +## Уникайте рутування + +[Рутування](https://en.wikipedia.org/wiki/Rooting_(Android)) Android пристроїв може значно знизити безпеку, оскільки це послаблює повну [модель безпеки Android](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). Це може знизити конфіденційність у разі використання експлойта, якому сприяє зниження безпеки. Поширені методи отримання root-прав передбачають втручання в розділ boot, що унеможливлює успішне виконання Verified Boot. Додатки, які потребують root-права, також змінюють системний розділ, що означає, що Verified Boot повинен залишатись вимкненим. Наявність root-доступу безпосередньо в інтерфейсі користувача також збільшує [поверхню атаки](https://en.wikipedia.org/wiki/Attack_surface) вашого пристрою і може сприяти [підвищенню привілеїв](https://en.wikipedia.org/wiki/Privilege_escalation), вразливостей та обходу політики SELinux. + +Блокувальники реклами, які змінюють [файл hosts](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) та фаєрволи (AFWall+), які потребують постійного доступу root є небезпечними та не повинні використовуватися. Вони також не є правильним способом вирішення своїх цілей. Для блокування реклами замість цих рішень ми пропонуємо зашифровані [DNS](../dns.md) або [VPN](../vpn.md) з функцією блокування. RethinkDNS, TrackerControl та AdAway в режимі без root-прав займуть слот VPN (використовуючи локальний цикл VPN), що не дозволить вам використовувати сервіси які підвищують конфіденційність, такі як Orbot або справжній VPN-сервер. + +AFWall+ використовує підхід на основі [пакетної фільтрації](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter), та його можна обійти в деяких ситуаціях. + +Ми не вважаємо, що жертви безпеки, які приносить рутування телефону, варті сумнівних переваг конфіденційності цих програм. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot)> є важливою частиною моделі безпеки Android. Він забезпечує захист від атак [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack), стійкість до шкідливого програмного забезпечення, та гарантує що оновлення безпеки не можуть бути знижені за допомогою [захисту від відкату](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 і вище перейшли від повного шифрування диска до більш гнучкішого [шифрування на основі файлів](https://source.android.com/security/encryption/file-based). Ваші дані шифруються за допомогою унікальних ключів шифрування, а файли операційної системи залишаються незашифрованими. + +Verified Boot забезпечує цілісність файлів операційної системи, тим самим запобігаючи зловмиснику з фізичним доступом втручатися або встановлювати шкідливе програмне забезпечення на пристрій. У малоймовірному випадку, коли шкідливе програмне забезпечення може експлуатувати інші частини системи та отримувати вищий привілейований доступ, Verified Boot запобігатиме та повертатиме зміни до системного розділу після перезавантаження пристрою. + +На жаль, OEM-виробники зобов'язані підтримувати Verified Boot лише на своїй заводській прошивці Android. Лише кілька OEM-виробників, таких як Google, підтримують користувацьку реєстрацію ключів AVB на своїх пристроях. Крім цього, деякі похідні AOSP, такі як LineageOS або /e/ OS, не підтримують Verified Boot навіть на обладнанні з підтримкою Verified Boot для сторонніх операційних систем. Ми рекомендуємо вам перевірити наявність підтримки **перед** придбанням нового пристрою. Похідні AOSP, які не підтримують Verified Boot **не рекомендуються**. + +Оновлення мікропрограми є критично важливими для підтримки безпеки, і без них ваш пристрій не може бути захищеним. OEM-виробники мають угоди про підтримку зі своїми партнерами щодо надання компонентів із закритим вихідним кодом протягом обмеженого періоду. Вони детально описані в щомісячному [бюлетені безпеки Android](https://source.android.com/security/bulletin). + +## Оновлення мікропрограми + +Оскільки такі компоненти телефону, як процесор та радіотехнології, покладаються на компоненти із закритим вихідним кодом, оновлення повинні надаватися відповідними виробниками. Тому важливо, щоб ви придбали пристрій в рамках активного циклу підтримки. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) та [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) підтримують свої пристрої протягом 4 років, тоді як дешевші продукти часто мають коротші цикли підтримки. + +Пристрої EOL, які більше не підтримуються виробником SoC, не можуть отримувати оновлення мікропрограми від OEM-виробників або сторонніх дистриб'юторів Android. Це означає, що проблеми безпеки на цих пристроях залишаться не усуненими. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +Важливо не використовувати версії Android з [вичерпаним терміном служби](https://endoflife.date/android). Новіші версії Android не тільки отримують оновлення безпеки для операційної системи, але й важливі оновлення, що покращують конфіденційність. + +[Дозволи на Android](https://developer.android.com/guide/topics/permissions/overview) надають вам контроль над доступом програм. Google регулярно вносить [покращення](https://developer.android.com/about/versions/11/privacy/permissions) у систему дозволів в кожній наступній версії. Всі встановлені вами програми суворо [ізольовані](https://source.android.com/security/app-sandbox), тому немає потреби встановлювати будь-які антивірусні додатки. + +## Версії Android + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Дозволи Android + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Профілі користувачів + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## Профілі користувачів + +Для цього потрібен **контролер пристрою** такий як [Shelter](#recommended-apps), якщо ви не використовуєте CalyxOS, яка вже містить в собі контролер. + +Робочий профіль залежить від функціонування контролера пристрою. Кожен профіль зашифрований за допомогою власного ключа шифрування і не може отримати доступ до даних будь-яких інших профілів. Навіть власник пристрою не може переглядати дані профілів, не знаючи їхніх паролів. Multiple user profiles are a more secure method of isolation. + +## Робочий профіль + +[Робочі профілі](https://support.google.com/work/android/answer/6191949) - це ще один спосіб ізоляції програм, який може бути зручнішим, ніж окремі профілі користувачів. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +Робочий профіль залежить від функціонування контролера пристрою. Такі функції як *Файловий шатл* та *блокування пошуку контактів* або будь-які інші функції ізоляції повинні бути реалізовані контролером. Коли вони не використовуються, ми рекомендуємо вимкнути їх. + +Цей метод, як правило, є менш безпечним, ніж додатковий профіль користувача; однак, він дозволяє вам зручно запускати додатки як в робочому, так і в особистому профілях одночасно. + +## VPN Killswitch + +Якщо у вас є обліковий запис Google, радимо зареєструватися в [Програмі Додаткового Захисту](https://landing.google.com/advancedprotection/). Ця функція може запобігти витоку, якщо VPN відключений. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Глобальні перемикачі + +Сучасні пристрої Android мають глобальні перемикачі для вимкнення служб Bluetooth і визначення місцезнаходження. В Android 12 з'явилися перемикачі для камери та мікрофона. Коли вони не використовуються, ми рекомендуємо вимкнути їх. Програми не можуть використовувати вимкнені функції (навіть якщо їм надано індивідуальний дозвіл), поки їх не буде ввімкнено знову. + +## Google + +Якщо ви користуєтесь пристроєм зі службами Google, заводською операційною системою або операційною системою, яка безпечно використовує служби Google Play, такі як GrapheneOS, ви можете внести ряд додаткових змін, щоб покращити конфіденційність. Ми як і раніше рекомендуємо повністю уникати сервісів Google або обмежити сервіси Google Play профілем користувача/робочим профілем, об'єднавши контролер пристрою, такий як *Shelter* з ізольованим Google Play від GrapheneOS. + +### Програма додаткового захисту + +Якщо у вас є обліковий запис Google, радимо зареєструватися в [Програмі Додаткового Захисту](https://landing.google.com/advancedprotection/). Це дозволить вам отримати **деякі** виправлення безпеки від Google, не порушуючи при цьому моделі безпеки Android використовуючи небезпечну похідну Android і збільшуючи поверхню атаки. + +Програма додаткового захисту забезпечує посилений моніторинг загроз та вмикає: + +- Суворішу двофакторну автентифікацію; напр. **повинен** використовуватись [FIDO](/security/multi-factor-authentication/#fido-fast-identity-online), та забороняється використання [SMS](/security/multi-factor-authentication/#sms-or-email-mfa), [TOTP](/security/multi-factor-authentication.md#time-based-one-time-password-totp), та [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Доступ до даних облікового запису можуть отримувати лише Google і перевірені сторонні програми +- Сканування вхідних електронних листів в акаунтах Gmail на предмет [спроб фішингу](https://en.wikipedia.org/wiki/Phishing#Email_phishing) +- Суворіше [сканування веб-переглядача](https://www.google.com/chrome/privacy/whitepaper.html#malware) з Google Chrome +- Більш суворий процес відновлення облікових записів з втраченими обліковими даними + + Якщо ви використовуєте не ізольовані сервіси Google Play (поширені в заводських операційних системах), Програма Додаткового Захисту також надає декілька [додаткових переваг](https://support.google.com/accounts/answer/9764949?hl=en), таких як: + +- Не дозволяється встановлення додатків за межами магазину Google Play, магазину додатків постачальника ОС або через [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Обов'язкове автоматичне сканування пристрою за допомогою [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Попередження про неперевірені додатки + +### Оновлення системи Google Play + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +На прошивках Android з привілейованими сервісами Google Play (як на заводських ОС), налаштування може здійснюватися в одному з кількох місць. Перевірте We would still recommend upgrading to a supported device as soon as possible. + +### Рекламний ідентифікатор + +Всі пристрої з встановленими сервісами Google Play автоматично генерують [рекламний ідентифікатор](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en), який використовується для таргетованої реклами. Вимкніть цю функцію, щоб обмежити збір даних про вас. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +На прошивках Android з привілейованими сервісами Google Play (як на заводських ОС), налаштування може здійснюватися в одному з кількох місць. Перевірте + +- :gear: **Налаштування** → **Google** → **Реклама** +- :gear: **Налаштування** → **Конфіденційність** → **Реклама** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet та Play API цілісність + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) та [Play API цілісність](https://developer.android.com/google/play/integrity) зазвичай використовуються для [банківських додатків](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS проходить перевірку `basicIntegrity`, але не перевірку сертифікації `ctsProfileMatch`. Пристрої з Android 8 або пізнішою версією мають підтримку апаратної атестації, яку неможливо обійти без витоку ключів або серйозних вразливостей. + +Що стосується Google Wallet, ми не рекомендуємо це використовувати через їхню [політику конфіденційності](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en) яка стверджує, що ви повинні відмовитися, якщо ви не хочете, щоб ваш кредитний рейтинг та особиста інформація надавалися партнерським маркетинговим службам. diff --git a/i18n/uk/os/linux-overview.md b/i18n/uk/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/uk/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/uk/os/qubes-overview.md b/i18n/uk/os/qubes-overview.md new file mode 100644 index 00000000..5bba1170 --- /dev/null +++ b/i18n/uk/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/uk/passwords.md b/i18n/uk/passwords.md new file mode 100644 index 00000000..48b9a92f --- /dev/null +++ b/i18n/uk/passwords.md @@ -0,0 +1,341 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! рекомендації + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! рекомендації + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! рекомендації + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! рекомендації + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! рекомендації + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! рекомендації + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! рекомендації + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/uk/productivity.md b/i18n/uk/productivity.md new file mode 100644 index 00000000..76406e03 --- /dev/null +++ b/i18n/uk/productivity.md @@ -0,0 +1,155 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! рекомендації + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! danger + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! рекомендації + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! рекомендації + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! рекомендації + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! рекомендації + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/uk/real-time-communication.md b/i18n/uk/real-time-communication.md new file mode 100644 index 00000000..1062db12 --- /dev/null +++ b/i18n/uk/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! рекомендації + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! рекомендації + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! рекомендації + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! рекомендації + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! рекомендації + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/uk/router.md b/i18n/uk/router.md new file mode 100644 index 00000000..8a63b1af --- /dev/null +++ b/i18n/uk/router.md @@ -0,0 +1,47 @@ +--- +title: "Прошивка роутера" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Нижче наведено кілька альтернативних операційних систем, які можна використовувати на маршрутизаторах, точках доступу Wi-Fi тощо. + +## OpenWrt + +!!! рекомендації + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** - це операційна система (зокрема, вбудована операційна система), заснована на ядрі Linux, яка в основному використовується на вбудованих пристроях для маршрутизації мережевого трафіку. Основними компонентами є ядро Linux, util-linux, uClibc, та BusyBox. Всі компоненти були оптимізовані за розміром, щоб бути досить маленькими для розміщення в обмеженому сховищі і пам'яті, доступних в домашніх маршрутизаторах. + + [Homepage](https://openwrt.org){ .md-button .md-button--primary } + + ??? + +Щоб перевірити, чи підтримується ваш пристрій, перегляньте [таблицю апаратного забезпечення](https://openwrt.org/toh/start) OpenWrt. + +## OPNsense + +!!! рекомендації + + ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense - це дистрибутив програмного забезпечення для брандмауера / маршрутизатора з відкритим вихідним кодом, заснований на FreeBSD. Він встановлюється на комп'ютер для створення виділеного брандмауера/маршрутизатора для мережі та відомий своєю надійністю і пропонує функції, які часто зустрічаються тільки в дорогих комерційних брандмауерах. + + pfSense зазвичай розгортається як брандмауер по периметру, маршрутизатор, бездротова точка доступу, DHCP-сервер, DNS-сервер і кінцева точка VPN. + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/uk/search-engines.md b/i18n/uk/search-engines.md new file mode 100644 index 00000000..5eccf292 --- /dev/null +++ b/i18n/uk/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! рекомендації + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! рекомендації + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! рекомендації + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! рекомендації + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/uk/tools.md b/i18n/uk/tools.md new file mode 100644 index 00000000..a38a5b7f --- /dev/null +++ b/i18n/uk/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Прошивка роутера + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/uk/tor.md b/i18n/uk/tor.md new file mode 100644 index 00000000..8dfd3a6a --- /dev/null +++ b/i18n/uk/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Логотип Tor](assets/img/self-contained-networks/tor.svg){ align=right } + +Мережа **Tor** - це група серверів, керованих волонтерами, яка дозволяє вам підключатися безкоштовно і покращувати вашу конфіденційність і безпеку в Інтернеті. Приватні особи та організації також можуть обмінюватися інформацією через мережу Tor з "прихованими сервісами .onion" без шкоди для своєї конфіденційності. Оскільки трафік Tor важко заблокувати і відстежити, Tor є ефективним інструментом обходу цензури. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Домашня сторінка} +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Документація} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Вихідний код" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Зробити внесок } + +Tor працює, спрямовуючи ваш інтернет-трафік через ці волонтерські сервери, замість того, щоб встановлювати пряме з'єднання з сайтом, який ви намагаєтесь відвідати. Це приховує, звідки надходить трафік, і жоден сервер у шляху з 'єднання не може побачити повний шлях, звідки надходить трафік, а це означає, що навіть сервери, які ви використовуєте для з' єднання, не можуть порушити вашу анонімність. + +[Детальний огляд Tor :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Підключення до Tor + +Існує безліч способів під'єднатися до мережі Tor з вашого пристрою, найпоширенішим з яких є **Tor Browser**, форк Firefox, призначений для анонімного перегляду веб-сторінок на настільних комп'ютерах і Android. На додаток до перелічених нижче програм, існують також операційні системи, розроблені спеціально для підключення до мережі Tor, такі як [Whonix](desktop.md#whonix) або [Qubes OS](desktop.md#qubes-os), які забезпечують ще більшу безпеку і захист, ніж стандартний Tor Browser. + +### Tor Browser + +!!! рекомендації + + ![Логотип Tor Browser](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** — це вибір, якщо вам потрібна анонімність, оскільки він надає доступ до мережі Tor і мостів, а також включає в себе стандартні налаштування і розширення, які автоматично налаштовуються на рівні безпеки за замовчуванням: *Стандартний*, *Безпечніший* і *Найбезпечніший*. + + [:octicons-home-16: Домашня сторінка](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Документація } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Зробити внесок } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + Ви **ніколи** не повинні встановлювати додаткові розширення для браузера Tor або змінювати налаштування `about:config`, включаючи ті, які ми рекомендуємо для Firefox. Розширення браузера і нестандартні налаштування виділяють вас серед інших користувачів мережі Tor, тим самим полегшуючи доступ до [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +Браузер Tor розроблений таким чином, щоб запобігти зняттю відбитків або ідентифікації вас на основі конфігурації вашого браузера. Тому вкрай важливо, щоб ви **не** модифікували браузер поза межами стандартних [рівнів безпеки](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! рекомендації + + ![Логотип Orbot](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** — це безкоштовна Tor VPN для смартфонів, яка спрямовує трафік від будь-якої програми на вашому пристрої через мережу Tor. + + [:octicons-home-16: Домашня сторінка](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Політика конфіденційності" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Документація} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Зробити внесок} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Підказки для Android" + + Orbot може спрямовувати через проксі окремі програми, якщо вони підтримують SOCKS або HTTP-проксі. Він також може спрямовувати через проксі всі ваші мережеві з'єднання за допомогою [VpnService](https://developer.android.com/reference/android/net/VpnService) і може використовуватися з кілсвічем VPN у :gear: **Налаштування** → **Мережа та Інтернет** → **VPN** → :gear: → **Блокувати з'єднання без VPN**. + + Orbot часто застаріває в [F-Droid репозиторії](https://guardianproject.info/fdroid) Guardian Project та [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) Guardian Project, тому краще завантажуйте безпосередньо з [GitHub репозиторію](https://github.com/guardianproject/orbot/releases). + + Всі версії підписуються одним і тим же підписом, тому вони повинні бути сумісні одна з одною. + +## Реле та мости + +### Snowflake + +!!! рекомендації + + ![Логотип Snowflake](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Логотип Snowflake](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** дозволяє вам пожертвувати пропускну здатність для проекту Tor, використовуючи "проксі-сервер Snowflake" у вашому браузері. + + Люди, які зазнають цензури, можуть використовувати проксі-сервери Snowflake для підключення до мережі Tor. Snowflake — це чудовий спосіб зробити внесок у мережу, навіть якщо ви не володієте технічними знаннями для запуску Tor-реле або моста. + + [:octicons-home-16: Домашня сторінка](https://snowflake.torproject.org/?lang=uk){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Oперегляд){ .card-link title=Документація} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Вихідний код" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Зробити внесок} + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Залиште цю сторінку відкритою, щоб бути Snowflake проксі") + +??? tip "Вбудована Snowflake" + + Ви можете увімкнути Snowflake у вашому браузері, натиснувши перемикач нижче і ==залишивши цю сторінку відкритою==. Ви також можете встановити Snowflake як розширення для браузера, щоб він завжди працював, коли браузер відкритий, однак додавання сторонніх розширень може збільшити вашу поверхню атаки. + +
+ Якщо вбудовуваний елемент не відображається, переконайтеся, що ви не заблокували сторонній фрейм з `torproject.org`. Крім того, відвідайте [цю сторінку](https://snowflake.torproject.org/embed.html). + +Snowflake жодним чином не збільшує вашу конфіденційність і не використовується для підключення до мережі Tor у вашому власному браузері. Однак, якщо ваше інтернет-з'єднання не піддається цензурі, вам варто подумати про його використання, щоб допомогти людям, які перебувають у мережах з цензурою, самим досягти кращої конфіденційності. Вам не потрібно турбуватися про те, до яких сайтів люди отримують доступ через ваш проксі — їх видима IP-адреса буде відповідати їх вихідному вузлу з Tor, а не вашій. + +Запуск проксі-сервера Snowflake пов'язаний з навіть меншим ризиком, ніж запуск Tor-реле або моста, які й самі не є особливо ризикованими заходами. Однак він все одно спрямовує трафік проходить через вашу мережу, що може мати певний вплив, особливо якщо ваша мережа має обмежену пропускну здатність. Переконайтеся, що ви розумієте [як працює Snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) перед тим, як вирішити, чи запускати проксі. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/uk/video-streaming.md b/i18n/uk/video-streaming.md new file mode 100644 index 00000000..a6654d12 --- /dev/null +++ b/i18n/uk/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! рекомендації + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/uk/vpn.md b/i18n/uk/vpn.md new file mode 100644 index 00000000..853c8235 --- /dev/null +++ b/i18n/uk/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Рекомендовані DNS-провайдери + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! рекомендації + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! рекомендації + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/vi/404.md b/i18n/vi/404.md new file mode 100644 index 00000000..25c1c780 --- /dev/null +++ b/i18n/vi/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - Not Found + +We couldn't find the page you were looking for! Maybe you were looking for one of these? + +- [Introduction to Threat Modeling](basics/threat-modeling.md) +- [Recommended DNS Providers](dns.md) +- [Best Desktop Web Browsers](desktop-browsers.md) +- [Best VPN Providers](vpn.md) +- [Privacy Guides Forum](https://discuss.privacyguides.net) +- [Our Blog](https://blog.privacyguides.org) diff --git a/i18n/vi/CODE_OF_CONDUCT.md b/i18n/vi/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/vi/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/vi/about/criteria.md b/i18n/vi/about/criteria.md new file mode 100644 index 00000000..3084230b --- /dev/null +++ b/i18n/vi/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: General Criteria +--- + +!!! example "Work in Progress" + + The following page is a work in progress, and does not reflect the full criteria for our recommendations at this time. Past discussion on this topic: [#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +Below are some things that must apply to all submissions to Privacy Guides. Each category will have additional requirements for inclusion. + +## Financial Disclosure + +We do not make money from recommending certain products, we do not use affiliate links, and we do not provide special consideration to project donors. + +## General Guidelines + +We apply these priorities when considering new recommendations: + +- **Secure**: Tools should follow security best-practices wherever applicable. +- **Source Availability**: Open source projects are generally preferred over equivalent proprietary alternatives. +- **Cross-Platform**: We typically prefer recommendations to be cross-platform, to avoid vendor lock-in. +- **Active Development**: The tools that we recommend should be actively developed, unmaintained projects will be removed in most cases. +- **Usability**: Tools should be accessible to most computer users, an overly technical background should not be required. +- **Documented**: Tools should have clear and extensive documentation for use. + +## Developer Self-Submissions + +We have these requirements in regard to developers which wish to submit their project or software for consideration. + +- Must disclose affiliation, i.e. your position within the project being submitted. + +- Must have a security whitepaper if it is a project that involves handling of sensitive information like a messenger, password manager, encrypted cloud storage etc. + - Third party audit status. We want to know if you have one, or have one planned. If possible please mention who will be conducting the audit. + +- Must explain what the project brings to the table in regard to privacy. + - Does it solve any new problem? + - Why should anyone use it over the alternatives? + +- Must state what the exact threat model is with their project. + - It should be clear to potential users what the project can provide, and what it cannot. diff --git a/i18n/vi/about/donate.md b/i18n/vi/about/donate.md new file mode 100644 index 00000000..c1635996 --- /dev/null +++ b/i18n/vi/about/donate.md @@ -0,0 +1,50 @@ +--- +title: Phương Thức Quyên Góp +--- + + +It takes a lot of [people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) and [work](https://github.com/privacyguides/privacyguides.org/pulse/monthly) to keep Privacy Guides up to date and spreading the word about privacy and mass surveillance. If you like what we do, consider getting involved by [editing the site](https://github.com/privacyguides/privacyguides.org) or [contributing translations](https://crowdin.com/project/privacyguides). + +Phải cần rất nhiều [người](https://github.com/privacyguides/privacyguides.org/graphs/contributors) và [làm việc](https://github.com/privacyguides/privacyguides.org/pulse/monthly) để cập nhật Privacy Guides và quảng bá rộng rãi về quyền riêng tư và giám sát hàng loạt. Nếu bạn thích những gì chúng tôi làm, cách tốt nhất để giúp đỡ là tham gia bằng cách [chỉnh sửa trang web](https://github.com/privacyguides/privacyguides.org) hoặc [đóng góp bản dịch](https://crowdin.com/project/privacyguides). + +[Donate on OpenCollective.com](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +Donations made directly to us on Open Collective are generally tax-deductible in the US, because our fiscal host (the Open Collective Foundation) is a registered 501(c)3 organization. You will receive a receipt from the Open Collective Foundation after donating. Privacy Guides does not provide financial advice, and you should contact your tax advisor to find out whether this is applicable to you. + +If you already make use of GitHub sponsorships, you can also sponsor our organization there. + +[Sponsor us on GitHub](https://github.com/sponsors/privacyguides ""){.md-button} + +## Backers + +A special thanks to all those who support our mission! :heart: + +*Please note: This section loads a widget directly from Open Collective. This section does not reflect donations made outside of Open Collective, and we have no control over the specific donors featured in this section.* + + + +## How We Use Donations + +Chúng tôi vẫn đang làm việc với tổ chức tài chính của mình (Open Collective Foundation) để nhận các khoản đóng góp từ tiền điện tử, hiện tại, kế toán không khả thi đối với nhiều giao dịch nhỏ hơn, nhưng điều này sẽ thay đổi trong tương lai. Trong thời gian chờ đợi, nếu bạn muốn quyên góp tiền điện tử (> $100) cỡ lớn, vui lòng liên hệ với [jonah@privacyguides.org](mailto:jonah@privacyguides.org). + +**Đăng Ký Tên Miền** +: + +Chúng tôi có một vài tên miền như `privacyguides.org` mà chúng tôi tốn khoảng $10 mỗi năm để duy trì đăng ký của họ. + +**Web Hosting** +: + +Lưu lượng truy cập vào trang web này sử dụng hàng trăm gigabyte dữ liệu mỗi tháng, chúng tôi sử dụng nhiều nhà cung cấp dịch vụ khác nhau để theo kịp lượng truy cập này. + +**Dịch Vụ Trực Tuyến** +: + +Chúng tôi tổ chức [dịch vụ internet](https://privacyguides.net) để thử nghiệm và giới thiệu các sản phẩm bảo mật khác nhau mà chúng tôi thích và [đề xuất](../tools.md). Một số trong số đó được cung cấp công khai để cộng đồng của chúng tôi sử dụng (SearXNG, Tor, v.v.) và một số được cung cấp cho các thành viên trong nhóm của chúng tôi (email, v.v.). + +**Mua Sản Phẩm** +: + +Thỉnh thoảng chúng tôi mua sản phẩm và dịch vụ cho mục đích thử nghiệm [công cụ được đề xuất của chúng tôi](../tools.md). + +We are still working with our fiscal host (the Open Collective Foundation) to receive cryptocurrency donations, at the moment the accounting is unfeasible for many smaller transactions, but this should change in the future. In the meantime, if you wish to make a sizable (> $100) cryptocurrency donation, please reach out to [jonah@privacyguides.org](mailto:jonah@privacyguides.org). diff --git a/i18n/vi/about/index.md b/i18n/vi/about/index.md new file mode 100644 index 00000000..d3ee9758 --- /dev/null +++ b/i18n/vi/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. Bạn **không được** sử dụng thương hiệu Privacy Guides trong dự án của riêng bạn mà không có sự chấp thuận rõ ràng từ dự án này. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/vi/about/notices.md b/i18n/vi/about/notices.md new file mode 100644 index 00000000..8ab67371 --- /dev/null +++ b/i18n/vi/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Từ Chối Trách Nhiệm Pháp Lý + +Privacy Guides không phải là một công ty luật. Do đó, trang web Privacy Guides và những người đóng góp không cung cấp tư vấn pháp lý. Tài liệu và khuyến nghị trong trang web và hướng dẫn của chúng tôi không cấu thành tư vấn pháp lý cũng như không đóng góp vào trang web hoặc giao tiếp với Privacy Guides hoặc những người đóng góp khác về trang web của chúng tôi tạo ra mối quan hệ luật sư-khách hàng. + +Điều hành trang web này, giống như bất kỳ nỗ lực nào của con người, liên quan đến sự không chắc chắn và sự đánh đổi. Chúng tôi hy vọng trang web này hữu ích, nhưng nó có thể bao gồm các sai lầm và không thể giải quyết mọi tình huống. Nếu bạn có bất kỳ câu hỏi nào về tình huống của mình, chúng tôi khuyến khích bạn tự nghiên cứu, tìm kiếm các chuyên gia khác và tham gia thảo luận với cộng đồng Privacy Guides. Nếu quý vị có bất kỳ câu hỏi pháp lý nào, quý vị nên tham khảo ý kiến của luật sư riêng của mình trước khi tiếp tục. + +Privacy Guides là một dự án nguồn mở được đóng góp theo giấy phép bao gồm các điều khoản, để bảo vệ trang web và những người đóng góp của trang web, nêu rõ rằng dự án và trang web của Privacy Guides được cung cấp "nguyên trạng", không có bảo hành và từ chối trách nhiệm pháp lý đối với các thiệt hại do sử dụng trang web hoặc bất kỳ khuyến nghị nào có trong đó. Privacy Guides không bảo đảm hoặc đưa ra bất kỳ tuyên bố nào liên quan đến tính chính xác, kết quả có thể hoặc độ tin cậy của việc sử dụng các tài liệu trên trang web hoặc liên quan đến các tài liệu đó trên trang web hoặc trên bất kỳ trang web của bên thứ ba nào được liên kết trên trang web này. + +Ngoài ra, Privacy Guides không đảm bảo rằng trang web này sẽ liên tục khả dụng hoặc có sẵn. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +Điều này không bao gồm mã của bên thứ ba được nhúng trong kho lưu trữ này hoặc mã mà giấy phép thay thế được ghi chú khác. Sau đây là những ví dụ đáng chú ý, nhưng danh sách này có thể không bao gồm tất cả: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +Điều này có nghĩa là bạn có thể sử dụng nội dung có thể đọc được của con người trong kho lưu trữ này cho dự án của riêng bạn, theo các điều khoản được nêu trong văn bản CC0 1.0 Universal. Bạn **không được** sử dụng thương hiệu Privacy Guides trong dự án của riêng bạn mà không có sự chấp thuận rõ ràng từ dự án này. Nhãn hiệu thương hiệu của Privacy Guides bao gồm nhãn hiệu chữ "Privacy Guides" và logo shield. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +Chúng tôi tin rằng các logo và hình ảnh khác trong `tài sản` thu được từ các nhà cung cấp bên thứ ba thuộc phạm vi công cộng hoặc **sử dụng hợp pháp**. Tóm lại, học thuyết sử dụng hợp pháp [](https://en.wikipedia.org/wiki/Fair_use) cho phép sử dụng hình ảnh có bản quyền để xác định chủ đề cho mục đích bình luận công khai. Tuy nhiên, các logo và hình ảnh khác này vẫn có thể tuân theo luật thương hiệu ở một hoặc nhiều khu vực pháp lý. Trước khi sử dụng nội dung này, vui lòng đảm bảo rằng nội dung được sử dụng để xác định thực thể hoặc tổ chức sở hữu thương hiệu và bạn có quyền sử dụng nội dung đó theo luật áp dụng trong trường hợp bạn dự định sử dụng. *Khi sao chép nội dung từ trang web này, bạn hoàn toàn chịu trách nhiệm đảm bảo rằng bạn không vi phạm thương hiệu hoặc bản quyền của người khác.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Chấp Thuận Sử Dụng + +Bạn không được sử dụng trang web này theo bất kỳ cách nào gây ra hoặc có thể gây thiệt hại cho trang web hoặc làm giảm tính sẵn có hoặc khả năng truy cập của Privacy Guides, hoặc theo bất kỳ cách nào bất hợp pháp, bất hợp pháp, gian lận, có hại hoặc liên quan đến bất kỳ mục đích hoặc hoạt động bất hợp pháp, bất hợp pháp, gian lận hoặc có hại nào. + +Bạn không được tiến hành bất kỳ hoạt động thu thập dữ liệu có hệ thống hoặc tự động nào trên hoặc liên quan đến trang web này mà không có sự đồng ý rõ ràng bằng văn bản từ Aragon Ventures LLC, bao gồm: + +* Quét tự động quá mức +* Tấn công từ chối dịch vụ +* Quét dữ liệu +* Khai thác dữ liệu +* 'Khung' (IFrames) + +--- + +*Phần của thông báo này chính nó đã được thông qua từ [mã nguồn mở](https://github.com/github/opensource.guide/blob/master/notices.md) trên GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/vi/about/privacy-policy.md b/i18n/vi/about/privacy-policy.md new file mode 100644 index 00000000..b6c1e1c0 --- /dev/null +++ b/i18n/vi/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "Chính Sách Bảo Mật" +--- + +Privacy Guides là một dự án cộng đồng do một số cộng tác viên tình nguyện tích cực điều hành. Danh sách công khai của các thành viên trong nhóm [có thể tìm thấy trên GitHub](https://github.com/orgs/privacyguides/people). + +## Dữ Liệu Chúng Tôi Thu Thập Từ Khách + +Quyền riêng tư của khách truy cập trang web là rất quan trọng đối với chúng tôi, vì vậy chúng tôi không theo dõi bất kỳ cá nhân nào. Là một khách truy cập vào trang web: + +- Không có thông tin cá nhân được thu thập +- No information such as cookies are stored in the browser +- Không có thông tin nào được chia sẻ, gửi cho hoặc bán cho các bên thứ ba +- Không có thông tin nào được chia sẻ với các công ty quảng cáo +- Không có thông tin nào được khai thác và thu thập cho các cá nhân và hành vi xu hướng +- Không có thông tin nào được kiếm tiền + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Trên một số trang web và dịch vụ chúng tôi cung cấp, nhiều tính năng có thể yêu cầu tài khoản. Ví dụ, một tài khoản có thể được yêu cầu để đăng và trả lời các chủ đề trên nền tảng diễn đàn. + +## Dữ Liệu Chúng Tôi Thu Thập Từ Chủ Tài Khoản + +Để đăng ký hầu hết các tài khoản, chúng tôi sẽ thu thập tên, tên người dùng, email và mật khẩu. Trong trường hợp một trang web yêu cầu nhiều thông tin hơn chỉ là dữ liệu đó, thông tin đó sẽ được đánh dấu và ghi chú rõ ràng trong một tuyên bố về quyền riêng tư riêng cho mỗi trang web. + +Chúng tôi sử dụng dữ liệu tài khoản của bạn để nhận dạng bạn trên trang web và để tạo các trang dành riêng cho bạn, chẳng hạn như trang hồ sơ của bạn. Chúng tôi cũng sẽ sử dụng dữ liệu tài khoản của bạn để xuất bản hồ sơ công khai cho bạn trên các dịch vụ của chúng tôi. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Thông báo cho bạn về các bài đăng và hoạt động khác trên các trang web hoặc dịch vụ. +- Đặt lại mật khẩu của bạn và giúp bảo mật tài khoản của bạn. +- Liên hệ với bạn trong những trường hợp đặc biệt liên quan đến tài khoản của bạn. +- Liên hệ với bạn về các yêu cầu pháp lý, chẳng hạn như yêu cầu gỡ xuống theo DMCA. + +Chúng tôi sẽ lưu trữ dữ liệu tài khoản của bạn miễn là tài khoản của bạn vẫn mở. Sau khi đóng tài khoản, chúng tôi có thể giữ lại một số hoặc tất cả dữ liệu tài khoản của bạn dưới dạng sao lưu hoặc lưu trữ trong tối đa 90 ngày. This information is not required to use any of our services and can be erased at any time. + +Nhóm Privacy Guides thường không có quyền truy cập vào dữ liệu cá nhân ngoài quyền truy cập hạn chế được cấp qua một số bảng kiểm duyệt. Các thắc mắc liên quan đến thông tin cá nhân của bạn nên được gửi trực tiếp đến: + +## Liên hệ với chúng tôi + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Quản trị viên dịch vụ +jonah@privacyguides.org +``` + +Đối với các khiếu nại theo GDPR nói chung, bạn có thể khiếu nại với các cơ quan giám sát bảo vệ dữ liệu địa phương của bạn. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## Về Chính sách này + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/vi/about/privacytools.md b/i18n/vi/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/vi/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/vi/about/services.md b/i18n/vi/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/vi/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/vi/about/statistics.md b/i18n/vi/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/vi/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/vi/advanced/communication-network-types.md b/i18n/vi/advanced/communication-network-types.md new file mode 100644 index 00000000..1f07a2c4 --- /dev/null +++ b/i18n/vi/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "Types of Communication Networks" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use. + +[Recommended Instant Messengers](../real-time-communication.md ""){.md-button} + +## Centralized Networks + +![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left } + +Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization. + +Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate. + +**Advantages:** + +- New features and changes can be implemented more quickly. +- Easier to get started with and to find contacts. +- Most mature and stable features ecosystems, as they are easier to program in a centralized software. +- Privacy issues may be reduced when you trust a server that you're self-hosting. + +**Disadvantages:** + +- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like: +- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage. +- Poor or no documentation for third-party developers. +- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on. +- Self-hosting requires effort and knowledge of how to set up a service. + +## Federated Networks + +![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left } + +Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network. + +When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server). + +**Advantages:** + +- Allows for greater control over your own data when running your own server. +- Allows you to choose whom to trust your data with by choosing between multiple "public" servers. +- Often allows for third-party clients which can provide a more native, customized, or accessible experience. +- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member). + +**Disadvantages:** + +- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network. +- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion. +- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used). +- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used. +- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers. + +## Peer-to-Peer Networks + +![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left } + +P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server. + +Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol). + +Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient. + +P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting. + +**Advantages:** + +- Minimal information is exposed to third-parties. +- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models. + +**Disadvantages:** + +- Reduced feature set: +- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online. +- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online. +- Some common messenger features may not be implemented or incompletely, such as message deletion. +- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention. + +## Anonymous Routing + +![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three. + +There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers." + +Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit. + +**Advantages:** + +- Minimal to no information is exposed to other parties. +- Messages can be relayed in a decentralized manner even if one of the parties is offline. + +**Disadvantages:** + +- Slow message propagation. +- Often limited to fewer media types, mostly text, since the network is slow. +- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline. +- More complex to get started, as the creation and secured backup of a cryptographic private key is required. +- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion. diff --git a/i18n/vi/advanced/dns-overview.md b/i18n/vi/advanced/dns-overview.md new file mode 100644 index 00000000..b47af280 --- /dev/null +++ b/i18n/vi/advanced/dns-overview.md @@ -0,0 +1,306 @@ +--- +title: "DNS Overview" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to IP addresses so browsers and other services can load Internet resources, through a decentralized network of servers. + +## What is DNS? + +When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned. + +DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the ISP via [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol). + +Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When you request the IP address of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses UDP. + +Below, we discuss and provide a tutorial to prove what an outside observer may see using regular unencrypted DNS and [encrypted DNS](#what-is-encrypted-dns). + +### Unencrypted DNS + +1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS. + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +If you run the Wireshark command above, the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction, and can aggregate those frames to produce statistical data useful to the network observer. + +| No. | Time | Source | Destination | Protocol | Length | Info | +| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +An observer could modify any of these packets. + +## What is "encrypted DNS"? + +Encrypted DNS can refer to one of a number of protocols, the most common ones being: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh). + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls. + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83. + +Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies). + +## What can an outside party see? + +In this example we will record what happens when we make a DoH request: + +1. First, start `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. Second, make a request with `curl`: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. After making the request, we can stop the packet capture with CTRL + C. + +4. Analyse the results in Wireshark: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned. + +## Why **shouldn't** I use encrypted DNS? + +In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](../basics/threat-modeling.md). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN, you are already trusting them with all your network activity. + +When we do a DNS lookup, it's generally because we want to access a resource. Below, we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS: + +### IP Address + +The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides. + +This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform (e.g. Github Pages, Cloudflare Pages, Netlify, WordPress, Blogger, etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet. + +### Server Name Indication (SNI) + +Server Name Indication is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection. + +1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. Then we visit [https://privacyguides.org](https://privacyguides.org). + +3. After visiting the website, we want to stop the packet capture with CTRL + C. + +4. Next we want to analyze the results: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello". + +5. Expand the triangle ▸ next to each field: + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak. + +Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` also be encrypted. + +### Online Certificate Status Protocol (OCSP) + +Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted. + +The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status. + +We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command. + +1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file: + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + +2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate. + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + +3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END: + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + +4. Get the OCSP responder for the server certificate: + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use: + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + +5. Start the packet capture: + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + +6. Make the OCSP request: + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + +7. Open the capture: + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle ▸ next to each field: + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + For the "Response" we can also see the "serial number": + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + +8. Or use `tshark` to filter the packets for the Serial Number: + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + +If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number. + +## Should I use encrypted DNS? + +We made this flow chart to describe when you *should* use encrypted DNS: + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + +Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering. + +[List of recommended DNS servers](../dns.md ""){.md-button} + +## What is DNSSEC? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests. + +In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted. + +The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with. + +DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`’s authoritative nameserver. + +Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). + +## What is QNAME minimization? + +A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server). + +Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816). + +## What is EDNS Client Subnet (ECS)? + +The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query. + +It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps. + +This feature does come at a privacy cost, as it tells the DNS server some information about the client's location. diff --git a/i18n/vi/advanced/payments.md b/i18n/vi/advanced/payments.md new file mode 100644 index 00000000..7e046ecd --- /dev/null +++ b/i18n/vi/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! danger + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/vi/advanced/tor-overview.md b/i18n/vi/advanced/tor-overview.md new file mode 100644 index 00000000..e0c5b08b --- /dev/null +++ b/i18n/vi/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor Overview" +icon: 'simple/torproject' +description: Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. +--- + +Tor is a free to use, decentralized network designed for using the internet with as much privacy as possible. If used properly, the network enables private and anonymous browsing and communications. + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +Each of these nodes has its own function: + +### The Entry Node + +The entry node, often called the guard node, is the first node to which your Tor client connects. The entry node is able to see your IP address, however it is unable to see what you are connecting to. + +Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1] + +### The Middle Node + +The middle node is the second node to which your Tor client connects. It can see which node the traffic came from—the entry node—and to which node it goes to next. The middle node cannot, see your IP address or the domain you are connecting to. + +For each new circuit, the middle node is randomly selected out of all available Tor nodes. + +### The Exit Node + +The exit node is the point in which your web traffic leaves the Tor network and is forwarded to your desired destination. The exit node is unable to see your IP address, but it does know what site it's connecting to. + +The exit node will be chosen at random from all available Tor nodes ran with an exit relay flag.[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## Encryption + +Tor encrypts each packet (a block of transmitted data) three times with the keys from the exit, middle, and entry node—in that order. + +Once Tor has built a circuit, data transmission is done as follows: + +1. Firstly: when the packet arrives at the entry node, the first layer of encryption is removed. In this encrypted packet, the entry node will find another encrypted packet with the middle node’s address. The entry node will then forward the packet to the middle node. + +2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node. + +3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address. + +Below is an alternative diagram showing the process. Each node removes its own layer of encryption, and when the destination server returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it does know which node it came from, and so it adds its own layer of encryption and sends it back. + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +Tor allows us to connect to a server without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are or where you are going; and the exit node knows where you are going, but not who you are. Because the exit node is what makes the final connection, the destination server will never know your IP address. + +## Caveats + +Though Tor does provide strong privacy guarantees, one must be aware that Tor is not perfect: + +- Well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. Nor does Tor protect you from exposing yourself by mistake, such as if you share too much information about your real identity. +- Tor exit nodes can also monitor traffic that passes through them. This means traffic which is not encrypted, such as plain HTTP traffic, can be recorded and monitored. If such traffic contains personally identifiable information, then it can deanonymize you to that exit node. Thus, we recommend using HTTPS over Tor where possible. + +If you wish to use Tor for browsing the web, we only recommend the **official** Tor Browser—it is designed to prevent fingerprinting. + +- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## Additional Resources + +- [Tor Browser User Manual](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/vi/android.md b/i18n/vi/android.md new file mode 100644 index 00000000..27bc645c --- /dev/null +++ b/i18n/vi/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'fontawesome/brands/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Google Pixel + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Các thiết bị khác + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Orbot + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. khuyến nghị + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + Các thiết bị cuối đời (chẳng hạn như thiết bị "hỗ trợ mở rộng" của GrapheneOS hoặc CalyxOS) không có các bản vá bảo mật đầy đủ (cập nhật chương trình cơ sở) do OEM ngừng hỗ trợ. Những thiết bị này không thể được coi là hoàn toàn an toàn bất kể phần mềm được cài đặt. + +### GrapheneOS + +!!! khuyến nghị + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** là sự lựa chọn tốt nhất khi nói đến quyền riêng tư và bảo mật. + + GrapheneOS cung cấp thêm [tăng cường bảo mật](https://en.wikipedia.org/wiki/Hardening_(computing)) và các cải tiến về quyền riêng tư. Nó có [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), quyền mạng và cảm biến cũng như nhiều [tính năng bảo mật](https://grapheneos.org/features). GrapheneOS cũng đi kèm với các bản cập nhật chương trình cơ sở đầy đủ và các bản dựng đã ký, vì vậy khởi động đã xác minh được hỗ trợ đầy đủ. + + [Homepage](https://grapheneos.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://grapheneos.org/faq#privacy-policy){ .md-button } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### CalyxOS + +!!! khuyến nghị + + ![CalyxOS logo](assets/img/android/calyxos.svg){ align=right } + + **CalyxOS** là một hệ thống có một số tính năng bảo mật trên AOSP, bao gồm [Datura](https://calyxos.org/docs/tech/datura-details) tường lửa, [Signal](https://signal.org) tích hợp trong ứng dụng quay số và nút dừng khẩn cấp được tích hợp sẵn. + CalyxOS cũng đi kèm với các bản cập nhật chương trình cơ sở và các bản dựng đã ký, vì vậy khởi động đã xác minh được hỗ trợ đầy đủ. [Homepage](https://calyxos.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://calyxinstitute.org/legal/privacy-policy){ .md-button } + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! warning + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** là phần mềm fork của [LineageOS](https://lineageos.org/). DivestOS kế thừa nhiều [thiết bị được hỗ trợ](https://divestos.org/index.php?page=devices&base=LineageOS) từ LineageOS. Nó có các bản dựng đã ký, nên có thể có [khởi động đã xác minh](https://source.android.com/security/verifiedboot) trên một số thiết bị không phải Pixel. + + [Homepage](https://divestos.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://divestos.org/index.php?page=privacy_policy){ .md-button } + +## Thiết bị Android + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### DivestOS + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! khuyến nghị + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Chúng tôi vẫn đề xuất GrapheneOS hoặc CalyxOS tùy thuộc vào khả năng tương thích của thiết bị của bạn. + + Đối với các thiết bị khác, DivestOS là một lựa chọn thay thế tốt. + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## Ứng dụng chung + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Google Pixel + +!!! khuyến nghị + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** được biết là có bảo mật tốt và hỗ trợ đúng cách [Khởi động đã xác minh](https://source.android.com/security/verifiedboot), ngay cả khi cài đặt hệ điều hành tùy chỉnh. + + Bắt đầu với **Pixel 6** và **6 Pro**, các thiết bị Pixel nhận được bản cập nhật bảo mật được đảm bảo tối thiểu 5 năm, đảm bảo tuổi thọ dài hơn nhiều so với 2-4 năm mà các OEM cạnh tranh thường cung cấp. + + [Store](https://store.google.com/category/phones){ .md-button .md-button--primary } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! warning + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Các thiết bị khác + +!!! khuyến nghị + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Orbot + +!!! khuyến nghị + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. [Homepage](https://orbot.app/){ .md-button .md-button--primary } + + ??? + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! khuyến nghị + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## App Stores + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! khuyến nghị + + Vì CalyxOS bao gồm một bộ điều khiển thiết bị, chúng tôi khuyên bạn nên sử dụng hồ sơ công việc được tích hợp sẵn của chúng để thay thế. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Trình xem PDF an toàn + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### OnePlus + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### Fairphone + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Operating Systems + +- Must be open-source software. +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/vi/assets/img/account-deletion/exposed_passwords.png b/i18n/vi/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/vi/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/vi/assets/img/android/rss-apk-dark.png b/i18n/vi/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/vi/assets/img/android/rss-apk-light.png b/i18n/vi/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-apk-light.png differ diff --git a/i18n/vi/assets/img/android/rss-changes-dark.png b/i18n/vi/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/vi/assets/img/android/rss-changes-light.png b/i18n/vi/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/vi/assets/img/android/rss-changes-light.png differ diff --git a/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-encryption.svg b/i18n/vi/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg b/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/how-tor-works/tor-path.svg b/i18n/vi/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/vi/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/vi/assets/img/multi-factor-authentication/fido.png b/i18n/vi/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/vi/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/vi/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/vi/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/vi/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/vi/basics/account-creation.md b/i18n/vi/basics/account-creation.md new file mode 100644 index 00000000..afa5d429 --- /dev/null +++ b/i18n/vi/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "Account Creation" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +Often people sign up for services without thinking. Maybe it's a streaming service so you can watch that new show everyone's talking about, or an account that gives you a discount for your favorite fast food place. Whatever the case may be, you should consider the implications for your data now and later on down the line. + +There are risks associated with every new service that you use. Data breaches; disclosure of customer information to third parties; rogue employees accessing data; all are possibilities that must be considered when giving your information out. You need to be confident that you can trust the service, which is why we don't recommend storing valuable data on anything but the most mature and battle-tested products. That usually means services which provide E2EE and have undergone a cryptographic audit. An audit increases assurance that the product was designed without glaring security issues caused by an inexperienced developer. + +It can also be difficult to delete the accounts on some services. Sometimes [overwriting data](account-deletion.md#overwriting-account-information) associated with an account can be possible, but in other cases the service will keep an entire history of changes to the account. + +## Terms of Service & Privacy Policy + +The ToS are the rules that you agree to follow when using the service. With larger services these rules are often enforced by automated systems. Sometimes these automated systems can make mistakes. For example, you may be banned or locked out of your account on some services for using a VPN or VOIP number. Appealing such bans is often difficult, and involves an automated process too, which isn't always successful. This would be one of the reasons why we wouldn't suggest using Gmail for email as an example. Email is crucial for access to other services you might have signed up for. + +The Privacy Policy is how the service says they will use your data and it is worth reading so that you understand how your data will be used. A company or organization might not be legally obligated to follow everything contained in the policy (it depends on the jurisdiction). We would recommend having some idea what your local laws are and what they permit a provider to collect. + +We recommend looking for particular terms such as "data collection", "data analysis", "cookies", "ads" or "3rd-party" services. Sometimes you will be able to opt-out from data collection or from sharing your data, but it is best to choose a service that respects your privacy from the start. + +Keep in mind you're also placing your trust in the company or organization and that they will comply with their own privacy policy. + +## Authentication methods + +There are usually multiple ways to sign up for an account, each with their own benefits and drawbacks. + +### Email and password + +The most common way to create a new account is by an email address and password. When using this method, you should use a password manager and follow [best practices](passwords-overview.md) regarding passwords. + +!!! tip + + You can use your password manager to organize other authentication methods too! Just add the new entry and fill the appropriate fields, you can add notes for things like security questions or a backup key. + +You will be responsible for managing your login credentials. For added security, you can set up [MFA](multi-factor-authentication.md) on your accounts. + +[Recommended password managers](../passwords.md ""){.md-button} + +#### Email aliases + +If you don't want to give your real email address to a service, you have the option to use an alias. We described them in more detail on our email services recommendation page. Essentially, alias services allow you to generate new email addresses that forward all emails to your main address. This can help prevent tracking across services and help you manage the marketing emails that sometimes come with the sign up process. Those can be filtered automatically based on the alias they are sent to. + +Should a service get hacked, you might start receiving phishing or spam emails to the address you used to sign up. Using unique aliases for each service can assist in identifying exactly what service was hacked. + +[Recommended email aliasing services](../email.md#email-aliasing-services ""){.md-button} + +### Single sign-on + +!!! note + + We are discussing Single sign-on for personal use, not enterprise users. + +Single sign-on (SSO) is an authentication method that allows you to register for a service without sharing much information, if any. Whenever you see something along the lines of "Sign-in with *provider name*" on a registration form it's SSO. + +When you choose single sign-on in a website, it will prompt your SSO provider login page and after that your account will be connected. Your password won't be shared but some basic information will (you can review it during the login request). This process is needed every time you want to log in to the same account. + +The main advantages are: + +- **Security**: no risk of being involved in a [data breach](https://en.wikipedia.org/wiki/Data_breach) because the website does not store your credentials. +- **Ease of use**: multiple accounts are managed by a single login. + +But there are disadvantages: + +- **Privacy**: a SSO provider will know the services you use. +- **Centralization**: if your SSO account gets compromised or you aren't able to login to it, all other accounts connected to it are affected. + +SSO can be especially useful in those situations where you could benefit from deeper integration between services. For example, one of those services may offer SSO for the others. Our recommendation is to limit SSO to only where you need it and protect the main account with [MFA](multi-factor-authentication.md). + +All services that use SSO will be as secure as your SSO account. For example, if you want to secure an account with a hardware key but that service doesn't support hardware keys, you can secure your SSO account with a hardware key and now you essentially have hardware MFA on all your accounts. It is worth noting though that weak authentication on your SSO account means that any account tied to that login will also be weak. + +### Phone number + +We recommend avoiding services that require a phone number for sign up. A phone number can identity you across multiple services and depending on data sharing agreements this will make your usage easier to track, particularly if one of those services is breached as the phone number is often **not** encrypted. + +You should avoid giving out your real phone number if you can. Some services will allow the use of VOIP numbers, however these often trigger fraud detection systems, causing an account to be locked down, so we don't recommend that for important accounts. + +In many cases you will need to provide a number that you can receive SMS or calls from, particularly when shopping internationally, in case there is a problem with your order at border screening. It's common for services to use your number as a verification method; don't let yourself get locked out of an important account because you wanted to be clever and give a fake number! + +### Username and password + +Some services allow you to register without using an email address and only require you to set a username and password. These services may provide increased anonymity when combined with a VPN or Tor. Keep in mind that for these accounts there will most likely be **no way to recover your account** in the event you forget your username or password. diff --git a/i18n/vi/basics/account-deletion.md b/i18n/vi/basics/account-deletion.md new file mode 100644 index 00000000..2498d604 --- /dev/null +++ b/i18n/vi/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "Account Deletion" +icon: 'material/account-remove' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +Over time, it can be easy to accumulate a number of online accounts, many of which you may no longer use. Deleting these unused accounts is an important step in reclaiming your privacy, as dormant accounts are vulnerable to data breaches. A data breach is when a service's security is compromised and protected information is viewed, transmitted, or stolen by unauthorized actors. Data breaches are unfortunately all [too common](https://haveibeenpwned.com/PwnedWebsites) these days, and so practicing good digital hygiene is the best way to minimize the impact they have on your life. The goal of this guide then is to help navigate you through the irksome process of account deletion, often made difficult by [deceptive design](https://www.deceptive.design/), for the betterment of your online presence. + +## Finding Old Accounts + +### Password Manager + +If you have a password manager that you've used for your entire digital life, this part will be very easy. Oftentimes, they include built-in functionality for detecting if your credentials were exposed in a data breach—such as Bitwarden's [Data Breach Report](https://bitwarden.com/blog/have-you-been-pwned/). + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +Even if you haven't explicitly used a password manager before, there's a chance you've used the one in your browser or your phone without even realizing it. For example: [Firefox Password Manager](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [Google Password Manager](https://passwords.google.com/intro) and [Edge Password Manager](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336). + +Desktop platforms also often have a password manager which may help you recover passwords you've forgotten about: + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux, Gnome Keyring, which can be accessed through [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) or [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager) + +### Email + +If you didn't use a password manager in the past or you think you have accounts that were never added to your password manager, another option is to search the email account(s) that you believe you signed up on. On your email client, search for keywords such as "verify" or "welcome." Almost every time you make an online account, the service will send a verification link or an introductory message to your email. This can be a good way to find old, forgotten accounts. + +## Deleting Old Accounts + +### Log In + +In order to delete your old accounts, you'll need to first make sure you can log in to them. Again, if the account was in your password manager, this step is easy. If not, you can try to guess your password. Failing that, there are typically options to regain access to your account, commonly available through a "forgot password" link on the login page. It may also be possible that accounts you've abandoned have already been deleted—sometimes services prune all old accounts. + +When attempting to regain access, if the site returns an error message saying that email is not associated with an account, or you never receive a reset link after multiple attempts, then you do not have an account under that email address and should try a different one. If you can't figure out which email address you used, or you no longer have access to that email, you can try contacting the service's customer support. Unfortunately, there is no guarantee that you will be able to reclaim access your account. + +### GDPR (EEA residents only) + +Residents of the EEA have additional rights regarding data erasure specified in [Article 17](https://www.gdpr.org/regulation/article-17.html) of the GDPR. If it's applicable to you, read the privacy policy for any given service to find information on how to exercise your right to erasure. Reading the privacy policy can prove important, as some services have a "Delete Account" option that only disables your account and for real deletion you have to take additional action. Sometimes actual deletion may involve filling out surveys, emailing the data protection officer of the service or even proving your residence in the EEA. If you plan to go this way, do **not** overwrite account information—your identity as an EEA resident may be required. Note that the location of the service does not matter; GDPR applies to anyone serving European users. If the service does not respect your right to erasure, you can contact your national [Data Protection Authority](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) and you may be entitled to monetary compensation. + +### Overwriting Account information + +In some situations where you plan to abandon an account, it may make sense to overwrite the account information with fake data. Once you've made sure you can log in, change all the information in your account to falsified information. The reason for this is that many sites will retain information you previously had even after account deletion. The hope is that they will overwrite the previous information with the newest data you entered. However, there is no guarantee that there won't be backups with the prior information. + +For the account email, either create a new alternate email account via your provider of choice or create an alias using an [email aliasing service](../email.md#email-aliasing-services). You can then delete your alternate email address once you are done. We recommend against using temporary email providers, as oftentimes it is possible to reactivate temporary emails. + +### Delete + +You can check [JustDeleteMe](https://justdeleteme.xyz) for instructions on deleting the account for a specific service. Some sites will graciously have a "Delete Account" option, while others will go as far as to force you to speak with a support agent. The deletion process can vary from site to site, with account deletion being impossible on some. + +For services that don't allow account deletion, the best thing to do is falsify all your information as previously mentioned and strengthen account security. To do so, enable [MFA](multi-factor-authentication.md) and any extra security features offered. As well, change the password to a randomly-generated one that is the maximum allowed size (a [password manager](../passwords.md) can be useful for this). + +If you're satisfied that all information you care about is removed, you can safely forget about this account. If not, it might be a good idea to keep the credentials stored with your other passwords and occasionally re-login to reset the password. + +Even when you are able to delete an account, there is no guarantee that all your information will be removed. In fact, some companies are required by law to keep certain information, particularly when related to financial transactions. It's mostly out of your control what happens to your data when it comes to websites and cloud services. + +## Avoid New Accounts + +As the old saying goes, "an ounce of prevention is worth a pound of cure." Whenever you feel tempted to sign up for a new account, ask yourself, "Do I really need this? Can I accomplish what I need to without an account?" It can often be much harder to delete an account than to create one. And even after deleting or changing the info on your account, there might be a cached version from a third-party—like the [Internet Archive](https://archive.org/). Avoid the temptation when you're able to—your future self will thank you! diff --git a/i18n/vi/basics/common-misconceptions.md b/i18n/vi/basics/common-misconceptions.md new file mode 100644 index 00000000..be1928f0 --- /dev/null +++ b/i18n/vi/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "Common Misconceptions" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do X?" + Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. +--- + +## "Open-source software is always secure" or "Proprietary software is more secure" + +These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] + +On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. + +To avoid biased decisions, it's *vital* that you evaluate the privacy and security standards of the software you use. + +## "Shifting trust can increase privacy" + +We talk about "shifting trust" a lot when discussing solutions like VPNs (which shift the trust you place in your ISP to the VPN provider). While this protects your browsing data from your ISP *specifically*, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. This means that: + +1. You must exercise caution when choosing a provider to shift trust to. +2. You should still use other techniques, like E2EE, to protect your data completely. Merely distrusting one provider to trust another is not securing your data. + +## "Privacy-focused solutions are inherently trustworthy" + +Focusing solely on the privacy policies and marketing of a tool or provider can blind you to its weaknesses. When you're looking for a more private solution, you should determine what the underlying problem is and find technical solutions to that problem. For example, you may want to avoid Google Drive, which gives Google access to all of your data. The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like [Cryptomator](../encryption.md#cryptomator-cloud)) which provides E2EE on any cloud provider. Switching to a "privacy-focused" provider (that doesn't implement E2EE) doesn't solve your problem: it just shifts trust from Google to that provider. + +The privacy policies and business practices of providers you choose are very important, but should be considered secondary to technical guarantees of your privacy: You shouldn't shift trust to another provider when trusting a provider isn't a requirement at all. + +## "Complicated is better" + +We often see people describing privacy threat models that are overly complex. Often, these solutions include problems like many different email accounts or complicated setups with lots of moving parts and conditions. The replies are usually answers to "What is the best way to do *X*?" + +Finding the "best" solution for yourself doesn't necessarily mean you are after an infallible solution with dozens of conditions—these solutions are often difficult to work with realistically. As we discussed previously, security often comes at the cost of convenience. Below, we provide some tips: + +1. ==Actions need to serve a particular purpose:== think about how to do what you want with the fewest actions. +2. ==Remove human failure points:== We fail, get tired, and forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember. +3. ==Use the right level of protection for what you intend.== We often see recommendations of so-called law-enforcement or subpoena-proof solutions. These often require specialist knowledge and generally aren't what people want. There's no point in building an intricate threat model for anonymity if you can be easily de-anonymized by a simple oversight. + +So, how might this look? + +One of the clearest threat models is one where people *know who you are* and one where they do not. There will always be situations where you must declare your legal name and there are others where you don't need to. + +1. **Known identity** - A known identity is used for things where you must declare your name. There are many legal documents and contracts where a legal identity is required. This could range from opening a bank account, signing a property lease, obtaining a passport, customs declarations when importing items, or otherwise dealing with your government. These things will usually lead to credentials such as credit cards, credit rating checks, account numbers, and possibly physical addresses. + + We don't suggest using a VPN or Tor for any of these things, as your identity is already known through other means. + + !!! tip + + When shopping online, the use of a [parcel locker](https://en.wikipedia.org/wiki/Parcel_locker) can help keep your physical address private. + +2. **Unknown identity** - An unknown identity could be a stable pseudonym that you regularly use. It is not anonymous because it doesn't change. If you're part of an online community, you may wish to retain a persona that others know. This pseudonym isn't anonymous because—if monitored for long enough—details about the owner can reveal further information, such as the way they write, their general knowledge about topics of interest, etc. + + You may wish to use a VPN for this, to mask your IP address. Financial transactions are more difficult to mask: You could consider using anonymous cryptocurrencies, such as [Monero](https://www.getmonero.org/). Employing altcoin shifting may also help to disguise where your currency originated. Typically, exchanges require KYC (know your customer) to be completed before they'll allow you to exchange fiat currency into any kind of cryptocurrency. Local meet-up options may also be a solution; however, those are often more expensive and sometimes also require KYC. + +3. **Anonymous identity** - Even with experience, anonymous identities are difficult to maintain over long periods of time. They should be short-term and short-lived identities which are rotated regularly. + + Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) + +[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/vi/basics/common-threats.md b/i18n/vi/basics/common-threats.md new file mode 100644 index 00000000..e278c0cb --- /dev/null +++ b/i18n/vi/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "Common Threats" +icon: 'material/eye-outline' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +Broadly speaking, we categorize our recommendations into the [threats](threat-modeling.md) or goals that apply to most people. ==You may be concerned with none, one, a few, or all of these possibilities==, and the tools and services you use depend on what your goals are. You may have specific threats outside of these categories as well, which is perfectly fine! The important part is developing an understanding of the benefits and shortcomings of the tools you choose to use, because virtually none of them will protect you from every threat. + +- :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. +- :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. +- :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). +- :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. +- :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. +- :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. +- :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. + +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. + +## Anonymity vs. Privacy + +:material-incognito: Anonymity + +Anonymity is often confused with privacy, but they're distinct concepts. While privacy is a set of choices you make about how your data is used and shared, anonymity is the complete disassociation of your online activities from your real identity. + +Whistleblowers and journalists, for example, can have a much more extreme threat model which requires total anonymity. That's not only hiding what they do, what data they have, and not getting hacked by malicious actors or governments, but also hiding who they are entirely. They will often sacrifice any kind of convenience if it means protecting their anonymity, privacy, or security, because their lives could depend on it. Most people don't need to go so far. + +## Security and Privacy + +:material-bug-outline: Passive Attacks + +Security and privacy are also often confused, because you need security to obtain any semblance of privacy: Using tools—even if they're private by design—is futile if they could be easily exploited by attackers who later release your data. However, the inverse isn't necessarily true: The most secure service in the world *isn't necessarily* private. The best example of this is trusting data to Google who, given their scale, have had few security incidents by employing industry-leading security experts to secure their infrastructure. Even though Google provides very secure services, very few people would consider their data private in Google's free consumer products (Gmail, YouTube, etc.) + +When it comes to application security, we generally don't (and sometimes can't) know if the software we use is malicious, or might one day become malicious. Even with the most trustworthy developers, there's generally no guarantee that their software doesn't have a serious vulnerability that could later be exploited. + +To minimize the damage that a malicious piece of software *could* do, you should employ security by compartmentalization. For example, this could come in the form of using different computers for different jobs, using virtual machines to separate different groups of related applications, or using a secure operating system with a strong focus on application sandboxing and mandatory access control. + +!!! tip + + Mobile operating systems generally have better application sandboxing than desktop operating systems: Apps can't obtain root access, and require permission for access to system resources. + + Desktop operating systems generally lag behind on proper sandboxing. ChromeOS has similar sandboxing capabilities to Android, and macOS has full system permission control (and developers can opt-in to sandboxing for applications). However, these operating systems do transmit identifying information to their respective OEMs. Linux tends to not submit information to system vendors, but it has poor protection against exploits and malicious apps. This can be mitigated somewhat with specialized distributions which make significant use of virtual machines or containers, such as [Qubes OS](../../desktop/#qubes-os). + +:material-target-account: Targeted Attacks + +Targeted attacks against a specific person are more problematic to deal with. Common attacks include sending malicious documents via email, exploiting vulnerabilities (e.g. in browsers and operating systems), and physical attacks. If this is a concern for you, you should employ more advanced threat mitigation strategies. + +!!! tip + + By design, **web browsers**, **email clients**, and **office applications** typically run untrusted code, sent to you from third parties. Running multiple virtual machines—to separate applications like these from your host system, as well as each other—is one technique you can use to mitigate the chance of an exploit in these applications compromising the rest of your system. For example, technologies like Qubes OS or Microsoft Defender Application Guard on Windows provide convenient methods to do this. + +If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. + +## Privacy From Service Providers + +:material-server-network: Service Providers + +We live in a world where almost everything is connected to the internet. Our "private" messages, emails, and social interactions are typically stored on a server, somewhere. Generally, when you send someone a message it's stored on a server, and when your friend wants to read the message the server will show it to them. + +The obvious problem with this is that the service provider (or a hacker who has compromised the server) can access your conversations whenever and however they want, without you ever knowing. This applies to many common services, like SMS messaging, Telegram, and Discord. + +Thankfully, E2EE can alleviate this issue by encrypting communications between you and your desired recipients before they are even sent to the server. The confidentiality of your messages is guaranteed, assuming the service provider doesn't have access to the private keys of either party. + +!!! note "Note on Web-based Encryption" + + In practice, the effectiveness of different E2EE implementations varies. Applications, such as [Signal](../real-time-communication.md#signal), run natively on your device, and every copy of the application is the same across different installations. If the service provider were to introduce a [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)) in their application—in an attempt to steal your private keys—it could later be detected with [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering). + + On the other hand, web-based E2EE implementations, such as Proton Mail's webmail or Bitwarden's *Web Vault*, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider's guilt. + + Therefore, you should use native applications over web clients whenever possible. + +Even with E2EE, service providers can still profile you based on **metadata**, which typically isn't protected. While the service provider can't read your messages, they can still observe important things, such as who you're talking to, how often you message them, and when you're typically active. Protection of metadata is fairly uncommon, and—if it's within your [threat model](threat-modeling.md)—you should pay close attention to the technical documentation of the software you're using to see if there's any metadata minimization or protection at all. + +## Mass Surveillance Programs + +:material-eye-outline: Mass Surveillance + +Mass surveillance is the intricate effort to monitor the "behavior, many activities, or information" of an entire (or substantial fraction of a) population.[^1] It often refers to government programs, such as the ones [disclosed by Edward Snowden in 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)). However, it can also be carried out by corporations, either on behalf of government agencies or by their own initiative. + +!!! abstract "Atlas of Surveillance" + + If you want to learn more about surveillance methods and how they're implemented in your city you can also take a look at the [Atlas of Surveillance](https://atlasofsurveillance.org/) by the [Electronic Frontier Foundation](https://www.eff.org/). + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +Governments often justify mass surveillance programs as necessary means to combat terrorism and prevent crime. However, breaching human rights, it's most often used to disproportionately target minority groups and political dissidents, among others. + +!!! quote "ACLU: [*The Privacy Lesson of 9/11: Mass Surveillance is Not the Way Forward*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + In the face of [Edward Snowden's disclosures of government programs such as [PRISM](https://en.wikipedia.org/wiki/PRISM) and [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)], intelligence officials also admitted that the NSA had for years been secretly collecting records about virtually every American’s phone calls — who’s calling whom, when those calls are made, and how long they last. This kind of information, when amassed by the NSA day after day, can reveal incredibly sensitive details about people’s lives and associations, such as whether they have called a pastor, an abortion provider, an addiction counselor, or a suicide hotline. + +Despite growing mass surveillance in the United States, the government has found that mass surveillance programs like Section 215 have had "little unique value" with respect to stopping actual crimes or terrorist plots, with efforts largely duplicating the FBI's own targeted surveillance programs.[^2] + +Online, you can be tracked via a variety of methods: + +- Your IP address +- Browser cookies +- The data you submit to websites +- Your browser or device fingerprint +- Payment method correlation + +\[This list isn't exhaustive]. + +If you're concerned about mass surveillance programs, you can use strategues like compartmentalizing your online identities, blending in with other users, or, whenever possible, simply avoiding giving out identifying information. + +:material-account-cash: Surveillance Capitalism + +> Surveillance capitalism is an economic system centered around the capture and commodification of personal data for the core purpose of profit-making.[^3] + +For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks, such as those operated by Google and Facebook, span the internet far beyond just the sites they control, tracking your actions along the way. Using tools like content blockers to limit network requests to their servers, and reading the privacy policies of the services you use can help you avoid many basic adversaries (although it can't completely prevent tracking).[^4] + +Additionally, even companies outside of the *AdTech* or tracking industry can share your information with [data brokers](https://en.wikipedia.org/wiki/Information_broker) (such as Cambridge Analytica, Experian, or Datalogix) or other parties. You can't automatically assume your data is safe just because the service you're using doesn't fall within the typical AdTech or tracking business model. The strongest protection against corporate data collection is to encrypt or obfuscate your data whenever possible, making it difficult for different providers to correlate data with each other and build a profile on you. + +## Limiting Public Information + +:material-account-search: Public Exposure + +The best way to keep your data private is simply not making it public in the first place. Deleting unwanted information you find about yourself online is one of the best first steps you can take to regain your privacy. + +- [View our guide on account deletion :material-arrow-right-drop-circle:](account-deletion.md) + +On sites where you do share information, checking the privacy settings of your account to limit how widely that data is spread is very important. For example, enable "private mode" on your accounts if given the option: This ensures that your account isn't being indexed by search engines, and that it can't be viewed without your permission. + +If you've already submitted your real information to sites which shouldn't have it, consider using disinformation tactics, like submitting fictitious information related to that online identity. This makes your real information indistinguishable from the false information. + +## Avoiding Censorship + +:material-close-outline: Censorship + +Censorship online can be carried out (to varying degrees) by actors including totalitarian governments, network administrators, and service providers. These efforts to control communication and restrict access to information will always be incompatible with the human right to Freedom of Expression.[^5] + +Censorship on corporate platforms is increasingly common, as platforms like Twitter and Facebook give in to public demand, market pressures, and pressures from government agencies. Government pressures can be covert requests to businesses, such as the White House [requesting the takedown](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) of a provocative YouTube video, or overt, such as the Chinese government requiring companies to adhere to a strict regime of censorship. + +People concerned with the threat of censorship can use technologies like [Tor](../advanced/tor-overview.md) to circumvent it, and support censorship-resistant communication platforms like [Matrix](../real-time-communication.md#element), which doesn't have a centralized account authority that can close accounts arbitrarily. + +!!! tip + + While evading censorship itself can be easy, hiding the fact that you are doing it can be very problematic. + + You should consider which aspects of the network your adversary can observe, and whether you have plausible deniability for your actions. For example, using [encrypted DNS](../advanced/dns-overview.md#what-is-encrypted-dns) can help you bypass rudimentary, DNS-based censorship systems, but it can't truly hide what you are visiting from your ISP. A VPN or Tor can help hide what you are visiting from network administrators, but can't hide that you're using those networks in the first place. Pluggable transports (such as Obfs4proxy, Meek, or Shadowsocks) can help you evade firewalls that block common VPN protocols or Tor, but your circumvention attempts can still be detected by methods like probing or [deep packet inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection). + +You must always consider the risks of trying to bypass censorship, the potential consequences, and how sophisticated your adversary may be. You should be cautious with your software selection, and have a backup plan in case you are caught. + +[^1]: Wikipedia: [*Mass Surveillance*](https://en.wikipedia.org/wiki/Mass_surveillance) and [*Surveillance*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: United States Privacy and Civil Liberties Oversight Board: [*Report on the Telephone Records Program Conducted under Section 215*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: Wikipedia: [*Surveillance capitalism*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[Enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/)" (or, "listing all the bad things that we know about"), as many adblockers and antivirus programs do, fails to adequately protect you from new and unknown threats because they have not yet been added to the filter list. You should also employ other mitigation techniques. +[^5]: United Nations: [*Universal Declaration of Human Rights*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/vi/basics/email-security.md b/i18n/vi/basics/email-security.md new file mode 100644 index 00000000..f0c2fb57 --- /dev/null +++ b/i18n/vi/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: Email Security +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +Email is an insecure form of communication by default. You can improve your email security with tools such as OpenPGP, which add End-to-End Encryption to your messages, but OpenPGP still has a number of drawbacks compared to encryption in other messaging applications, and some email data can never be encrypted inherently due to how email is designed. + +As a result, email is best used for receiving transactional emails (like notifications, verification emails, password resets, etc.) from the services you sign up for online, not for communicating with others. + +## Email Encryption Overview + +The standard way to add E2EE to emails between different email providers is by using OpenPGP. There are different implementations of the OpenPGP standard, the most common being [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) and [OpenPGP.js](https://openpgpjs.org). + +There is another standard which is popular with business called [S/MIME](https://en.wikipedia.org/wiki/S/MIME), however, it requires a certificate issued from a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not all of them issue S/MIME certificates). It has support in [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) and [Outlook for Web or Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480). + +Even if you use OpenPGP, it does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. This is why we recommend [instant messengers](../real-time-communication.md) which implement forward secrecy over email for person-to-person communications whenever possible. + +### What Email Clients Support E2EE? + +Email providers which allow you to use standard access protocols like IMAP and SMTP can be used with any of the [email clients we recommend](../email-clients.md). Depending on the authentication method, this may lead to the decrease security if either the provider or the email client does not support OATH or a bridge application as [multi-factor authentication](multi-factor-authentication.md) is not possible with plain password authentication. + +### How Do I Protect My Private Keys? + +A smartcard (such as a [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) or [Nitrokey](https://www.nitrokey.com)) works by receiving an encrypted email message from a device (phone, tablet, computer, etc) running an email/webmail client. The message is then decrypted by the smartcard and the decrypted content is sent back to the device. + +It is advantageous for the decryption to occur on the smartcard so as to avoid possibly exposing your private key to a compromised device. + +## Email Metadata Overview + +Email metadata is stored in the [message header](https://en.wikipedia.org/wiki/Email#Message_header) of the email message and includes some visible headers that you may have seen such as: `To`, `From`, `Cc`, `Date`, `Subject`. There are also a number of hidden headers included by many email clients and providers that can reveal information about your account. + +Client software may use email metadata to show who a message is from and what time it was received. Servers may use it to determine where an email message must be sent, among [other purposes](https://en.wikipedia.org/wiki/Email#Message_header) which are not always transparent. + +### Who Can View Email Metadata? + +Email metadata is protected from outside observers with [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) protecting it from outside observers, but it is still able to be seen by your email client software (or webmail) and any servers relaying the message from you to any recipients including your email provider. Sometimes email servers will also use third-party services to protect against spam, which generally also have access to your messages. + +### Why Can't Metadata be E2EE? + +Email metadata is crucial to the most basic functionality of email (where it came from, and where it has to go). E2EE was not built into the email protocols originally, instead requiring add-on software like OpenPGP. Because OpenPGP messages still have to work with traditional email providers, it cannot encrypt email metadata, only the message body itself. That means that even when using OpenPGP, outside observers can see lots of information about your messages, such as who you're emailing, the subject lines, when you're emailing, etc. diff --git a/i18n/vi/basics/multi-factor-authentication.md b/i18n/vi/basics/multi-factor-authentication.md new file mode 100644 index 00000000..ae57848d --- /dev/null +++ b/i18n/vi/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "Multi-Factor Authentication" +icon: 'material/two-factor-authentication' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**Multi-Factor Authentication** (**MFA**) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method is time limited codes you might receive from SMS or an app. + +Normally, if a hacker (or adversary) is able to figure out your password then they’d gain access to the account that password belongs to. An account with MFA forces the hacker to have both the password (something you *know*) and a device that you own (something you *have*), like your phone. + +MFA methods vary in security, but are based on the premise that the more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS, Email codes, app push notifications, TOTP, Yubico OTP and FIDO. + +## MFA Method Comparison + +### SMS or Email MFA + +Receiving OTP codes via SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you *have*" idea, because there are a variety of ways a hacker could [take over your phone number](https://en.wikipedia.org/wiki/SIM_swap_scam) or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account. + +### Push Notifications + +Push notification MFA takes the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first. + +We all make mistakes, and there is the risk that you might accept the login attempt by accident. Push notification login authorizations are typically sent to *all* your devices at once, widening the availability of the MFA code if you have many devices. + +The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open, unlike a good TOTP generator app. + +### Time-based One-time Password (TOTP) + +TOTP is one of the most common forms of MFA available. When you set up TOTP, you are generally required to scan a [QR Code](https://en.wikipedia.org/wiki/QR_code) which establishes a "[shared secret](https://en.wikipedia.org/wiki/Shared_secret)" with the service that you intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password. + +The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret, an adversary cannot generate new codes. + +If you have a hardware security key with TOTP support (such as a YubiKey with [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with the intention of making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app. + +Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against [phishing](https://en.wikipedia.org/wiki/Phishing) or reuse attacks. If an adversary obtains a valid code from you, they may use it as many times as they like until it expires (generally 60 seconds). + +An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. + +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. + +### Hardware security keys + +The YubiKey stores data on a tamper-resistant solid-state chip which is [impossible to access](https://security.stackexchange.com/a/245772) non-destructively without an expensive process and a forensics laboratory. + +These keys are generally multi-function and provide a number of methods to authenticate. Below are the most common ones. + +#### Yubico OTP + +Yubico OTP is an authentication protocol typically implemented in hardware security keys. When you decide to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server. + +When logging into a website, all you need to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field. + +The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process. + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +There are some benefits and disadvantages to using Yubico OTP when compared to TOTP. + +The Yubico validation server is a cloud based service, and you're placing trust in Yubico that they are storing data securely and not profiling you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance. + +If your threat model requires you to have different identities on different websites, **do not** use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key. + +#### FIDO (Fast IDentity Online) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) includes a number of standards, first there was U2F and then later [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) which includes the web standard [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). + +U2F and FIDO2 refer to the [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol), which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on. + +WebAuthn is the most secure and private form of second factor authentication. While the authentication experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third-party server. Instead, it uses [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) for authentication. + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +When you create an account, the public key is sent to the service, then when you log in, the service will require you to "sign" some data with your private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal. + +This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and [WebAuthn](https://webauthn.guide) standards. + +
+ +
+ +FIDO2 and WebAuthn have superior security and privacy properties when compared to any MFA methods. + +Typically for web services it is used with WebAuthn which is a part of the [W3C recommendations](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC)). It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect you from phishing attacks, as it helps you to determine that you are using the authentic service and not a fake copy. + +Unlike Yubico OTP, WebAuthn does not use any public ID, so the key is **not** identifiable across different websites. It also does not use any third-party cloud server for authentication. All communication is completed between the key and the website you are logging into. FIDO also uses a counter which is incremented upon use in order to prevent session reuse and cloned keys. + +If a website or service supports WebAuthn for the authentication, it is highly recommended that you use it over any other form of MFA. + +## General Recommendations + +We have these general recommendations: + +### Which Method Should I Use? + +When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2/WebAuthn, you should not be using Yubico OTP or TOTP on your account. + +### Backups + +You should always have backups for your MFA method. Hardware security keys can get lost, stolen or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one. + +When using TOTP with an authenticator app, be sure to back up your recovery keys or the app itself, or copy the "shared secrets" to another instance of the app on a different phone or to an encrypted container (e.g. [VeraCrypt](../encryption.md#veracrypt)). + +### Initial Set Up + +When buying a security key, it is important that you change the default credentials, set up password protection for the key, and enable touch confirmation if your key supports it. Products such as the YubiKey have multiple interfaces with separate credentials for each one of them, so you should go over each interface and set up protection as well. + +### Email and SMS + +If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method. + +If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access, or use a dedicated VoIP number from a provider with similar security to avoid a [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam). + +[MFA tools we recommend](../multi-factor-authentication.md ""){.md-button} + +## More Places to Set Up MFA + +Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, SSH keys or even password databases as well. + +### Windows + +Yubico has a dedicated [Credential Provider](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), which will allow you to set up MFA on your Windows computer. + +### macOS + +macOS has [native support](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer. + +Yubico have a guide [Using Your YubiKey as a Smart Card in macOS](https://support.yubico.com/hc/en-us/articles/360016649059) which can help you set up your YubiKey on macOS. + +After your smartcard/security key is set up, we recommend running this command in the Terminal: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +The command will prevent an adversary from bypassing MFA when the computer boots. + +### Linux + +!!! warning + + If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you set up a proper hostname for your computer before following this guide. + +The `pam_u2f` module on Linux can provide two-factor authentication for logging in on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide [Ubuntu Linux Login Guide - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) which should work on any distribution. The package manager commands—such as `apt-get`—and package names may however differ. This guide does **not** apply to Qubes OS. + +### Qubes OS + +Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS [YubiKey documentation](https://www.qubes-os.org/doc/yubikey/) if you want to set up MFA on Qubes OS. + +### SSH + +#### Hardware Security Keys + +SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's [documentation](https://developers.yubico.com/SSH/) on how to set this up. + +#### Time-based One-time Password (TOTP) + +SSH MFA can also be set up using TOTP. DigitalOcean has provided a tutorial [How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04). Most things should be the same regardless of distribution, however the package manager commands—such as `apt-get`—and package names may differ. + +### KeePass (and KeePassXC) + +KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second-factor authentication. Yubico has provided a document for KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) and there is also one on the [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) website. diff --git a/i18n/vi/basics/passwords-overview.md b/i18n/vi/basics/passwords-overview.md new file mode 100644 index 00000000..6858d8b5 --- /dev/null +++ b/i18n/vi/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "Introduction to Passwords" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +Passwords are an essential part of our everyday digital lives. We use them to protect our accounts, our devices and our secrets. Despite often being the only thing between us and an adversary who's after our private information, not a lot of thought is put into them, which often leads to people using passwords that can be easily guessed or brute-forced. + +## Best Practices + +### Use unique passwords for every service + +Imagine this; you sign up for an account with the same e-mail and password on multiple online services. If one of those service providers is malicious, or their service has a data breach that exposes your password in an unencrypted format, all a bad actor would have to do is try that e-mail and password combination across multiple popular services until they get a hit. It doesn't matter how strong that one password is, because they already have it. + +This is called [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing), and it is one of the most common ways that your accounts can be compromised by bad actors. To avoid this, make sure that you never re-use your passwords. + +### Use randomly generated passwords + +==You should **never** rely on yourself to come up with a good password.== We recommend using [randomly generated passwords](#passwords) or [diceware passphrases](#diceware-passphrases) with sufficient entropy to protect your accounts and devices. + +All of our [recommended password managers](../passwords.md) include a built-in password generator that you can use. + +### Rotating Passwords + +You should avoid changing passwords that you have to remember (such as your password manager's master password) too often unless you have reason to believe it has been compromised, as changing it too often exposes you to the risk of forgetting it. + +When it comes to passwords that you don't have to remember (such as passwords stored inside your password manager), if your [threat model](threat-modeling.md) calls for it, we recommend going through important accounts (especially accounts that don't use multi-factor authentication) and changing their password every couple of months, in case they have been compromised in a data breach that hasn't become public yet. Most password managers allow you to set an expiry date for your password to make this easier to manage. + +!!! tip "Checking for data breaches" + + If your password manager lets you check for compromised passwords, make sure to do so and promptly change any password that may have been exposed in a data breach. Alternatively, you could follow [Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches) with the help of a [news aggregator](../news-aggregators.md). + +## Creating strong passwords + +### Passwords + +A lot of services impose certain criteria when it comes to passwords, including a minimum or maximum length, as well as which special characters, if any, can be used. You should use your password manager's built-in password generator to create passwords that are as long and complex as the service will allow by including capitalized and lowercase letters, numbers and special characters. + +If you need a password you can memorize, we recommend a [diceware passphrase](#diceware-passphrases). + +### Diceware Passphrases + +Diceware is a method for creating passphrases which are easy to remember, but hard to guess. + +Diceware passphrases are a great option when you need to memorize or manually input your credentials, such as for your password manager's master password or your device's encryption password. + +An example of a diceware passphrase is `viewable fastness reluctant squishy seventeen shown pencil`. + +To generate a diceware passphrase using real dice, follow these steps: + +!!! note + + These instructions assume that you are using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate the passphrase, which requires five dice rolls per word. Other wordlists may require more or less rolls per word, and may require a different amount of words to achieve the same entropy. + +1. Roll a six-sided die five times, noting down the number after each roll. + +2. As an example, let's say you rolled `2-5-2-6-6`. Look through the [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) for the word that corresponds to `25266`. + +3. You will find the word `encrypt`. Write that word down. + +4. Repeat this process until your passphrase has as many words as you need, which you should separate with a space. + +!!! warning "Important" + + You should **not** re-roll words until you get a combination of words that appeal to you. The process should be completely random. + +If you don't have access to or would prefer to not use real dice, you can use your password manager's built-in password generator, as most of them have the option to generate diceware passphrases in addition to regular passwords. + +We recommend using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) to generate your diceware passphrases, as it offers the exact same security as the original list, while containing words that are easier to memorize. There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? note "Explanation of entropy and strength of diceware passphrases" + + To demonstrate how strong diceware passphrases are, we'll use the aforementioned seven word passphrase (`viewable fastness reluctant squishy seventeen shown pencil`) and [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) as an example. + + One metric to determine the strength of a diceware passphrase is how much entropy it has. The entropy per word in a diceware passphrase is calculated as $\text{log}_2(\text{WordsInList})$ and the overall entropy of the passphrase is calculated as $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + Therefore, each word in the aforementioned list results in ~12.9 bits of entropy ($\text{log}_2(7776)$), and a seven word passphrase derived from it has ~90.47 bits of entropy ($\text{log}_2(7776^7)$). + + The [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) contains 7776 unique words. To calculate the amount of possible passphrases, all we have to do is $\text{WordsInList}^\text{WordsInPhrase}$, or in our case, $7776^7$. + + Let's put all of this in perspective: A seven word passphrase using [EFF's large wordlist](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) is one of ~1,719,070,799,748,422,500,000,000,000 possible passphrases. + + On average, it takes trying 50% of all the possible combinations to guess your phrase. With that in mind, even if your adversary is capable of ~1,000,000,000,000 guesses per second, it would still take them ~27,255,689 years to guess your passphrase. That is the case even if the following things are true: + + - Your adversary knows that you used the diceware method. + - Your adversary knows the specific wordlist that you used. + - Your adversary knows how many words your passphrase contains. + +To sum it up, diceware passphrases are your best option when you need something that is both easy to remember *and* exceptionally strong. + +## Storing Passwords + +### Password Managers + +The best way to store your passwords is by using a password manager. They allow you to store your passwords in a file or in the cloud and protect them with a single master password. That way, you will only have to remember one strong password, which lets you access the rest of them. + +There are many good options to choose from, both cloud-based and local. Choose one of our recommended password managers and use it to establish strong passwords across all of your accounts. We recommend securing your password manager with a [diceware passphrase](#diceware-passphrases) comprised of at least seven words. + +[List of recommended password managers](../passwords.md ""){.md-button} + +!!! warning "Don't place your passwords and TOTP tokens inside the same password manager" + + When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). + + Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. + + Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device. + +### Backups + +You should store an [encrypted](../encryption.md) backup of your passwords on multiple storage devices or a cloud storage provider. This can help you access your passwords if something happens to your primary device or the service you are using. diff --git a/i18n/vi/basics/threat-modeling.md b/i18n/vi/basics/threat-modeling.md new file mode 100644 index 00000000..fc1b3b41 --- /dev/null +++ b/i18n/vi/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "Threat Modeling" +icon: 'material/target-account' +description: Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. +--- + +Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using! + +If you wanted to use the **most** secure tools available, you'd have to sacrifice *a lot* of usability. And, even then, ==nothing is ever fully secure.== There's **high** security, but never **full** security. That's why threat models are important. + +**So, what are these threat models, anyway?** + +==A threat model is a list of the most probable threats to your security and privacy endeavors.== Since it's impossible to protect yourself against **every** attack(er), you should focus on the **most probable** threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure. + +Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job. + +## Creating Your Threat Model + +To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions: + +1. What do I want to protect? +2. Who do I want to protect it from? +3. How likely is it that I will need to protect it? +4. How bad are the consequences if I fail? +5. How much trouble am I willing to go through to try to prevent potential consequences? + +### What do I want to protect? + +An “asset” is something you value and want to protect. In the context of digital security, ==an asset is usually some kind of information.== For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets. + +*Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.* + +### Who do I want to protect it from? + +To answer this question, it's important to identify who might want to target you or your information. ==A person or entity that poses a threat to your assets is an “adversary”.== Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network. + +*Make a list of your adversaries or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.* + +Depending on who your adversaries are, under some circumstances, this list might be something you want to destroy after you're done security planning. + +### How likely is it that I will need to protect it? + +==Risk is the likelihood that a particular threat against a particular asset will actually occur.== It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low. + +It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). + +Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. + +*Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.* + +### How bad are the consequences if I fail? + +There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. + +==The motives of adversaries differ widely, as do their tactics.== A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing. + +Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities. + +*Write down what your adversary might want to do with your private data.* + +### How much trouble am I willing to go through to try to prevent potential consequences? + +==There is no perfect option for security.== Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy. + +For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos. + +*Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.* + +### Try it yourself: Protecting Your Belongings + +These questions can apply to a wide variety of situations, online and offline. As a generic demonstration of how these questions work, let's build a plan to keep your house and possessions safe. + +**What do you want to protect? (Or, *what do you have that is worth protecting?*)** +: + +Your assets might include jewelry, electronics, important documents, or photos. + +**Who do you want to protect it from?** +: + +Your adversaries might include burglars, roommates, or guests. + +**How likely is it that you will need to protect it?** +: + +Does your neighborhood have a history of burglaries? How trustworthy are your roommates or guests? What are the capabilities of your adversaries? What are the risks you should consider? + +**How bad are the consequences if you fail?** +: + +Do you have anything in your house that you cannot replace? Do you have the time or money to replace those things? Do you have insurance that covers goods stolen from your home? + +**How much trouble are you willing to go through to prevent these consequences?** +: + +Are you willing to buy a safe for sensitive documents? Can you afford to buy a high-quality lock? Do you have time to open a security box at your local bank and keep your valuables there? + +Only once you have asked yourself these questions will you be in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you'll want to get the best lock on the market and consider adding a security system. + +Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face. + +## Further Reading + +For people looking to increase their privacy and security online, we've compiled a list of common threats our visitors face or goals our visitors have, to give you some inspiration and demonstrate the basis of our recommendations. + +- [Common Goals and Threats :material-arrow-right-drop-circle:](common-threats.md) + +## Sources + +- [EFF Surveillance Self Defense: Your Security Plan](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/vi/basics/vpn-overview.md b/i18n/vi/basics/vpn-overview.md new file mode 100644 index 00000000..a1a007f5 --- /dev/null +++ b/i18n/vi/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN Overview +icon: material/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +Virtual Private Networks are a way of extending the end of your network to exit somewhere else in the world. An ISP can see the flow of internet traffic entering and exiting your network termination device (i.e. modem). + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +A VPN can help as it can shift trust to a server somewhere else in the world. As a result, the ISP then only sees that you are connected to a VPN and nothing about the activity that you're passing into it. + +## Should I use a VPN? + +**Yes**, unless you are already using Tor. A VPN does two things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third-party service. + +VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way. + +However, they do hide your actual IP from a third-party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking. + +## When shouldn't I use a VPN? + +Using a VPN in cases where you're using your [known identity](common-threats.md#common-misconceptions) is unlikely be useful. + +Doing so may trigger spam and fraud detection systems, such as if you were to log into your bank's website. + +## What about encryption? + +Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption. + +In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). + +## Should I use encrypted DNS with a VPN? + +Unless your VPN provider hosts the encrypted DNS servers, **no**. Using DOH/DOT (or any other form of encrypted DNS) with third-party servers will simply add more entities to trust and does **absolutely nothing** to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider. + +A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for [TLS certificates](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) with **HTTPS** and warn you about it. If you are not using **HTTPS**, then an adversary can still just modify anything other than your DNS queries and the end result will be little different. + +Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit and would allow the encrypted DNS provider to deanonymize you. + +## Should I use Tor *and* a VPN? + +By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefits to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](../advanced/tor-overview.md). + +## What if I need anonymity? + +VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use [Tor](https://www.torproject.org/) instead. + +## What about VPN providers that provide Tor nodes? + +Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) protocol. [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (used in [WebRTC](https://en.wikipedia.org/wiki/WebRTC) for voice and video sharing, the new [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) protocol, etc), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) and other packets will be dropped. To compensate for this, VPN providers typically will route all non-TCP packets through their VPN server (your first hop). This is the case with [ProtonVPN](https://protonvpn.com/support/tor-vpn/). Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as [Isolated Destination Address](https://www.whonix.org/wiki/Stream_Isolation) (using a different Tor circuit for every domain you visit). + +The feature should be viewed as a convenient way to access the Tor Network, not to stay anonymous. For proper anonymity, use the Tor Browser, TorSocks, or a Tor gateway. + +## When are VPNs useful? + +A VPN may still be useful to you in a variety of scenarios, such as: + +1. Hiding your traffic from **only** your Internet Service Provider. +1. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations. +1. Hiding your IP from third-party websites and services, preventing IP based tracking. + +For situations like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor. + +## Sources and Further Reading + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network Overview](../advanced/tor-overview.md) +1. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides) +1. ["Do I need a VPN?"](https://www.doineedavpn.com), a tool developed by IVPN to challenge aggressive VPN marketing by helping individuals decide if a VPN is right for them. + +## Related VPN Information + +- [The Trouble with VPN and Privacy Review Sites](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/) +- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/vi/calendar.md b/i18n/vi/calendar.md new file mode 100644 index 00000000..86494966 --- /dev/null +++ b/i18n/vi/calendar.md @@ -0,0 +1,92 @@ +--- +title: "Calendar Sync" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +Calendars contain some of your most sensitive data; use products that implement E2EE at rest to prevent a provider from reading them. + +## Nhà cung cấp Cloud/SaaS + +!!! khuyến nghị + + ![Tutanota logo](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota logo](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota** offers a free and encrypted calendar across their supported platforms. [Website](https://tutanota.com/calendar){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://tutanota.com/privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-windows: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:fontawesome-brands-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/de.tutao.tutanota) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/tutao/tutanota) + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Self-hostable + +!!! khuyến nghị + + ![Proton](assets/img/calendar/proton-calendar.svg){ align=right } + + **Proton Calendar** is an encrypted calendar service available to Proton members via web or mobile clients. Tất cả dữ liệu được lưu trữ bên trong nó đều được mã hóa đầu cuối khi được lưu trữ trên các máy chủ của ProtonMail. [Website](https://calendar.protonmail.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://protonmail.com/privacy-policy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/ProtonMail/WebClients) + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Qualifications + +- Must sync and store information with E2EE to ensure data is not visible to the service provider. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should integrate with native OS calendar and contact management apps if applicable. diff --git a/i18n/vi/cloud.md b/i18n/vi/cloud.md new file mode 100644 index 00000000..0627a3b0 --- /dev/null +++ b/i18n/vi/cloud.md @@ -0,0 +1,102 @@ +--- +title: "Cloud Storage" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +Many cloud storage providers require your full trust that they will not look at your files. The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? question "Looking for Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive + +!!! khuyến nghị + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [Website](https://drive.protonmail.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://protonmail.com/privacy-policy){ .md-button } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! khuyến nghị + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Requirements + +- Must enforce end-to-end encryption. +- Must offer a free plan or trial period for testing. +- Must support TOTP or FIDO2 multi-factor authentication, or Passkey logins. +- Must offer a web interface which supports basic file management functionality. +- Must allow for easy exports of all files/documents. +- Must use standard, audited encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Clients should be open-source. +- Clients should be audited in their entirety by an independent third-party. +- Should offer native clients for Linux, Android, Windows, macOS, and iOS. + - These clients should integrate with native OS tools for cloud storage providers, such as Files app integration on iOS, or DocumentsProvider functionality on Android. +- Should support easy file-sharing with other users. +- Should offer at least basic file preview and editing functionality on the web interface. + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/vi/cryptocurrency.md b/i18n/vi/cryptocurrency.md new file mode 100644 index 00000000..3a9abb2c --- /dev/null +++ b/i18n/vi/cryptocurrency.md @@ -0,0 +1,59 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! danger + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! khuyến nghị + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/vi/data-redaction.md b/i18n/vi/data-redaction.md new file mode 100644 index 00000000..cbbc4113 --- /dev/null +++ b/i18n/vi/data-redaction.md @@ -0,0 +1,153 @@ +--- +title: "Data and Metadata Redaction" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +When sharing files, be sure to remove associated metadata. Image files commonly include [Exif](https://en.wikipedia.org/wiki/Exif) data. Photos sometimes even include GPS coordinates in the file metadata. + +## Desktop + +### MAT2 + +!!! khuyến nghị + + ![MAT2 logo](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2** is free software, which allows the metadata to be removed from image, audio, torrent, and document file types. It provides both a command line tool and a graphical user interface via an [extension for Nautilus](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus), the default file manager of [GNOME](https://www.gnome.org), and [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin), the default file manager of [KDE](https://kde.org). + + [Homepage](https://exifcleaner.com){ .md-button .md-button--primary } + + ??? + + tải xuống + + - [:fontawesome-brands-windows: Windows](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-apple: macOS](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-linux: Linux](https://github.com/szTheory/exifcleaner/releases) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/szTheory/exifcleaner) downloads + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Mobile + +### ExifEraser (Android) + +!!! khuyến nghị + + ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ align=right } + + **ExifEraser** is a modern, permissionless image metadata erasing application for Android. + + It currently supports JPEG, PNG and WebP files. + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +The metadata that is erased depends on the image's file type: + +* **JPEG**: ICC Profile, Exif, Photoshop Image Resources and XMP/ExtendedXMP metadata will be erased if it exists. +* **PNG**: ICC Profile, Exif and XMP metadata will be erased if it exists. +* **WebP**: ICC Profile, Exif and XMP metadata will be erased if it exists. + +After processing the images, ExifEraser provides you with a full report about what exactly was removed from each image. + +The app offers multiple ways to erase metadata from images. chú ý + +* You can share an image from another application with ExifEraser. +* Through the app itself, you can select a single image, multiple images at once, or even an entire directory. +* It features a "Camera" option, which uses your operating system's camera app to take a photo, and then it removes the metadata from it. +* It allows you to drag photos from another app into ExifEraser when they are both open in split-screen mode. +* Lastly, it allows you to paste an image from your clipboard. + +### Metapho (iOS) + +!!! khuyến nghị + + ![Metapho logo](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho** is a simple and clean viewer for photo metadata such as date, file name, size, camera model, shutter speed, and location. + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! khuyến nghị + + ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ align=right } + + **PrivacyBlur** is a free app which can blur sensitive portions of pictures before sharing them online. + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? [Mã nguồn](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + + ??? + +!!! warning + + Siêu dữ liệu hiện không bị xóa khỏi tệp video nhưng đó là kế hoạch. If you want to redact text in an image, draw a box over the text. For this, we suggest apps like [Pocket Paint](https://github.com/Catrobat/Paintroid). + +## Command-line + +### ExifTool + +!!! khuyến nghị + + ![ExifTool logo](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool** is the original perl library and command-line application for reading, writing, and editing meta information (Exif, IPTC, XMP, and more) in a wide variety of file formats (JPEG, TIFF, PNG, PDF, RAW, and more). + + It's often a component of other Exif removal applications and is in most Linux distribution repositories. + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! example "Deleting data from a directory of files" + + ```bash + exiftool -all= *.file_extension + ``` + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Apps developed for open-source operating systems must be open-source. +- Apps must be free and should not include ads or other limitations. diff --git a/i18n/vi/desktop-browsers.md b/i18n/vi/desktop-browsers.md new file mode 100644 index 00000000..460860e6 --- /dev/null +++ b/i18n/vi/desktop-browsers.md @@ -0,0 +1,364 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! khuyến nghị + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! khuyến nghị + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [Homepage](https://www.bromite.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.bromite.org/privacy){ .md-button } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### Telemetry + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! khuyến nghị + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! khuyến nghị + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Requirements + +- Must be open-source software. +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/vi/desktop.md b/i18n/vi/desktop.md new file mode 100644 index 00000000..76917148 --- /dev/null +++ b/i18n/vi/desktop.md @@ -0,0 +1,179 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! khuyến nghị + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [Homepage](https://getfedora.org/){ .md-button .md-button--primary } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! khuyến nghị + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! khuyến nghị + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [Homepage](https://archlinux.org/){ .md-button .md-button--primary } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! khuyến nghị + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! khuyến nghị + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [Homepage](https://nixos.org/){ .md-button .md-button--primary } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! khuyến nghị + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! khuyến nghị + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! khuyến nghị + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes** là một hệ điều hành mã nguồn mở được thiết kế để cung cấp bảo mật mạnh mẽ cho máy tính để bàn. Qubes dựa trên Xen, X Window System, và Linux, và có thể chạy hầu hết các ứng dụng Linux và sử dụng hầu hết các trình điều khiển Linux. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/vi/dns.md b/i18n/vi/dns.md new file mode 100644 index 00000000..dc45da28 --- /dev/null +++ b/i18n/vi/dns.md @@ -0,0 +1,145 @@ +--- +title: "DNS Resolvers" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity. + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## Recommended Providers + +| DNS Provider | Chính Sách Bảo Mật | Protocols | Logging | ECS | Filtering | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | Some[^1] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | Some[^2] | No | Based on server choice. | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | Optional[^3] | No | Based on server choice. | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | Based on server choice. Filter list being used can be found here. [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | Optional[^5] | Optional | Based on server choice. | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | Some[^6] | Optional | Based on server choice, Malware blocking by default. | + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must support [DNSSEC](advanced/dns-overview.md#what-is-dnssec). +- [QNAME Minimization](advanced/dns-overview.md#what-is-qname-minimization). +- Allow for [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) to be disabled. +- Prefer [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support or geo-steering support. + +## Native Operating System Support + +### Android + +Android 9 and above support DNS over TLS. The settings can be found in: **Settings** → **Network & Internet** → **Private DNS**. + +### Apple Devices + +The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings). + +After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings. + +#### Signed Profiles + +Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html). **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [NextDNS](https://apple.nextdns.io), and [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/). + +!!! info + + `systemd-resolved`, which many Linux distributions use to do their DNS lookups, doesn't yet [support DoH](https://github.com/systemd/systemd/issues/8639). If you want to use DoH, you'll need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS. + +## Encrypted DNS Proxies + +Encrypted DNS proxy software provides a local proxy for the [unencrypted DNS](advanced/dns-overview.md#unencrypted-dns) resolver to forward to. Typically it is used on platforms that don't natively support [encrypted DNS](advanced/dns-overview.md#what-is-encrypted-dns). + +### RethinkDNS + +!!! khuyến nghị + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot), [DNSCrypt](advanced/dns-overview.md#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too. + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! khuyến nghị + + ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ align=right } + + **dnscrypt-proxy** is a DNS proxy with support for [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh), and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS). + + !!! warning "The anonymized DNS feature does [**not**](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic." + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## Self-hosted Solutions + +A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed. + +### AdGuard Home + +!!! khuyến nghị + + ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + AdGuard Home features a polished web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! khuyến nghị + + ![Pi-hole logo](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole** is an open-source [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) which uses [DNS filtering](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/) to block unwanted web content, such as advertisements. + + Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content. + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad's DNS service is available to both subscribers and non-subscribers of Mullvad VPN. Their privacy policy explicitly claims they do not log DNS requests in any way. [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/vi/email-clients.md b/i18n/vi/email-clients.md new file mode 100644 index 00000000..6684003d --- /dev/null +++ b/i18n/vi/email-clients.md @@ -0,0 +1,240 @@ +--- +title: "Email Clients" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! khuyến nghị + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mozilla.org/privacy/thunderbird){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.thunderbird.net) + - [:fontawesome-brands-apple: macOS](https://www.thunderbird.net) + - [:fontawesome-brands-linux: Linux](https://www.thunderbird.net) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.Thunderbird) + - [:fontawesome-brands-git: Mã nguồn](https://hg.mozilla.org/comm-central) + +#### Recommended Configuration + +We recommend changing some of these settings to make Thunderbird a little more private. + +These options can be found in :material-menu: → **Settings** → **Privacy & Security**. + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### Telemetry + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! khuyến nghị + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! khuyến nghị + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [Website](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.apple.com/legal/privacy/en-ww/){ .md-button } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! warning + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! khuyến nghị + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? [Website](https://kontact.kde.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://kde.org/privacypolicy-apps){ .md-button } + + ??? + +### GNOME Evolution (GNOME) + +!!! khuyến nghị + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. [Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mailvelope.com/en/privacy-policy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:fontawesome-brands-edge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/mailvelope/mailvelope) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! khuyến nghị + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + [Homepage](https://k9mail.app){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://k9mail.app/privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/com.fsck.k9) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/k9mail) downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! warning + + When replying to someone on a mailing list the "reply" option may also include the mailing list. [Homepage](https://email.faircode.eu){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .md-button } + + ??? + +### Kontact (KDE) + +!!! khuyến nghị + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! khuyến nghị + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! khuyến nghị + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Qualifications + +- Apps developed for open-source operating systems must be open-source. +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/vi/email.md b/i18n/vi/email.md new file mode 100644 index 00000000..934f9a0a --- /dev/null +++ b/i18n/vi/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +Email is practically a necessity for using any online service, however we do not recommend it for person-to-person conversations. Rather than using email to contact other people, consider using an instant messaging medium that supports forward secrecy. + +[Recommended Instant Messengers](real-time-communication.md ""){.md-button} + +For everything else, we recommend a variety of email providers based on sustainable business models and built-in security and privacy features. + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP Compatible Services + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. For example, a Proton Mail user could send an E2EE message to a Mailbox.org user, or you could receive OpenPGP-encrypted notifications from internet services which support it. + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! warning + + When using E2EE technology like OpenPGP, email will still have some metadata that is not encrypted in the header of the email. Read more about [email metadata](basics/email-security.md#email-metadata-overview). + + OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. [How do I protect my private keys?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! khuyến nghị + + ![Proton Mail logo](assets/img/email/protonmail.svg){ align=right } + + **Proton Mail** is an email service with a focus on privacy, encryption, security, and ease of use. They have been in operation since **2013**. Proton AG is based in Genève, Switzerland. Accounts start with 500 MB storage with their free plan. + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton.me/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +Free accounts have some limitations, such as not being able to search body text and not having access to [Proton Mail Bridge](https://proton.me/mail/bridge), which is required to use a [recommended desktop email client](email-clients.md) (e.g. Thunderbird). Paid accounts include features like Proton Mail Bridge, additional storage, and custom domain support. A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton Mail's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +If you have the Proton Unlimited, Business, or Visionary Plan, you also get [SimpleLogin](#simplelogin) Premium for free. + +Proton Mail has internal crash reports that they **do not** share with third parties. This can be disabled in: **Settings** > **Go to Settings** > **Account** > **Security and privacy** > **Send crash reports**. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). Data secured with zero-access encryption is only accessible by you. + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. Contact fields that support zero-access encryption, such as phone numbers, are indicated with a padlock icon. + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. Emails to other Proton Mail accounts are encrypted automatically, and encryption to non-Proton Mail addresses with an OpenPGP key can be enabled easily in your account settings. They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people who don't use Proton Mail to find the OpenPGP keys of Proton Mail accounts easily, for cross-provider E2EE. + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. After 30 days, your account will become delinquent and won't receive incoming mail. You will continue to be billed during this period. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail offers an "Unlimited" account for €9.99/Month, which also enables access to Proton VPN in addition to providing multiple accounts, domains, aliases, and 500GB of storage. + +Proton Mail doesn't offer a digital legacy feature. + +### Mailbox.org + +!!! khuyến nghị + + ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org** is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with 2 GB of storage, which can be upgraded as needed. + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. However, they do accept Cash by mail, cash payment to bank account, bank transfer, credit card, PayPal and couple of German-specific processors: paydirekt and Sofortüberweisung. + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! khuyến nghị + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Nhà cung cấp Cloud/SaaS + +!!! khuyến nghị + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! khuyến nghị + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! khuyến nghị + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! khuyến nghị + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! khuyến nghị + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Framadate + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### Technology + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**Minimum to Qualify:** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### Privacy + +We prefer our recommended providers to collect as little data as possible. + +**Minimum to Qualify:** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### Security + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**Minimum to Qualify:** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/vi/encryption.md b/i18n/vi/encryption.md new file mode 100644 index 00000000..2be6f6bb --- /dev/null +++ b/i18n/vi/encryption.md @@ -0,0 +1,354 @@ +--- +title: "Encryption Software" +icon: material/file-lock +description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files. +--- + +Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails or files, you should pick an option here. + +## Multi-platform + +The options listed here are multi-platform and great for creating encrypted backups of your data. + +### Cryptomator (Cloud) + +!!! khuyến nghị + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider. + + [Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + - [:fontawesome-brands-git: Mã nguồn](https://www.veracrypt.fr/code) + +Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders. + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! khuyến nghị + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. [Homepage](https://cryptomator.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://cryptomator.org/privacy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://cryptomator.org/downloads) + - [:fontawesome-brands-apple: macOS](https://cryptomator.org/downloads) + - [:fontawesome-brands-linux: Linux](https://cryptomator.org/downloads) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:fontawesome-brands-android: F-Droid repo](https://cryptomator.org/android) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/cryptomator) + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (Disk) + +!!! khuyến nghị + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication. + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! khuyến nghị + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! khuyến nghị + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! khuyến nghị + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! khuyến nghị + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [Homepage](https://hat.sh){ .md-button .md-button--primary } + + ??? + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! khuyến nghị + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.kryptor.co.uk/features#privacy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.kryptor.co.uk) + - [:fontawesome-brands-apple: macOS](https://www.kryptor.co.uk) + - [:fontawesome-brands-linux: Linux](https://www.kryptor.co.uk) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/samuel-lucas6/Kryptor) + +### Tomb + +!!! khuyến nghị + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + + ??? + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! khuyến nghị + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [Homepage](https://gnupg.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://gnupg.org/privacy-policy.html){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://gnupg.org/download.html) + - [:fontawesome-brands-apple: macOS](https://gpgtools.org) + - [:fontawesome-brands-linux: Linux](https://gnupg.org/download/index.html#binary) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:fontawesome-brands-git: Mã nguồn](https://git.gnupgi-bin/gitweb.cgi?p=gnupg.git) + +### GPG4win + +!!! khuyến nghị + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [Homepage](https://gpg4win.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://gpg4win.org/privacy-policy.html){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://gpg4win.org/download.html) + - [:fontawesome-brands-git: Mã nguồn](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! khuyến nghị + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! khuyến nghị + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.openkeychain.org/help/privacy-policy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/org.sufficientlysecure.keychain/) + - [:fontawesome-brands-git: Mã nguồn](https://github.com/open-keychain/open-keychain) + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/vi/file-sharing.md b/i18n/vi/file-sharing.md new file mode 100644 index 00000000..a95bb817 --- /dev/null +++ b/i18n/vi/file-sharing.md @@ -0,0 +1,159 @@ +--- +title: "File Sharing and Sync" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## File Sharing + +### Send + +!!! khuyến nghị + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. [Homepage](https://onionshare.org){ .md-button .md-button--primary } [:pg-tor:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .md-button } + + ??? You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! khuyến nghị + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [Homepage](https://freedombox.org){ .md-button .md-button--primary } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must not store decrypted data on a remote server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! khuyến nghị + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! khuyến nghị + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. + + [Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Mã nguồn](https://www.libreoffice.org/about-us/source-code) + +!!! danger + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** là lựa chọn thay thế, đây là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. + +### Syncthing (P2P) + +!!! khuyến nghị + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- Must be open-source software. +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/vi/financial-services.md b/i18n/vi/financial-services.md new file mode 100644 index 00000000..e95547fc --- /dev/null +++ b/i18n/vi/financial-services.md @@ -0,0 +1,106 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! khuyến nghị + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! khuyến nghị + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! khuyến nghị + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! khuyến nghị + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/vi/frontends.md b/i18n/vi/frontends.md new file mode 100644 index 00000000..79e9b7b8 --- /dev/null +++ b/i18n/vi/frontends.md @@ -0,0 +1,273 @@ +--- +title: "Frontends" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +Sometimes services will try to force you to sign up for an account by blocking access to content with annoying popups. They might also break without JavaScript enabled. These frontends can allow you to get around these restrictions. + +## LBRY + +### Librarian + +!!! khuyến nghị + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! warning + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! khuyến nghị + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! khuyến nghị + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! khuyến nghị + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! warning + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Yattee + +!!! khuyến nghị + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! warning + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! khuyến nghị + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! warning + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! recommendation annotate + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! Warning + + When using NewPipe, your IP address will be visible to the video providers used. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +### Invidious + +!!! khuyến nghị + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! warning + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! khuyến nghị + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +Recommended frontends... + +- Must be open-source software. +- Must be self-hostable. +- Must provide all basic website functionality available to anonymous users. + +We only consider frontends for websites which are... + +- Not normally accessible without JavaScript. diff --git a/i18n/vi/index.md b/i18n/vi/index.md new file mode 100644 index 00000000..c4fe9c59 --- /dev/null +++ b/i18n/vi/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.vi.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/vi/kb-archive.md b/i18n/vi/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/vi/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/vi/meta/brand.md b/i18n/vi/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/vi/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/vi/meta/git-recommendations.md b/i18n/vi/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/vi/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/vi/meta/uploading-images.md b/i18n/vi/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/vi/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/vi/meta/writing-style.md b/i18n/vi/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/vi/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/vi/mobile-browsers.md b/i18n/vi/mobile-browsers.md new file mode 100644 index 00000000..6ac46fa7 --- /dev/null +++ b/i18n/vi/mobile-browsers.md @@ -0,0 +1,230 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! khuyến nghị + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! khuyến nghị + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! khuyến nghị + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/vi/multi-factor-authentication.md b/i18n/vi/multi-factor-authentication.md new file mode 100644 index 00000000..61ef62c5 --- /dev/null +++ b/i18n/vi/multi-factor-authentication.md @@ -0,0 +1,151 @@ +--- +title: "Multi-Factor Authenticators" +icon: 'material/two-factor-authentication' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## Hardware Security Keys + +### YubiKey + +!!! khuyến nghị + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! khuyến nghị + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! warning + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! warning + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! khuyến nghị + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! khuyến nghị + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/vi/news-aggregators.md b/i18n/vi/news-aggregators.md new file mode 100644 index 00000000..18d1409b --- /dev/null +++ b/i18n/vi/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "News Aggregators" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! khuyến nghị + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. [Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-windows: Windows](https://hyliu.me/fluent-reader) + - [:fontawesome-brands-app-store: Mac App Store](https://apps.apple.com/app/id1520907427) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/yang991178/fluent-reader.git) downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! khuyến nghị + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.gabmus.gfeeds) + - [:fontawesome-brands-gitlab: Mã nguồn](https://gitlab.gnome.org/World/gfeeds) + +### Fluent Reader + +!!! khuyến nghị + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? [Website](https://apps.kde.org/akregator){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://kde.org/privacypolicy-apps){ .md-button } + + ??? + +### GNOME Feeds + +!!! khuyến nghị + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [Homepage](https://yanus171.github.io/Handy-News-Reader/){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=ru.yanus171.feedexfork) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/ru.yanus171.feedexfork/) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/yanus171/Handy-News-Reader) + +### Miniflux + +!!! khuyến nghị + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [Homepage](https://netnewswire.com/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://netnewswire.com/privacypolicy){ .md-button } + + ??? + +### NetNewsWire + +!!! khuyến nghị + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [Homepage](https://miniflux.app){ .md-button .md-button--primary } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! khuyến nghị + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [Homepage](https://newsboat.org){ .md-button .md-button--primary } + + ??? + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must be open-source software. +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/vi/notebooks.md b/i18n/vi/notebooks.md new file mode 100644 index 00000000..b73afa7c --- /dev/null +++ b/i18n/vi/notebooks.md @@ -0,0 +1,108 @@ +--- +title: "Sổ Ghi Chép" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Theo dõi các ghi chú và nhật ký của bạn mà không đưa chúng cho bên thứ ba. + +Nếu bạn hiện đang sử dụng một ứng dụng như Evernote, Google Keep hoặc Microsoft OneNote, chúng tôi khuyên bạn nên chọn một ứng dụng thay thế hỗ trợ E2EE tại đây. + +## Dựa trên đám mây + +### Joplin + +!!! khuyến nghị + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** là một ứng dụng ghi chú và việc cần làm miễn phí, mã nguồn mở và đầy đủ tính năng có thể xử lý một số lượng lớn các ghi chú đánh dấu được sắp xếp thành sổ ghi chép và thẻ. Nó cung cấp E2EE và có thể đồng bộ hóa thông qua Nextcloud, Dropbox, v.v. Nó cũng cung cấp khả năng nhập dễ dàng từ Evernote và ghi chú văn bản thuần túy. + + [Website](https://joplinapp.org/){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:fontawesome-brands-firefox-browser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/net.cozic.joplin) + - [:fontawesome-brands-github: GitHub](https://github.com/laurent22/joplin) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). Dữ liệu vẫn được mã hóa khi chuyển tiếp và tại vị trí đồng bộ hóa bằng khóa chính của bạn. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! khuyến nghị + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + Standard Notes là một ứng dụng ghi chú đơn giản và riêng tư giúp bạn ghi chú dễ dàng và có sẵn ở mọi nơi. Nó có tính năng E2EE trên mọi nền tảng và trải nghiệm máy tính để bàn mạnh mẽ với các chủ đề và trình chỉnh sửa tùy chỉnh. Nó cũng đã được [kiểm toán độc lập (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [Website](https://standardnotes.com){ .md-button .md-button--primary } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://standardnotes.com) + - [:fontawesome-brands-apple: macOS](https://standardnotes.com) + - [:fontawesome-brands-linux: Linux](https://standardnotes.com) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/id1285392450) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:pg-f-droid: F-Droid](https://f-droid.org/en/packages/com.standardnotes) + - [:octicons-browser-16: Browser](https://app.standardnotes.com/) + - [:fontawesome-brands-github: GitHub](https://github.com/standardnotes) + +### EteSync Notes + +!!! khuyến nghị + + ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ align=right } + + **EteSync Notes** là một ứng dụng ghi chú an toàn, được mã hóa qui trình đầu cuối và tôn trọng quyền riêng tư. EteSync cũng cung cấp phần mềm tùy chọn dưới dạng dịch vụ với giá [$24 mỗi năm](https://dashboard.etebase.com/user/partner/pricing/), hoặc bạn có thể tự lưu trữ máy chủ miễn phí. + + [etebase](https://docs.etebase.com), là nền tảng của EteSync, cũng có thể được các ứng dụng khác sử dụng như một phần mềm phụ trợ để lưu trữ dữ liệu được mã hóa từ đầu đến cuối (E2EE). [Website](https://www.etesync.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.etesync.com/tos/#privacy){ .md-button } + + ??? + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! khuyến nghị + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/vi/os/android-overview.md b/i18n/vi/os/android-overview.md new file mode 100644 index 00000000..984df1e0 --- /dev/null +++ b/i18n/vi/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: fontawesome/brands/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! warning + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/vi/os/linux-overview.md b/i18n/vi/os/linux-overview.md new file mode 100644 index 00000000..8ec2c9e7 --- /dev/null +++ b/i18n/vi/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## General Recommendations + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/vi/os/qubes-overview.md b/i18n/vi/os/qubes-overview.md new file mode 100644 index 00000000..5bba1170 --- /dev/null +++ b/i18n/vi/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: pg/qubes-os +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/vi/passwords.md b/i18n/vi/passwords.md new file mode 100644 index 00000000..ccfa8de8 --- /dev/null +++ b/i18n/vi/passwords.md @@ -0,0 +1,361 @@ +--- +title: "Password Managers" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: Password Manager + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: Password Manager + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: Password Manager + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: Password Manager + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. [Homepage](https://keepassxc.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://keepassxc.org/privacy){ .md-button } + + ??? + + tải xuống + + - [:fontawesome-brands-windows: Windows](https://keepassxc.org/download/#windows) + - [:fontawesome-brands-apple: macOS](https://keepassxc.org/download/#mac) + - [:fontawesome-brands-linux: Linux](https://keepassxc.org/download/#linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:fontawesome-brands-firefox: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:fontawesome-brands-chrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/keepassxreboot/keepassxc) Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Dựa trên đám mây + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! khuyến nghị + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! khuyến nghị + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [Website](https://bitwarden.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://bitwarden.com/privacy){ .md-button } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! khuyến nghị + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! khuyến nghị + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! khuyến nghị + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! khuyến nghị + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! khuyến nghị + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must be cross-platform. diff --git a/i18n/vi/productivity.md b/i18n/vi/productivity.md new file mode 100644 index 00000000..67e6f6cd --- /dev/null +++ b/i18n/vi/productivity.md @@ -0,0 +1,170 @@ +--- +title: "Productivity Tools" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Ứng Dụng Văn Phòng + +### LibreOffice + +!!! khuyến nghị + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. + + [Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-apple: macOS](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-linux: Linux](https://www.libreoffice.org/download/download/) + - [:pg-flathub: Flatpak](https://www.libreoffice.org/download/download/) + - [:fontawesome-brands-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + - [:pg-openbsd: OpenBSD](https://openports.se/editors/libreoffice) + - [:pg-netbsd: NetBSD](https://pkgsrc.se/misc/libreoffice) + - [:fontawesome-brands-google-play: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-app-store-ios: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:fontawesome-brands-git: Mã nguồn](https://www.libreoffice.org/about-us/source-code) + +!!! danger + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** là lựa chọn thay thế, đây là bộ ứng dụng văn phòng mã nguồn mở miễn phí với nhiều chức năng. [Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .md-button } + + ??? + +### OnlyOffice + +!!! khuyến nghị + + ![Framadate logo](assets/img/productivity/framadate.svg){ align=right } + + **Framadate** là một dịch vụ trực tuyến mã nguồn mở miễn phí để lên kế hoạch cho một cuộc hẹn hoặc đưa ra quyết định một cách nhanh chóng và dễ dàng. Không cần đăng ký. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- Open-source. +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Lập Kế Hoạch + +### PrivateBin + +!!! khuyến nghị + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! khuyến nghị + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- Must be open-source software. +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! khuyến nghị + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/vi/real-time-communication.md b/i18n/vi/real-time-communication.md new file mode 100644 index 00000000..621316c0 --- /dev/null +++ b/i18n/vi/real-time-communication.md @@ -0,0 +1,198 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! khuyến nghị + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! khuyến nghị + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [Website](https://element.io/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://element.io/privacy){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://element.io/get-started) + - [:fontawesome-brands-apple: macOS](https://element.io/get-started) + - [:fontawesome-brands-linux: Linux](https://element.io/get-started) + - [:octicons-browser-16: Browser](https://app.element.io) + - [:fontawesome-brands-google-play: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:pg-f-droid: F-Droid](https://f-droid.org/packages/im.vector.app/) + - [:fontawesome-brands-app-store-ios: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/vector-im/element-web) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! khuyến nghị + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [Homepage](https://briarproject.org/){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://briarproject.org/privacy-policy/){ .md-button } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! warning + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! khuyến nghị + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! khuyến nghị + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/vi/router.md b/i18n/vi/router.md new file mode 100644 index 00000000..abdf4003 --- /dev/null +++ b/i18n/vi/router.md @@ -0,0 +1,53 @@ +--- +title: "Firmware Bộ định tuyến" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Dưới đây là một số hệ điều hành thay thế, có thể được sử dụng trên bộ định tuyến, điểm truy cập Wi-Fi, v.v. + +## OpenWrt + +!!! khuyến nghị + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** là một hệ điều hành (cụ thể là hệ điều hành nhúng) dựa trên nhân Linux, chủ yếu được sử dụng trên các thiết bị nhúng để định tuyến lưu lượng mạng. Các thành phần chính là Linux kernel, using-linux, uClibc và BusyBox. Tất cả các thành phần đã được tối ưu hóa về kích thước, đủ nhỏ để phù hợp với bộ nhớ và lưu trữ hạn chế có sẵn trong bộ định tuyến gia đình. + + [Homepage](https://openwrt.org){ .md-button .md-button--primary } + + ??? + +Bạn có thể tham khảo OpenWrt's [table of hardware](https://openwrt.org/toh/start) để kiểm tra xem thiết bị của bạn có được hỗ trợ hay không. + +## OPNsense + +!!! khuyến nghị + + ![pfSense logo](assets/img/router/pfsense.svg#only-light){ align=right } + ![pfSense logo](assets/img/router/pfsense-dark.svg#only-dark){ align=right } + + pfSense là một bản phân phối phần mềm máy tính tường lửa/bộ định tuyến mã nguồn mở dựa trên FreeBSD. Nó được cài đặt trên máy tính để làm tường lửa/bộ định tuyến chuyên dụng cho mạng và được chú ý về độ tin cậy và cung cấp các tính năng thường chỉ có trong các tường lửa thương mại đắt tiền. + + pfSense thường được triển khai dưới dạng tường lửa vành đai, bộ định tuyến, điểm truy cập không dây, máy chủ DHCP, máy chủ DNS và điểm cuối VPN. + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must be open source. +- Must receive regular updates. +- Must support a wide variety of hardware. diff --git a/i18n/vi/search-engines.md b/i18n/vi/search-engines.md new file mode 100644 index 00000000..cd43dd43 --- /dev/null +++ b/i18n/vi/search-engines.md @@ -0,0 +1,112 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! khuyến nghị + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! khuyến nghị + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). [Website](https://www.startpage.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.startpage.com/en/privacy-policy){ .md-button } + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! khuyến nghị + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [Website](https://www.mojeek.com){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://www.mojeek.com/about/privacy){ .md-button } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! khuyến nghị + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! warning + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/vi/tools.md b/i18n/vi/tools.md new file mode 100644 index 00000000..b4bf897f --- /dev/null +++ b/i18n/vi/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### Mobile + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Firmware Bộ định tuyến + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### Data and Metadata Redaction + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### Encryption Software + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Sổ Ghi Chép + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/vi/tor.md b/i18n/vi/tor.md new file mode 100644 index 00000000..645e3d4e --- /dev/null +++ b/i18n/vi/tor.md @@ -0,0 +1,125 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +The **Tor** network is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool. + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor works by routing your internet traffic through those volunteer-operated servers, instead of making a direct connection to the site you're trying to visit. This obfuscates where the traffic is coming from, and no server in the connection path is able to see the full path of where the traffic is coming from and going to, meaning even the servers you are using to connect cannot break your anonymity. + +[Detailed Tor Overview :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## Connecting to Tor + +There are a variety of ways to connect to the Tor network from your device, the most commonly used being the **Tor Browser**, a fork of Firefox designed for anonymous browsing for desktop computers and Android. In addition to the apps listed below, there are also operating systems designed specifically to connect to the Tor network such as [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os), which provide even greater security and protections than the standard Tor Browser. + +### Tor Browser + +!!! khuyến nghị + + ![Tor Browser logo](assets/img/browsers/tor.svg){ align=right } + + **Tor Browser** is the choice if you need anonymity, as it provides you with access to the Tor network and bridges, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! danger + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. tải xuống + + - [:fontawesome-brands-windows: Windows](https://www.mozilla.org/firefox/windows) + - [:fontawesome-brands-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:fontawesome-brands-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/org.mozilla.firefox) + - [:fontawesome-brands-git: Mã nguồn](https://hg.mozilla.org/mozilla-central) + +The Tor Browser is designed to prevent fingerprinting, or identifying you based on your browser configuration. Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Google Pixel + +!!! khuyến nghị + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! khuyến nghị + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/vi/video-streaming.md b/i18n/vi/video-streaming.md new file mode 100644 index 00000000..6787f9a7 --- /dev/null +++ b/i18n/vi/video-streaming.md @@ -0,0 +1,56 @@ +--- +title: "Video Streaming" +icon: material/video-wireless +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +The primary threat when using a video streaming platform is that your streaming habits and subscription lists could be used to profile you. You should combine these tools with a [VPN](vpn.md) or [Tor](https://www.torproject.org/) to make it harder to profile your usage. + +## LBRY + +!!! khuyến nghị + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** is a decentralized video sharing network. It uses a [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-like network to store the video content, and a [blockchain](https://wikipedia.org/wiki/Blockchain) to store the indexes for those videos. The main benefit of this design is censorship resistance. + + **The LBRY desktop client** helps you stream videos from the LBRY network and stores your subscription list in your own LBRY wallet. + + [Homepage](https://freetubeapp.io){ .md-button .md-button--primary } [Chính Sách Bảo Mật](https://freetubeapp.io/privacy.php){ .md-button } + + ??? tải xuống + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/FreeTubeApp/FreeTube/) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! warning + + While watching and hosting videos, your IP address is visible to the LBRY network. Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org) if your [threat model](basics/threat-modeling.md) requires hiding your IP address. + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. If you synchronize your wallet with LBRY Inc., you have to trust them to not look at your subscription list, [LBC](https://lbry.com/faq/earn-credits) funds, or take control of your channel. + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! cảnh báo + PrivateBin sử dụng JavaScript để xử lý mã hóa, vì vậy bạn phải tin tưởng nhà cung cấp ở mức độ họ không đưa bất kỳ JavaScript độc hại nào vào để lấy khóa cá nhân của bạn. + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** là một pastebin trực tuyến mã nguồn mở, tối giản, nơi máy chủ không có kiến ​​thức về dữ liệu đã dán. Dữ liệu được mã hóa/giải mã trong trình duyệt bằng 256-bit AES. tải xuống + + - [:fontawesome-brands-docker: Dockerhub](https://hub.docker.com/r/vaultwarden/server) + - [:fontawesome-brands-github: Mã nguồn](https://github.com/dani-garcia/vaultwarden) + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/vi/vpn.md b/i18n/vi/vpn.md new file mode 100644 index 00000000..adbd87dc --- /dev/null +++ b/i18n/vi/vpn.md @@ -0,0 +1,327 @@ +--- +title: "VPN Services" +icon: material/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! danger "VPNs do not provide anonymity" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](advanced/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## Recommended Providers + +Our recommended providers use encryption, accept Monero, support WireGuard & OpenVPN, and have a no logging policy. Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! khuyến nghị + + ![IVPN logo](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN** is another premium VPN provider, and they have been in operation since 2009. IVPN is based in Gibraltar. + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-android: Android](https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store](https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows](https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS](https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux](https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! khuyến nghị + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since **2009**. Mullvad is based in Sweden and does not have a free trial. + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2023-01-19 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. They also accept Swish and bank wire transfers. + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! recommendation annotate + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN** is a strong contender in the VPN space, and they have been in operation since 2016. Proton AG is based in Switzerland and offers a limited free tier, as well as a more featured premium option. + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. This is because of a shorter route (fewer hops) to the destination. +{ .annotate } + +1. Last checked: 2022-09-16 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +As of January 2020, Proton VPN has undergone an independent audit by SEC Consult. SEC Consult found some medium and low risk vulnerabilities in Proton VPN's Windows, Android, and iOS applications, all of which were "properly fixed" by Proton VPN before the reports were published. None of the issues identified would have provided an attacker remote access to your device or traffic. You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN mostly supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). Additionally, WireGuard aims to be simpler and more performant. + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. Especially Peer-to-peer applications like Torrent clients. + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Framadate + +!!! danger + + It is important to note that using a VPN provider will not make you anonymous, but it will give you better privacy in certain situations. A VPN is not a tool for illegal activities. Don't rely on a "no log" policy. + +**Please note we are not affiliated with any of the providers we recommend. This allows us to provide completely objective recommendations.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any VPN provider wishing to be recommended, including strong encryption, independent security audits, modern technology, and more. We suggest you familiarize yourself with this list before choosing a VPN provider, and conduct your own research to ensure the VPN provider you choose is as trustworthy as possible. + +### Technology + +We require all our recommended VPN providers to provide OpenVPN configuration files to be used in any client. **If** a VPN provides their own custom client, we require a killswitch to block network data leaks when disconnected. + +**Minimum to Qualify:** + +- Support for strong protocols such as WireGuard & OpenVPN. +- Killswitch built in to clients. +- Multihop support. Multihopping is important to keep data private in case of a single node compromise. +- If VPN clients are provided, they should be [open-source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency about what your device is actually doing. + +**Best Case:** + +- WireGuard and OpenVPN support. +- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.) +- Easy-to-use VPN clients +- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow you to access services hosted on IPv6 addresses. +- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) file sharing software or hosting a server (e.g., Mumble). + +### Privacy + +We prefer our recommended providers to collect as little data as possible. Not collecting personal information on registration, and accepting anonymous forms of payment are required. + +**Minimum to Qualify:** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- No personal information required to register: Only username, password, and email at most. + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### Security + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**Minimum to Qualify:** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**Minimum to Qualify:** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**Minimum to Qualify:** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/i18n/zh-Hant/404.md b/i18n/zh-Hant/404.md new file mode 100644 index 00000000..a8a67d7b --- /dev/null +++ b/i18n/zh-Hant/404.md @@ -0,0 +1,19 @@ +--- +hide: + - feedback +meta: + - + property: "robots" + content: "noindex, nofollow" +--- + +# 404 - 頁面不存在 + +找不到您所請求的頁面 或許您是在找這些嗎? + +- [介紹威脅模型](basics/threat-modeling.md) +- [推薦的 DNS 服務商](dns.md) +- [最佳的桌面瀏覽器](desktop-browsers.md) +- [最好的 VPN 服務商](vpn.md) +- [Privacy Guides 論壇](https://discuss.privacyguides.net) +- [部落格](https://blog.privacyguides.org) diff --git a/i18n/zh-Hant/CODE_OF_CONDUCT.md b/i18n/zh-Hant/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/zh-Hant/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/zh-Hant/about/criteria.md b/i18n/zh-Hant/about/criteria.md new file mode 100644 index 00000000..1e35965f --- /dev/null +++ b/i18n/zh-Hant/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: 通用標準 +--- + +!!! 示例“工作進行中” + + 以下頁面是一項正在進行的工作,並未反映我們目前的建議的全部標準。 過去關於此主題的討論: [# 24] (https://github.com/privacyguides/privacyguides.org/ discussion/24) + +以下是一些必須適用於所有提交給 Privacy Guides 的內容。 每個類別都會有額外的加入要求。 + +## 財務披露 + +我們不通過推薦某些產品賺錢,我們不使用聯盟鏈接,我們不向項目捐贈者提供特殊考慮。 + +## 一般指引 + +我們在考慮新建議時應用這些優先事項: + +- **安全**:工具應在合適的地方遵循安全的最佳做法。 +- **源代碼可取得**:開源專案通常比同等商用替代方案更受歡迎。 +- **跨平臺**:我們通常傾向於建議跨平臺,以避免供應商鎖定。 +- **積極開發**:我們建議的工具應該積極開發,在大多數情況下,未維護的項目將被移除。 +- **可用性**:工具應可讓大多數電腦使用者使用,無需要求過度的技術背景。 +- **Documented**:工具應有清晰和廣泛的文件可供使用。 + +## 開發人員自我提交 + +自薦項目或軟體的開發人員,我們有這些要求。 + +- 必須披露從屬關係,即您在提交的項目中的職位。 + +- 必須有安全白皮書,如果項目涉及處理敏感資訊,如通訊軟體、密碼管理器,加密雲端存儲等。 + - 第三方審計狀態。 我們想知道你是否有一個,或者有一個計劃。 如果可以,請說明由誰來進行審計。 + +- 必須解釋這個項目在隱私方面帶來了什麼。 + - 它能解決任何新的問題嗎? + - 爲什麼人們可以使用它勝過其它替代品? + +- 必須說明該項目確切的威脅模型。 + - 潛在用戶應該清楚項目可以提供什麼,不能提供什麼。 diff --git a/i18n/zh-Hant/about/donate.md b/i18n/zh-Hant/about/donate.md new file mode 100644 index 00000000..c4391285 --- /dev/null +++ b/i18n/zh-Hant/about/donate.md @@ -0,0 +1,50 @@ +--- +title: 支持與贊助 +--- + + +Privacy Guides 需要大量的 [人](https://github.com/privacyguides/privacyguides.org/graphs/contributors) 和 [工作](https://github.com/privacyguides/privacyguides.org/pulse/monthly) ,以保持最新並傳播關於隱私和大規模監控的消息。 如果您喜歡我們的工作,請考慮參與 [編輯網站](https://github.com/privacyguides/privacyguides.org) 或 [貢獻翻譯](https://crowdin.com/project/privacyguides)。 + +如果你想在經濟上支援我們,對我們來說,最方便的方法是通過 Open Collective 捐款,這是一個由我們的財政主機營運的網站。Open Collective 接受信用卡/借記卡、PayPal 和銀行轉帳的付款。 Open Collective 接受信用卡/借記卡、PayPal 和銀行轉帳的付款。 + +[在 OpenCollective.com 上捐款](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +在美國,直接向我們捐贈的Open Collective通常可以免稅,因為我們的財政東道主( Open Collective Foundation )是一個註冊的501 ( c ) 3組織。 捐贈後,您將收到 Open Collective Foundation 的收據。 隱私指南不提供財務建議,您應該聯繫您的稅務顧問,以確定這是否適用於您。 + +如果您已經使用 GitHub 贊助,您也可以在那裡贊助我們的組織。 + +[在 GitHub 上贊助我們](https://github.com/sponsors/privacyguides ""){.md-button} + +## 贊助者清單 + +特別感謝所有支持我們使命的人! :heart: + +*請注意:此部分直接從Open Collective 加載小部件。 本節並不反映Open Collective 以外的捐贈,我們也無法控制本節所列的特定捐贈者。* + + + +## 我們如何使用贊助費用 + +Privacy Guides 是一個 **非營利** 組織。 我們將捐款用於各種目的,包括: + +**域名註冊** +: + +我們有一些網域名稱,如 `privacyguides.org` ,每年花費大約 10 美元。 + +**網站託管** +: + +本網站的流量每月使用大約是數百 GB,我們使用各種服務提供商來提供流量。 + +**線上服務** +: + +我們託管[網際網路服務](https://privacyguides.net) 測試和展示不同的隱私產品,我們喜歡和 [推薦](../tools.md)。 其中一些公開供我們的社區使用( SearXNG , Tor等) ,有些則提供給我們的團隊成員(電子郵件等)。 + +**產品購買** +: + +我們偶爾會購買產品和服務,以測試我們的 [推薦工具](../tools.md)。 + +我們仍在與我們的財政托管機構(Open Collective Foundation)合作,以接收加密貨幣捐贈,目前會計對許多較小的交易是不可行的,但這種情況在未來應該會發生變化。 與此同時,如果您希望捐贈大於 $ 100 美元的加密貨幣,請聯繫 [jonah@privacyguides.org](mailto:jonah@privacyguides.org) diff --git a/i18n/zh-Hant/about/index.md b/i18n/zh-Hant/about/index.md new file mode 100644 index 00000000..532f46a2 --- /dev/null +++ b/i18n/zh-Hant/about/index.md @@ -0,0 +1,102 @@ +--- +title: "About Privacy Guides" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. We are a non-profit collective operated entirely by volunteer [team members](https://discuss.privacyguides.net/g/team) and contributors. Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## Our Team + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: Homepage](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: Email](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: Homepage](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: Homepage](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## Site License + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +:fontawesome-brands-creative-commons: :fontawesome-brands-creative-commons-by: :fontawesome-brands-creative-commons-nd: Unless otherwise noted, the original content on this website is made available under the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). This means that you are free to copy and redistribute the material in any medium or format for any purpose, even commercially; as long as you give appropriate credit to `Privacy Guides (www.privacyguides.org)` and provide a link to the license. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. If you remix, transform, or build upon the content of this website, you may not distribute the modified material. + +This license is in place to prevent people from sharing our work without giving proper credit, and to prevent people from modifying our work in a way that could be used to mislead people. If you find the terms of this license too restrictive for the project you're working on, please reach out to us at `jonah@privacyguides.org`. We are happy to provide alternative licensing options for well-intentioned projects in the privacy space! diff --git a/i18n/zh-Hant/about/notices.md b/i18n/zh-Hant/about/notices.md new file mode 100644 index 00000000..9ccae1ae --- /dev/null +++ b/i18n/zh-Hant/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## Legal Disclaimer + +Privacy Guides is not a law firm. As such, the Privacy Guides website and contributors are not providing legal advice. The material and recommendations in our website and guides do not constitute legal advice nor does contributing to the website or communicating with Privacy Guides or other contributors about our website create an attorney-client relationship. + +Running this website, like any human endeavor, involves uncertainty and trade-offs. We hope this website helps, but it may include mistakes and can’t address every situation. If you have any questions about your situation, we encourage you to do your own research, seek out other experts, and engage in discussions with the Privacy Guides community. If you have any legal questions, you should consult with your own legal counsel before moving forward. + +Privacy Guides is an open source project contributed to under licenses that include terms that, for the protection of the website and its contributors, make clear that the Privacy Guides project and website is offered "as-is", without warranty, and disclaiming liability for damages resulting from using the website or any recommendations contained within. Privacy Guides does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on the website or otherwise relating to such materials on the website or on any third-party sites linked on this site. + +Privacy Guides additionally does not warrant that this website will be constantly available, or available at all. + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +This does not include third-party code embedded in this repository, or code where a superseding license is otherwise noted. The following are notable examples, but this list may not be all-inclusive: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +This means that you can use the human-readable content in this repository for your own project, per the terms outlined in the Creative Commons Attribution-NoDerivatives 4.0 International Public License text. You may do so in any reasonable manner, but not in any way that suggests Privacy Guides endorses you or your use. You **may not** use the Privacy Guides branding in your own project without express approval from this project. Privacy Guides's brand trademarks include the "Privacy Guides" wordmark and shield logo. + +We believe that the logos and other images in `assets` obtained from third-party providers are either in the public domain or **fair use**. In a nutshell, legal [fair use doctrine](https://www.copyright.gov/fair-use/more-info.html) allows the use of copyrighted images in order to identify the subject matter for purposes of public comment. However, these logos and other images may still be subject to trademark laws in one or more jurisdictions. Before using this content, please ensure that it is used to identify the entity or organization that owns the trademark and that you have the right to use it under the laws which apply in the circumstances of your intended use. *When copying content from this website, you are solely responsible for ensuring that you do not infringe someone else's trademark or copyright.* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## Acceptable Use + +You may not use this website in any way that causes or may cause damage to the website or impairment of the availability or accessibility of Privacy Guides, or in any way which is unlawful, illegal, fraudulent, harmful, or in connection with any unlawful, illegal, fraudulent, or harmful purpose or activity. + +You must not conduct any systematic or automated data collection activities on or in relation to this website without express written consent, including: + +* Excessive Automated Scans +* Denial of Service Attacks +* Scraping +* Data Mining +* 'Framing' (IFrames) + +--- + +*Portions of this notice itself were adopted from [opensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) on GitHub. That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/zh-Hant/about/privacy-policy.md b/i18n/zh-Hant/about/privacy-policy.md new file mode 100644 index 00000000..41a6fb7c --- /dev/null +++ b/i18n/zh-Hant/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "隐私政策" +--- + +Privacy Guides is a community project operated by a number of active volunteer contributors. The public list of team members [can be found on GitHub](https://github.com/orgs/privacyguides/people). + +## Data We Collect From Visitors + +The privacy of our website visitors is important to us, so we do not track any individual people. As a visitor to our website: + +- No personal information is collected +- No information such as cookies are stored in the browser +- No information is shared with, sent to or sold to third-parties +- No information is shared with advertising companies +- No information is mined and harvested for personal and behavioral trends +- No information is monetized + +You can view the data we collect on our [statistics](statistics.md) page. + +We run a self-hosted installation of [Plausible Analytics](https://plausible.io) to collect some anonymous usage data for statistical purposes. The goal is to track overall trends in our website traffic, it is not to track individual visitors. All the data is in aggregate only. No personal data is collected. + +Data collected includes referral sources, top pages, visit duration, information from the devices (device type, operating system, country and browser) used during the visit and more. You can learn more about how Plausible works and collects information in a privacy-respecting manner [here](https://plausible.io/data-policy). + +## Data We Collect From Account Holders + +On some websites and services we provide, many features may require an account. For example, an account may be required to post and reply to topics on a forum platform. + +To sign up for most accounts, we will collect a name, username, email, and password. In the event a website requires more information than just that data, that will be clearly marked and noted in a separate privacy statement per-site. + +We use your account data to identify you on the website and to create pages specific to you, such as your profile page. We will also use your account data to publish a public profile for you on our services. + +We use your email to: + +- Notify you about posts and other activity on the websites or services. +- Reset your password and help keep your account secure. +- Contact you in special circumstances related to your account. +- Contact you about legal requests, such as DMCA takedown requests. + +On some websites and services you may provide additional information for your account, such as a short biography, avatar, your location, or your birthday. We make that information available to everyone who can access the website or service in question. This information is not required to use any of our services and can be erased at any time. + +We will store your account data as long as your account remains open. After closing an account, we may retain some or all of your account data in the form of backups or archives for up to 90 days. + +## Contacting Us + +The Privacy Guides team generally does not have access to personal data outside of limited access granted via some moderation panels. Inquiries regarding your personal information should be sent directly to: + +```text +Jonah Aragon +Services Administrator +jonah@privacyguides.org +``` + +For all other inquiries, you can contact any member of our team. + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## About This Policy + +We will post any new versions of this statement [here](privacy-policy.md). We may change how we announce changes in future versions of this document. In the meantime we may update our contact information at any time without announcing a change. Please refer to the [Privacy Policy](privacy-policy.md) for the latest contact information at any time. + +A full revision [history](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) of this page can be found on GitHub. diff --git a/i18n/zh-Hant/about/privacytools.md b/i18n/zh-Hant/about/privacytools.md new file mode 100644 index 00000000..515c21f5 --- /dev/null +++ b/i18n/zh-Hant/about/privacytools.md @@ -0,0 +1,118 @@ +--- +title: "PrivacyTools FAQ" +--- + +# Why we moved on from PrivacyTools + +In September 2021, every active contributor unanimously agreed to move from PrivacyTools to work on this site: Privacy Guides. This decision was made because PrivacyTools’ founder and controller of the domain name had disappeared for an extended period of time and could not be contacted. + +Having built a reputable site and set of services on PrivacyTools.io, this caused grave concerns for the future of PrivacyTools, as any future disruption could wipe out the entire organization with no recovery method. This transition was communicated to the PrivacyTools community many months in advance via a variety of channels including its blog, Twitter, Reddit, and Mastodon to ensure the entire process went as smoothly as possible. We did this to ensure nobody was kept in the dark, which has been our modus operandi since our team was created, and to make sure Privacy Guides was recognized as the same reliable organization that PrivacyTools was before the transition. + +After the organizational move was completed, the founder of PrivacyTools returned and began to spread misinformation about the Privacy Guides project. They continue to spread misinformation in addition to operating a paid link farm on the PrivacyTools domain. We are creating this page to clear up any misconceptions. + +## What is PrivacyTools? + +PrivacyTools was created in 2015 by "BurungHantu," who wanted to make a privacy information resource - helpful tools following the Snowden revelations. The site grew into a flourishing open-source project with [many contributors](https://github.com/privacytools/privacytools.io/graphs/contributors), some eventually given various organizational responsibilities, such as operating online services like Matrix and Mastodon, managing and reviewing changes to the site on GitHub, finding sponsors for the project, writing blog posts and operating social media outreach platforms like Twitter, etc. + +Beginning in 2019, BurungHantu grew more and more distant from the active development of the website and communities, and began delaying payments he was responsible for related to the servers we operated. To avoid having our system administrator pay server costs out of their own pocket, we changed the donation methods listed on the site from BurungHantu's personal PayPal and crypto accounts to a new OpenCollective page on [October 31, 2019](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/). This had the added benefits of making our finances completely transparent, a value we strongly believe in, and tax-deductible in the United States, because they were being held by the Open Collective Foundation 501(c)3. This change was unanimously agreed upon by the team and went uncontested. + +## Why We Moved On + +In 2020, BurungHantu's absence grew much more noticeable. At one point, we required the domain's nameservers to be changed to nameservers controlled by our system administrator to avoid future disruption, and this change was not completed for over a month after the initial request. He would disappear from the public chat and private team chat rooms on Matrix for months at a time, occasionally popping in to give some small feedback or promise to be more active before disappearing once again. + +In October 2020, the PrivacyTools system administrator (Jonah) [left](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) the project because of these difficulties, handing control to another long-time contributor. Jonah had been operating nearly every PrivacyTools service and acting as the *de facto* project lead for website development in BurungHantu's absence, thus his departure was a significant change to the organization. At the time, because of these significant organizational changes, BurungHantu promised the remaining team he would return to take control of the project going forward. ==The PrivacyTools team reached out via several communication methods over the following months, but did not receive any response.== + +## Domain Name Reliance + +At the beginning of 2021, the PrivacyTools team grew worried about the future of the project, because the domain name was set to expire on 1st March 2021. The domain was ultimately renewed by BurungHantu with no comment. + +The team’s concerns were not addressed, and we realized this would be a problem every year: If the domain expired it would have allowed it to be stolen by squatters or spammers, thus ruining the organization's reputation. We also would have had trouble reaching the community to inform them of what took place. + +Without being in any contact with BurungHantu, we decided the best course of action would be to move to a new domain name while we still had guaranteed control over the old domain name, sometime before March 2022. This way, we would be able to cleanly redirect all PrivacyTools resources to the new site without any interruption in service. This decision was made many months in advance and communicated to the entire team in the hopes that BurungHantu would reach out and assure his continued support for the project, because with a recognizable brand name and large communities online, moving away from "PrivacyTools" was the least desirable possible outcome. + +In mid-2021 the PrivacyTools team reached out to Jonah, who agreed to rejoin the team to help with the transition. + +## Community Call to Action + +At the end of July 2021, we [informed](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) the PrivacyTools community of our intention to choose a new name and continue the project on a new domain, to be [chosen](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw) on 2nd August 2022. In the end, "Privacy Guides" was selected, with the `privacyguides.org` domain already owned by Jonah for a side-project from 2020 that went undeveloped. + +## Control of r/privacytoolsIO + +Simultaneously with the ongoing website issues at privacytools.io, the r/privacytoolsIO moderation team was facing challenges with managing the subreddit. The subreddit had always been operated mostly independently of the website's development, but BurungHantu was the primary moderator of the subreddit as well, and he was the only moderator granted "Full Control" privileges. u/trai_dep was the only active moderator at the time, and [posted](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) a request to Reddit's administrators on June 28, 2021, asking to be granted the primary moderator position and full control privileges, in order to make necessary changes to the Subreddit. + +Reddit requires that subreddits have active moderators. If the primary moderator is inactive for a lengthy period of time (such as a year) the primary moderation position can be re-appointed to the next moderator in line. For this request to have been granted, BurungHantu had to have been completely absent from all Reddit activity for a long period of time, which was consistent with his behaviors on other platforms. + +> If you were removed as moderator from a subreddit through Reddit request it is because your lack of response and lack of activity qualified the subreddit for an r/redditrequest transfer. +> +> r/redditrequest is Reddit's way of making sure communities have active moderators and is part of the [Moderator Code of Conduct](https://www.redditinc.com/policies/moderator-code-of-conduct). + +## Beginning the Transition + +On September 14th, 2021, we [announced](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) the beginning of our migration to this new domain: + +> [...] we found it necessary to make this switch sooner rather than later to ensure people would find out about this transition as soon as possible. This gives us adequate time to transition the domain name, which is currently redirecting to www.privacyguides.org, and it hopefully gives everyone enough time to notice the change, update bookmarks and websites, etc. + +This change [entailed:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- Redirecting www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). +- Archiving the source code on GitHub to preserve our past work and issue tracker, which we continued to use for months of future development of this site. +- Posting announcements to our subreddit and various other communities informing people of the official change. +- Formally closing privacytools.io services, like Matrix and Mastodon, and encouraging existing users to migrate as soon as possible. + +Things appeared to be going smoothly, and most of our active community made the switch to our new project exactly as we hoped. + +## Following Events + +Roughly a week following the transition, BurungHantu returned online for the first time in nearly a year, however nobody on our team was willing to return to PrivacyTools because of his historic unreliability. Rather than apologize for his prolonged absence, he immediately went on the offensive and positioned the transition to Privacy Guides as an attack against him and his project. He subsequently [deleted](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) many of these posts when it was pointed out by the community that he had been absent and abandoned the project. + +At this point, BurungHantu claimed he wanted to continue working on privacytools.io on his own and requested that we remove the redirect from www.privacytools.io to [www.privacyguides.org](https://www.privacyguides.org). We obliged and requested that he keep the subdomains for Matrix, Mastodon, and PeerTube active for us to run as a public service to our community for at least a few months, in order to allow users on those platforms to easily migrate to other accounts. Due to the federated nature of the services we provided, they were tied to specific domain names making it very difficult to migrate (and in some cases impossible). + +Unfortunately, because control of the r/privacytoolsIO subreddit was not returned to BurungHantu at his demand (further information below), those subdomains were [cut off](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) at the beginning of October, ending any migration possibilities to any users still using those services. + +Following this, BurungHantu made false accusations about Jonah stealing donations from the project. BurungHantu had over a year since the alleged incident occurred, and yet he never made anyone aware of it until after the Privacy Guides migration. BurungHantu has been repeatedly asked for proof and to comment on the reason for his silence by the team [and the community](https://twitter.com/TommyTran732/status/1526153536962281474), and has not done so. + +BurungHantu also made a [twitter post](https://twitter.com/privacytoolsIO/status/1510560676967710728) alleging that an "attorney" had reached out to him on Twitter and was providing advice, in another attempt to bully us into giving him control of our subreddit, and as part of his smear campaign to muddy the waters surrounding the launch of Privacy Guides while pretending to be a victim. + +## PrivacyTools.io Now + +As of September 25th 2022 we are seeing BurungHantu's overall plans come to fruition on privacytools.io, and this is the very reason we decided to create this explainer page today. The website he is operating appears to be a heavily SEO-optimized version of the site which recommends tools in exchange for financial compensation. Very recently, IVPN and Mullvad, two VPN providers near-universally [recommended](../vpn.md) by the privacy community and notable for their stance against affiliate programs were removed from PrivacyTools. In their place? NordVPN, Surfshark, ExpressVPN, and hide.me; Giant VPN corporations with untrustworthy platforms and business practices, notorious for their aggressive marketing and affiliate programs. + +==**PrivacyTools has become exactly the type of site we [warned against](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) on the PrivacyTools blog in 2019.**== We've tried to keep our distance from PrivacyTools since the transition, but their continued harassment towards our project and now their absurd abuse of the credibility their brand gained over 6 years of open source contributions is extremely troubling to us. Those of us actually fighting for privacy are not fighting against each other, and are not getting our advice from the highest bidder. + +## r/privacytoolsIO Now + +After the launch of [r/PrivacyGuides](https://www.reddit.com/r/privacyguides), it was impractical for u/trai_dep to continue moderating both subreddits, and with the community on-board with the transition, r/privacytoolsIO was [made](https://www.reddit.com/r/privacytoolsIO/comments/qk7qrj/a_new_era_why_rptio_is_now_a_restricted_sub/) a restricted sub in a post on November 1st, 2021: + +> [...] The growth of this Sub was the result of great effort, across several years, by the PrivacyGuides.org team. And by every one of you. +> +> A Subreddit is a great deal of work to administer and moderate. Like a garden, it requires patient tending and daily care. It’s not a task for dilettantes or commitment-challenged people. It can’t thrive under a gardener who abandons it for several years, then shows up demanding this year’s harvest as their tribute. It’s unfair to the team formed years ago. It’s unfair to you. [...] + +Subreddits do not belong to anybody, and they especially do not belong to brand-holders. They belong to their communities, and the community and its moderators made the decision to support the move to r/PrivacyGuides. + +In the months since, BurungHantu has threatened and begged for returning subreddit control to his account in [violation](https://www.reddit.com/r/redditrequest/wiki/top_mod_removal/) of Reddit rules: + +> Retaliation from any moderator with regards to removal requests is disallowed. + +For a community with many thousands of remaining subscribers, we feel that it would be incredibly disrespectful to return control of that massive platform to the person who abandoned it for over a year, and who now operates a website that we feel provides very low-quality information. Preserving the years of past discussions in that community is more important to us, and thus u/trai_dep and the rest of the subreddit moderation team has made the decision to keep r/privacytoolsIO as-is. + +## OpenCollective Now + +Our fundraising platform, OpenCollective, is another source of contention. Our position is that OpenCollective was put in place by our team and managed by our team to fund services we currently operate and which PrivacyTools no longer does. We [reached out](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) to all of our donors regarding our move to Privacy Guides, and we were unanimously supported by our sponsors and community. + +Thus, the funds in OpenCollective belong to Privacy Guides, they were given to our project, and not the owner of a well known domain name. In the announcement made to donors on September 17th, 2021, we offered refunds to any donor who disagrees with the stance we took, but nobody has taken us up on this offer: + +> If any sponsors or backers disagree with or feel misled by these recent events and would like to request a refund given these highly unusual circumstances, please get in touch with our project admin by emailing jonah@triplebit.net. + +## Further Reading + +This topic has been discussed extensively within our communities in various locations, and it seems likely that most people reading this page will already be familiar with the events leading up to the move to Privacy Guides. Some of our previous posts on the matter may have extra detail we omitted here for brevity. They have been linked below for the sake of completion. + +- [June 28, 2021 request for control of r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [July 27, 2021 announcement of our intentions to move on the PrivacyTools blog, written by the team](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [Sept 13, 2021 announcement of the beginning of our transition to Privacy Guides on r/privacytoolsIO](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [Sept 17, 2021 announcement on OpenCollective from Jonah](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [Sept 30, 2021 Twitter thread detailing most of the events now described on this page](https://twitter.com/privacy_guides/status/1443633412800225280) +- [Oct 1, 2021 post by u/dng99 noting subdomain failure](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [Apr 2, 2022 response by u/dng99 to PrivacyTools' accusatory blog post](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [May 16, 2022 response by @TommyTran732 on Twitter](https://twitter.com/TommyTran732/status/1526153497984618496) +- [Sep 3, 2022 post on Techlore's forum by @dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/zh-Hant/about/services.md b/i18n/zh-Hant/about/services.md new file mode 100644 index 00000000..71f2c95b --- /dev/null +++ b/i18n/zh-Hant/about/services.md @@ -0,0 +1,38 @@ +# Privacy Guides Services + +We run a number of web services to test out features and promote cool decentralized, federated, and/or open-source projects. Many of these services are available to the public and are detailed below. + +[:material-comment-alert: Report an issue](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## Discourse + +- Domain: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- Availability: Public +- Source: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- Domain: [code.privacyguides.dev](https://code.privacyguides.dev) +- Availability: Invite-Only + Access may be granted upon request to any team working on *Privacy Guides*-related development or content. +- Source: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- Domain: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- Availability: Invite-Only + Access may be granted upon request to Privacy Guides team members, Matrix moderators, third-party Matrix community administrators, Matrix bot operators, and other individuals in need of a reliable Matrix presence. +- Source: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- Domain: [search.privacyguides.net](https://search.privacyguides.net) +- Availability: Public +- Source: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/zh-Hant/about/statistics.md b/i18n/zh-Hant/about/statistics.md new file mode 100644 index 00000000..8f17240c --- /dev/null +++ b/i18n/zh-Hant/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: Traffic Statistics +--- + +## Website Statistics + + +
Stats powered by Plausible Analytics
+ + + + +## Blog Statistics + + +
Stats powered by Plausible Analytics
+ + + diff --git a/i18n/zh-Hant/advanced/communication-network-types.md b/i18n/zh-Hant/advanced/communication-network-types.md new file mode 100644 index 00000000..53f78636 --- /dev/null +++ b/i18n/zh-Hant/advanced/communication-network-types.md @@ -0,0 +1,103 @@ +--- +title: "通訊網路的類型" +icon: 'material/transit-connection-variant' +description: 簡介常見的即時通訊應用程式網路架構。 +--- + +有幾種網絡架構常運用於在人與人之間傳遞消息。 這些網路提供不同的隱私保證,這就是為什麼在決定使用哪個應用程式時,最好能考慮您的[威脅模型](../basics/threat-modeling.md) 。 + +[推薦的即時通訊工具](../real-time-communication.md ""){.md-button} + +## 集中式網絡 + +![集中網絡圖](../assets/img/layout/network-centralized.svg){ align=left } + +集中式信使是指所有參與者都在同一伺服器或同一組織所控制的伺服器網絡。 + +有些自託管信使允許設置自己的伺服器。 自託管可以提供額外的隱私保證,例如不用記錄或限制讀取元數據(關於誰與誰交談的資料)。 自託管的集中式信使是隔離的,每個人都必須在同一個伺服器上進行通信。 + +**優點** + +- 新功能和變更可以更快地實施。 +- 更容易使用和查找聯系人。 +- 近乎成熟和穩定的生態系統,因為集中式軟件更容易編程。 +- 當您信任自我託管的伺服器時,隱私問題可能會減少。 + +**缺點** + +- [限制控制或存取](https://drewdevault.com/2018/08/08/Signal.html)。 可能包括以下內容: +- 集中型網路 [禁封了](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)可以提供更靈活自定與更佳使用體驗的第三方客戶端。 通常定義在使用條款和條件。 +- 對於第三方開發人員來說,文件記錄很糟。 +- 由單一實體控制服務時,其 [所有權](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/)、隱私政策和服務操作可輕易改變,甚致危及服務。 +- 自我託管需要精力和設置服務的知識。 + +## 聯邦式網絡 + +![聯邦式網絡圖](../assets/img/layout/network-decentralized.svg){ align=left } + +聯合信使使用多個獨立的分散式伺服器,這些伺服器能夠彼此通訊(電子郵件是聯合服務的一個例子)。 聯邦讓系統管理員控制自己的伺服器,成為更大通訊網絡中的一員。 + +當自行託管時,聯邦伺服器的成員可以發現並與其他伺服器的成員進行通信,而有些伺服器可能會選擇保持私密而不加入聯邦(例如工作團隊伺服器)。 + +**優點** + +- 運行自己的伺服器可以更加控制自己的資料。 +- 可從多個“公共”伺服器之中選擇信任的資料託付者。 +- 可讓第三方客戶端提供更原生、定制或親和的體驗。 +- 假設您有存取伺服器的權限或信任有此權限的人(例如,家庭成員),可以驗證伺服器軟體是否與公開原始碼相符。 + +**缺點** + +- 添加新功能較複雜,因為這些功能需要標準化和測試,以確保可與網絡上的所有伺服器配合使用。 +- 根據前一點,與集中式平臺相比,聯邦式網絡欠缺完整功能或容易出現意外,例如離線時的訊息中繼或訊息刪除。 +- 可能會產生某些元數據(例如使用 E2EE 時, “誰在與誰交談”但不知其實際內容的資料)。 +- 聯邦式伺服器通常需要信任伺服器管理員。 他們可能是業餘愛好者,也不是“安全專業人士” ,欠缺標準文件,如隱私政策或服務條款,來詳細說明資料如何被使用。 +- 伺服器管理員有時會封鎖其他伺服器,因為它們無節制地濫用的或違反公認行為的一般規則。 這會阻礙您與這些伺服器成員溝通的能力。 + +## 對等網絡 + +![P2P示意圖](../assets/img/layout/network-distributed.svg){ align=left } + +P2P 軟體連接到 [分佈式網路](https://en.wikipedia.org/wiki/Distributed_networking) 中的節點,在沒有第三方伺服器的情況下將訊息傳遞給收件人。 + +客戶端(對等軟體)通常通過 [分布式計算](https://en.wikipedia.org/wiki/Distributed_computing) 網絡找到彼此。 例如, [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT)被 [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) 和 [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) 使用。 另一種方法是鄰近的網絡,通過WiFi或藍牙建立連接(例如, Briar 或 [Scuttlebutt](https://www.scuttlebutt.nz) 社交網絡協議)。 + +一旦對等體通過任何這些方法找到通往其聯繫的路徑,它們之間就會建立直接連接。 通常訊息內容會加密,但觀察者仍然可以推斷發件人和收件人的位置和身份。 + +P2P 網絡不使用伺服器,對等方彼此之間直接通信,因此不能自我託管。 但是,一些額外的服務可能要靠集中式伺服器,例如用戶看到或轉發離線消息,這些需要自託管伺服器的協助。 + +**優點** + +- 最少的信息暴露給第三方。 +- 現代 P2P 平臺皆已預設為 E2EE。 不像集中和聯邦式網絡,沒有伺服器會攔截和解密您的傳輸。 + +**缺點** + +- 精簡功能集: +- 訊息只能在兩個對等方都在線時發送,但是,客戶端可能會在本地儲存訊息以等待聯絡人在線時送出。 +- 增加移動設備的電池使用量,因為客戶端必須保持與分佈式網絡的連接,以了解誰在線。 +- 缺少某些傳訊功能或不完整,例如訊息刪除。 +- 如果您未將軟體與 [VPN](../vpn.md) 或 [Tor](../tor.md)配合使用,則很可能暴露了自己和通訊聯絡人的 IP 位址。 許多國家都有某種形式的大規模監控和/或元數據保留。 + +## 匿名路由 + +![匿名路由示意圖](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +使用 [匿名路由](https://doi.org/10.1007/978-1-4419-5906-5_628) 的傳訊方式會隱藏發送者、接收者的身份或他們一直在溝通的證據。 理想情況下,這三種東西都該被隱藏。 + +匿名路由[有多種](https://doi.org/10.1145/3182658) 實現方式。 其中最著名 [洋蔥路由](https://en.wikipedia.org/wiki/Onion_routing) (即 [Tor](tor-overview.md)) ,該虛擬 [覆蓋網絡](https://en.wikipedia.org/wiki/Overlay_network) 隱藏節點位置以及收件人和發件人之間的加密訊息。 發送者和接收者不會直接互動,而是通過祕密會合節點,這樣就不會洩漏 IP 位址或物理位置。 節點無法解密訊息,也無法解密最終目的地;只有收件人可以。 中間節點只能解密下一步送到哪裡的指示,消息本體仍保持加密直到送達最終有權限解密的收件人,因此是“洋蔥層”。 + +在匿名路由網絡中自我託管節點無法增加額外隱私優勢,但有助於整個網絡軔性抵禦識別攻擊。 + +**優點** + +- 很少甚至無資訊暴露給其他方。 +- 消息可以以分散的方式接力傳遞,即使其中一方離線。 + +**缺點** + +- 消息傳播速度慢。 +- 通常僅支援少數媒體類型,因為網絡速度慢主要為文字傳輸。 +- 隨機路由選擇節點,某些節點可能遠離發送者和接收者,增加延遲,甚至因某個節點離線而無法傳輸消息。 +- 入手更複雜,因為需要創建和備份加密私鑰。 +- 如同其他分散式平臺,對開發人員而言,添加功能比集中式平臺更複雜。 因此,功能欠缺或未完全執行,例如離線消息中繼或消息刪除。 diff --git a/i18n/zh-Hant/advanced/dns-overview.md b/i18n/zh-Hant/advanced/dns-overview.md new file mode 100644 index 00000000..60f71cb2 --- /dev/null +++ b/i18n/zh-Hant/advanced/dns-overview.md @@ -0,0 +1,354 @@ +--- +title: "DNS 簡介" +icon: material/dns +description: 網域名稱系統是“網際網路電話簿” ,可幫助瀏覽器找到它正在尋找的網站。 +--- + +[網域名稱系統](https://en.wikipedia.org/wiki/Domain_Name_System) 是「網際網路的電話簿」。 DNS 將網域名稱轉換為 IP 位址,以便瀏覽器和其他服務可以通過分散的伺服器網路載入網路資源。 + +## 什麼是 DNS? + +當您訪問一個網站時,會傳回一個數字地址。 以訪問 `privacyguides.org`網站為例,它傳回的地址為 `192.98.54.105` 。 + +DNS 從網際網路的 [早期](https://en.wikipedia.org/wiki/Domain_Name_System#History) 就存在了。 來往 DNS 伺服器的 DNS 請求通常 **不是** 加密的。 一般家用的網路中,客戶的伺服器通常是由 ISP 透過 [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)給予的。 + +未經加密的 DNS 請求很容易**被監視** 或在傳輸過程中**遭到修改modified**。 在某些地區, ISP 被要求做初級的 [DNS 過濾](https://en.wikipedia.org/wiki/DNS_blocking)。 當您要求被封鎖網域的IP位址時,伺服器可能不會回應,或可能會使用其他IP位址回應。 由於DNS通訊協定沒有加密, ISP (或任何網路營運商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 來監控請求。 網路服務供應商也可以根據共同特徵封鎖請求,無論你使用哪種 DNS 伺服器。 未加密的 DNS 總是使用 53 號[端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) ,並且總是使用UDP。 + +接下來,我們將討論並提供一個教程來證明外部觀察者可以使用普通的未加密 DNS 和 [加密 DNS ](#what-is-encrypted-dns)看到什麼。 + +### 未加密的 DNS + +1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) ( [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 項目的一部分) ,我們可以監控和記錄網路封包的傳輸。 此命令記錄符合指定規則的封包: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. 我們可以使用 [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) ( Linux , MacOS 等)或 [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) ( Windows )將DNS 查詢發送到伺服器。 Web 瀏覽器等軟體會自動執行這些查詢,除非它們被配置為使用加密的DNS。 + + = = = "Linux , macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + = = = "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. 接下來我們要[分析](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) 結果: + + === "Wireshark" + + ``` + wireshark -r/tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +如果執行上面的 Wireshark 命令,頂部窗格會顯示「[frame](https://en.wikipedia.org/wiki/Ethernet_frame)」,底部窗格會顯示所選框架的所有資料。 企業過濾和監控解決方案(例如政府購買的解決方案)可以自動執行此過程,而無需人工交互,並且可以聚合這些框架以產生對網路觀察者有用的統計數據。 + +| 不。 | 時間 | 來源 | 目的地 | 協議 | 長度 | 資訊 | +| -- | -------- | --------- | --------- | --- | --- | ----------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | 標準查詢 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | 標準查詢回應 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | 標準查詢 0x58ba A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | 標準查詢回應0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +觀察者可以修改這些封包。 + +## 什麼是「加密後的 DNS」 ? + +加密 DNS 可以引用許多協議之一,最常見的是: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是第一種查詢加密 DNS 的方法之一。 DNSCrypt 在 443 端口上運作,與 TCP 或 UDP 傳輸協議一起使用。 DNSCrypt 從未向 [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force)提交文件 ,也未通過 [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) 流程,因此 [實用少](https://dnscrypt.info/implementations)並未被廣泛使用。 因此,它大量被更受歡迎的 [DNS over HTTPS](#dns-over-https-doh) 取代。 + +### 通過 TLS 的 DNS) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) 是另一種加密 DNS 通訊方式,其定義於 [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858)。 支持首先在Android 9 , iOS 14和Linux的 [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) 版本237中實現。 近年來,業界偏好已經從 DoT 轉移到 DoH ,因為 DoT 協議[複雜](https://dnscrypt.info/faq/) ,並且在實現中對RFC 的遵照狀況各不相同。 DoT 還在專用端口 853 上運行,但很容易被限制性防火牆阻止。 + +### 通過 HTTPS 的 DNS) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) 定義在 [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) 文件,封包查詢透過[HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) 協議,以 HTTPS 提供安全性。 最初使用於 Firefox 60 和 Chrome 83 等網頁瀏覽器。 + +DoH 原生執行出現在 iOS 14, macOS 11, Microsoft Windows, 與 Android 13 (不過其並未[預設啟動 ](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144))。 一般 Linux 桌面支援仍待 systemd [實現](https://github.com/systemd/systemd/issues/8639), 所以 [還是得安裝第三方軟體](../dns.md#encrypted-dns-proxies)。 + +## 外部人士可以看到什麼? + +在此範例中,我們將記錄當我們提出 DoH 請求時發生的事情: + +1. 首先,打開 `tshark`: + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. 其次,使用 `curl`提出請求: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. 提出請求後,快速鍵 CTRL + C可停止封包捉取。 + +4. 在 Wireshark 中分析結果: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +[連接建立](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) 在加密連接時會進行 [TLS 握手](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) 。 當查看隨後的“應用程序數據”封包時,都不包含所請求的域名或它的 IP 地址。 + +## 什麼時候 **不該** 使用加密的 DNS ? + +在有網路過濾(或審查)的地方,訪問被禁止的資源可能會產生某些後果,您應該在 [威脅模型](../basics/threat-modeling.md)中考慮這些後果。 非常 **不建議**把加密 DNS 用在此目的上。 使用 [Tor](https://torproject.org) 或 [VPN](../vpn.md) 代替。 如果您使用的是VPN ,則應使用 VPN 的 DNS 伺服器。 使用 VPN 時,您已經信任它們與您的所有網路活動。 + +當我們進行 DNS 查詢時,通常是因為我們想要存取資源。 接下來,我們將討論一些即使在使用加密 DNS 時也可能會披露您的瀏覽活動的情況: + +### IP 位址 + +確定瀏覽活動的最簡單方法可能是查看您的設備正在訪問的 IP 位址。 例如,如果觀察者知道 `privacyguides.org` 位於 `198.98.54.105`,而您的裝置正在請求 `198.98.54.105`的數據,則很有可能您正在訪問隱私指南。 + +此方法僅在 IP 位址屬於僅託管少數網站的伺服器時才有用。 如果網站託管在共享平臺上(例如Github Pages , Cloudflare Pages , Netlify , WordPress , Blogger等) ,它也不是很有用。 如果服務器託管在 [反向代理](https://en.wikipedia.org/wiki/Reverse_proxy)之後,這也不是很有用,這在現代互聯網上非常常見。 + +### 伺服器名指示(SNI) + +伺服器名稱指示通常用於IP位址託管多個網站時。 這可能是像 Cloudflare 的服務,或者其他 [阻斷服務攻擊](https://en.wikipedia.org/wiki/Denial-of-service_attack) 保護。 + +1. 再次開始捕捉 `tshark`。 我們添加了一個自身IP 地址的過濾器,因此您不會捕獲過多封包: + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. 然後訪問 [https://privacyguides.org](https://privacyguides.org)。 + +3. 在訪問網站後,以 CTRL + C停止封包捕捉。 + +4. 接下來分析結果: + + ```bash + wireshark -r/tmp/pg.pcap + ``` + + 連接建立後與 privacyguides 網站的TLS 握手。 大約在第5 幀附近。 你會看到一個“客戶你好”。 + +5. 展開每個字段旁邊的三角形 ▸ : + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. 我們可以看到我們正在訪問的網站的SNI值。 `tshark` 命令可以直接爲所有包含 SNI 封包提供值: + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +即便使用「加密 DNS」伺服器,網域也可能會透過 SNI 披露。 [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) 協議帶來了 [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/),可以防止這種洩漏。 + +政府,特別是 [中國](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) 和 [俄羅斯](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/),已經[開始封鎖](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) ,或者有些表示將這樣做。 近來俄羅斯 + +開始屏蔽使用 [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3)的外國網站。 這是因為作為HTTP/3的一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 協議要求 `ClientHello` 也被加密。

+ + + +### 線上憑邆狀態協議 (OCSP) + +瀏覽器會披露瀏覽活動的另一種方式是使用 [線上憑證狀態協議 (Online Certificate Status Protocol)](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)。 訪問有 HTTPS 網站時,瀏覽器會檢查網站的 [憑證](https://en.wikipedia.org/wiki/Public_key_certificate) 是否已被撤銷。 這是透過 HTTP 協議完成的,這意味著它**不是** 加密的。 + +OCSP 請求包含憑證,其帶有獨特的"[序列號](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)"。 它被發送到 “OCSP 回應器”去檢查其狀態。 + +利用 [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) 命令模擬瀏覽器會做什麼。 + +1. 取得伺服器憑證並使用 [`sed`](https://en.wikipedia.org/wiki/Sed) 來保留重要部分並將其寫入檔案: + + + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + + +2. 取得中間憑證。 [憑證授權機構(CA)](https://en.wikipedia.org/wiki/Certificate_authority) 通常不會直接簽署憑證;他們使用所謂的「中間」憑證。 + + + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + + +3. `pg_and_intermediate.cert` 中的第一個憑證實際上是步驟1 的伺服器憑證。 我們可以再次使用 `sed` 來刪除直到 END 第一個實例: + + + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + + +4. 取得伺服器憑證的OCSP 回應器: + + + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + +我們的憑證顯示 Lets Encrypt 憑證回應器。 如果我們想查看憑證的所有細節,我們可以使用: + + + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + + +5. 開始捕取封包: + + + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + + +6. 提出 OCSP 要求: + + + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + + +7. 打開捕捉資料: + + + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + +將會有兩個帶有「OCSP」通訊協定的封包:「Request」和「Response」。 對於“Request” ,可以通過擴展每個字段旁邊的三角形 ▸ 來看到“序列號” : + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + +對於“回應” ,我們也可以看到“序列號” : + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + + +8. 或者使用 `tshark` 來過濾序列號的封包: + + + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + + +如果網路觀察者拿到可公開取得的公共憑證,就可將序列號與該憑證作匹配,從而確定您正在訪問的網站。 這個過程可以自動化,並且可以將IP地址與序列號相關聯。 也可檢查 [憑證透明度](https://en.wikipedia.org/wiki/Certificate_Transparency) 日誌的序列號。 + + + +## 我應該用加密 DNS 嗎? + +這個流程圖描述了何時 *應該使用* 加密 DNS: + + + +``` mermaid +graph TB + Start[Start] --> anonymous{Trying to be
anonymous?} + anonymous--> | Yes | tor(Use Tor) + anonymous --> | No | censorship{Avoiding
censorship?} + censorship --> | Yes | vpnOrTor(Use
VPN or Tor) + censorship --> | No | privacy{Want privacy
from ISP?} + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP makes
obnoxious
redirects?} + obnoxious --> | Yes | encryptedDNS(Use
encrypted DNS
with 3rd party) + obnoxious --> | No | ispDNS{Does ISP support
encrypted DNS?} + ispDNS --> | Yes | useISP(Use
encrypted DNS
with ISP) + ispDNS --> | No | nothing(Do nothing) +``` + + +與第三方合作的加密 DNS 應限於避開重定向和基本的 [DNS 封鎖](https://en.wikipedia.org/wiki/DNS_blocking) ,也就是確定無後顧或對供應商的基本過濾感興趣時才用第三方。 + +[推薦的 DNS 伺服器列表](../dns.md ""){.md-button} + + + +## 什麼是 DNSSEC ? + +[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC)是 DNS 的一項功能,域名查找的回應予以驗證。 它無法為查詢者提供隱私保護,而是防止攻擊者操縱或毒害對DNS 請求的回應。 + +換句話說, DNSSEC 對資料進行數位簽名,幫助確保其有效性。 為了確保安全查找,過程中的每個層級都會簽名。 因此,DNS 全部的回答都可以被信任。 + +DNSSEC 簽署過程類似於無法仿製的個人獨特簽名於法律文件,法院專家透過簽名驗證該文件效力須依據簽名的真假判定。 這些數位簽名確保資料不會被篡改。 + +DNSSEC 在所有 DNS 層中實施分級數位簽名政策。 例如,查詢 `privacyguides.org` ,根 DNS 伺服器將簽署尾綴 `.org` 伺服器密鑰,然後 `.org` 伺服器再簽署 `privacyguides.org`的授權名稱伺服器的密鑰。 + +改編自 Google [DNS Security Extensions (DNSSEC) overview] (https://cloud.google.com/dns/docs/dnssec)和 Cloudflare [DNSSEC: An Introduction] (https://blog.cloudflare.com/dnssec-an-introduction/) ,兩者均根據[CC BY 4.0] (https://creativecommons.org/licenses/by/4 .0/)授權。 + + + +## 什麼是QNAME最小化? + +QNAME是“限定名稱” ,例如 `privacyguides.org`。 QNAME 最小化可減少從 DNS 伺服器傳送到 [授權名稱伺服器](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server)的資訊量。 + +與其傳送完整域名 `privacyguides.org`, QNAME最小化意味著 DNS 伺服器會請求所有 `.org`尾綴 的記錄。 進一步的技術描述在 [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816)。 + + + +## 什麼是 EDNS 客戶端子網(ECS ) ? + +[EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) 是遞歸DNS 解析器為DNS 查詢的 [主機或客戶端](https://en.wikipedia.org/wiki/Client_(computing)),指定 [子網絡](https://en.wikipedia.org/wiki/Subnetwork) 的方法。 + +它的目的是回答客戶端距離最靠近的伺服器以“加快”資料的傳遞,類似[內容傳遞網絡](https://en.wikipedia.org/wiki/Content_delivery_network),後者通常用於視頻串流和 JavaScript Web 應用程序。 + +此功能確實以隱私為代價,因為它會告訴 DNS伺服器一些有關客戶端位置的資訊。 diff --git a/i18n/zh-Hant/advanced/payments.md b/i18n/zh-Hant/advanced/payments.md new file mode 100644 index 00000000..dcfbb2a8 --- /dev/null +++ b/i18n/zh-Hant/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: 私密支付 +icon: material/hand-coin +--- + +購買習慣的資料視為廣告定位聖杯是有原因的:購買行為會洩漏有關當事人的許多寶貴資訊。 不幸的是,目前的金融體系在設計上不利隱私,使銀行、其他公司和政府能夠輕鬆追蹤交易。 然而,在私下付款方面,您有很多選擇。 + +## 現金 + +幾個世紀以來, **現金** 一直是私人支付的主要形式。 在大多數情況下,現金具有優秀的隱私性,在大多數國家被廣泛接受,並且是 **可替代的**,這意味著它是非唯一的,完全可互換。 + +現金支付法因國家而異。 在美國,10,000美元以上交易需在 [8300表格中](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000)對美國國稅局披露。 收款業必須驗證收款人的姓名、地址、職業、出生日期、社會安全號碼或其他TIN (部分例外)。 少於 3,000 美元交換和匯款,就無須身份證明。 現金鈔票有序號。 商家很少追蹤序號,但執法部門可以在針對性調查中用到它們。 + +儘管如此,現金仍是最好的選擇。 + +## 預付卡 & 禮品卡 + +在大多數雜貨店和便利店用現金購買禮品卡和預付卡相對簡單。 禮品卡通常不收取費用,但預付卡通常會收取費用,因此請留意其費用和到期日期。 為了減少欺詐行為,部分商店可能會在結帳時要求查看身分證件。 + +禮品卡通常每張上限為 200美元,有些禮品卡上限到 2,000 美元。 預付卡(例如:來自 Visa 或 Mastercard )通常卡片額度為 1,000 美元。 + +禮品卡的缺點是受商家政策的約束,這些政策可能有糟糕的條款和限制。 例如,有些商家不接受禮品卡付款,或者對高風險用戶取消禮品卡的價值。 一旦您拿了由商家信用擔保的禮品卡,商家就會對這筆金額有強烈的控制權。 + +預付卡無法從 ATM 提取現金或在 Venmo 以應用程序中進行“點對點”付款。 + +對於大多數人來說,現金仍然是現場購物的最佳選擇。 禮品卡用處在於節省。 預付卡適用於不接受現金的地方。 網路中禮品卡和預付卡比現金更容易使用,也更容易透過加密貨幣獲得。 + +### 網上交易平臺 + +如果您有 [加密貨幣](../cryptocurrency.md),可在線禮品卡市場購買禮品卡。 有服務在更高額度時有提供身份驗證選項,它們也允許帳戶只需提供電子郵件地址。 基本帳戶限額為每天 5,000-10,000 美元,身份驗證帳戶(如果有)的限額則更高。 + +在網上購買禮品卡時,通常會有小折扣。 預付卡通常以面值或收取服務費在網上銷售。 如果您使用加密貨幣購買預付卡和禮品卡,您最好使用強大隱私的 Monero 付款,下面將進一步說明。 使用可追溯的付款方式支付禮物卡,取消了用現金或 Monero 購買禮品卡的隱私優點。 + +- [網上禮品卡市場 :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## 虛擬卡 + +另一種保護個資免受線上商家侵害的方法是使用虛擬的一次性卡片,以掩蓋您的實際銀行或帳單資訊。 這可對付商家數據洩露,營銷機構粗糙的跟蹤或購買聯結以及線上資料盜竊。 **無法完全匿名**您的購買行為,也不能對金融機構隱瞞自身的資訊。 發行虛擬卡的常規金融機構受「瞭解您的客戶」( KYC )法律約束,這意味著您需要提供身份證明文件或其他識別信息。 + +- [推薦付款掩蔽服務 :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +這些往往是線上定期/訂閱付款的好選擇,而預付禮品卡則更適合一次性交易。 + +## 加密貨幣 + +加密貨幣是一種數位形式的貨幣,其設計上沒有中央機構如政府或銀行即自行運作。 *有些* 加密貨幣可以在線上私密交易,但許多使用公開區塊錬則無法保障交易隱私。 加密貨幣是非常不穩定的資產,這它們的價值可能隨時發生急速顯著變化。 因此,不建議加密貨幣作為長期價值儲存。 如果決定使用加密貨幣,請確保已充分了解其隱私,且投資金額不會變成災難性損失。 + +!!! 危險 + + 絕大多數加密貨幣都在* *公共* *區塊鏈上運作,這意味著每筆交易都可公開知道。 這包括最知名的加密貨幣,如比特幣和以太坊。 加密貨幣的交易不應被視為私密,也不會保護您的匿名性。 + + 此外,許多(如果不是大多數)加密貨幣都是騙局。 只用你信任的項目小心進行交易。 + +### 隱私幣 + +有許多加密貨幣聲稱通過匿名交易來提供隱私。 建議探用** 預設**為匿名交易的工具,以避免操作時發生錯誤。 + +- [推薦的加密貨幣 :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +隱私硬幣受到政府機構日益嚴格的監管。 2020年[美國稅務局 IRS 發表 $625,000 賞金](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc),來徵求工具破解 Bitcoin Lightning Network 和 Monero 交易隱私。 最後由 [二家公司](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) 共同獲得 $1250000 美元,但外界並不知道所開發的工具是用在哪一種加密貨幣網路。 由於這些工具的保密性,追蹤加密貨幣的方法都未得到獨立的證實。隱私硬幣交易很可能被運用在針對性地調查,而大規模監控則無法阻止。 + +### 其他貨幣(比特幣、以太坊等) + +絕大多數加密貨幣項目使用公共區塊鏈,這意味著所有交易記錄都很容易追溯和永久保存。 因此,我們強烈不鼓勵把加密貨幣用和隱私相關的事物上。 + +公開區塊錬上的匿名交易*理論上* 可行,比特幣維基就 [提出如何"完全匿名"交易的案例](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation)。 然而,這樣需要複雜的設置,涉及Tor和“獨自挖掘”一個區塊來產生完全獨立的加密貨幣,多年來幾乎沒有任何愛好者實踐過。 + += =您最好還是完全避免這些加密貨幣,並堅持使用預設隱私的加密貨幣。嘗試使用其他加密貨幣超出了本網站的範圍,非常不建議。 + +### 錢包保管 + +加密貨幣有兩種形式的錢包:託管錢包和非託管錢包。 託管錢包由集中式公司/交易所運營,錢包的私鑰由該公司持有,您可以使用用戶名和密碼從任何地方存取。 非託管錢包是您自己控制和管理錢包的私鑰。 假如可以保管好錢包的私鑰安全並備份,非保管錢包比保管錢包具有更大的安全性和審查抵抗力,因為您的加密貨幣不會被保管的公司竊取或凍結。 密鑰保管在隱私貨幣上尤其重要:保管錢包使運營公司能夠查看您的交易,否定了這些加密貨幣的隱私優勢。 + +### 取得 + +私下購買 [加密貨幣](../cryptocurrency.md) ,如Monero 可能很困難。 P2P 市場如 [LocalMonero](https://localmonero.co/),為促進人群交易的平台,也是個可考慮的選擇。 如果使用需要 KYC的交易所是您可接受的風險(只要隨後的交易無法追蹤)。一個更容易的方式是從 [Kraken](https://kraken.com/)等交易所購買 Monero ,或者從 KYC 交易所購買比特幣/萊特幣,然後兌換為 Monero。 然後,您可以將購入的 Monero 提取到自己的非保管錢包,以便 日後私下使用。 + +如果您選擇這條路線,請確保以不同的時間和額度購買與用掉Monero 。 如果你在交易所購買 5000 美元的 Monero ,並在一個小時後花掉這筆錢,外部觀察者會將這些行為作關聯,無關 Monero 走的是通道。 驚人的購買和提前購買大量的Monero 以支應之後小額交易,可以避免這種陷阱。 + +## 其他注意事項 + +使用現金現場付款時,請務必謹記現場隱私。 安全攝影機無處不在。 不妨考慮穿著不顯眼的衣服和口罩(如外科口罩或N95 )。 請勿註冊獎勵計劃或提供自己的相關資訊。 + +在網上購買時,理想情況下應該透過 [Tor](tor-overview.md)進行。 但是,許多商家不允許使用 Tor 購買。 可以考慮使用 [推薦的 VPN](../vpn.md) (使用現金、禮品卡或 Monero 支付),或利用咖啡店或圖書館免費 Wi-Fi 購買。 如果你訂購的是實體物品,則需要提供送遞地址。 您應該考慮使用郵政信箱、私人郵箱或工作地址。 diff --git a/i18n/zh-Hant/advanced/tor-overview.md b/i18n/zh-Hant/advanced/tor-overview.md new file mode 100644 index 00000000..c9cb9bac --- /dev/null +++ b/i18n/zh-Hant/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor 簡介" +icon: 'simple/torproject' +description: Tor 是一個免費使用的去中心化網路,其讓用戶在使用網際網路之際盡可能地保護自己的隱私。 +--- + +Tor 是一個免費使用的去中心化網路,其讓用戶在使用網際網路之際盡可能地保護自己的隱私。 如果使用得當,該網路可以實現私人和匿名瀏覽和通訊。 + +## 連接明網服務的路徑建立 + +「明網服務」是用任何瀏覽器都可訪問的網站,例如 [privacyguides.org](https://www.privacyguides.org)。 Tor 允許您匿名連接到某些網站,由數千個志願者運行的伺服器組成的網絡引導您的流量,這些伺服器稱為節點(或中繼)。 + +每當您連接到 Tor 時,它都會選擇三個節點來構建通往網際網路的路徑,這種路徑稱為「迴路」。 + +
+ ! [Tor 路徑顯示您的設備到達目的地網站之前所連接的入口節點,中間節點和出口節點] (../assets/img/how-tor-works/tor-path.svg#only-light) + ! Tor 路徑顯示您的設備到達目的地網站之前所連接的入口節點,中間節點和出口節點] (../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor 迴路路徑
+
+ +每個節點都有自己的功能: + +### 入口節點 + +入口節點,通常稱為守護節點,是 Tor 客戶端連接的第一個節點。 入口節點能夠看到您的 IP 位址,但無法看到您正在連接的內容。 + +不像其它節點 Tor 客戶端會隨機地選取入口節點後持續使用二~三個月以防護某些外部攻擊 [^1] + +### 中間節點 + +中間節點是 Tor 客戶端連接的第二個節點。 它可以看到流量來自哪個節點(入口節點)以及它下一步要去哪個節點。 中間節點無法看到您的 IP 位址或您連接的網域。 + +對於每個新迴路,中間節點是隨機從所有可用的 Tor 節點中選出。 + +### 出口節點 + +出口節點是您的 Web 流量離開 Tor 網路並轉發到所需目的地的點。 出口節點無法看到您的 IP 位址,但它知道將連接到哪個網站。 + +出口節點將從所有可用的 Tor 節點中隨機選擇,並使用退出中繼標記。[^ 2] + +## Onion 服務的路徑建立 + +“Onion 服務” (也通常被稱為“隱藏服務” )是只能由 Tor 瀏覽器訪問的網站。 這些網站有一個長串隨機生成的域名,結尾為 `.onion`。 + +在Tor中連接到 Onion服務的工作原理與連接到明網服務非常相似,但您的流量在到達目的地伺服器之前會通過 **6 個** 節點。 不過就如之前所言,其中只有三個節點會有助 *您的*匿名性,而另外三個節點則是為了保護 * Onion 服務* 匿名性,隱藏該網站的真正 IP 和位置,就如同 Tor 瀏覽器如何隱蔽您的 IP 一樣。 + +
+ ! [Tor路徑顯示您的流量通過您的三個Tor節點加上三個額外的Tor節點隱藏網站的身份] (../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ! [Tor路徑顯示您的流量被路由通過您的三個Tor節點加上三個額外的Tor節點隱藏網站的身份] (../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor電路路徑與洋蔥服務。 藍色 圍欄中的節點屬於您的瀏覽器,而 紅色 圍欄中的節點屬於伺服器,因此它們的身份對您是隱藏的。
+
+ +## 加密 + +Tor 使用來自出口,中間和入口節點的密鑰對每個封包(傳輸數據區塊)依序進行三次加密。 + +一旦 Tor 構建了電路,數據傳輸將按照以下方式進行: + +1. 首先:當數據包到達入口節點時,第一層加密被移除。 在這個加密封包中,入口節點將找到另一個具有中間節點地址的加密封包。 然後,入口節點將將封包轉發到中間節點。 + +2. 其次:當中間節點從入口節點接收到封包時,它也會利用其密鑰刪除一層加密,找到具有出口節點地址的加密數據包。 然後中間節點將數據包轉發到出口節點。 + +3. 最後:當退出節點收到其數據包時,它將使用其密鑰移除最後一層加密。 出口節點將看到目的地地址,並將封包轉發到該地址。 + +下面是顯示此過程的圖表。 每個節點都會移除自己的加密層,當目的地伺服器傳回數據時,同樣過程會再反向發生。 例如,出口節點不知道你是誰,但它確實知道封包來自哪個節點,因此添加了自己的加密層並將其發送回來。 + +
+ ![Tor 加密](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor 加密](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
通過 Tor 網路發送與接數資料
+
+ +Tor 允許我們連接到伺服器,而不讓任何一方知道完整路徑。 入口節點知道你是誰,但不知道你要去哪裡;中間節點不知道你是誰或你要去哪裡;出口節點知道你要去哪裡,但不知道你是誰。 由於出口節點負責了最終連線,目的地伺服器永遠不會知道您的 IP 位址。 + +## 注意事項 + +雖然 Tor 確實提供了強大的隱私保證,但必須意識到它並不完美: + +- 資金充足的對手有能力被動地觀察全球大多數網絡流量,他們有機會通過先進的流量分析來解除 Tor 用戶的匿名化。 Tor 也不能保護你免於不當地暴露自己,例如你分享了太多關於你真實身份的信息。 +- Tor 出口節點還可以監控通過它們的流量。 這意味著可以記錄和監控未加密的流量,例如純 HTTP 流量。 如果此類流量包含個人身份識別信息,則該出口節點可以將會消除匿名性。 因此,我們建議在可能的情況下使用 HTTPS。 + +如果您希望使用 Tor 瀏覽網頁,我們只建議使用 **官方** Tor 瀏覽器:它旨在防止指紋。 + +- [Tor 瀏覽器 :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## 其他資源 + +- [Tor 瀏覽器用戶手冊](https://tb-manual.torproject.org) +- [ Tor 如何運作 - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor O洋蔥服務- Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: 迴路中的第一個節點被稱為“入口守衛”或“守衛”。 它是一個快速和穩定的中繼站,作迴路中的第一個入口通常會維持 2~3個月,以防止已知的匿名破壞攻擊。 其餘的迴路則會依每次訪問網站而變化,這些中繼節點共同提供Tor 完整隱私保護。 了解更多關於守衛中繼的運作,請參考 [部落格文章](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) 和 [入口守衛論文paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf)。 ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: 中繼標記:迴路位置(例如, “Guard” , “Exit” , “BadExit” ) ,迴路屬性(例如, “Fast” , “Stable” )或角色(例如, “Authority” , “HSDir” )這些中繼節點的特殊( dis- )資格,是由目錄機構分配並在目錄協議規範中進一步定義。 ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/zh-Hant/android.md b/i18n/zh-Hant/android.md new file mode 100644 index 00000000..e8bb56e0 --- /dev/null +++ b/i18n/zh-Hant/android.md @@ -0,0 +1,426 @@ +--- +title: "Android" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Android + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: Google + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: Android + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure PDF Viewer + applicationCategory: Utilities + operatingSystem: Android +--- + +![Android logo](assets/img/android/android.svg){ align=right } + +The **Android Open Source Project** is an open-source mobile operating system led by Google which powers the majority of the world's mobile devices. Most phones sold with Android are modified to include invasive integrations and apps such as Google Play Services, so you can significantly improve your privacy on your mobile device by replacing your phone's default installation with a version of Android without these invasive features. + +[:octicons-home-16:](https://source.android.com/){ .card-link title=Homepage } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=Documentation} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="Source Code" } + +These are the Android operating systems, devices, and apps we recommend to maximize your mobile device's security and privacy. To learn more about Android: + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP Derivatives + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! 備註 + + End-of-life devices (such as GrapheneOS or CalyxOS's "extended support" devices) do not have full security patches (firmware updates) due to the OEM discontinuing support. These devices cannot be considered completely secure regardless of installed software. + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS** is the best choice when it comes to privacy and security. + + GrapheneOS provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security features](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported. + + [:octicons-home-16: Homepage](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS logo](assets/img/android/divestos.svg){ align=right } + + **DivestOS** is a soft-fork of [LineageOS](https://lineageos.org/). + DivestOS inherits many [supported devices](https://divestos.org/index.php?page=devices&base=LineageOS) from LineageOS. It has signed builds, making it possible to have [verified boot](https://source.android.com/security/verifiedboot) on some non-Pixel devices. + + [:octicons-home-16: Homepage](https://divestos.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://divestos.org/index.php?page=privacy_policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://divestos.org/index.php?page=faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/divested-mobile){ .card-link title="Source Code" } + [:octicons-heart-16:](https://divested.dev/index.php?page=donate){ .card-link title=Contribute } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! 警告 + + DivestOS firmware update [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS) and quality control varies across the devices it supports. We still recommend GrapheneOS depending on your device's compatibility. For other devices, DivestOS is a good alternative. + + Not all of the supported devices have verified boot, and some perform it better than others. + +## Android Devices + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![Google Pixel 6](assets/img/android/google-pixel.png){ align=right } + + **Google Pixel** devices are known to have good security and properly support [Verified Boot](https://source.android.com/security/verifiedboot), even when installing custom operating systems. + + Beginning with the **Pixel 6** and **6 Pro**, Pixel devices receive a minimum of 5 years of guaranteed security updates, ensuring a much longer lifespan compared to the 2-4 years competing OEMs typically offer. + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## General Apps + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + **Shelter** is an app that helps you leverage Android's Work Profile functionality to isolate or duplicate apps on your device. + + Shelter supports blocking contact search cross profiles and sharing files across profiles via the default file manager ([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui)). + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! 警告 + + Shelter is recommended over [Insular](https://secure-system.gitlab.io/Insular/) and [Island](https://github.com/oasisfeng/island) as it supports [contact search blocking](https://secure-system.gitlab.io/Insular/faq.html). + + When using Shelter, you are placing complete trust in its developer, as Shelter acts as a [Device Admin](https://developer.android.com/guide/topics/admin/device-admin) to create the Work Profile, and it has extensive access to the data stored within the Work Profile. + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + **Auditor** is an app which leverages hardware security features to provide device integrity monitoring for [supported devices](https://attestation.app/about#device-support). Currently, it only works with GrapheneOS and the device's stock operating system. + + [:octicons-home-16: Homepage](https://attestation.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://attestation.app/about){ .card-link title=Documentation} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="Source Code" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure camera logo](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ align=right } + + **Secure Camera** is a camera app focused on privacy and security which can capture images, videos and QR codes. CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch, and Auto) are also supported on available devices. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/Camera){ .md-button .md-button--primary } + [:octicons-info-16:](https://grapheneos.org/usage#camera){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GrapheneOS/Camera){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! 備註 + + Metadata is not currently deleted from video files but that is planned. + + The image orientation metadata is not deleted. If you enable location (in Secure Camera) that **won't** be deleted either. If you want to delete that later you will need to use an external app such as [ExifEraser](data-redaction.md#exiferaser). + +### Secure PDF Viewer + +!!! recommendation + + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **Secure PDF Viewer** is a PDF viewer based on [pdf.js](https://en.wikipedia.org/wiki/PDF.js) that doesn't require any permissions. The PDF is fed into a [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview). This means that it doesn't require permission directly to access content or files. + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) is used to enforce that the JavaScript and styling properties within the WebView are entirely static content. + + [:octicons-repo-16: Repository](https://github.com/GrapheneOS/PdfViewer){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/GrapheneOS/PdfViewer){ .card-link title="Source Code" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## Obtaining Applications + +### GrapheneOS App Store + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### Aurora Store + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store logo](assets/img/android/aurora-store.webp){ align=right } + + **Aurora Store** is a Google Play Store client which does not require a Google Account, Google Play Services, or microG to download apps. + + [:octicons-home-16: Homepage](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### Manually with RSS Notifications + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. Install [Java JDK](https://www.oracle.com/java/technologies/downloads/). + +2. Download the [Android Studio command line tools](https://developer.android.com/studio#command-tools). + +3. Extract the downloaded archive: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. Run the signature verification command: + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. The resulting hashes can then be compared with another source. Some developers such as Signal [show the fingerprints](https://signal.org/android/apk/) on their website. + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! 備註 + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### Operating Systems + +- 必須是開源軟體。 +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### Devices + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### Applications + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png b/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/zh-Hant/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/zh-Hant/assets/img/android/rss-apk-dark.png b/i18n/zh-Hant/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/zh-Hant/assets/img/android/rss-apk-light.png b/i18n/zh-Hant/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-apk-light.png differ diff --git a/i18n/zh-Hant/assets/img/android/rss-changes-dark.png b/i18n/zh-Hant/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/zh-Hant/assets/img/android/rss-changes-light.png b/i18n/zh-Hant/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/zh-Hant/assets/img/android/rss-changes-light.png differ diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg b/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/zh-Hant/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png b/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/zh-Hant/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/zh-Hant/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/zh-Hant/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/zh-Hant/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/zh-Hant/basics/account-creation.md b/i18n/zh-Hant/basics/account-creation.md new file mode 100644 index 00000000..67910ab8 --- /dev/null +++ b/i18n/zh-Hant/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "帳號創建" +icon: 'material/account-plus' +description: 創建帳戶為實際連線網際網路所必要,請採取下列步驟確保您的線上隱私。 +--- + +人們經常不假思索地註冊網路服務。 這些帳號也許是一個串流媒體服務可觀看人人都在談論的新節目,或是取得喜歡的快餐店折扣。 無論在什麼樣的場景,您都應該考慮現在和以後對個資的影響。 + +在新的服務申請帳號時,都伴著相關風險。 資料洩露;向第三方披露客戶資訊、員工有不當的權限可以訪問所有資料,在給出您的個資時都必須考慮的接下來可能的狀況。 您需要確信足夠信任該服務,這就是為什麼我們建議把重要資料儲放在最成熟且通過測試的產品。 這通常意味著提供 E2EE 並經過加密審計的服務。 審計增加了產品設計的保證,減低因開發人員缺乏經驗所導致的安全問題。 + +某些網路服務並不容易刪除帳號 有時可能會 [覆寫與帳戶相關聯的資料](account-deletion.md#overwriting-account-information) ,但在其他情況下,該服務將保留帳戶變更的完整記錄。 + +## 服務條款 & 隱私權政策 + +服務條款是您在使用服務時同意遵守的規則。 隨著更大的服務,這些規則通常由自動化系統強制執行。 有時這些自動化系統可能會出錯。 例如,您的帳號可能會因為使用 VPN 或 VOIP 號碼而被禁止或無法使用某些服務。 對這種禁令提出上訴通常很困難,而且通常都由系統自動處理而不是人工審核,造成了上訴的困難度。 這也是我們不建議使用 Gmail 作為電子郵件的原因之一。 電子郵件對於訪問您已註冊的其他服務至關重要。 + +隱私權政策是該服務表示他們將如何使用您的數據,因此值得閱讀,以便您了解如何使用您的數據。 公司或組織可能沒有法律義務遵守政策中包含的所有內容(取決於司法管轄區)。 我們建議您了解當地法律以及這些法律允許供應商收集哪些資訊。 + +我們建議您尋找特定的術語,例如「資料收集」、「資料分析」、「Cookie」、「廣告」或「第三方」服務。 有時您可以選擇退出資料收集或拒絕分享資料,但最好從一開始就選擇尊重您隱私權的服務。 + +請記住,您把信任託付給該公司或組織,冀望其真的遵守自己的隱私政策。 + +## 身份驗證方式 + +通常有多種註冊帳戶的方式,每種都有各自的好處和缺點。 + +### 電子郵件和密碼 + +建立新帳戶的最常見方式是使用電子郵件地址和密碼。 使用此方法時,您應該使用密碼管理器,並遵循 [關於密碼的最佳做法](passwords-overview.md) 。 + +!!! 提示 + + 您也可以使用密碼管理器組織其他驗證方式! 只需新增條目並填寫適當的欄位,即可新增安全問題或備份金鑰等事項的備註。 + +您自己負責管理您的登入憑證。 為了增加安全性,您可以在帳戶上設置 [MFA](multi-factor-authentication.md) 。 + +[推薦密碼管理員](../passwords.md ""){.md-button} + +#### 電子郵件別名 + +如果您不想將您的真實電子郵件地址提供給服務,您可以選擇使用別名。 我們在電子郵件服務推薦頁面上更詳細地描述了它們。 基本上,別名服務允許您生成新的電子郵件地址,將所有電子郵件轉發到您的主地址。 這可以幫助防止跨服務跟蹤,並幫助您管理有時會隨註冊過程而來的營銷電子郵件。 這些可以根據它們被發送到的別名自動過濾。 + +如果服務遭到黑客攻擊,您用於註冊的電子郵件可能會收到網絡釣魚或垃圾郵件。 為每個服務使用獨特的別名可以幫助確定哪些服務被駭。 + +[推薦的電子郵件別名服務](../email.md#email-aliasing-services ""){.md-button} + +### 單一登入(Single Sign-On) + +!!! 備註 + + 我們討論的是個人使用的單一登入,而不是企業用戶。 + +單一登入(SSO) 是一種驗證方法,允許您註冊服務,而無需共享太多信息(如果有的話)。 每當您在註冊表單上看到類似「使用 *提供商名稱*登入」時,它就是 SSO。 + +當您在網站中選擇單一登入(Single sign-on )時,它將提示您的 SSO 提供商登入頁面,之後您的帳戶將被連接。 我們不會分享你的密碼,但會分享一些基本資訊(你可以在登入申請期間查看)。 每次您想要登入同一個帳戶時,都需要進行此程序。 + +主要優勢是: + +- **安全性**:沒有涉及 [資料外洩](https://en.wikipedia.org/wiki/Data_breach) 的風險,因為網站沒有儲存您的憑證。 +- **易用性**:多個帳戶由單一登入管理。 + +但也有一些缺陷: + +- **隱私權**: SSO供應商將知道您使用的服務。 +- **集中化**:如果您的SSO帳戶遭到入侵或您無法登錄,則與其相關的所有其他帳戶都會受到影響。 + +SSO在您可以從服務之間更深入的整合中受益的情況下尤其有用。 例如,其中一個服務可能為其他服務提供SSO。 我們建議將SSO限制在您需要的地方,並以 [MFA](multi-factor-authentication.md)保護主帳戶。 + +所有使用 SSO 的服務將與您的 SSO 帳戶一樣安全。 例如,如果您想使用硬件密鑰來保護帳戶,但該服務不支持硬件密鑰,您可以使用硬件密鑰來保護您的SSO帳戶,現在您的所有帳戶上基本上都有硬件MFA。 需要注意的是, 如果你 SSO 帳戶本身的安全性很弱,意味著與該登錄綁定的任何帳戶的安全性也會很弱。 + +### 電話號碼 + +我們建議您避免使用需要電話號碼才能註冊的服務。 電話號碼可以在多個服務中識別您的身份,並且根據數據共享協議,這將使您的使用更容易跟蹤,特別是當其中一個服務被洩漏時,因為電話號碼通常是 **不是** 加密的。 + +如果可以的話,你應該避免透露你的真實電話號碼。 某些服務將允許使用 VOIP 號碼,但這些通常會觸發欺詐偵測系統,導致帳戶被鎖定,因此我們不建議重要帳戶使用此系統。 + +在許多情況下,您需要提供可以接收短信或電話的號碼,特別是在國際購物時,以防您在邊境審查時的訂單出現問題。 服務通常會使用您的號碼作為驗證方式;不要自作聰明使用假的電話號碼,最後讓自己重要的帳戶被鎖定! + +### 使用者名稱與密碼 + +某些服務允許您在不使用電子郵件地址的情況下註冊,並且只需要您設置用戶名稱和密碼。 當與 VPN 或 Tor 結合時,這些服務可能會提供更高的匿名性。 請記住,對於這類型的帳號,如果你忘記了你的用戶名或密碼,很可能會有**沒有辦法恢復你的帳號**。 diff --git a/i18n/zh-Hant/basics/account-deletion.md b/i18n/zh-Hant/basics/account-deletion.md new file mode 100644 index 00000000..57e4ea48 --- /dev/null +++ b/i18n/zh-Hant/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "刪除帳戶" +icon: 'material/account-remove' +description: 一般人很容易累積大量的網路服務帳戶,這裏有一些如何順理這些資料的小訣竅。 +--- + +隨著時間的推移,一般人很容易地積累一些網路帳戶,但可能其中有不少早已不再使用。 刪除這些未使用的帳戶是收回隱私的重要一步,因為休眠帳戶容易受到數據洩露的影響。 資料外洩是指服務的安全性受到破壞,受保護的資訊被未經授權的行為者檢視、傳輸或竊取。 不幸的是近來資料外洩事件 [已見怪不怪](https://haveibeenpwned.com/PwnedWebsites) ,保持良好的數位清潔才能減輕資料外洩對個人生活的衝擊。 本指南的目標是幫助您通過令人討厭的帳戶刪除過程----通常由 [欺騙性設計](https://www.deceptive.design/)讓刪除困難,以改善您的網路現身。 + +## 查找舊帳戶 + +### 密碼管理器。 + +如果您使用一個貫穿整個數位生活的密碼管理器,這部分將非常容易。 通常,它們包括內置功能,用於檢測您的憑證是否在資料洩露中暴露-例如Bitwarden的 [資料洩露報告](https://bitwarden.com/blog/have-you-been-pwned/)。 + +
+ ![Bitwarden's 資料外洩報告特色](../assets/img/account-deletion/exposed_passwords.png) +
+ +即使您之前沒有明確使用過密碼管理器,但可能在無意中早已透過瀏覽器或手機中使用了密碼管理器。 例如: [Firefox 密碼管理器](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins)、 [Google 密碼管理器](https://passwords.google.com/intro) 和 [Edge 密碼管理器](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)。 + +桌面平臺通常還有一個密碼管理器,可以幫助您恢復忘記的密碼: + +- Windows [憑證管理器r](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [密碼](https://support.apple.com/en-us/HT211145) +- iOS [密碼](https://support.apple.com/en-us/HT211146) +- Linux , Gnome Keyring ,可以通過 [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) 或 [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)訪問 + +### 電子郵件 + +如果您過去沒有使用密碼管理員,或者您認為您的帳戶從未被添加到密碼管理員,另一個選項是搜索您認為已註冊的電子郵件帳戶。 在電子郵件用戶端上,搜尋「驗證」或「歡迎」等關鍵字。 幾乎每次你建立線上帳戶時,該服務都會向你的電子郵件發送驗證連結或介紹訊息。 這可能是找到舊的,被遺忘的帳戶的好方法。 + +## 刪除舊帳戶 + +### 登入 + +若要刪除舊帳戶,您必須先確認能夠登入帳戶。 同樣,如果帳戶在您的密碼管理員中,則此步驟很簡單。 如果沒有,你可以試著猜測你的密碼。 否則,通常有選項可以重新訪問您的帳戶,通常可以通過登錄頁面的「忘記密碼」鏈接來獲得。 您放棄的帳戶也可能已被刪除:有時服務會自動刪除所有舊帳戶。 + +嘗試重新取得存取權時,如果網站傳回錯誤訊息,表示電子郵件未與帳戶關聯,或在多次嘗試後您從未收到重設連結,則您沒有該電子郵件地址下的帳戶,應嘗試其他帳戶。 如果您無法確定使用了哪個電子郵件地址,或者您無法再存取該電子郵件,您可以嘗試聯絡該服務的客戶支援。 不幸的是,我們無法保證您能夠恢復訪問您的帳戶。 + +### GDPR (僅限歐洲經濟區居民) + +歐盟居民在資料刪除上享有額外權利,其詳見於 GDPR [第 17 條](https://www.gdpr.org/regulation/article-17.html)規定。 如果適用於您,請閱讀任何特定服務的隱私權政策,以查找有關如何行使刪除權利的資訊。 閱讀隱私政策可能很重要,因為某些服務的「刪除帳戶」選項,實際上只是停用您的帳戶,若要真正刪除,您必須採取額外行動。 有時,刪除過程中可能需填寫調查、向服務商的資料保護人員發送電子郵件,甚至提出您為歐盟居民的證明。 如果您打算這樣做,請 **不要** 覆寫帳戶資訊-可能需要歐盟居民身份。 請注意,服務的位置並不重要; GDPR 適用於為歐盟用戶服務的任何人。 若服務商不願尊重您請求刪除的權利,可聯絡所在國的[官方資料保護機關](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en),您可能有權請求金錢賠償。 + +### 覆寫帳戶資訊 + +在某些情況下,可以採用虛假資料來覆蓋帳戶的信息。 當您登入後,請將帳戶中的所有資訊變更為偽造資訊。 原因是許多網站甚至在帳戶刪除後仍會保留您之前擁有的資訊。 希望他們會用你輸入的最新數據覆蓋之前的信息。 但是,無法保證不會有先前信息的備份。 + +對於帳戶電子郵件,請通過您選擇的提供商創建新的替代電子郵件帳戶,或使用 [電子郵件別名服務](../email.md#email-aliasing-services)創建別名。 完成後,您可以刪除替代電子郵件地址。 我們建議您不要使用臨時電子郵件提供商,因為通常可以重新啟用臨時電子郵件。 + +### 刪除帳戶 + +您可以檢查 [JustDeleteMe](https://justdeleteme. xyz) 以獲取有關刪除特定服務帳戶的指示。 有些網站會慷慨地提供「刪除帳戶」選項,而其他網站則會強迫您與支援人員交談。 刪除過程可能因網站而異,有些網站無法刪除帳戶。 + +對於不允許帳戶刪除的服務,最好的做法是偽造前面提到的所有信息,並加強帳戶安全性。 爲此,啓用 [MFA](multi-factor-authentication.md) 和提供的任何額外安全功能。 此外,請將密碼更改為隨機生成的最大允許大小的密碼( [密碼管理器](../passwords.md) 對此很有用)。 + +如果您確信您關心的所有資訊都已被刪除,您可以放心地忘記此帳戶。 如果沒有,最好將憑證與其他密碼一起儲存,並偶爾重新登錄以重設密碼。 + +即使您能夠刪除帳戶,也無法保證您的所有信息都將被刪除。 事實上,法律要求一些公司保留某些信息,特別是與金融交易有關的信息。 當涉及到網站和雲端服務時,您的數據會發生什麼事情,這在很大程度上是您無法控制的。 + +## 避免註冊新帳戶 + +俗話說:「預防更勝治療。」 每當你覺得想要註冊一個新帳戶時,問問自己:「我真的需要註冊這個嗎? 有不需要註冊的替代方案嗎?」 刪除一個帳戶通常比創建一個帳戶要困難得多。 即使刪除或更改帳戶上的資訊,也可能有來自第三方的緩存版本,例如 [Internet Archive](https://archive.org/)。 如果可能的話,不要隨便註冊帳號-未來的你會感謝你現在的決定! diff --git a/i18n/zh-Hant/basics/common-misconceptions.md b/i18n/zh-Hant/basics/common-misconceptions.md new file mode 100644 index 00000000..926d2e3d --- /dev/null +++ b/i18n/zh-Hant/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "常見的迷思" +icon: 'material/robot-confused' +description: 隱私並不是一個直覺的話題,它容易遭行銷話術與其它虛假訊息的綁架。 +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: 開源軟件本質上安全嗎? + acceptedAnswer: + "@type": Answer + text: | + 源代碼是否可公開取得以及軟件本身的授權條件並不會影響其安全性。 開源軟件可能比商有軟件更安全,但這點並非絕對保證。 評估軟體時,應該根據個別情況來評估每個工具的聲譽和安全性。 + - + "@type": Question + name: 將信任轉移到另一個提供商可以增加隱私嗎? + acceptedAnswer: + "@type": Answer + text: | + 在討論 VPN 等解決方案時,我們經常談到「轉移信任」 (將您對 ISP 的信任轉移到 VPN 提供商)。 雖然這可以特別保護瀏覽數據免受 ISP 影響,但挑選的 VPN 提供商仍然可以訪問您的瀏覽數據:資料並非得到完全保護。 + - + "@type": Question + name: 以隱私為中心的解決方案本質上可信賴嗎? + acceptedAnswer: + "@type": Answer + text: | + 僅專注於單一工具或提供商的隱私政策和營銷可能會讓您忽視其弱點。 當您正在尋找更私密的解決方案時,您應該確定潛在的問題是什麼,並找到該問題的技術解決方案。 例如,您可能希望避免 Google 雲端硬碟,這會讓 Google 存取您的所有資料。 這種情況下潛在的問題是缺乏E2EE ,因此應確保切換的提供商有真地落實 E2EE ,或者使用雲端服務商提供的 E2EE 工具(如Cryptomator )。 轉換到“以隱私為中心”的提供商(其不用 E2EE )不能解決您的問題:它只是將信任從 Google 轉移到該供應商。 + - + "@type": Question + name: 我的威脅模型需要多複雜? + acceptedAnswer: + "@type": Answer + text: | + 我們經常看到人們描述過於複雜的隱私威脅模型。 通常,這些解決方案包括許多不同的電子郵件帳戶或具有許多移動部件和條件的複雜設置等問題。 答案通常是“做 X 的最佳方式是什麼?” + 為自己找到“最佳”解決方案並不一定意味著您正在尋找具有數十種條件的絕對解決方案-這些解決方案通常很難實際使用。 正如先前所討論的,安全性通常是以方便為代價。 +--- + +## 「開源軟體永遠是安全的」或「商業軟體更安全」 + +這些迷思源於許多偏見,原始碼是否開放以及軟體的許可並不會以任何方式影響其安全性。 ==開源軟件 *可能* 比商業軟件更安全,但絕對不能保證這一點。==評估軟體時,您應該根據每個工具的聲譽和安全性進行評估。 + +開源軟體*能夠*由第三方人員進行審計,比起同類商用軟體,前者對待潛在漏洞更為透明。 它還允許您查看代碼並禁用您發現的任何可疑功能。 然而,*除非您真的這樣做了*,否則不能保證程式碼曾經被評估過,特別是小型軟體專案。 開放的發展過程有時會遭利用,甚至在大型專案中被引入新的漏洞。 + +另一方面,專有軟件不太透明,但這並不意味著它不安全。 主要的商用軟件專案會由內部和第三方機構進行審計,獨立的安全研究人員仍然可以通過逆向工程等技術發現漏洞。 + +避免決策上的偏見,這點在評估所使用軟體的隱私與安全標準上至關重要。 + +## 「信任的轉移可以增加隱私」 + +在討論 VPN 等解決方案時,我們經常談到「轉移信任」 (將您對 ISP 的信任轉移到 VPN 提供商)。 雖然這可以保護您的瀏覽資料免受 *特定* ISP 的侵害,但您選擇的 VPN 提供商仍然可以訪問您的瀏覽數據:您的資料並非完全受到各方的保護。 這意味著: + +1. 把信任轉付給挑選的服務供應商時,您必須謹慎行事。 +2. 您應該利用其它技巧,如 E2EE 來完全保護您的資料。 僅因個別供應商的信任與否,並不能確保資料的安全。 + +## 「以隱私為中心的解決方案本質上是值得信賴的」 + +僅專注於單一工具或提供商的隱私政策和營銷可能會讓您忽視其弱點。 當您正在尋找更私密的解決方案時,您應該確定潛在的問題是什麼,並找到該問題的技術解決方案。 例如,您可能希望避免 Google 雲端硬碟,這會讓 Google 存取您的所有資料。 這種情況的問題是缺乏 E2EE ,因此您應該確保您轉換的供應商真正實現了E2EE ,或者使用可在任何雲提供商安裝 E2EE 的工具(如 [Cryptomator](../encryption.md#cryptomator-cloud))。 轉換到“以隱私為中心”的提供商(其不用 E2EE )不能解決您的問題:它只是將信任從 Google 轉移到該供應商。 + +您選擇的供應商的隱私政策和商業實踐非常重要,但應視為隱私技術保證的次要條件:當無須信任供應商時,您不必將信任轉移到另一個供應商。 + +## 「愈複雜愈好」 + +我們經常看到人們描述過於複雜的隱私威脅模型。 通常,這些解決方案包括許多不同的電子郵件帳戶或具有許多移動部件和條件的複雜設置等問題。 答案通常是“做 * X *的最佳方式是什麼?” + +為自己找到“最佳”解決方案並不一定意味著您正在尋找具有數十種條件的絕對解決方案-這些解決方案通常很難實際使用。 正如先前所討論的,安全性通常是以方便為代價。 下面,我們提供一些訣竅: + +1. == 行動需要達到特定的目的:== 想想如何用最少的行動做到想做的事。 +2. ==移除人類的失敗點:== 人總會失敗、疲倦、忘記事情。 要保持安全性,請避免依賴大腦記憶的手動條件和流程。 +3. = =使用您要想的適當保護等級。== 我們經常看到所謂的執法或傳票證明解決方案的建議。 這些通常需要專業知識,通常不是人們想要的。 建立一個複雜的匿名威脅模型是沒有意義的,如果您的行為容易地被一個簡單的監督去匿名化。 + +那麼,這看起來會怎麼樣? + +最清晰的威胁模型之一是,部分人*,知道你是谁* ,而另一部分人不知道。 有些必須提出您的法定姓名的情況,但也有其他情況不需要提供全名。 + +1. **已知身份** - 已知身份是用于必須告之姓名的事務。 有許多法律文件和合同需要合法身份。 這可能包括開設銀行帳戶、簽署財產租賃、獲得護照、進口物品時的海關申報,或其他與政府打交道的方式。 這些東西通常會需要憑證,如信用卡,信用評級檢查,帳戶號碼,以及實際地址等。 + + 我們不建議您使用 VPN 或 Tor 來處理這些事情,因為您的身份已經通過其他方式被對方知道。 + + !!! 訣竅 + + 在網上購物時,使用[包裹儲物櫃] (https://zh.wikipedia.org/wiki/Parcel_locker)有助於保護您實際地址的私密性。 + +2. **未知身份** - 未知身份可能是您經常使用的穩定假名。 它已不算匿名了,因為不會變動。 如果您是線上社群的一員,您可能希望保留其他人知道的角色。 這個假名不是匿名的,因為如果監控時間足夠長,關於所有者的詳細信息可以透露更多信息,例如他們的寫作方式,他們對感興趣主題的一般知識等。 + + 您可能希望使用 VPN 來隱藏您的 IP 地址。 金融交易更難掩蓋:您可以考慮使用匿名加密貨幣,例如 [Monero](https://www.getmonero.org/)。 採用山寨幣轉移也可能有助於偽裝您的貨幣來源。 通常情況下,交易所需要完成 KYC (了解您的客戶) ,然後才能將法定貨幣兌換為任何類型的加密貨幣。 線下操作也可能是一個解決方案;然而,這些往往更昂貴,有時也需要 KYC。 + +3. **匿名身份** - 即使有經驗的專家,也很難長時間保持一個帳號的匿名性。 它們應該是短期和短暫的身份,定期輪流。 + + 使用 Tor 可以幫助我們做到這一點。 同樣值得注意的是,通過異步溝通可以實現更大的匿名性:實時溝通容易受到打字模式分析的影響(即不止一段文字,在論壇上分發,通過電子郵件等)。 + +[^1]: 一個值得注意的例子是 [發生在2021年,明尼蘇達大學的研究人員在 Linux 內核開發項目中引入了三個漏洞](https://cse.umn.edu/cs/linux-incident). diff --git a/i18n/zh-Hant/basics/common-threats.md b/i18n/zh-Hant/basics/common-threats.md new file mode 100644 index 00000000..2deb09bd --- /dev/null +++ b/i18n/zh-Hant/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "常見威脅" +icon: 'material/eye-outline' +description: 您的威脅模型雖說是個人的事,但它也是本站許多訪客關心的課題。 +--- + +廣義來講,我們將建議歸類為適用於大多數人的 [威脅](threat-modeling.md) 或目標。 您可能會在意各種可能性的組合,而選用的工具和服務則取決於您的目標何在。 您也可能有超出這些類別之外的特定威脅,這完全有可能! 重要的是要了解您選擇使用的工具的好處和缺點,因為幾乎沒有一種工具可以保護您免受任何威脅。 + +- :material-incognito: 匿名 -保護您的在線活動免受您真實身份影響,保護您防範某些企圖揭露 *您* 身份的侵害。 +- :material-target-account: 針對性的攻擊 -保護免受駭客或其他惡意行為者的攻擊,他們正試圖存取訪問 *您的* 資料或設備。 +- :material-bug-outline: 被動攻擊 -保護免受惡意軟體、數據洩露和其他同時針對多人的攻擊。 +- :material-server-network: 服務供應商 - 保護您的資料免受服務供應商侵害(例如,使用 E2EE ,使您保存在伺服器的資料無法被他人讀取)。 +- :material-eye-outline: 大規模監控 -保護您免受政府機構、組織、網站和服務共同追蹤您的活動。 +- :material-account-cash: 監控資本主義 - 保議自己不會被 Google, Facebook 等大型網路廣告以及其它無數第三方資料收集者監控。 +- :material-account-search: 公開曝光 -限制搜尋引擎或一般大眾可在網路上找到有關您的資訊。 +- :material-close-outline: 審查 -避免資訊被封鎖或自己的網路發言時受到審查。 + +其中一些威脅對您來說可能比其他威脅更嚴重,這取決於您的具體問題。 例如,有權訪問有價值或重要資料的開發人員可能主要關注 :material-target-account: 針對性攻擊,但他們仍然希望保護自己的個資免受 :material-eye-outline: 大規模監控 計劃的影響。 同樣,許多人主要關心其個人資料的 :material-account-search: 公開曝光 ,但他們仍應該警惕聚焦安全的問題,例如 :material-bug-outline: 被動攻擊-例如惡意軟件影響他們的設備。 + +## 匿名 vs. 隱私 + +:material-incognito: 匿名性 + +匿名通常與隱私相混淆,但它們是不同的概念。 隱私是您對如何使用和共享資料所做出的一系列選擇,而匿名是將您的線上活動與真實身份完全分離。 + +舉例來說,揭密者和記者會需要一個更極端、要求完全匿名的威脅模型。 這不僅隱藏了他們所做的事情、擁有的資料,不會被惡意行為者或政府駭客入侵,而且還完全隱暪了他們的身份。 他們經常需犧牲任何形式的便利,以保護自身的匿名性,隱私或安全,因為很可能事關自己的性命。 大多數人都不需要那樣。 + +## 安全與隱私 + +:material-bug-outline: 被動攻擊 + +安全性和隱私也經常被混淆,因為您需要安全性來獲得任何形式的隱私:使用的工具----即便設計私密----但若很容易地受到攻擊者造成資料外洩,一切就是白廢了。 然而,相反的情況並不一定成立:世界上最安全的服務 *不一定是* 私密。 最好的例子是信任把資料交給 Google,因為它們規模龐大聘請業界領先的安全專家來保護其基礎設施,幾乎沒有發生過安全事故。 儘管 Google 提供了非常安全的服務,但很少有人會認為在Google 免費消費產品(Gmail、YouTube 等)中的資料是私有的。 + +當涉及到應用程式安全性時,我們通常不知道(有時甚至無法)使用的軟體是否是惡意或者有一天它會變成惡意。 即使是最值得信賴的開發人員,也無法保證他們的軟體沒有嚴重的漏洞有一天會被利用。 + +減少惡意軟體*可能造成的破壞* ,最好能落實安全劃分方案。 例如,用不同電腦作不同的事、利用虛擬器來分組不同的相關應用程式,或者使用一個高集中的應用程式沙盒和強制訪問控制的安全操作系統。 + +!!! 提示 + + 行動作業系統通常具有比桌面作業系統具備更好的應用程式沙盒:應用程式沒有根存取權限,且需要存取系統資源的權限。 + + 桌面操作系統通常在適當的沙盒化上落後。 ChromeOS 具備與 Android 相似的沙盒功能, macOS 具有完整的系統權限控制(開發人員可以選擇為應用程式加入沙盒)。 然而,這些作業系統確實會將識別資料傳回給各自的原始設備製造商。 Linux 傾向於不對系統供應商提交資料,但它在漏洞和惡意應用程式的保護很差。 這可以通過專門的發行版來緩解,這些發行版大量使用虛擬器或容器,例如 [Qubes OS] (../../desktop/# qubes-os )。 + +:material-target-account: 目標攻擊 + +針對特定人士的針對性攻擊更難處理。 常見的攻擊包括通過電子郵件發送惡意文件、利用(瀏覽器和操作系統的)漏洞以及物理攻擊。 如果這是您擔心這點,應該採用更先進的威脅減輕策略。 + +!!! 提示 + + 在設計上, * *網頁瀏覽器* *、* *電子郵件用戶端* *和* *辦公室應用程式* *常常運行第三方發送無法信任的代碼。 運行多個虛擬器-將這些應用程序與主機系統相互分開,此技術可減少系統遭到應用程序攻擊的機會。 例如, Qubes OS 或 Windows 上的 Microsoft Defender Application Guard 等技術提供了方便的作法。 + +若您特別擔心 **物理攻擊**,就應選用具安全驗證開機的作業系統,例如 Android, iOS, macOS, 或[Windows (帶 TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process)。 應確保您的驅動器是加密的,並且操作系統使用 TPM或 Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) 或 [Element](https://developers.google.com/android/security/android-ready-se) 來限制輸入加密密碼的嘗試率。 您應該避免與不信任的人共享您的電腦,因為大多數桌面作業系統不會單獨加密每個用戶的數據。 + +## 服務供應商的隱私權 + +:material-server-network: 服務提供商 + +我們活在一個幾乎所有東西都連上網際網路的世界。 我們的「私人」訊息、電子郵件和社交互動通常儲存在伺服器的某個地方。 通常,當您向某人發送訊息時,它會儲存在伺服器上,當對方想要閱讀訊息時,伺服器會將其顯示給他們。 + +顯而易見的問題是,服務提供商(或破壞伺服器的黑客)可以隨時隨地訪問您的對話,而您永遠不會知道。 這適用在許多常見服務,如 SMS 簡訊、Teleram 和 Discord。 + +慶幸的是, E2EE 可以加密您與收件人之間的通信,甚至在訊息送到伺服器之前,緩解此問題。 假設服務提供商無法訪問任何一方的私鑰,您的訊息保密性得到保證。 + +!!! 備註 "Web 加密備註" + + 實際上,不同 E2EE 操作的效力各不相同。 應用程式,例如 [Signal](../real-time-communication.md#signal) ,會在您的裝置上原生執行,且此應用程式在不同設備的安裝上都是如此。 如果服務提供商在他們的應用程序中引入 [後門](https://zh.wikipedia.org/wiki/Backdoor_(computing) ----試圖竊取您的私鑰----它稍後可以通過[逆向工程] (https://zh.wikipedia.org/wiki/Reverse_engineering )檢測。 + + 另一方面,執行網頁 E2EE,例如 Proton Mail 的網頁郵件或Bitwarden 的* Web Vault * ,依靠伺服器動態地向瀏覽器提供JavaScript 代碼來處理加密。 惡意伺服器可以針對您發送惡意 JavaScript 代碼以竊取您的加密密鑰(這將非常難以察覺)。 因為伺服器可以選擇為不同的人提供不同的網頁用戶端,即使您注意到攻擊也很難證明提供商有罪。 + + 因此,您應該盡可能使用原生軟體程式多於網頁客戶端。 + +即便使用 E2EE ,服務商仍然可以對 **元數據**進行分析,這通常不受保護。 雖然服務提供商無法讀取您的訊息,但他們仍然可以觀察重要的事情,例如您正在與誰交談、傳送訊息的頻率以及使用活躍時段。 元數據的保護不多,如果它在您的 [威脅模型](threat-modeling.md)中,就應該密切注意使用軟體的技術文檔,看看元數據是否最小化或任何保護。 + +## 大規模監督計劃 + +:material-eye-outline: 大規模監測 + +大規模監控是對全體 (或其中某一群特定)人群進行錯綜複雜的監視活動。[^1] 它通常是指政府項目,例如由[Edward Snowden 在 2013](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present))所揭露的內幕。 然而,它也可以由公司代表政府機構或由他們自己主動進行。 + +!!! 摘要"監控地圖集" + + 如果您想進一步了解監控方法及其在您所在城市的實施方式,您也可以查看[電子前鋒基金會 EFF] (https://www.eff.org/)的[監控地圖集] (https://atlasofsurveillance.org/)。 + + 在法國,您可以看看非營利組織 La Quadrature du Net 維護的 [Technolopolice 網站] (https://technopolice.fr/villes/ )。 + +政府常認為大規模監控計劃是打擊恐怖主義和預防犯罪的必要手段。 然而,少數羣體和政治異見人士最常遭受不成比例地人權侵害。 + +!!! 美國自由民權聯盟 ACLU: [*9/11 的隱私教訓:大規模監控不是前進的道路*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward) + + 面對[愛德華·斯諾登( Edward Snowden )披露的 [PRISM]( https://en.wikipedia.org/wiki/PRISM )和 [Upstream]( https://en.wikipedia.org/wiki/Upstream_collection )]等政府計劃,情報官員承認,國家安全局多年來一直祕密地收集每個美國人電話的記錄—誰在打電話,何時打電話,以及通話時間多久。 當 NSA 日復一日地收集這類資訊時,就可以揭示人們生活相關聯的敏感細節,例如他們是否打電話給牧師、墮胎提供者、成癮顧問或自殺熱線。 + +儘管在美國有越來越多的大規模監控,政府卻發現像依 215 條採取的監控計畫在阻卻犯案與恐怖陰謀上沒有實用價值,它們幾乎只是重複著 FBI 所做的特定監控計畫而已。[^2] + +在網上,您可以通過各種方法進行追蹤: + +- 您的 IP 地址 +- 瀏覽器 cookie +- 您提交到網站的資料 +- 您的瀏覽器或裝置指紋 +- 付款方式關聯 + +\ [此列表並非詳盡無缺]。 + +如果您擔心大規模監控計劃,您可以隨時隨地策略性避免提供識別個資,例如劃分您的網路身份,與其他用戶混合。 + +:material-account-cash: 監控資本主義 + +> 監控資本主義的核心是獲取個人資料並將之商品化,以謀求最大利潤的經濟體系。[^3] + +對於許多人來說,私人公司的追蹤和監視是一個越來越令人擔憂的問題。 無處不在的廣告網絡,例如 Google 和 Facebook 運營的廣告網絡,跨越網際網路遠超過他們控制的網站,在跟蹤您的行為。 使用內容攔截工具來限制對伺服器的請求、閱讀了解所用服務的隱私政策,都有助於避開許多基本對手 (雖然這不能完全防止跟蹤)。[^4] + +此外,即使是 *AdTech* 或追蹤行業以外的公司,也可以與 [資料掮客](https://en.wikipedia.org/wiki/Information_broker) (如Cambridge Analytica、Experian 或 Datalogix )或其他方共享您的資料。 您無法自行假設您的資料是安全的,因為您使用的服務不屬於典型的 AdTech 或跟蹤商業模式。 對抗企業資料收集最好的保護是盡可能加密或混淆您的數據,讓不同的供應商難以將資料相互關聯去建立您的個人剖繪。 + +## 限制公共資訊 + +:material-account-search: 公共曝露 + +保持資料私密性的最佳方法是根本不要公開它。 刪除網路上有關您現已不用的資訊是恢復隱私的最佳第一步。 + +- [查看帳戶刪除指南 :material-arrow-right-drop-circle:](account-deletion.md) + +對於您分享資訊的網站,檢查帳戶的隱私設定以限制資料傳播的範圍非常重要。 例如,如果提供選項,請在您的帳戶上啟用「私人模式」:這可確保您的帳戶不會被搜尋引擎編入索引,而且在未經您的許可下無法查看。 + +如果您已經將真實資訊提交給不應該擁有該資訊的網站,請考慮使用虛假策略,例如提交該網路身份的虛構資訊。 這使得您的真實資訊無法與虛假資訊作區分。 + +## 避免審查 + +:material-close-outline: 審查 + +網口審查包括由極權主義政府、網路管理員和服務提供商等所進行的行為(在不同程度上)。 這些試圖控制通訊與限縮資料取用的作為,往往不見容於意見自由的基本人權。[^5] + +對企業平臺的審查越來越普遍,如Twitter 和 Facebook 等平臺屈服於公眾需求、市場和政府機構的壓力。 政府對企業的施壓可能是隱蔽的,例如白宮私下 [要求拿掉](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) 某個勯動的 Youtube 影片,或是公開者如中國政府命令企業要遵循嚴厲的審查制度。 + +關注審查威脅的人可以使用像 [Tor](../advanced/tor-overview.md) 這樣的技術來規避它,並支持像 [Matrix](../real-time-communication.md#element)這樣的抗審查通信平臺,該平臺沒有可以任意關閉帳戶的集中帳戶權限。 + +!!! 提示 + + 雖然很容易避掉審查,但隱藏您正在做的事可就沒那麼簡單了。 + + 您應該考慮可讓對手觀察哪些網路行為,以及能否對這些行為有合理的否認說辭。 例如,使用[加密 DNS ] (../advanced/dns-overview.md#what-is-encrypted-dns)可以幫助您繞過對 DNS 基本審查系統,但它無法對 ISP 隱藏您正在訪問的內容。 VPN 或 Tor 有助於向網路管理員隱藏您正在訪問的內容,但無法隱藏您正在使用 VPN 或 Tor 。 可插拔傳輸(例如 Obfs4proxy、Meek 或 Shadowsocks )可以幫助您避開阻擋常見VPN 協議或 Tor 的防火牆,但仍然可以通過探測或[深度封包檢查] (https://en.wikipedia.org/wiki/Deep_packet_inspection)等方法檢測您嘗圖作的規避。 + +您必須考慮試圖繞過網路審查的風險、潛在的後果以及您的對手可能很經驗老道。 您應該謹慎選擇軟件,並制定備份計劃以防被抓住。 + +[^1]: 維基百科: [*大型監控*](https://en.wikipedia.org/wiki/Mass_surveillance) 與 [*監控*](https://en.wikipedia.org/wiki/Surveillance). +[^2]: 美國隱私和公民自由監督委員會: [*根據第 215 條進行的電話記錄計劃的報告*](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^3]: 維基百科: [*監控資本主義*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: “[枚舉壞處](https://www.ranum.com/security/computer_security/editorials/dumb/)” (或“列出所知的全部壞事” ),未能充分保護您免受新的和未知的威脅,因為許多廣告攔截程式和防病毒程式尚未被添加到過濾器列表。 您還應採用其他緩解技術。 +[^5]: 聯合國: [*《世界人權宣言》*](https://www.un.org/en/about-us/universal-declaration-of-human-rights). diff --git a/i18n/zh-Hant/basics/email-security.md b/i18n/zh-Hant/basics/email-security.md new file mode 100644 index 00000000..b488aa5c --- /dev/null +++ b/i18n/zh-Hant/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: 電子郵件安全 +icon: material/email +description: 從許多方面來看電子郵件本質上是不安全的,這也是它並非安全通信首選的原因。 +--- + +電子郵件本身即非安全的通訊形式。 您可以使用 OpenPGP 等工具提高電子郵件安全性,這些工具為您的消息添加端到端加密,但與其他消息傳遞應用程序中的加密相比, OpenPGP 仍然存在許多缺點,而且由於電子郵件的設計方式,某些電子郵件數據永遠不會加密。 + +因此,電子郵件最適合用於從您在線註冊的服務接收交易性電子郵件(如通知、驗證電子郵件、密碼重置等),而不是用於與他人溝通。 + +## 郵件是如何加密的 + +將 E2EE 添加到不同電子郵件提供商之間的電子郵件的標準方法是使用 OpenPGP。 OpenPGP 標準有不同的實現,最常見的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 + +還有另一種標準被稱為 [S/MIME](https://en.wikipedia.org/wiki/S/MIME),但它需要由 [憑證機構](https://en.wikipedia.org/wiki/Certificate_authority) 頒發的憑證(並非所有憑證都發行S/MIME憑證)。 它支持 [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) 和 [Outlook for Web或Exchange Server 2016 , 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480)。 + +即使您使用OpenPGP ,它也不支持 [向前保密](https://en.wikipedia.org/wiki/Forward_secrecy),這意味著如果您或收件人的私鑰被盜,所有先前加密的消息都將被曝光。 這就是為什麼我們建議 [即時通訊](../real-time-communication.md) ,只要有可能,就實現電子郵件的前向保密性,以進行個人對個人的通信。 + +### 哪些郵件客戶端支持 E2EE? + +電子郵件服務供應商讓您能使用標準訪問協議如 IMAP 與SMTP,以便應用[我們推薦的電子郵件客戶端軟體](../email-clients.md)。 根據驗證方法的不同,如果提供者或電子郵件用戶端不支持OAT或橋接應用程序,這可能會導致安全性降低,因為 [多因素驗證](multi-factor-authentication.md) 在純密碼驗證中是不可能的。 + +### 我要怎樣保護自己的私密鑰匙? + +安全鑰卡 (例如 [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) 或 [Nitrokey](https://www.nitrokey.com)) 可在設備 (手機、平板或桌機等 ) 的電子郵件軟體或網頁電郵上收取加密的郵件訊息。 安全鑰卡會解密該訊息再把解開的內容傳到設備。 + +在智能卡上進行解密是有利的,以避免可能將您的私鑰暴露在受損的設備上。 + +## 電子郵件元資料概覽 + +電子郵件中繼資料儲存在電子郵件的 [個訊息標題](https://en. wikipedia. org/wiki/Email#Message_header) 中,並包含您可能已經看到的一些可見標題,例如: `To`、 `From`、 `Cc`、 `Date`、 `Subject`。 許多電子郵件客戶端和提供商還包含一些隱藏的標題,可以揭示有關您的帳戶的信息。 + +客戶端軟體可能會使用電子郵件中繼資料來顯示來自誰以及收到訊息的時間。 服務器可以使用它來確定電子郵件消息必須發送的位置,其中 [個其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 並不總是透明的。 + +### 誰可以查看電子郵件中繼資料? + +電子郵件元數據受到外部觀察者的保護, [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) 保護它免受外部觀察者的影響,但它仍然能夠被您的電子郵件客戶端軟件(或網絡郵件)和任何伺服器看到,將您的消息轉發給任何收件人,包括您的電子郵件提供商。 有時,電子郵件伺服器也會使用第三方服務來防範垃圾郵件,垃圾郵件通常也可以訪問您的郵件。 + +### 爲什麼元數據不能是E2EE ? + +電子郵件元數據對於電子郵件最基本的功能(它來自何處,以及它必須去向何處)至關重要。 E2EE 最初並未內建於電子郵件協議中,而是需要像 OpenPGP 這樣的附加軟件。 由於 OpenPGP 訊息仍必須與傳統的電子郵件供應商合作,因此它無法加密電子郵件元數據,只能加密訊息正文本身。 這意味著即使在使用 OpenPGP 時,外部觀察者也可以看到關於您的消息的大量信息,例如您正在發送電子郵件的人,主題行,當您發送電子郵件時等。 diff --git a/i18n/zh-Hant/basics/multi-factor-authentication.md b/i18n/zh-Hant/basics/multi-factor-authentication.md new file mode 100644 index 00000000..b54b67e9 --- /dev/null +++ b/i18n/zh-Hant/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "多重身分驗證" +icon: 'material/two-factor-authentication' +description: MFA是保護您線上帳戶的關鍵安全機制,但有些方法比其他方法更強大。 +--- + +**多因素認證**(**MFA**)是一種安全機制,除了輸入用戶名(或電子郵件)和密碼之外,還需要其他步驟。 最常見的方法是您會從簡訊或應用程式收到的有時間限制的代碼。 + +通常情況下,如果駭客(或任何想要盜取您帳號的人)能夠找出您的密碼,那麼他們將獲得密碼屬於的帳戶的存取權。 MFA 的帳戶迫使駭客同時擁有密碼(您 *知道*的東西)和您擁有的設備(您 *擁有*的東西),例如您的手機。 + +不同 MFA 方式的安全性各不相同,但整體來說,讓攻擊者越難訪問您的 MFA 方法越好。 MFA 方式(從最弱到最強)的例子包括簡訊,電子郵件代碼,應用推送通知, TOTP , Yubico OTP 和 FIDO。 + +## MFA 方式的比較 + +### 簡訊或 Email 多重身分驗證 + +透過簡訊或電子郵件接收 OTP 代碼是透過 MFA 保護帳戶安全的最弱方法之一。 通過電子郵件或簡訊接收驗證碼動搖了*"持有安心*”的概念,因為駭客根本不需要實際拿到您的設備,就可透過多種方式 [接管電話號碼](https://en.wikipedia.org/wiki/SIM_swap_scam) 或讀取電子郵件。 如果未經授權的人獲得了您的電子郵件訪問權限,他們將能夠使用該訪問權限重設您的密碼並收到驗證碼,使他們能夠完全訪問您的帳戶。 + +### 推送通知 + +推送通知多重身份認證的形式是將訊息發送到手機上的應用程式,要求您確認新的帳戶登入。 這種方法比短信或電子郵件要好得多,因為攻擊者通常無法在沒有已經登錄的設備的情況下獲得這些推送通知,這意味著他們需要首先破壞您的其他設備之一。 + +我們都會犯錯誤,您可能不小心接受登錄嘗試。 推送通知登入授權通常一次發送到 *所有* 您的設備,如果您有多個設備,則可擴大 MFA 代碼的可用性。 + +推送通知 MFA 的安全性取決於應用程序的品質,伺服器組件以及生成它的開發人員的信任。 安裝應用程式可能會要求授予對裝置上其他資料存取的侵入性權限。 不同於好的TOTP 生成器,個別應用程式還要求特定的應用程序,甚至不需要密碼就可開啟服務。 + +### 暫時性的一次性密碼 (TOTP) + +TOTP 是最常見的 MFA 形式之一。 當您設置TOTP時,您通常需要掃描 [QR Code](https://en.wikipedia.org/wiki/QR_code) ,該掃描與您打算使用的服務建立“[共享祕密](https://en.wikipedia.org/wiki/Shared_secret)”。 共用祕密在驗證器應用程式的數據中受到保護,有時會受到密碼的保護。 + +然後,時間限制代碼從共享機密和當前時間衍生出來。 由於代碼僅在短時間內有效,無法訪問共享機密,因此對手無法生成新代碼。 + +如果您擁有支援 TOTP 的硬體安全金鑰(例如具有 [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)的YubiKey ) ,我們建議您將「共享機密」儲存在硬體上。 像 YubiKey 這類硬體就是為了讓“共享祕密”難以提取、複製而開發的工具。 YubiKey 也不會連接到網際網路,不像使用 TOTP 應用程式的手機。 + +與 [WebAuthn](#fido-fast-identity-online)不同, TOTP 無法應對 [網絡釣魚](https://en.wikipedia.org/wiki/Phishing) 或重複使用攻擊。 如果對手從您身上取得有效的登錄碼,他們可以隨意多次使用它,直到過期(通常是60秒)。 + +對手可以建立一個網站來模仿官方服務,試圖欺騙你提供你的用戶名,密碼和當前的 TOTP 代碼。 如果對手使用這些記錄的憑證,他們可能能夠登錄到真正的服務並劫持帳戶。 + +雖然不完美,但 TOTP 對大多數人來說足夠安全,當 [硬件安全金鑰](../multi-factor-authentication.md#hardware-security-keys) 不受支持時, [驗證器應用程序](../multi-factor-authentication.md#authenticator-apps) 仍然是一個不錯的選擇。 + +### 硬體安全金鑰 + +YubiKey 將資料存在防纂改的強固晶片, 除非運用先進實驗室等級的取證程序,一般非破壞方式[很難存取](https://security.stackexchange.com/a/245772) 。 + +這些金鑰通常具多重功能,並提供了許多驗證方法。 下面是最常見的。 + +#### Yubico OTP + +Yubico OTP 的驗證協議通常是執行在硬體安全金鑰上。 當決定使用 Yubico OTP 時,該密鑰將產生公用 ID ,私有 ID 和祕密密鑰,然後密鑰日上傳到 Yubico OTP 伺服器。 + +在登入網站時,需要做的就是實際觸摸安全金鑰。 安全金鑰將模擬鍵盤並將一次性密碼列印到密碼欄位中。 + +它會將一次性密碼轉發到 Yubico OTP 伺服器進行驗證。 在密鑰和 Yubico 驗證伺服器上的計數器都會迭加。 OTP 只能使用一次,當成功驗證後,計數器會增加,以防止重複使用 OTP。 Yubico 提供了此過程的 [詳細文件](https://developers.yubico.com/OTP/OTPs_Explained.html) 。 + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +與 TOTP 相比,使用Yubico OTP 有一些優缺點。 + +Yubico 驗證伺服器是雲端服務,您把信任託付給 Yubico 相信他們會安全地儲存資料而不會拿來分析您。 與 Yubico OTP 相關聯的公共 ID 可在每個網站上重複使用,並可能讓第三方可對您進行個人剖繪。 與TOTP 一樣, Yubico OTP 無法對抗網路釣魚。 + +若您的威脅模型要求在不同網站使用不同身份, **請不要** 在這些網站中使用同一個硬體安全密鑰 Yubico OTP ,因為每個安全密鑰都有相同的公共 ID。 + +#### FIDO ( 快速線上身份驗證) + +[FIDO ](https://en.wikipedia.org/wiki/FIDO_Alliance) 包含許多標準,首先是U2F ,然後是 [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) ,其中包括 Web 標準 [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)。 + +U2F 和 FIDO2 指的是 [Client to Authenticator Protocol](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol),這是安全金鑰和電腦之間的協議,例如筆記本電腦或手機。 它補充了 WebAuthn , WebAuthn 為驗證網站登錄( “依賴方” )之組件。 + +WebAuthn是最安全、最私密的第二要素驗證形式。 雖然驗證體驗與 Yubico OTP 類似,但密鑰不會打印出一次性密碼也不會使用第三方伺服器進行驗證。 相反,它使用 [公鑰加密](https://en.wikipedia.org/wiki/Public-key_cryptography) 進行驗證。 + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +當您創建一個帳戶時,公鑰會發送到服務,然後當您登錄時,服務會要求您使用您的私鑰“簽署”一些數據。 這樣做的好處是,服務不會儲存密碼資料,因此對手無從竊取任何東西。 + +這份簡報探討了密碼驗證的歷史,陷阱(如密碼重用)以及FIDO2 和 [WebAuthn](https://webauthn.guide) 標準等課題。 + +
+ +
+ +相較於其它 MFA方法, FIDO2 和 WebAuthn 具有卓越的安全和隱私特點。 + +通Web服務通常與 WebAuthn 一起使用, 這是來自 [W3C 的建議](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC))。 它使用公鑰驗證,並且比在 Yubico OTP 和 TOTP 使用的共享機密更安全,因為它在驗證期間包括原始名稱(通常是域名)。 提供證明以保護您免受網路釣魚攻擊,以幫助您確定使用真實服務而不是假網站服務。 + +與 Yubico OTP不同,WebAuthn不使用任何公共ID ,因此密鑰 **無法** 被不同網站識別。 它也不使用任何第三方雲端伺服器進行驗證。 所有通訊都已在密鑰和所登入的網站之間完成。 FIDO 還使用計數器,該計數器在使用時會增加,以防止期間重用和克隆密鑰。 + +如果網站或服務支援 WebAuthn 驗證,強烈建議您使用它而不是其他形式的 MFA。 + +## 一般性建議 + +我們有這些一般性建議: + +### 我應該選擇哪種方法? + +設置MFA 方法時,請記住,它的安全程度與您使用的最弱的身份驗證方法一樣。 這意味著您只需使用的最佳MFA方法。 例如,如果您已經使用TOTP ,您應該禁用電子郵件和SMS MFA。 如果您已經使用 FIDO2/WebAuthn ,則不應該在您的帳戶上使用 Yubico OTP 或TOTP。 + +### 備份 + +您應該始終備份您的 MFA 方法。 硬體安全金鑰可能會丟失、被盜或隨著時間的推移而停止運作。 建議您擁有一對具有相同帳戶存取權限的硬體安全金鑰,而不僅僅是一個。 + +當與驗證器應用程式一起使用TOTP時,請務必備份您的恢復密鑰或應用程式本身,或將「共享機密」複製到不同手機上的應用程式的另一個實例或加密容器(例如 [VeraCrypt](../encryption.md#veracrypt))。 + +### 初始設定 + +購買安全金鑰時,請務必變更預設憑證、為金鑰設定密碼保護,並在金鑰支援時啟用觸控確認。 YubiKey 等產品有多重介面,各有其獨立憑證,因此您應該仔細查看每個介面並設置保護。 + +### 電子郵件和簡訊 + +如果您必須使用電子郵件進行MFA ,請確保電子郵件帳戶本身具有適當的 MFA 方法。 + +如果您使用簡訊 MFA ,請選擇不會進行未授權的號碼切換的營營商,或使用具有類似安全性的專用VoIP 號碼,以避免 [SIM 交換攻擊](https://en.wikipedia.org/wiki/SIM_swap_scam)。 + +[我們推薦的 MFA 工具](../multi-factor-authentication.md ""){.md-button} + +## 更多設定MFA的地方 + +除了保護您的網站登錄外,多因素身份驗證還可用於保護您的本地設備的登錄、 SSH 密鑰甚至密碼資料庫。 + +### Windows + +Yubico 有專門的 [憑證提供者](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) ,為本地 Windows 帳戶在登錄流程添加了Challenge-Response 驗證。 如果您擁有具 Challenge-Response 驗證支援的 YubiKey ,請查看 [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide),該指南將協助您在 Windows 電腦上設置MFA。 + +### macOS + +macOS 具有 [原生支援](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) 用於使用智慧卡(PIV)進行驗證。 如果您有支援 PIV 介面的智慧卡或硬體安全金鑰(例如 YubiKey) ,建議您遵循智慧卡/硬體安全供應商的文件,為您的macOS 電腦設定第二要素驗證。 + +Yubico 指南 [在macOS](https://support.yubico.com/hc/en-us/articles/360016649059) 中使用 YubiKey 作為智慧卡,可幫助您在 macOS 設置 YubiKey。 + +設定智慧卡/安全金鑰後,我們建議您在終端機中執行此命令: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +該指令會防止對手在電腦啟動時繞過 MFA。 + +### Linux + +!!! 警告 + + 如果系統主機名稱發生變更(例如由於 DHCP ) ,您將無法登入。 在遵循本指南之前,為您的電腦設置正確的主機名至關重要。 + +Linux 上的 `pam_u2f` 模組可以提供雙因素驗證,以便在最流行的 Linux 發行版上登錄。 如果您有支援 U2F 的硬體安全金鑰,可以為您的登入設定 MFA 驗證。 Yubico有一個 [Ubuntu Linux 登錄指南- U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) ,應該適用於任何發行版。 軟體包管理器指令(例如 `apt-get`)和軟體包名稱可能不同。 本指南 **不適用於** Qubes OS. + +### Qubes OS + +Qubes OS 支援 YubiKeys 進行 Challenge-Response 驗證。 如果您擁有具 Challenge-Response 驗證支援的 YubiKey ,請查看 Qubes OS [YubiKey 文檔](https://www.qubes-os.org/doc/yubikey/) ,以在Qubes OS 設置 MFA。 + +### SSH + +#### 硬件安全金鑰 + +SSH MFA 可以使用多種不同的身份驗證方法進行設置,這些方法在硬體安全金鑰中很受歡迎。 建議您查看 Yubico [文件檔](https://developers.yubico.com/SSH/) ,了解如何設置此功能。 + +#### 暫時性的一次性密碼 (TOTP) + +SSH MFA 也可以使用 TOTP 設定。 DigitalOcean 提供教學 [如何在 Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04) 為 SSH 設置多因素身份驗證。 無論是哪一個發行版本,大多數操作方式都相同,但是軟體包管理器命令-例如 `apt-get`-和軟體包名稱可能不同。 + +### KeePass (和KeePassXC ) + +KeePass 和 KeePassXC 資料庫可以使用 Challenge-Response 或 HOTP 作為第二要素驗證進行密碼保護。 Yubico 提供了一份 KeePass [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) 文件, [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) 網站上也有一份。 diff --git a/i18n/zh-Hant/basics/passwords-overview.md b/i18n/zh-Hant/basics/passwords-overview.md new file mode 100644 index 00000000..f644a998 --- /dev/null +++ b/i18n/zh-Hant/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "密碼介紹" +icon: 'material/form-textbox-password' +description: 以下是關於如何建立最強密碼並確保帳戶安全的一些提示和技巧。 +--- + +密碼是我們日常數位生活的重要組成部分。 我們使用它們來保護自己帳戶、設備和祕密。 儘管密碼常常是我們與挖取我們私人資訊的對手之間僅有的唯一阻隔,但人們並未對密碼有充分的考量,導致人們使用的密碼很容易被猜到或強力破解。 + +## 最佳實踐 + +### 每項服務各選用不同的獨特密碼 + +想像一下,您在各個不同的網路服務註冊時都使用同一組電子郵件和密碼。 如果其中一個服務提供商懷有惡意,或者其服務發生資料洩露,以未加密格式暴露了您的密碼,那麼不良行為者只需嘗試跨多個流行服務的電子郵件和密碼組合,就可輕易得手。 密碼強度已無關緊要,因為對手已經打開它了。 + +這稱為 [憑證填充](https://en.wikipedia.org/wiki/Credential_stuffing),是最常見帳戶被不良行為者破壞的方式之一。 為了避免這種情況,請確保您永遠不會重複使用密碼。 + +### 使用隨機生成的密碼 + +==您 **不應該** 僅靠自己去想出好密碼== ;建議使用充足熵量的[隨機產生密碼randomly generated passwords](#passwords) 或 [diceware 口令密語](#diceware-passphrases) ,以保護裝備和帳戶的安全。 + +我們所推薦的 [密碼管理器](../passwords.md) 都內建密碼生成器。 + +### 輪換密碼 + +應避免經常更改必須記住的密碼(例如密碼管理器的主密碼) ,除非有理由相信它已被破壞,否則頻繁更改它往往會使您面臨忘記密碼的風險。 + +對於無需記住的密碼(例如存儲在密碼管理器中的密碼)時,如果您的 [威脅模型](threat-modeling.md) 需要它,建議每隔幾個月查看一次重要帳戶(特別是沒使用多因素身份驗證的帳戶)並更改其密碼,以防它們在尚未公開的資料洩露中遭到破壞。 大多數密碼管理器可為密碼設定到期日期,以便更容易管理。 + +!!! 提示“檢查數據洩露” + + 如果您的密碼管理器可以檢查密碼是否已被破壞,請務必檢查並立即更改可能已暴露在資料外洩的密碼。 或者,您可以在[news aggregator] (../news-aggregators.md)的幫助下關注[Have I Been Pwned 最新資料外洩情報] (https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches)。 + +## 建立強密碼 + +### 密碼 + +許多服務對密碼施加了某些標準,包括最小或最大長度,以及可以使用哪些特殊字符(如果有的話)。 您應該利用密碼管理器內建的密碼生成器來創建夠長、複雜的密碼,只要服務允許,最好是混合大寫和小寫字母、數字和特殊字符搭配。 + +若需要一個記得住的密碼,建議採用 [diceware 口令密語](#diceware-passphrases)。 + +### Diceware 口令密語 + +Diceware 是一種創建密碼短語的方法,這些密短口令易於記憶,但很難猜測。 + +當您需要記憶或手動輸入憑證時,例如密碼管理員的主密碼或設備的加密密碼, Diceware 口令密語是個好選擇。 + +舉一個 Diceware 口令密語的例子 `viewable fastness reluctant squishy seventeen shown pencil`。 + +使用骰子來產生一組 diceware 口令密語,請按照以下步驟: + +!!! 備註 + + 這裏的說明假設您正使用[ EFF的大型單詞清單] (https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)來生成密語,每個單詞需要骰子滾動五次。 其他單詞列表的單詞其骰子滾動次數不一,且可能需要不同單詞數量來達成相同的熵。 + +1. 將1~6 骰子滾動五次,記下每次出現的數字。 + +2. 例如,假設您滾動了 `2-5-2-6-6`。 查看 [EFF 的大型單詞清單](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) ,找出對應於 `25266` 的單詞。 + +3. 你會得到單詞 `encrypt`。 把這個詞寫下來。 + +4. 重複相同手續,直到您的口令密語達到足夠的單詞,請用空格分隔單詞。 + +!!! 警告“重要” + + 你* *不應* *重新滾動單詞,以取得自己喜好的單詞組合。 這個過程應該是完全隨機的。 + +如果您手邊沒有或不想使用真正的骰子,可利用密碼管理器內建密碼生成器,因為大多數密碼生成器除了普通密碼之外還可以選擇生成 diceware 口令密語。 + +我們建議使用 [EFF 的大型單詞清單](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) 來生成您的diceware 口令密語,因為它提供與原始列表完全相同的安全性,同時更容易記憶的單詞。 如果不想要使用英文密語,也有 [其他語言的單詞清單](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline)。 + +??? 附註「diceware 口令密語的熵和強度的說明」 + + 為了證明 diceware 密語的強度,我們將使用前面提到的七個單詞密語(`viewable fastness reluctant squishy seventeen shown pencil` )和 [EFF 的大型單詞列表] (https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)作例子。 + + 判斷 diceware 口令密語強度的衡量標準是確定它有多少熵。 diceware 口令密語中的個別單詞的熵為 $\text{log}_2(\text{WordsInList})$ 而整組密語的熵總量為 $\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$. + + 因此,上述列表中的每個單詞都會產生~ 12.9 位熵(($\text{log}_2 (7776) $) ,而其中取得七個單詞組成的口令密語就具有~ 90.47位熵 ($\text{log}_2 (7776 ^ 7) $ )。 + + [EFF 的大型單詞清單] (https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)包含 7776 個獨特單詞。 要計算可能的口令密語數量,所要做的就是 $\text{WordsInList}^\text{WordsInPhrase}$ ,或者依我們的情況, $ 7776 ^ 7 $。 + + 讓我們從這個角度來看:使用 [EFF 的大型單詞列表] (https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)的七個單詞的口令密短約有1,719,070,799,748,422,500,000,000 種組合。 + + 平均而言,至少要嘗試所有可能組合的一半來猜測您的密語。 考慮到這一點,即使對手每秒能夠猜測~ 1,000,000,000,000 次,他們仍然需要~ 27,255,689 年來猜出您的密語。 即使以下情況屬實,也是如此: + + - 對手知道您使用 diceware 方法。 + - 對手知道您所使用的具體單詞清單。 + - 對手知道您的密語包含多少個單詞。 + +總而言之, diceware 口令密語是最佳選擇,當您需要既容易記住 *又* 非常強大的東西。 + +## 儲存密碼 + +### 密碼管理器。 + +儲存密碼的最佳方式是使用密碼管理器。 可將密碼存儲在檔案或雲端,使用單個主密碼保護與開啟它們。 這樣,您只需要記住一個強大的密碼,就可以訪問其餘密碼。 + +有許多好的選項可參考,不管是雲端和本地設備安裝。 選擇任一推薦的密碼管理器,利用它為所有帳戶建立強密碼。 建議利用至少七個單詞的 [diceware 口令密語](#diceware-passphrases) 來保護密碼管理器的安全。 + +[推薦的密碼管理員列表](../passwords.md ""){.md-button} + +!!! 警告: “不要將密碼和 TOTP 令牌放在同一個密碼管理器中” + + 當使用 TOTP 代碼作為[多因素驗證] (../multifactor-authentication.md)時,最好的安全措施是將 TOTP 代碼保存在[分開的應用程序] (../multifactor-authentication.md#authenticator-apps)中。 + + 將您的 TOTP 令牌存儲在與密碼相同的位置,雖然方便,但假若對手可以存取密碼管理器,則帳戶安全驗證則減少為單一因素。 + + 此外,我們不建議把一次性修復代碼存在密碼管理器。 它們應分開儲存,例如放在離線儲存設備的加密容器中。 + +### 備份 + +您應該將密碼備份 [加密](../encryption.md) 在 數個儲存裝置或雲端儲存服務。 如果您主要裝置或正在使用的服務出問題,這可以幫助您存得密碼。 diff --git a/i18n/zh-Hant/basics/threat-modeling.md b/i18n/zh-Hant/basics/threat-modeling.md new file mode 100644 index 00000000..ffc812f4 --- /dev/null +++ b/i18n/zh-Hant/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "建立威脅模型" +icon: 'material/target-account' +description: 平衡安全性、隱私權和可用性是您在隱私權之旅中將面臨的首要和最困難的任務之一。 +--- + +平衡安全性、隱私權和可用性是您在隱私權之旅中將面臨的首要和最困難的任務之一。 一切都要各方權衡:越安全的東西,它通常越受限制或越不方便。 通常,人們發現那些被推薦的工具的問題是它們太難開始使用了! + +如果要使用**最安全**的工具,就必須犠牲許多*可用性*。 就算如此,也沒有什麼是完全安全的。有 **高** 安全,但從來沒有 **完整** 安全。 這就是為什麼威脅模型很重要。 + +**那麼,這些威脅模型究竟是什麼呢?** + +==威脅模型,列出對您的安全與隱私可能造成的威脅。== 既然無法完全防範**每一次** 攻擊(者),請將精力放在 **最可能發生的** 威脅。 在電腦安全上,威脅指可能破壞您保持私密和安全努力的事件。 + +專注在對您認為重要的威脅,可縮小對所需保護的考慮,以讓您選擇出適合的工具。 + +## 建立您的威脅模型 + +為了分辨所重視的事物會發生什麼,保護它們必須避開哪些人,請回答以下五個問題: + +1. 我想保護什麼? +2. 我想要保護它免受誰的侵害? +3. 我需要保護它的可能性有多大? +4. 若不幸失敗將帶來多嚴重的後果? +5. 我願意承受多少麻煩來防止潛在的後果? + +### 我想保護什麼? + +“資產”是你重視和想要保護的東西。 在討論數位安全時,資產通常是某種資訊。例如,您的電子郵件、聯繫人列表、即時消息、位置和檔案等都是可能的資產。 你的設備本身也可能是資產。 + +*列出您的資產:您保存的資料、保存的地方、誰可以取用它,以及阻止其他人使用它的原因。* + +### 我想要保護它免受誰的侵害? + +要回答這個問題,重要的是要找出誰可能會針對您或您的資訊。 對您的資產構成威脅的個人或實體即是“敵人”。潛在對手可能為:您的老闆、前任情人、商業競爭對手、政府或公共網路上的黑客。 + +*列出對手或那些可能想要獲取您的資產的敵人。 您的名單可能包括個人、政府機構或公司。* + +根據對手是誰,在某些情況下,這份清單可能是在完成安全計劃後必須鎖毀的東西。 + +### 它需要被保護的可能性有多大? + +==風險是指某個資產發生特定威脅實際的可能性。= =它與能力密切相關。 雖然您的手機供應商有能力訪問您的資料,但他們將私人數據散佈在網路以損您聲譽的這種風險發生機率很低。 + +重要的是要能區分可能發生什麼事和事情發生的概率。 例如,您的建築物可能會倒塌,但很常有地震的舊金山發生這種情況的風險遠遠大於地震並不常見的斯德哥爾摩。 + +評估風險既是私人的,也是主觀的過程。 許多人認為某些威脅是不可接受的,無關乎其發生的可能性,而是因它們根本不值得。 在其他情況下,人們忽視高風險,因為他們不認為威脅是問題。 + +*寫下你認真看待哪些威脅,哪些可能太罕見或無害(或太難以對抗)。* + +### 若不幸失敗將帶來多嚴重的後果? + +對手有很多方法可以取用您的資料。 例如,他們通過網路讀取您的私人通訊,或是刪除或破壞您的資料。 + +== 對手的動機差異很大,他們的戰術也是如此。==政府試圖阻止警察暴力影片傳播,簡單地刪除或減少該影片的可用性大概就可以。 相比之下,政治對手可能希望在您不知情的情況下,獲得您的祕密內容並發布。 + +安全規劃涉及了解若對手成功地取用您的資產後,會帶來多嚴重的後果。 要確定這一點,應該考慮對手的能力。 例如,您的手機供應商可以存取您所有的電話記錄。 公共 Wi-Fi 網路上的駭客可以訪問您未加密的通訊。 政府往往有更強的能力。 + +*寫下對手可能想用您的私人資料做什麼。* + +### 我願意承受多少麻煩來防止潛在的後果? + +==沒有完美的安全保障。==不是每個人都有相同的優先事項、關切點或可用資源。 您的風險評估能為您規劃正確的策略,平衡便利性、成本和隱私。 + +例如,在國家安全案件中代表客戶的律師可能願意全力保護該案件的相關通信,例如使用加密電子郵件,而常向女兒發送有趣貓咪短片的母親就不會想要加密。 + +*寫下您可用的選項,以幫助減輕您的獨特威脅。 ,如果您有任何財務、技術或社會上的限制,請予備註。* + +### 自己試試:保護好您的財產 + +這些問題可以適用於線上和線下的各種情況。 示範這些問題如何運作,我們來制定一個保護您房屋和財產安全的計畫。 + +**您想保護什麼? ( 或者*)您有什麼值得保護的? (*)** +: + +您的資產可能包括珠寶、電子產品、重要文件或照片。 + +**你想保護它免受誰的侵害?** +: + +你的對手可能包括竊賊、室友或客人。 + +**您需要保護它的可能性有多大?** +: + +您的社區發生過入室盜竊的案件嗎? 你的室友或客人可信任的程度? 你的對手有哪些能力? 應該考慮哪些風險? + +**失敗的後果有多嚴重?** +: + +你家裡有什麼東西是你無法取代的嗎? 您有時間或金錢來取代這些東西嗎? 是否已為家裏物品投保失竊險? + +**你願意承受多少麻煩來防止這些後果?** +: + +您是否願意為敏感文件購買保險箱? 你能買到高品質的鎖嗎? 您有時間在當地銀租用保險箱並將貴重物品存放在那裡嗎? + +只有真正自問這些問題後,才能評估該採取哪些措施。 如果您的財產具有價值,但被入侵的可能性很低,那麼可能不想在防鎖上投資太多。 但是,如果被入侵的可能性很高,您會希望取得市場上最好的鎖並考慮添加安全系統。 + +制定安全計劃有助於了解您獨有的威脅、評估自己的資產、對手與其能力,以及您面臨風險的可能性。 + +## 延伸閱讀 + +針對希望提高線上隱私和安全性者,我們編制了一份本站訪客面臨的常見威脅或目標清單,為您提供一些靈感並展示我們建議的基礎。 + +- [共同目標與威脅 :material-arrow-right-drop-circle:](common-threats.md) + +## 來源 + +- [EFF監控自衛:您的安全計劃](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/zh-Hant/basics/vpn-overview.md b/i18n/zh-Hant/basics/vpn-overview.md new file mode 100644 index 00000000..633234a8 --- /dev/null +++ b/i18n/zh-Hant/basics/vpn-overview.md @@ -0,0 +1,80 @@ +--- +title: VPN 簡介 +icon: material/vpn +description: 虛擬私用網路將風險從您的ISP 轉移到您信任的第三方。 你應該記住這些事情。 +--- + +虛擬專用網路是將您的網路末端延伸到世界其它地方的一種方式。 ISP 可以看到網路終端設備(例如數據機)的網際網路進出流量。 + +HTTPS 等加密協議通常應用在網際網路,因此雖無法確切地知道您發布或閱讀的內容,但還是可以了解您所請求訪問的 [網域名](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns)。 + +VPN 可以提供幫助,將信任轉移到世界其他地方的伺服器。 因此, ISP只會看到您已連接到VPN ,而不會看到您正在傳遞的活動。 + +## 我應該使用 VPN 嗎? + +**是**,除非你已經在使用Tor。 VPN可以做兩件事:將風險從網際網路服務提供商轉移到 VPN,並將向第三方服務隱藏您的 IP 地址。 + +VPN 無法加密裝置與 VPN 伺服器之間連線以外的資料。 VPN 提供商可以像 ISP 一樣查看和修改您的流量。 而且沒有方式可以驗證 VPN 提供商的“無記錄”政策是否貫徹。 + +VPN 確實可向第三方服務隱藏您的實際 IP ,但前提是IP 沒被洩漏。 它們有助您混在他人之中,以減輕基於 IP 的追蹤。 + +## 什麼時候不該使用 VPN ? + +在 [身份已可辨識](common-threats.md#common-misconceptions) 的情況下,VPN 就沒效用了。 + +這樣做可能會觸發垃圾郵件和欺詐偵測系統,例如您正試圖登入銀行網站。 + +## 那加密呢? + +VPN供應商提供的加密僅發生在您的裝置與伺服器之間。 它保證此特定連結是安全的。 這比用未加密代理的更進一步,因為對手可以攔截您的設備和前述未加密代理之間的通訊並加以修改。 然而軟體或瀏覽器與服務供應商之間的加密並不是依此加密處理。 + +為了保持所瀏覽網站活動的私密和安全,您必須使用 HTTPS。 這將確保您的密碼、會話令牌和查詢對VPN提供商是安全的。 請考慮在瀏覽器中啟用「HTTPS everywhere」,以減輕 [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf)等攻擊。 + +## 我應該將加密 DNS 與 VPN 一起使用嗎? + +除非您的 VPN 服務商自行託管加密的 DNS 伺服器, **不要**. 使用 DOH/DOT (或其它任何 DNS 加密) 與第三方伺服器只有需信任更多實體,在安全隱私則**一點幫助也沒有** 。 您的 VPN 提供商仍可以根據 IP 地址和其他方法查看您訪問的網站。 您現在除了信任 VPN 供應商外,還得同時信任 VPN 供應商和DNS 供應商。 + +推薦加密 DNS 的常見理由是有助於防止 DNS 欺騙。 您的瀏覽器應該已經檢查了 [TLS 憑證](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) 和 **HTTPS** ,並警告您。 如果沒用 **HTTPS**,則對手可以修改您的 DNS 查詢之外的任何東西,最終結果將沒太大差異。 + +**您不應把加密 DNS 與Tor**一起使用。 這將把您所有 DNS 請求引至某單一迴路,這會讓加密 DNS 提供商可對您消除匿名性。 + +## 我應該*同時* 使用 Tor 與 VPN 嗎? + +撔 Tor 與 VPN 一起使用 ,您基本上創建了一個永久的入口節點,這類節點通常帶有與金錢相關追蹤痕跡。 這樣根本沒增加額外好處,反而明顯地擴大了連接時的攻擊面。 如果您希望向 ISP 或政府隱藏您的Tor 使用, Tor 內建一個解決方案:Tor 橋接。 [閱讀更多關於Tor橋接以及為什麼沒必要使用 VPN](../advanced/tor-overview.md)。 + +## 如果我需要匿名怎麼辦? + +VPN無法提供匿名性。 您的VPN提供商可知道您真實 IP 地址,並且通常有一個可以直接與您連結的金錢線索。 您不能依靠 VPN「無記錄」政策來保護您的資料。 請用 [Tor](https://www.torproject.org/) 代替。 + +## 提供Tor 節點的 VPN 提供商好不好呢? + +不要使用此功能。 使用 Tor 的重點是不信任您的 VPN 提供商。 目前 Tor 只支援 [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) 通訊協議。 [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (在 [WebRTC](https://en.wikipedia.org/wiki/WebRTC) 中用於語音和影片分享,新的 [HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) 協議等) , [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) 和其他封包將被丟棄。 為了彌補這一點, VPN 提供商通常會引導全部的non-TCP 封包通過他們的 VPN 伺服器(您的第一個跳)。 [ProtonVPN ](https://protonvpn.com/support/tor-vpn/)的情況就是如此。 此外,使用此 Tor over VPN 設定時,您無法控制 Tor 其他重要的功能,例如 [隔離目標位址](https://www.whonix.org/wiki/Stream_Isolation) (為您訪問不同網域使用不同的Tor 迴路)。 + +該功能應被視為方便訪問 Tor 網絡的方式,而不是為了保持匿名。 為保持適當的匿名性,請使用 Tor 瀏覽器、TorSocks 或 Tor 閘道。 + +## VPN 何時有用? + +VPN在各種情況下仍可能對您有用,例如: + +1. **僅需**對網路連線服務商隱藏您的流量 。 +1. 對 ISP 和反盜版組織隱藏您的下載(如 torrents)。 +1. 從第三方網站和服務中隱藏您的IP ,防止基於IP的追蹤。 + +類似這些情況或者如果您有其他令人信服的理由,可考慮使用我們所列出認為最值得信賴的 VPN 提供商。 使用 VPN 意謂著您 *方便* 這些服務供應者。 任何情況下,最好使用以安全為**設計理念** 的工具,例如 Tor。 + +## 資料來源和進一步閱讀 + +1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert +1. [Tor Network概述](../advanced/tor-overview.md) +1. [IVPN隱私指南](https://www.ivpn.net/privacy-guides) +1. [「我需要 VPN 嗎?」"Do I need a VPN?" ](https://www.doineedavpn.com), +IVPN 開發的工具,幫助個人決定 VPN 是否適合他們,以因應各式 VPN 營銷。 + + + +## VPN 相關資訊 + +- [VPN 問題和隱私評論網站](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [免費 VPN 應用程式調查](https://www.top10vpn.com/free-vpn-app-investigation/) +- [揭露隱身的 VPN 擁有者:由 23 家公司運營101款 VPN 產品](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [這家中國公司祕密支持24個尋求危險權限的流行應用程序](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/zh-Hant/calendar.md b/i18n/zh-Hant/calendar.md new file mode 100644 index 00000000..a131926f --- /dev/null +++ b/i18n/zh-Hant/calendar.md @@ -0,0 +1,70 @@ +--- +title: "行事曆同步" +icon: material/calendar +description: 行事曆包含一些您最敏感的資料,使用實現靜態加密的產品。 +--- + +行事曆包含一些您最敏感的資料;請使用未存取時執行 E2EE 的產品,以防止供應商讀取這些資料。 + +## Tutanota + +!!! recommendation + + ! [Tutanota logo] (assets/img/calendar/tutanota.svg#only-light) {align = right} + ! [Tutanota標誌] (assets/img/calendar/tutanota-dark.svg#only-dark) {align = right} + + * * Tutanota * *在其支援的平臺上提供免費和加密的日曆。 功能包括:所有數據的自動E2EE ,共享功能,匯入/匯出功能,多因素驗證和 [more]( https://tutanota.com/calendar-app-comparison/ )。 + + 多個行事曆和擴展共享功能僅限於付費訂閱者。 + + [:octicons-home-16: Homepage](https://tutanota.com/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar + +!!! recommendation + + ![Proton](assets/img/calendar/proton-calendar.svg) {align = right} + + * * Proton Calendar * *是 Proton 會員可透過網路或行動客戶端使用的加密行事曆服務。 功能包括:所有資料自動 E2EE 、共享、匯入/匯出等等[眾多功能](https://proton.me/support/proton-calendar-guide). 免費會員可以使用單一行事曆,而付費訂閱者最多可以創建20個行事曆。 擴展共享功能也僅限於付費訂閱者。 + + [:octicons-home-16: Homepage](https://proton.me/calendar){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/proton-calendar-guide){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格 + +- 同步與儲存資訊必須使用 E2EE,以確保服務供應商無法看到。 + +### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目中看到的東西。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 如果合適,最好能整合入原生作業系統行事曆和聯絡人管理應用程式。 diff --git a/i18n/zh-Hant/cloud.md b/i18n/zh-Hant/cloud.md new file mode 100644 index 00000000..c6d69b67 --- /dev/null +++ b/i18n/zh-Hant/cloud.md @@ -0,0 +1,99 @@ +--- +title: "雲端儲存" +icon: material/file-cloud +description: 許多雲端儲存服務供應商需要您相信他們不會查看您的檔案。 這些都是私密替代品! +--- + +許多雲端儲存服務供應商需要您完全信任他們不會查看您的檔案。 下面列出的替代方案通過實施安全的 E2EE,消除了對信任的需要。 + +如果這些替代方案不符合您的需求,建議您考慮使用其他雲端提供商的加密軟件,例如 [Cryptomator](encryption.md#cryptomator-cloud) 。 把 Cryptomator 結合在 **任一種** 雲服務商(包含這裡推薦的) 也是好方法,可減低某服務商原生客立端加密漏洞之風險。 + +??? 提問:找不到 Nextcloud ? + + Nextcloud 是[仍然是一個推薦的工具] (productivity.md) ,可用於自我託管檔案管理套件,但目前不推薦第三方 Nextcloud儲存服務提供商,因為我們[不建議]使用 (https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud 家庭用戶版內置的 E2EE 功能。 + +## Proton Drive + +!!! recommendation + + ! [Proton Drive logo] (assets/img/cloud/protondrive.svg) {align = right} + + * * Proton Drive * *是來自流行的加密電子郵件供應商[Proton Mail] (email.md#proton-mail)的瑞士加密雲存儲供應商。 + + [:octicons-home-16: Homepage](https://proton.me/drive){ .md-button .md-button--primary } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/drive){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1509667851) + +Proton Drive 網路應用程式已於[2021年](https://proton.me/blog/security-audit-all-proton-apps)由 Securitum 獨立審核,並未公開完整詳細資料,但 Securitum 的認證信函指出: + +> 審計人員發現了兩個不嚴重的漏洞。 此外,還提出五項一般性建議。 與此同時,我們確認在滲透測試期間沒有發現重大安全問題。 + +Proton Drive 全新移動客戶端軟體尚未經過第三方公開審核。 + +## Tresorit + +!!! recommendation + + ! [Tresorit logo] (assets/img/cloud/tresorit.svg) {align = right} + + * * Tresorit * *是一家成立於2011年的匈牙利加密雲端儲存服務供應商。 Tresorit 由瑞士郵政擁有,瑞士郵政是瑞士的國家郵政服務。 + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit 已獲得多項獨立安全稽核: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001: 2013[^1] 符合性 [認證](https://www.certipedia.com/quality_marks/9108644476) TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Computest 的滲透測試 + - 該檢查評估了Tresorit 網頁用戶端、Android 應用程式、Windows 應用程式和相關基礎設施的安全性。 + - Computest 發現了兩個已解決的漏洞。 +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Ernst & Young 的滲透測試。 + - 該檢測分析了 Tresorit 完整源代碼,並驗證了落實 Tresorit [白皮書](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf)中描述的概念。 + - Ernst & Young 還測試了網絡、行動和桌面客戶端: “測試結果發現沒有偏離 Tresorit 的資料機密性聲明。 + +他們還獲得了數位信任標籤,這是 [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) 的認證,該認證要求通過與安全性,隱私和可靠性相關的 [35標準](https://digitaltrust-label.swiss/criteria/) 。 + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格要求 + +- 必須執行端到端加密。 +- 必須提供免費計劃或試用期以進行測試。 +- 必須支援 TOTP 或 FIDO2 多因素驗證,或 Passkey 登入。 +- 必須提供支援基本檔案管理功能的網頁介面。 +- 允許輕鬆匯出所有檔案/文件。 +- 必須使用經審核的標準加密。 + +### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的條件。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 客戶端應是開源的。 +- 客戶端軟體應由獨立的第三方進行全面審計。 +- 應提供 Linux、Android、Windows、macOS 和 iOS 的原生客戶端。 + - 這些用戶端應與雲端儲存供應商的原生作業系統工具整合,例如整合 iOS 的 Files app,或 Android 的 DocumentsProvider 功能。 +- 容易與其他用戶輕鬆共享文件。 +- 至少在網頁界面應提供基本的文件預覽和編輯功能。 + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001): 2013合規性涉及公司的 [資訊安全管理系統](https://en.wikipedia.org/wiki/Information_security_management) ,涵蓋其雲端服務的銷售、開發、維護和支援。 diff --git a/i18n/zh-Hant/cryptocurrency.md b/i18n/zh-Hant/cryptocurrency.md new file mode 100644 index 00000000..5c36aac6 --- /dev/null +++ b/i18n/zh-Hant/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: 加密貨幣 +icon: material/bank-circle +--- + +線上支付是隱私面臨的最大挑戰之一。 下列加密貨幣預設提供交易隱私(大多數加密貨幣**並未保證**如此 ),前提是您對如何有效地進行私人支付有深入了解。 我們強烈建議您在網路購買前先閱讀本站私密付款之介紹: + +[私密付款 :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! 危險 + + 許多(如果不是大多數)加密貨幣項目都是騙局。 只用你信任的項目小心進行交易。 + +## Monero + +!!! recommendation + + ! [Monero 標誌] (assets/img/cryptocurrency/monero.svg) {align = right} + + * * Monero * *使用增強隱私技術的區塊鏈,混淆交易以實現匿名性。 每筆 Monero 交易都隱藏了交易金額、發送和接收地址以及資金來源,使其成為加密貨幣新手的理想選擇。 + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +使用 Monero ,外部觀察者無法破譯 Monero 交易地址、交易金額、地址餘額或交易歷史。 + +為了獲得最佳的隱私,請務必使用非保管錢包,讓查看密鑰保留在設備上。 這意味著只有您能夠花費資金並查看交易進出。 若使用託管錢包,則服務商可看到**全部活動** ;如果用的是"輕量"錢包,則服務商保存了您的私鑰並看到您全部的交易活動。 一些非保管錢包包括: + +- [官方Monero客戶端](https://getmonero.org/downloads) (桌面) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet 支援多種加密貨幣。 僅限 Monero 的 Cake Wallet 版本可在 [Monero.com](https://monero.com/) 上找到。 +- [Feather Wallet](https://featherwallet.org/) (桌面版) +- [Monerujo](https://www.monerujo.io/) (Android) + +為了獲得最大的隱私(即便使用非保管錢包),您應該運行自己的 Monero 節點。 使用別人的節點會暴露一些信息,例如您從中連接到它的IP位址,同步錢包的時間戳記以及您從錢包發送的交易(儘管沒有關於這些交易的其他細節)。 或者,您可以通過Tor或i2p連接到其他人的Monero節點。 + +2021年8月, CipherTrace [宣布爲政府機構提供](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) 增強的 Monero 追蹤功能。 公開貼文顯示,美國財政部金融犯罪執法網絡 [在2022年底授權](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace 的 “Monero 模塊”。 + +Monero 交易圖隱私受到其相對較小的環形簽名的限制,特別是抵抗針對性的攻擊。 Monero's 隱私功能也曾被某些資安研究人員 [質疑](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) ,過去已發現一些弱點與補丁,因此如 CipherTrace 的宣稱並非不可能。 雖然 Monero 大規模監控工具不太可能像比特幣和其他工具一樣存在,但可以肯定的是,追蹤工具有助於進行針對性的調查。 + +Monero 是隱私友好的加密貨幣中最強大的競爭者,但它的隱私聲稱**尚未**被任何方式證明 。 需要更多的時間和研究來評估 Monero 是否足夠抵禦攻擊來提供足夠的隱私。 + +## 標準 + +**請注意,我們與所推薦專案沒有任何牽扯。 ** 除了 [我們的標準準則](about/criteria.md)外,還有一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 推薦項目時,我們會考慮與討論許多因素,且記錄下每一個項目種種工作流程。 + +- 預設情況下,加密貨幣必須提供私密/無法追蹤的交易。 diff --git a/i18n/zh-Hant/data-redaction.md b/i18n/zh-Hant/data-redaction.md new file mode 100644 index 00000000..c2acc05e --- /dev/null +++ b/i18n/zh-Hant/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "資料和中繼資料處理" +icon: material/tag-remove +description: 使用這些工具來移除所分享的相片和文件中的GPS定位和其他識別資訊等中繼資料。 +--- + +分享檔案時,請務必移除相關的中繼資料。 映像文件通常包含 [Exif](https://en.wikipedia.org/wiki/Exif) 數據。 照片有時甚至在文件元數據中包含GPS坐標。 + +## 電腦版應用程式 + +### MAT2 + +!!! recommendation + + ! [MAT2 logo] (assets/img/data-redaction/mat2.svg) {align = right} + + * * MAT2 * *是免費軟體,可以移除圖像,音頻,種子和文件文件類型的中繼資料。 它通過[ Nautilus 擴展元件] (https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus)提供命令行工具和圖形用戶界面,Nautilus 是 [GNOME](https://www.gnome.org)的預設檔案管理器, [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin)是 [KDE](https://kde.org)的預設檔案管理器。 + + Linux 有MAT2 提供支持的第三方圖形界面工具[Metadata Cleaner] (https://gitlab.com/rmnvgr/metadata-cleaner) ,並且[可從 Flathub 取得] (https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner)。 + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title=Documentation} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## 行動 + +### ExifEraser (Android) + +!!! recommendation + + ! [ExifEraser logo] (assets/img/data-redaction/exiferaser.svg) {align = right} + + * * ExifEraser * *是 Android 的現代無需許可的圖像中繼資料擦除應用程式。 + + 它目前支持JPEG , PNG和WebP 檔案格式。 + + [:octicons-repo-16: Repository](https://github.com/Tommy-Geenexus/exif-eraser){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Tommy-Geenexus/exif-eraser#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +被清除的元資料取決於影像的檔案類型: + +* **JPEG**:可清除 ICC Profile、Exif、Photoshop Image Resources 和 XMP/ExtendedXMP 等中繼資料。 +* **PNG**:可清除 ICC Profile、Exif和XMP等中繼資料。 +* **WebP**: 可清除 ICC Profile、Exif 和XMP 等中繼資料。 + +處理完影像後, ExifEraser會為您提供一份完整的報告,說明每張影像中究竟刪除了哪些內容。 + +該應用程式提供了多種方式來清除圖像中的中繼數據。 亦即: + +* 您可以使用 ExifEraser 分享其他應用程序的圖像。 +* 通過應用程序本身,可以一次選擇單個圖像,多個圖像,甚至是整個目錄。 +* 它具有“相機”選項,該選項使用操作系統的相機應用程序拍攝照片,然後從中刪除中繼數據。 +* 在應用分屏模式下,它可以從另一個應用程式拖放圖片到 ExifEraser 。 +* 最後,它允許您從剪貼板黏貼圖像。 + +### Metapho (iOS) + +!!! recommendation + + ! [Metapho logo] (assets/img/data-redaction/metapho.jpg) {align = right} + + * * Metapho * *是一個簡單清晰的相片中繼資料檢視器,例如日期、檔案名稱、大小、相機型號、快門速度和位置。 + + [:octicons-home-16: Homepage](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="Privacy Policy" } + + ??? 下載 + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ! [PrivacyBlur logo] (assets/img/data-redaction/privacyblur.svg) {align = right} + + * * PrivacyBlur * *是一個免費應用程式,在線上分享前先模糊圖片的敏感部分。 + + [:octicons-home-16: Homepage](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! 警告 + + 您* *永遠不要* *使用模糊來編輯[圖片中的文字] (https://bishopfox.com/blog/unredacter-tool-never-pixelation)。 如果要編輯影像中的文字,請在文字上畫一個框。 為此,我們建議使用[Pocket Paint] (https://github.com/Catrobat/Paintroid)等應用程式。 + +## 命令行 + +### ExifTool + +!!! recommendation + + ! [ExifTool logo] (assets/img/data-redaction/exiftool.png) {align = right} + + * * ExifTool * *是原始的perl庫和命令行應用程式,用於讀取、寫入和編輯各種檔案格式 (JPEG , TIFF , PNG, PDF, RAW等)的中繼資訊(Exif , IPTC , XMP...)。 + + 它通常是其他Exif 移除應用程式的組件,並且在大多數 Linux 發行版儲存庫中。 + + [:octicons-home-16: Homepage](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="Source Code" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! 示例「從檔案目錄中刪除資料」 + + ```bash + exiftool -all= *.file_extension + ``` + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 為開源作業系統開發的應用程式必須是開源的。 +- 應用程式必須是免費的,不應包含廣告或其他限制。 diff --git a/i18n/zh-Hant/desktop-browsers.md b/i18n/zh-Hant/desktop-browsers.md new file mode 100644 index 00000000..b712096a --- /dev/null +++ b/i18n/zh-Hant/desktop-browsers.md @@ -0,0 +1,362 @@ +--- +title: "Desktop Browsers" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended desktop web browsers and configurations for standard/non-anonymous browsing. We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox + +!!! recommendation + + ![Firefox logo](assets/img/browsers/firefox.svg){ align=right } + + **Firefox** provides strong privacy settings such as [Enhanced Tracking Protection](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop), which can help block various [types of tracking](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks). + + [:octicons-home-16: Homepage](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! warning + Firefox includes a unique [download token](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) in downloads from Mozilla's website and uses telemetry in Firefox to send the token. The token is **not** included in releases from the [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/). + +### Recommended Configuration + +這些選項可以在 :material-menu: → **設定** → **隱私 & 安全性**中找到。 + +##### Enhanced Tracking Protection + +- [x] Select **Strict** Enhanced Tracking Protection + +This protects you by blocking social media trackers, fingerprinting scripts (note that this does not protect you from *all* fingerprinting), cryptominers, cross-site tracking cookies, and some other tracking content. ETP protects against many common threats, but it does not block all tracking avenues because it is designed to have minimal to no impact on site usability. + +##### Sanitize on Close + +If you want to stay logged in to particular sites, you can allow exceptions in **Cookies and Site Data** → **Manage Exceptions...** + +- [x] Check **Delete cookies and site data when Firefox is closed** + +This protects you from persistent cookies, but does not protect you against cookies acquired during any one browsing session. When this is enabled, it becomes possible to easily cleanse your browser cookies by simply restarting Firefox. You can set exceptions on a per-site basis, if you wish to stay logged in to a particular site you visit often. + +##### Search Suggestions + +- [ ] Uncheck **Provide search suggestions** + +Search suggestion features may not be available in your region. + +Search suggestions send everything you type in the address bar to the default search engine, regardless of whether you submit an actual search. Disabling search suggestions allows you to more precisely control what data you send to your search engine provider. + +##### 遙測 + +- [ ] Uncheck **Allow Firefox to send technical and interaction data to Mozilla** +- [ ] Uncheck **Allow Firefox to install and run studies** +- [ ] Uncheck **Allow Firefox to send backlogged crash reports on your behalf** + +> Firefox sends data about your Firefox version and language; device operating system and hardware configuration; memory, basic information about crashes and errors; outcome of automated processes like updates, safebrowsing, and activation to us. When Firefox sends data to us, your IP address is temporarily collected as part of our server logs. + +Additionally, the Firefox Accounts service collects [some technical data](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts). If you use a Firefox Account you can opt-out: + +1. Open your [profile settings on accounts.firefox.com](https://accounts.firefox.com/settings#data-collection) +2. Uncheck **Data Collection and Use** > **Help improve Firefox Accounts** + +##### HTTPS-Only Mode + +- [x] Select **Enable HTTPS-Only Mode in all windows** + +This prevents you from unintentionally connecting to a website in plain-text HTTP. Sites without HTTPS are uncommon nowadays, so this should have little to no impact on your day to day browsing. + +### Firefox Sync + +[Firefox Sync](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices and protects it with E2EE. + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + +The [Arkenfox project](https://github.com/arkenfox/user.js) provides a set of carefully considered options for Firefox. If you [decide](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) to use Arkenfox, a [few options](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) are subjectively strict and/or may cause some websites to not work properly - [which you can easily change](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) to suit your needs. We **strongly recommend** reading through their full [wiki](https://github.com/arkenfox/user.js/wiki). Arkenfox also enables [container](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users) support. + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + +## Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + 1. We advise against using the Flatpak version of Brave, as it replaces Chromium's sandbox with Flatpak's, which is less effective. Additionally, the package is not maintained by Brave Software, Inc. + +### Recommended Configuration + +These options can be found in :material-menu: → **Settings**. + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Prevent sites from fingerprinting me based on my language preferences** +- [x] Select **Aggressive** under Trackers & ads blocking + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under Block fingerprinting + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Social media blocking + +- [ ] Uncheck all social media components + +##### Privacy and security + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Use Google services for push messaging** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send daily usage ping to Brave** +- [ ] Uncheck **Automatically send diagnostic reports** +- [x] Select **Always use secure connections** in the **Security** menu +- [ ] Uncheck **Private window with Tor** (1) + + !!! tip "Sanitizing on Close" + - [x] Select **Clear cookies and site data when you close all windows** in the *Cookies and other site data* menu + + If you wish to stay logged in to a particular site you visit often, you can set exceptions on a per-site basis under the *Customized behaviors* section. + +
+ +1. Brave is **not** as resistant to fingerprinting as the Tor Browser and far fewer people use Brave with Tor, so you will stand out. Where [strong anonymity is required](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) use the [Tor Browser](tor.md#tor-browser). + +##### Extensions + +Disable built-in extensions you do not use in **Extensions** + +- [ ] Uncheck **Hangouts** +- [ ] Uncheck **WebTorrent** + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +##### Additional settings + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + +### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## Additional Resources + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin** is a popular content blocker that could help you block ads, trackers, and fingerprinting scripts. + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + +##### Other lists + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格要求 + +- 必須是開源軟體。 +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + +### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. +- Does not include add-on functionality (bloatware) that does not impact user privacy. +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. + +[^1]: Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/zh-Hant/desktop.md b/i18n/zh-Hant/desktop.md new file mode 100644 index 00000000..3d926162 --- /dev/null +++ b/i18n/zh-Hant/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Desktop/PC" +icon: simple/linux +description: Linux distributions are commonly recommended for privacy protection and software freedom. +--- + +Linux distributions are commonly recommended for privacy protection and software freedom. If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions. + +- [General Linux Overview :material-arrow-right-drop-circle:](os/linux-overview.md) + +## Traditional Distributions + +### Fedora Workstation + +!!! recommendation + + ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ align=right } + + **Fedora Workstation** is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org). These new technologies often come with improvements in security, privacy, and usability in general. + + [:octicons-home-16: Homepage](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Fedora has a semi-rolling release cycle. While some packages like [GNOME](https://www.gnome.org) are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months. + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed** is a stable rolling release distribution. + + openSUSE Tumbleweed has a [transactional update](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) system that uses [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) to ensure that snapshots can be rolled back should there be a problem. + + [:octicons-home-16: Homepage](https://get.opensuse.org/tumbleweed/){ .md-button .md-button--primary } + [:octicons-info-16:](https://doc.opensuse.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=Contribute } + +Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by [openQA](https://openqa.opensuse.org) to ensure its quality. + +### Arch Linux + +!!! recommendation + + ![Arch logo](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux** is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions). + + [:octicons-home-16: Homepage](https://archlinux.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.archlinux.org/){ .card-link title=Documentation} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=Contribute } + +Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently. + +Being a DIY distribution, you are [expected to set up and maintain](os/linux-overview.md#arch-based-distributions) your system on your own. Arch has an [official installer](https://wiki.archlinux.org/title/Archinstall) to make the installation process a little easier. + +A large portion of [Arch Linux’s packages](https://reproducible.archlinux.org) are [reproducible](https://reproducible-builds.org). + +## Immutable Distributions + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right } + + **Fedora Silverblue** and **Fedora Kinoite** are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the [GNOME](https://www.gnome.org/) desktop environment while Kinoite comes with [KDE](https://kde.org/). Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream. + + [:octicons-home-16: Homepage](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=Documentation} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=Contribute } + +Silverblue (and Kinoite) differ from Fedora Workstation as they replace the [DNF](https://fedoraproject.org/wiki/DNF) package manager with a much more advanced alternative called [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/). The `rpm-ostree` package manager works by downloading a base image for the system, then overlaying packages over it in a [git](https://en.wikipedia.org/wiki/Git)-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image. + +After the update is complete you will reboot the system into the new deployment. `rpm-ostree` keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed. + +[Flatpak](https://www.flatpak.org) is the primary package installation method on these distributions, as `rpm-ostree` is only meant to overlay packages that cannot stay inside of a container on top of the base image. + +As an alternative to Flatpaks, there is the option of [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) to create [Podman](https://podman.io) containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a [useful feature](https://containertoolbx.org) for the discerning developer. + +### NixOS + +!!! recommendation + + ![NixOS logo](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability. + + [:octicons-home-16: Homepage](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=Contribute } + +NixOS’s package manager keeps every version of every package in a different folder in the **Nix store**. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only. + +NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also *test* the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system. + +Nix the package manager uses a purely functional language - which is also called Nix - to define packages. + +[Nixpkgs](https://github.com/nixos/nixpkgs) (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config. + +Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed *pure* environment, which is as independent of the host system as possible, thus making binaries reproducible. + +## Anonymity-Focused Distributions + +### Whonix + +!!! recommendation + + ![Whonix logo](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix** is based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure), a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with [Qubes OS](#qubes-os). + + [:octicons-home-16: Homepage](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=Documentation} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=Contribute } + +Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. + +Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [encrypted swap](https://github.com/Whonix/swap-file-creator), and a hardened memory allocator. + +Future versions of Whonix will likely include [full system AppArmor policies](https://github.com/Whonix/apparmor-profile-everything) and a [sandbox app launcher](https://www.whonix.org/wiki/Sandbox-app-launcher) to fully confine all processes on the system. + +Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has various [disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. + +### Tails + +!!! recommendation + + ![Tails logo](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails** is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses [Tor](tor.md) to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off. + + [:octicons-home-16: Homepage](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=Documentation} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=Contribute } + +Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized. + +Tails includes [uBlock Origin](desktop-browsers.md#ublock-origin) in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. [Whonix](desktop.md#whonix) virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device. + +By design, Tails is meant to completely reset itself after each reboot. Encrypted [persistent storage](https://tails.boum.org/doc/persistent_storage/index.en.html) can be configured to store some data between reboots. + +## Security-focused Distributions + +### Qubes OS + +!!! recommendation + + ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS** is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and use most of the Linux drivers. + + [:octicons-home-16: Homepage](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: Overview](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title=Documentation } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=Contribute } + +Qubes OS is a Xen-based operating system meant to provide strong security for desktop computing through secure virtual machines (VMs), also known as *Qubes*. + +The Qubes OS operating system secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate VMs. Should one part of the system be compromised, the extra isolation is likely to protect the rest of the system. For further details see the Qubes [FAQ](https://www.qubes-os.org/faq/). + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +Our recommended operating systems: + +- Must be open-source. +- Must receive regular software and Linux kernel updates. +- Linux distributions must support [Wayland](os/linux-overview.md#Wayland). +- Must support full-disk encryption during installation. +- Must not freeze regular releases for more than 1 year. We [do not recommend](os/linux-overview.md#release-cycle) "Long Term Support" or "stable" distro releases for desktop usage. +- Must support a wide variety of hardware. diff --git a/i18n/zh-Hant/dns.md b/i18n/zh-Hant/dns.md new file mode 100644 index 00000000..58ae1a5d --- /dev/null +++ b/i18n/zh-Hant/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS解析器" +icon: material/dns +description: 我們建議切換到這些加密 DNS 提供商,以取代您 ISP 所預設的配置。 +--- + +使用第三方伺服器的加密 DNS 只能避開基本的 [DNS 封鎖](https://en.wikipedia.org/wiki/DNS_blocking) ,當您確定不會有不良後果時。 加密的 DNS 無法為您隱藏瀏覽活動。 + +[了解更多 DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## 推薦的 DNS 提供商 + +| DNS 提供者 | 隐私政策 | 協議 | 日誌記錄 | ECS | 篩選 | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------ | --- | --------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | 一些[^1] | 不是 | 根據伺服器的選擇。 使用的過濾器列表可以在這裡找到。 [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | 明文
DoH/3
DoT | 一些[^2] | 不是 | 根據伺服器的選擇。 | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | 明文
DoH/3
DoT
DoQ | 可選[^3] | 不是 | 根據伺服器的選擇。 | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | 否[^4] | 不是 | 根據伺服器的選擇。 正在使用的過濾器列表可以在這裡找到。 [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | 明文
DoH/3
DoT | 可選[^5] | 可選的 | 根據伺服器的選擇。 | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | 明文
DoH
DoT
DNSCrypt | 一些[^6] | 可選的 | 根據伺服器選擇,預設會封鎖惡意程式碼。 | + +## 標準 + +**請注意,我們這裏所推薦專案沒有任何牽扯。 ** 除了 [我們的標準準則](about/criteria.md)外,還有一套明確要求以提出客觀建議。 我們建議您在選擇使用任何項目之前先熟悉此列表,並進行自己的研究,以確保您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請[在我們的論壇上提問] (https://discuss.privacyguides.net/latest) ,不要因為未列出而認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個專案時,會考慮和討論許多因素,記錄每一個項目都是一件持續的工作。 + +- 必須支援 [ DNSSEC ](advanced/dns-overview.md#what-is-dnssec)。 +- [QNAME 最小化](advanced/dns-overview.md#what-is-qname-minimization). +- 可讓 [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs)禁用 。 +- 首選 [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) 支援或地理轉向支援。 + +## 原生作業系統支援 + +### Android + +Android 9 以上版本支持 DoT (DNS over TLS)。 設定方式可以在以下位置找到: **設定** → **網路 & 網際網路** → **私人 DNS**。 + +### Apple裝置 + +最新版本的 iOS、iPadOS、tvOS 和 macOS 都支持 DoT 和 DoH。 這兩個通訊協議都透過 [組態檔](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) 或透過 [DNS 設定 API ](https://developer.apple.com/documentation/networkextension/dns_settings)獲得原生支援。 + +安裝設定設定檔或使用 DNS 設定API 的應用程式後,即可選擇 DNS 設定。 如果啟用 VPN, 隧道內的解析將使用 VPN 的 DNS 設置,而不是設備系統的設置。 + +#### 已簽署的設定檔 + +Apple不提供用於建立加密DNS設定檔的原生介面。 [Secure DNS profile creator](https://dns.notjakob.com/tool.html) 是一款非正式工具用以建立您自己的加密 DNS 設定檔。不過這個軟體並未得到簽署。 最好是簽署過個人資設定檔;簽署會驗證個人資料的來源,並有助於確保個人資料的完整性。 綠色的「已驗證」標籤會提供給已簽署的配置文件。 代碼簽名的詳細資訊,請參閱 [關於代碼簽名](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html)。 由 [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html)、 [NextDNS](https://apple.nextdns.io)和 [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/)提供的**簽名設定檔** 。 + +!!! 資訊 + + 許多 Linux 發行版用來進行DNS查詢的`systemd-resolved` 還不[支援 DoH] (https://github.com/systemd/systemd/issues/8639)。 如果要使用 DoH ,您需要安裝一個類似 [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy)的代理,並[設定] (https://wiki.archlinux.org/title/Dnscrypt-proxy)讓系統解析器獲取所有 DNS 查詢,並透過 HTTPS 轉發。 + +## 加密的DNS代理 + +加密DNS代理軟體提供了一個本地代理,用於將 [個未加密的DNS](advanced/dns-overview.md#unencrypted-dns) 解析器轉發到。 通常,它用於原本不支持 [加密 DNS ](advanced/dns-overview.md#what-is-encrypted-dns)的平臺。 + +### RethinkDNS + +!!! recommendation + + ! [RethinkDNS logo] (assets/img/android/rethinkdns.svg#only-light) {align = right} + ! [RethinkDNS logo] (assets/img/android/rethinkdns-dark.svg#only-dark) {align = right} + + * * RethinkDNS * *是一個開源 Android 用戶端工具,支持 [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh)、 [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot)、 [DNSCrypt](advanced/dns-overview.md#dnscrypt)和 DNS 代理,以及快取DNS 回應、本地記錄 DNS 查詢,也可用作防火牆。 + + [:octicons-home-16: Homepage](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-proxy + +!!! recommendation + + ! [dnscrypt-proxy logo] (assets/img/dns/dnscrypt-proxy.svg) {align = right} + + * * dnscrypt-proxy * *是 DNS 代理,支持 [DNSCrypt](advanced/dns-overview.md#dnscrypt)、 [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh)和[Anonymized DNS] (https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS)。 + + !!! 警告 "匿名化 DNS 功能[* * 不會 * *] (advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns)匿名化其他網路流量。 + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## 自主託管方案 + +在被控制平臺,自主託管 DNS 可提供有用的過濾,例如智能電視和其他物聯網設備,因為不需要客戶端軟件。 + +### AdGuard首頁 + +!!! recommendation + + ! [AdGuard 首頁標誌] (assets/img/dns/adguard-home.svg) {align = right} + + * * AdGuard * *是一個開源的 [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) ,使用[DNS 過濾] (https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/)來封鎖不需要的網頁內容,例如廣告。 + + AdGuard 首頁提供精美的網頁介面,可查看有用資訊並管理被封鎖的內容。 + + [:octicons-home-16: Homepage](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="Source Code" } + +### Pi-hole + +!!! recommendation + + ! [Pi-hole logo] (assets/img/dns/pi-hole.svg) {align = right} + + * * Pi-hole * *是一個開源的 [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole) ,它使用 [DNS 篩選] (https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/)來阻止不需要的網頁內容,例如廣告。 + + Pi-hole 設計應用在 Raspberry Pi ,但它不限於這種硬體。 該軟體良好的 Web 界面,可查看有用資訊和管理被阻止的內容。 + + [:octicons-home-16: Homepage](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="Source Code" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title=Contribute } + +[^1]: AdGuard 儲存其 DNS 伺服器的總和效能指標,即對特定伺服器的全部請求數量、被封鎖的請求數量,以及處理請求的速度。 他們還會保存和儲存過去24小時內所請求的網域資料庫。 我們需要這些資訊來識別和阻止新的追蹤器和威脅。 我們還記錄了這些追蹤器被封鎖的次數。 我們需要這些資訊以便在過濾器中刪除過時的規則。 [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare 僅收集並儲存發送至 1.1.1.1解析器的有限 DNS 查詢資料。 1.1.1.1解析器服務不會記錄個人資料,且大部分有限的非個人識別查詢資料僅存儲25小時。 [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D 只有記錄使用自定義 DNS 配置的高級解析器。 免費解析器不記錄數據。 [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad 的 DNS 服務可供 Mullvad VPN 的訂閱者和非訂閱者使用。 他們的隱私政策明確聲稱他們不會以任何方式記錄 DNS 請求。 [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS 可以在選擇加入的基礎上提供洞察和記錄功能。 您可以選擇保留的任何日誌選擇時間長短和日誌儲存位置。 如果沒有特別要求,則不會記錄任何數據。 [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9會收集一些資料,以進行威脅監控和回應。 然後這些資料會被重新混合與共享,例如用於安全研究。 Quad9 不會收集或記錄 IP 位址或其他他們認為可識別個人身份的資料。 [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/zh-Hant/email-clients.md b/i18n/zh-Hant/email-clients.md new file mode 100644 index 00000000..a20994ca --- /dev/null +++ b/i18n/zh-Hant/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "電子郵件客戶端程式" +icon: material/email-open +description: 這些電子郵件客戶端尊重隱私並支持OpenPGP電子郵件加密。 +--- + +我們的推薦清單包含支援 [OpenPGP](encryption.md#openpgp) 和如[Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth)強認證的電子郵件用戶端 。 OAuth允許您使用 [多因素驗證](basics/multi-factor-authentication.md) 並防止帳戶被盜。 + +??? 警告:「電子郵件不提供前向保密」 + + 當使用端到端加密( E2EE )技術(如OpenPGP )時,電子郵件仍然會有一些未在電子郵件標頭中加密的[一些中繼數據] ( email.md#email-metadata-overview )。 + + OpenPGP 也不支援[前向保密] (https://en.wikipedia.org/wiki/Forward_secrecy) ,這意味著如果你或收件人的私鑰被盜,所有以前用它加密的訊息都會被曝光: [如何保護我的私鑰?] (basics/email-security.md)考慮使用提供前向保密的媒介: + + [通時通訊] (real-time-communication.md){ .md-button } + +## 跨平臺 + +### Thunderbird + +!!! recommendation + + ! [Thunderbird logo] (assets/img/email-clients/thunderbird.svg) {align = right} + + * * Thunderbird * *是一個免費、開源、跨平臺的電子郵件、新聞組、新聞提要和聊天(XMPP、IRC、Twitter)客戶端,由Thunderbird 社區開發,之前由 Mozilla 基金會開發。 + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### 建議配置 + +我們建議您變更其中一些設定,讓Thunderbird更具私密性。 + +這些選項可以在 :material-menu: → **設定** → **隱私 & 安全性**中找到。 + +##### 網頁內容 + +- [ ]取消勾選 **記住我訪問過的網站和連結** +- [ ]取消勾選 **接受來自網站的cookie** + +##### 遙測 + +- [ ]取消勾選 **允許Thunderbird 向Mozilla**發送技術和互動資訊。 + +#### Thunderbird-user.js (進階) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js),是一組配置選項,旨在禁用 Thunderbird 內過多的網頁瀏覽功能,以減少表面暴露並保持隱私。 其中一些更改是從 [Arkenfox 專案](https://github.com/arkenfox/user.js)中後移的。 + +## 平臺特定 + +### Apple Mail (macOS) + +!!! recommendation + + ! [Apple Mail標誌] (assets/img/email-clients/applemail.png) {align = right} + + * * Apple Mail * *包含在 macOS,並可利用[GPG Suite] (encryption.md#gpg-suite)擴展支援 OpenPGP,增加了發送PGP 加密電子郵件的能力。 + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ! [Canary Mail logo] (assets/img/email-clients/canarymail.svg) {align = right} + + * * Canary Mail * *是一個付費的電子郵件用戶端,提供無縫的端到端加密安全功能,如生物識別應用程式鎖定。 + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! 警告 + + Canary Mail 最近才發布了 Windows 和 Android 用戶端,我們不認為它們已如 iOS和 Mac 用戶端一樣穩定。 + +Canary Mail 源碼為封閉式。 我們推薦它,因為 iOS 電子郵件客戶端支持 PGP E2EE 的選擇很少。 + +### FairEmail (Android) + +!!! recommendation + + ! [FairEmail標誌] (assets/img/email-clients/fairemail.svg) {align = right} + + * * FairEmail * *是一個極簡的開源電子郵件應用程式,使用開放標準(IMAP, SMTP, OpenPGP ),數據和電池使用量低。 + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ! [Evolution logo] (assets/img/email-clients/evolution.svg) {align = right} + + * * Evolution * *是個人資訊管理應用程式,提供綜合郵件、行事曆和聯絡簿功能。 Evolution有廣泛的 [文檔](https://help.gnome.org/users/evolution/stable/)來幫助您開始。 + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ! [K-9 Mail logo] (assets/img/email-clients/k9mail.svg) {align = right} + + * * K-9 Mail * *是一個獨立的郵件應用程式,同時支援 POP3 和IMAP 郵箱,但只支援 IMAP 推送郵件。 + + 未來 K-9 Mai l將成為[官方品牌] (https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird Android 用戶端。 + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! 警告 + + 當回覆郵件群組中的某人時,「回覆」選項也可能包括郵件群組。 如需更多資訊,請參閱[thundernest/k-9 # 3738] (https://github.com/thundernest/k-9/issues/3738)。 + +### Kontact (KDE) + +!!! recommendation + + ! [Kontact logo] (assets/img/email-clients/kontact.svg) {align = right} + + * * Kontact * *是來自 [KDE](https://kde.org)專案的個人資訊管理器(PIM)應用程式。 它提供了郵件客戶端、地址簿、待辦事項和 RSS 客戶端。 + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (瀏覽器) + +!!! recommendation + + ! [Mailvelope logo] (assets/img/email-clients/mailvelope.svg) {align = right} + + * * Mailvelope * *是一個瀏覽器擴充功能,可按照 OpenPGP 加密標準交換加密電子郵件。 + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ! [NeoMutt logo] (assets/img/email-clients/mutt.svg) {align = right} + + * * NeoMutt * *是 Linux 和 BSD 的開源命令行郵件閱讀器(或MUA )。 它是 [Mutt](https://en.wikipedia.org/wiki/Mutt_ (email_client))的分支,具有附加功能。 + + NeoMutt 是一個文字指令的客戶端,具有陡峭的學習曲線。 然而,它有高度自制的特色。 + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格要求 + +- 為開源作業系統開發的應用程式必須是開源的。 +- 必須不收集遙測,或有一個簡單的方法來禁用所有遙測。 +- 必須支援OpenPGP訊息加密。 + +### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 應該為開源的。 +- 應為跨平臺。 +- 預設情況下不應收集任何遙測。 +- 應該原生支持OpenPGP ,即沒有擴展。 +- 應該支持在本地存儲 OpenPGP 加密的電子郵件。 diff --git a/i18n/zh-Hant/email.md b/i18n/zh-Hant/email.md new file mode 100644 index 00000000..175edb50 --- /dev/null +++ b/i18n/zh-Hant/email.md @@ -0,0 +1,503 @@ +--- +title: "電子郵件服務" +icon: material/email +description: 這些電子郵件提供商提供了一個好地方來安全地存儲您的電子郵件,也有不少能與其他供應商相互操作的 OpenPGP 加密。 +--- + +電子郵件實際上是使用任何線上服務的必需品,但我們不建議把它應用於人與人之間的對話。 與其使用電子郵件聯繫他人,不如考慮使用支援前向保密的即時通訊媒介。 + +[推薦的即時通訊工具](real-time-communication.md ""){.md-button} + +除此之外,我們還推薦各種基於可持續商業模式和內置安全和隱私功能的電子郵件提供商。 + +- [OpenPGP 兼容的郵件提供商 :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [其他加密提供者 :material-arrow-right-drop-circle:](#more-providers) +- [電子郵箱別名服務 :material-arrow-right-drop-circle:](#email-aliasing-services) +- [自主託管選項 :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP 兼容服務 + +這些供應商原生支持OpenPGP加密/解密和Web密鑰目錄( WKD )標準,允許供應商無關的E2EE電子郵件。 例如, Proton Mail 用戶可以向 Mailbox.org 用戶發送 E2EE 消息,或者您可以從它支援的網際網路服務接收 OpenPGP 加密通知。 + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! 警告 + + 當使用像 OpenPGP 這類 E2EE 技術時,電子郵件仍然會有一些未加密的元數據。 閱讀更多有關[電子郵件元數據] (basics/email-security.md#email-metadata-overview)的資訊。 + + OpenPGP 也不支持前向保密,這意味著如果你或收件人的私鑰被盜,所有以前用它加密的消息都會洩露。 [如何保護我的私鑰?] (basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ! [Proton Mail logo] (assets/img/email/protonmail.svg) {align = right} + + * * Proton Mail * *是一家專注於隱私、加密、安全性和易用性的電子郵件服務。 自* * 2013 年* *開始運營。 Proton AG 總部位於瑞士日內瓦。 免費帳戶有 500 MB 的存儲j容量。 + + [:octicons-home-16: Homepage](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=ch.protonmail.android) + - [:simple-appstore: App Store] (https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub] (https://github.com/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows] (https://proton.me/mail/bridge#download) + - [:simple-apple: macOS] (https://proton.me/mail/bridge#download) + - [:simple-linux: Linux] (https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web] (https://mail.proton.me) + +免費帳戶有一些功能限制,例如無法搜索正文文本和無法訪問 [Proton Mail Bridge](https://proton.me/mail/bridge),它可以用在 [推薦的桌面電子郵件客戶端](email-clients.md) (例如Thunderbird )。 付費帳戶包括Proton Mail Bridge、額外儲存空間和自訂網域支援等功能。 Proton Mail 應用程式於2021年11月9日由 [Securitum](https://research.securitum.com)提供 [認證函](https://proton.me/blog/security-audit-all-proton-apps) 。 + +如果您有 Proton Unlimited 、Business 或 Visionary 計劃,也可免費獲得 [SimpleLogin](#simplelogin) Premium。 + +Proton Mail 的內容崩潰報告 **不會**對其它第三方分享。 可以在以下位置停用此功能: **設定** > **前往設定** > **帳戶** > **安全和隱私** > **傳送崩潰報告**。 + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +付費的 Proton Mail 訂閱者可以使用自定網域服務或 [通用電子郵件](https://proton.me/support/catch-all) 功能。 Proton Mail還支持 [子地址](https://proton.me/support/creating-aliases),這對於不想購買網域的人很有用。 + +#### :material-check:{ .pg-green } 私人付款方式 + +Proton Mail [除了標準信用卡/簽帳卡外,還接受](https://proton.me/support/payment-options) 現金郵寄, [比特幣](advanced/payments.md#other-coins-bitcoin-ethereum-etc)和 PayPal 付款。 + +#### :material-check:{ .pg-green } 帳戶安全 + +Proton Mail 支援使用 FIDO2 或 U2F標準 的 TOTP [雙因素驗證](https://proton.me/support/two-factor-authentication-2fa) 和 [硬體安全金鑰](https://proton.me/support/2fa-security-key) 。 使用硬體安全金鑰需要先設定 TOTP 雙因素驗證。 + +#### :material-check:{ .pg-green } 資料安全 + +在用戶未登入時,Proton Mail 使用 [zero-access 加密技術](https://proton.me/blog/zero-access-encryption)來保護電子郵件[行事曆](https://proton.me/news/protoncalendar-security-model)的資料安全。 使用零訪問加密保護的數據只能由您訪問。 + +存儲在 [Proton 通錄](https://proton.me/support/proton-contacts)中的某些資訊,例如顯示名稱和電子郵件地址,並未使用零存取加密進行保護。 支援零存取加密的聯絡人欄位(例如電話號碼)會以掛鎖圖示顯示。 + +#### :material-check:{ .pg-green }電子郵件加密 + +Proton Mail 網頁郵件整合了 [OpenPGP 加密](https://proton.me/support/how-to-use-pgp) 。 發送到其他 Proton Mai l帳戶的電子郵件會自動加密,並且可以在您的帳戶設置中輕鬆啟用使用 OpenPGP 金鑰對非 Proton Mail 地址進行加密。 它可以 [加密非 Proton Mail 郵件地址的訊息](https://proton.me/support/password-protected-emails),不必非得使用 Proton Mail 帳戶或 OpenPGP 之類的軟體。 + +Proton Mail 還支持通過 HTTP 的 [Web 密鑰目錄( WKD )](https://wiki.gnupg.org/WKD)發現公鑰。 這可讓非 Proton Mail 用戶可以輕鬆找到 Proton Mail 帳戶的 OpenPGP 金鑰,以利跨供應商進行 E2EE 。 + + +#### :material-information-outline:{ .pg-blue } 帳戶終止 + +若您的付費帳戶逾期 14天[未付款](https://proton.me/support/delinquency) , 您將無法讀取自己的資料。 30天後,您的帳戶將標記為拖欠狀態,無法再收取郵件。 在此期間,我們會繼續向你收費。 + +#### :material-information-outline:{ .pg-blue } 額外功能 + +Proton Mail 提供每月 9.99 歐元的“無限 Unlimited”帳戶,除了提供多個帳戶、域名、別名和 500GB 儲存空間外,還可以使用 Proton VPN。 + +Proton Mail不提供數字遺產功能。 + +### Mailbox.org + +!!! recommendation + + ! [Mailbox.org 標誌] (assets/img/email/mailboxorg.svg) {align = right} + + * * Mailbox.org * *電子郵件服務,專注於安全、無廣告和使用 100% 民間環保發電能源。 自* * 2014 年* *開始運營。 Mailbox.org總部位於德國柏林。 初級帳戶有 2GB 儲存空間,可以根據需要升級。 + + [:octicons-home-16: Homepage](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org 可以使用自定網域,且支援 [通用電子郵件](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) 地址。 Mailbox.org 也支援 [子地址](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it),如果您不想購買網域,這很有用。 + +#### :material-check:{ .pg-green } 私人付款方式 + +Mailbox.org 不接受任何加密貨幣,因為他們的支付處理商 BitPay 暫停了德國業務。 不過他們可以收郵寄現金、銀行帳戶現金支付、銀行轉帳、信用卡、 PayPa l以及幾個德國特定處理商: paydirekt 和 Sofortüberweisung。 + +#### :material-check:{ .pg-green } 帳戶安全 + +Mailbox.org支援 [雙因素驗證](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) ,僅適用於他們的網絡郵件。 您可以通過 [Yubicloud ](https://www.yubico.com/products/services-software/yubicloud)使用 TOTP 或 [ Yubikey ](https://en.wikipedia.org/wiki/YubiKey) 。 Web 標準如 [WebAuthn ](https://en.wikipedia.org/wiki/WebAuthn) 尚不支援。 + +#### :material-information-outline:{ .pg-blue } 資料安全 + +Mailbox.org 允許使用 [加密郵箱](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox)對傳入郵件進行加密。 收到的新訊息將立即用您的公鑰加密。 + +但是, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange)---- Mailbox.org使用的軟件平臺, [不支持](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) 通訊錄和行事曆加密。 [獨立的選項](calendar.md) 可能更適合該資訊。 + +#### :material-check:{ .pg-green }電子郵件加密 + +Mailbox.org在他們的網絡郵件中有 [個集成的加密](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) ,這簡化了向具有公開OpenPGP密鑰的人發送消息。 它們還允許 [遠端收件人解密 Mailbox.org伺服器上的電子郵件](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) 。 當遠端收件人沒有 OpenPGP 無法解密自己郵箱中的電子郵件時,此功能非常有用。 + +Mailbox.org 還支持通過 HTTP 的 [Web密鑰目錄( WKD )](https://wiki.gnupg.org/WKD)發現公鑰。 因此其它人可以輕鬆找到 Mailbox.org 帳戶的 OpenPGP 金鑰,便於跨提供者使用 E2EE。 + +#### :material-information-outline:{ .pg-blue } 帳戶終止 + +當合約到期後,您的帳戶將受到限制,在 [30天後,它將被永久刪除](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract)。 + +#### :material-information-outline:{ .pg-blue } 額外功能 + +您可以透過 IMAP/SMTP 使用其 [.onion 服務](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org)存取您的 Mailbox.org 帳戶。 然而,他們的網頁郵件介面無法訪問其 .onion 服務,可能會遇到 TLS 憑證錯誤。 + +所有帳戶都附帶有限、[可以加密](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive)的雲端儲存空間 。 Mailbox.org 還提供別名 [@ secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely),它對郵件伺服器之間的連線強制進行TLS加密,否則根本不會發送訊息。 Mailbox.org 除了支援 IMAP 和 POP3 等標準存取通訊協議外,還支援 [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) 。 + +Mailbox.org 所有方案都提供了數位遺產功能。 你可以選擇是否要將任何資料傳遞給繼承人,但對方必須提出你的遺囑證明。 或者,您可以通過姓名和地址提出人選。 + +## 更多供應商 + +這些提供商以零知識加密方式儲存您的電子郵件,使其成為保護儲存電子郵件安全的絕佳選擇。 但是,它們不支持供應商之間可相互操作 E2EE 通信的加密標準。 + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ! [StartMail logo] (assets/img/email/startmail.svg#only-light) {align = right} + ! [StartMail標誌] (assets/img/email/startmail-dark.svg#only-dark) {align = right} + + * * StartMail * *是一項電子郵件服務,通過使用標準OpenPGP加密來關注安全和隱私。 StartMail 自 2014 年開始運營,總部位於荷蘭 Zeist Boulevard 11。 帳戶以10GB開始。 提供 30天的試用期。 + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? 下載 + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +個人帳戶可以使用 [自定或系統生成](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) 別名。 也可用[自定網域](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) 。 + +#### :material-alert-outline:{ .pg-orange } 私人付款方式 + +StartMail 接受 Visa 、MasterCard 、American Express 信用卡和 Paypal。 StartMail還有其他 [付款選項](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) ,例如 [比特幣](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (目前僅適用於個人帳戶)和 SEPA 直接扣賬(使用超過一年的帳戶)。 + +#### :material-check:{ .pg-green } 帳戶安全 + +StartMail 只支援網頁郵件 [ TOTP 雙因素驗證](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA)。 他們無法透過 U2F 安全金鑰驗證。 + +#### :material-information-outline:{ .pg-blue } 資料安全 + +StartMail 還有 [零存取加密](https://www.startmail.com/en/whitepaper/#_Toc458527835),透過其「使用者保管庫」系統保護用戶未登入時的資料安全。 當您登入後,保管庫將被打開,並將電子郵件移出佇列,由相應的私鑰解密。 + +StartMail 支援匯入 [聯絡人](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) ,但它們只能在網頁郵件中存取,而不能透過 [ CalDAV ](https://en.wikipedia.org/wiki/CalDAV)等協議存取。 連絡人資料也不會使用零知識加密儲存。 + +#### :material-check:{ .pg-green }電子郵件加密 + +StartMail 網頁郵件 [整合了加密](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) ,以便使用公開OpenPGP 密鑰發送加密消息。 但是,它們不支持 Web 密鑰目錄標準,這讓其他電子郵件提供商或客戶端軟體不容易找到 Startmail 郵箱的公鑰。 + +#### :material-information-outline:{ .pg-blue } 帳戶終止 + +若帳戶遲未按時繳款 StartMail 在[六個月內三階段警告](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration),最後會永久刪除帳戶。 + +#### :material-information-outline:{ .pg-blue } 額外功能 + +StartMail 允許在電子郵件中使用代理圖像。 如果您允許載入遠端影像,發件人將不會知道您的IP位址。 + +Proton Mail不提供數字遺產功能。 + +### Tutanota + +!!! recommendation + + ! [Tutanota標誌] (assets/img/email/tutanota.svg) {align = right} + + * * Tutanota * * 使用加密、關注安全和隱私的電子郵件服務。 Tutanota自* * 2011 年* *開始運營,總部位於德國漢諾威。 免費帳戶有 1GB 儲存空間。 + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota 不支援 [ IMAP 協議](https://tutanota.com/faq/#imap) 或使用第三方 [電子郵件客戶端](email-clients.md),您也無法將 [外部電子郵件帳戶](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) 添加到 Tutanota應用程式。 目前不支援 [電子郵件匯入](https://github.com/tutao/tutanota/issues/630) 與 [子資料夾](https://github.com/tutao/tutanota/issues/927) ,但很快就 [會改善](https://tutanota.com/blog/posts/kickoff-import)。 電子郵件可以單個 [或選擇資料夾批量](https://tutanota.com/howto#generalMail)匯出 ,但若您有許多資料夾,可能會不方便。 + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +付費Tutanota 帳戶可以有5 [別名](https://tutanota.com/faq#alias) 和 [自定網域](https://tutanota.com/faq#custom-domain)。 Tutanota 不能 [子地址(加號 +定址)](https://tutanota.com/faq#plus),但您可以使用自定義域名的 [通用電于郵件](https://tutanota.com/howto#settings-global)功能 。 + +#### :material-information-outline:{ .pg-blue } 私人付款方式 + +Tutanota 僅接受信用卡和 PayPal ,但 [加密貨幣](cryptocurrency.md) 可用於通過其[ 合作伙伴 Proxystore ](https://tutanota.com/faq/#cryptocurrency) 購買禮品卡。 + +#### :material-check:{ .pg-green } 帳戶安全 + +Tutanota支援 TOTP 或 U2F 的 [雙因素驗證](https://tutanota.com/faq#2fa) 。 + +#### :material-check:{ .pg-green } 資料安全 + +Tutanota 提供 [未登入零存取](https://tutanota.com/faq#what-encrypted) 支援,其應用在電子郵件、 [通訊錄](https://tutanota.com/faq#encrypted-address-book)以及 [行事曆](https://tutanota.com/faq#calendar)。 這意味著儲存在您帳戶中的訊息和其他資料只有您能讀取。 + +#### :material-information-outline:{ .pg-blue } 電子郵件加密 + +Tutanota [不使用 OpenPGP ](https://www.tutanota.com/faq/#pgp)。 只能透過 [臨時 Tutanota郵箱](https://www.tutanota.com/howto/#encrypted-email-external),才能接收非Tutanota電子郵件帳戶寄出的加密電子郵件。 + +#### :material-information-outline:{ .pg-blue } 帳戶終止 + +Tutanota [刪除六個月未登入使用的免費帳戶](https://tutanota.com/faq#inactive-accounts) 。 付費後,可以重用激活已停用的免費帳戶。 + +#### :material-information-outline:{ .pg-blue } 額外功能 + +Tutanota 向非營利組織提供免費 [商業版本](https://tutanota.com/blog/posts/secure-email-for-non-profit) 或大幅折扣。 + +Tutanota 付費版還有一種 [Secure Connect](https://tutanota.com/secure-connect/)功能。 這可以確保客戶的業務聯繫使用 E2EE。 價格爲一年 € 240 歐元。 + +Tutanota不提供數字遺產功能。 + +## 郵箱別名 + +電子郵件別名服務可讓您輕鬆地為每次網站註冊生成一個新的電子郵件地址。 您電子郵件別名會自動把郵件轉發到您選擇的電子郵件地址,以隱藏您“主要”電子郵件地址和電子郵件提供商。 真正的電子郵件別名比許多提供商常用和支持的加地址更好,這允許您創建別名,如yourname +[anythinghere]@ example.com ,因為網站,廣告商和跟蹤網絡可以簡單地刪除+符號之後的任何內容,以知道您的真實電子郵件地址。 + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +電子郵件別名可以作為一種保護措施,一旦您的電子郵件提供商停止運營。 在這種情況下,您可以輕鬆地將別名重新路由到新的電子郵件地址。 但這也意謂,您把信任轉移到另一家別名服務以繼續享用此功能。 + +使用專門的電子郵件別名服務比自定網域上的通用別名有許多好處: + +- 有需要時,可以單獨開啟和關閉別名,防止網站隨機發送電子郵件給您。 +- 從別名地址發送回覆,屏蔽真實電子郵件地址。 + +與「臨時電子郵件」服務相比,它們還有許多好處: + +- 別名是永久性的,如果您需要接收密碼重設等內容,可以再次開啟別名。 +- 電子郵件會發送到您信任的郵箱,而不是儲存在別名服務提供者。 +- 臨時電子郵件服務通常會有公共郵箱,任何知道地址的人都可以訪問,別名則您所私有的。 + +我們建議的電子郵件別名供應商,可讓您在他們控制的網域上創建別名,或您支付適度的年費來自定網域。 如果您想要最大限度的控制,也可以自主託管。 但是,使用自定網域可能會有隱私上的缺點:如果您是唯一使用該自定網域的人,只需查看電子郵件地址中的網域名稱並忽略 (@) 符號之前的所有內容,即可輕鬆跟蹤您的動作。 + +使用別名服務需要信任您的電子郵件提供商和您的別名提供商如何對待您未加密的消息。 有些供應商會透過自動 PGP 加密來稍微減輕這種情況,傳送到最終信箱供應商之前加密所傳送的電子郵件,將您需要信任的各方數量從兩個減少到一個。 + +### AnonAddy + +!!! recommendation + + ! [AnonAddy logo] (assets/img/email/anonaddy.svg#only-light) {align = right} + ! [AnonAddy標誌] (assets/img/email/anonaddy-dark.svg#only-dark) {align = right} + + * * AnonAddy * *可讓您在共享網域上免費創建 20 個網域別名,或無限制的「標準」別名,但後者匿名度低。 + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +您可以創建的共享別名數量(以@ anonaddy.me等共享網域結束)在AnonAddy的免費計劃上限制為20個,在$ 12/年計劃上限制為50個。 您可以創建無限的標準別名(以 @[username].anonaddy.com 或付費方案上的自定域名) ,但是如前所述,這可能不利隱私,因為人們可以僅根據域名將您的標準別名綁定在一起。 無限共享別名的價格爲36美元/年。 + +值得注意的免費功能: + +- [x] 20共享別名 +- [x] 無限的別名 +- [ ] No Outgoing Replies +- [x] 2 個收件人郵箱 +- [x] 自動PGP加密 + +### SimpleLogin + +!!! recommendation + + ! [Simplelogin logo] (assets/img/email/simplelogin.svg) {align = right} + + * * SimpleLogin * *是一項免費服務,可在各種共享域名上提供電子郵件別名,並可選擇提供無限別名和自訂域名等付費功能。 + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin 在 2022年4 月 8 日被 [ Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) 買下。 如果您的主要郵箱使用質子郵件, SimpleLogin是一個不錯的選擇。 由於這兩種產品現在都由同一家公司擁有,您現在只需要信任單一實體。 我們預計 SimpleLogin 未來會與 Proton 產品更緊密地整合。 SimpleLogin 繼續支援轉寄至您所選擇的任何電子郵件供應商。 Securitum [在2022年初審核了](https://simplelogin.io/blog/security-audit/) SimpleLogin ,所有問題 [都已解決](https://simplelogin.io/audit2022/web.pdf)。 + +您可以在設定中將您的 SimpleLogin 帳戶與 Proton 帳戶連結。 如果您有 Proton Unlimited 、Business 或 Visionary 計劃,也可免費獲得 SimpleLogin Premium。 + +值得注意的免費功能: + +- [x] 10共享別名 +- [x] 無限回復 +- [x] 1收件人郵箱 + +## 自主託管電子郵件 + +進階系統管理員可以考慮設定自己的電子郵件伺服器。 郵件伺服器需要注意和持續維護,以確保安全性和郵件傳遞的可靠性。 + +### 結合軟體解決方案 + +!!! recommendation + + ! [Mailcow logo] (assets/img/email/mailcow.svg) {align = right} + + * * Mailcow * *是一個更先進的郵件伺服器,非常適合有豐富 Linux 經驗者。 它的 Docke r容器中擁有您需要的一切:支援 DKIM 的郵件伺服器、防毒和垃圾郵件監控、具有SOGo 的 Webmail 和 ActiveSync ,以及具有2FA 支援的網頁管理介面。 + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ! [Mail-in-a-Box logo] (assets/img/email/mail-in-a-box.svg) {align = right} + + * * Mail-in-a-Box * *是部署 Ubuntu 郵件伺服器的自動設置腳本。 它的目標是讓人們更容易建立自己的郵件伺服器。 + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +為了更清楚手動設定方法,我們挑選了這兩篇文章: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## 標準 + +**請注意,我們與以下推薦的任何供應商並無瓜葛。** 除了 [我們的條件標準](about/criteria.md)外,我們還為任何希望獲得推薦的電子郵件供應商制定了一套明確要求,包括實施業界最佳做法,現代技術等。 我們建議您在選擇電子郵件提供商之前熟悉此列表,並進行自己的研究,以確保您選擇的電子郵件提供商是您的正確選擇。 + +### 技術 + +我們認為這些功能很重要,以便提供安全和最佳的服務。 您應該考慮提供商是否具有您需要的功能。 + +**最低合格要求:** + +- 使用零存取加密技術全程加密電子郵件帳戶資料。 +- 匯出功能為 [Mbox](https://en.wikipedia.org/wiki/Mbox) 或滙出符合 [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) 標準的個人.eml 格式。 +- 允許使用者使用自己的 [網域名稱](https://en.wikipedia.org/wiki/Domain_name)。 自定網域名稱對用戶來說很重要,因為它允許用戶在使用服務時仍維持持自我代理,以防服務變差或被另一家不優先考慮隱私的公司收購。 +- 在自有基礎設施上運作,即不建立在第三方電子郵件服務提供商之上。 + +**最佳案例:** + +- 使用零存取加密對所有帳戶資料(通訊錄、行事曆等)進行加密。 +- 網頁郵件整合 E2EE/PGP加密以更方便使用。 +- 支援 [WKD](https://wiki.gnupg.org/WKD) ,以改善透過HTTP發現公開的OpenPGP金鑰。 GnuPG 使用者可以透過輸入: `gpg --locate-key example_user@example.com` 取得金鑰。 +- 支援外部使用者的臨時信箱。 當您想要發送加密的電子郵件時,這非常有用,而無需將實際副本發送給您的收件人。 這些電子郵件通常具有限定時效,之後會被自動刪除。 它們也不需要收件人配置任何像OpenPGP這樣的加密技術。 +- 可提供 [onion 服務](https://en.wikipedia.org/wiki/.onion)的電子郵件服務供應商。 +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) 支持. +- 為擁有自己網域的用戶提供通用地址或別名功能。 +- 使用標準電子郵件存取協定,例如 IMAP、SMTP 或 [ JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol)。 標準存取協議確保客戶可以輕鬆下載所有電子郵件,一旦他們想切換到其它提供商。 + +### 隱私 + +我們希望所推薦的提供商盡可能少地收集客戶資料。 + +**最低合格要求:** + +- 保護發件人的IP位址。 在 `Received` 標題欄位中過濾它。 +- 除了使用者名稱和密碼外,不要求提供個人身份識別資訊(PII)。 +- 符合 GDPR 的隱私政策 +- 主機機房不要放在美國,因為 [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) [尚未改革](https://epic.org/ecpa/)。 + +**最佳案例:** + +- 接受 [匿名付款選項](advanced/payments.md) ([加密貨幣](cryptocurrency.md),現金,禮品卡等) + +### 安全 + +電子郵件伺服器處理大量非常敏感的資料。 我們期望供應商採用行業最佳實踐來保護其會員。 + +**最低合格要求:** + +- 使用 2FA 保護網頁郵件,如TOTP。 +- 無存取的靜態加密,如零存取加密。 提供者沒有其所持有資料的解密金鑰。 這可以防止流氓員工外洩所存取的資料或遠程對手通過獲得對伺服器的未經授權的訪問來竊取資料。 +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) 支持。 +- 使用 [Hardenize](https://www.hardenize.com/)、 [testssl.sh ](https://testssl.sh/)或 [ Qualys SSL Labs ](https://www.ssllabs.com/ssltest)等工具進行剖繪時,沒有TLS 錯誤或漏洞;這包括與憑證相關的錯誤和弱 DH參數,例如導致 [ Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)) 的錯誤。 +- 伺服器套件偏好(在TLS v1.3上可選),適用於支持正向保密和已驗證加密的強大密碼套件。 +- 有效的 [MTA-STS](https://tools.ietf.org/html/rfc8461) 和[TLS-RPT](https://tools.ietf.org/html/rfc8460) 政策。 +- 有效 [ DANE ](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) 紀錄。 +- 有效的 [SPF ](https://en.wikipedia.org/wiki/Sender_Policy_Framework) 和 [ DKIM ](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) 記錄。 +- 擁有適當的 [DMARC ](https://en.wikipedia.org/wiki/DMARC) 記錄和原則,或使用 [ ARC ](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) 進行驗證。 如果正在使用 DMARC 驗證,則必須將原則設置為 `拒絕` 或 `隔離`。 +- 伺服器套件最好為 TLS 1.2或更高版本以及 [ RFC8996](https://datatracker.ietf.org/doc/rfc8996/)計劃。 +- 假設使用SMTP,[SMTPS](https://en.wikipedia.org/wiki/SMTPS) 提交。 +- 網站安全標準,例如: + - [HTTP 嚴格傳輸安全性](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - 如果從外部網域加載東西時,[子資源完整性](https://en.wikipedia.org/wiki/Subresource_Integrity) 。 +- 必須支援檢視 [訊息表頭](https://en.wikipedia.org/wiki/Email#Message_header),因為它是確定電子郵件是否為網路釣魚嘗試的關鍵取證功能。 + +**最佳案例:** + +- 支持硬體驗證,即 U2F 和 [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)。 U2F 和 WebAuthn 更安全,因為它們使用儲存於客戶端硬體設備上的私鑰來驗證人員,而使用 TOTP 時共享祕密則直接儲存在網頁伺服器和客戶端。 再者 U2F 和 WebAuthn 更能抵抗網絡釣魚,因為它們的驗證回應是基於已驗證過的 [域名](https://en.wikipedia.org/wiki/Domain_name)。 +- [DNS憑證授權機構授權(CAA)資源記錄](https://tools.ietf.org/html/rfc6844) 除了DANE支持。 +- 實現 [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain),這對於發佈郵件列表 [RFC8617](https://tools.ietf.org/html/rfc8617)非常有用。 +- 漏洞獎勵計劃和/或協調漏洞披露過程。 +- 網站安全標準,例如: + - [內容安全策略(CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### 信任 + +您不會把財務資料給身份作假的人,那麼為什麼會信任讓他們來使用您的電子郵件? 我們要求我們推薦的供應商公開其所有權或領導層級狀況。 我們也希望看到頻繁的透明度報告,特別是關於如何處理政府要求的報告。 + +**最低合格要求:** + +- 面向公眾的領導或所有權。 + +**最佳案例:** + +- 面向公眾的領導 +- 頻繁的透明度報告。 + +### 行銷 + +對於所推薦的電子郵件供應商,我們樂見其負責任的營銷。 + +**最低合格要求:** + +- 必須自主託管資料分析(沒有Google Analytics、Adobe Analytics等)。 對於那些希望選擇退出者,供應商的網站還必須符合 [DNT (請勿追蹤)](https://en.wikipedia.org/wiki/Do_Not_Track) 。 + +不得有任何不負責任的行銷: + +- 宣稱破解不了的加密 使用加密時應意識到,當有一天技術足以破解它時,它就不再是祕密的。 +- 保證 100% 匿名性保護。 當有人聲稱某件事是100 %時,這意味著失敗沒有確定性。 我們知道人們可以很容易地以多種方式去匿名化自己,例如: + +- 用戶在無使用匿名軟件( Tor , VPN等)時訪問留下個人資料(電子郵件帳戶、獨特的假名等)被一再使用, +- [瀏覽器指紋](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**最佳案例:** + +- 清晰易讀的文件。 這包括諸如設置 2FA 、電子郵件客戶端、OpenPGP等。 + +### 附加功能 + +雖然不是嚴格要求,但我們在決定推薦哪些提供商時還會考慮其他一些便利或隱私因素。 diff --git a/i18n/zh-Hant/encryption.md b/i18n/zh-Hant/encryption.md new file mode 100644 index 00000000..3c61c140 --- /dev/null +++ b/i18n/zh-Hant/encryption.md @@ -0,0 +1,356 @@ +--- +title: "加密軟體" +icon: material/file-lock +description: 數據加密是控制誰可以訪問它的唯一方法。 這些工具允許您加密電子郵件和任何其他檔案。 +--- + +數據加密是控制誰可以訪問它的唯一方法。 如果您目前沒有為您的硬盤,電子郵件或文件使用加密軟件,您應該在這裡選擇一個選項。 + +## 多平臺 + +此處列出的選項是多平臺的,非常適合建立資料的加密備份。 + +### Cryptomator (雲端) + +!!! recommendation + + ! [Cryptomator logo] (assets/img/encryption-software/cryptomator.svg) {align = right} + + * * Cryptomator * *是一種加密解決方案,專為將檔案私密保存到任何雲端提供商而設計。 它允許您創建存儲在虛擬驅動器上的保管庫,其內容已加密並與雲端儲存供應商同步。 + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator 使用 AES-256 加密來加密檔案和檔案名稱。 Cryptomator 無法加密中繼資料,例如存取、修改和創建時間戳記,也無法加密檔案和資料夾的數量和大小。 + +一些 Cryptomator 加密程式庫 [已被Cure53審核](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) 。 稽核程式庫的範圍包括: [cryptolib](https://github.com/cryptomator/cryptolib)、 [cryptofs](https://github.com/cryptomator/cryptofs)、 [siv-mode](https://github.com/cryptomator/siv-mode) 和 [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor)。 審計並未包含[cryptolib-swift](https://github.com/cryptomator/cryptolib-swift)它是 Cryptomator 運用在 iOS 程式庫。 + +Cryptomator 詳細介紹了其預期的 [安全目標](https://docs.cryptomator.org/en/latest/security/security-target/)、[安全架構](https://docs.cryptomator.org/en/latest/security/architecture/)和 [最佳實踐](https://docs.cryptomator.org/en/latest/security/best-practices/) ,以進一步詳細使用。 + +### Picocrypt (檔案) + +!!! recommendation + + ! [Picocrypt logo] (assets/img/encryption-software/picocrypt.svg) {align = right} + + * * Picocrypt * *是一個小而簡單的加密工具,提供現代加密。 Picocrypt 使用安全的 XChaCha20 密碼和 Argon2id 密鑰派生功能來提供高級別的安全性。 它使用 Go 標準x/crypto 模塊作為其加密功能。 + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (磁碟) + +!!! recommendation + + ! [VeraCrypt logo] (assets/img/encryption-software/veracrypt.svg#only-light) {align = right} + ! [VeraCrypt logo] (assets/img/encryption-software/veracrypt-dark.svg#only-dark) {align = right} + + * * VeraCrypt * *是一個開源的免費軟件實用程式,用於即時加密。 它可以在檔案中建立虛擬加密磁碟、加密分割區,或透過預先啟動驗證來加密整個儲存裝置。 + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt是已停產的 TrueCrypt 項目的分支。 根據其開發人員的說法,已經實施了安全性改進,並解決了最初的TrueCrypt 代碼審計提出的問題。 + +使用 VeraCrypt 加密時,您可以選擇不同的 [哈希函數](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme)。 我們建議您只需 **** 選擇 [SHA-512](https://en.wikipedia.org/wiki/SHA-512) 並堅持 [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) 區塊密碼。 + +Truecrypt 已完成[多次審計](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits),而 VeraCrypt 也曾接受 [獨立審計](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit)。 + +## 作業系統完整磁碟加密 + +現代作業系統包括 [FDE](https://en.wikipedia.org/wiki/Disk_encryption) ,並將有一個 [安全的加密處理器](https://en.wikipedia.org/wiki/Secure_cryptoprocessor)。 + +### BitLocker + +!!! recommendation + + ! [BitLocker logo] (assets/img/encryption-software/bitlocker.png) {align = right} + + * * BitLocker * *是 Microsoft Windows 捆綁的全磁區加密解決方案。 我們推薦它的主要原因是[使用 TPM] (https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm)。 取證公司[ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft)在[Understanding BitLocker TPM Protection] (https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/)中撰寫了有關此問題的文章。 + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker [僅支援](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) Windows 專業版、企業版和教育版。 它可以在家庭版上啓用,只要符合先決條件。 + +??? 示例“在Windows Home上啓用BitLocker” + + 若要在 Windows 家用版啟用 BitLocker ,必須使用 [GUID 分割表] (https://zh.wikipedia.org/wiki/GUID_Partition_Table)格式化的分割區,並且具有專用的TPM (v1.2, 2.0+)模組。 + + 1. 開啟命令提示符,並使用以下命令檢查磁碟機的分區表格格式。 您應該會在“分區樣式”下方看到“**GPT**” : + + ``` + powershell Get-Disk + ``` + + 2. 在管理員命令提示符中執行此命令以檢查您的TPM版本。 您應該會在 `個SpecVersion`旁邊看到 `2.0` 或 `1.2` : + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. 訪問[進階啟動選項](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). 重新啟動時需要在 Windows 啟動前按下F8 鍵,然後進入 *命令提示符* in **疑難排解** → **進階選項** → **命令提示符**。 + + 4. 使用管理員帳戶登入並在命令提示符中輸入指令以開始加密: + + ``` + manage-bde -on c: - used + ``` + + 5. 關閉命令提示符並繼續啟動正常Windows。 + + 6. 打開 admin 命令提示符並運行以下命令: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! 訣竅 + + 將桌面上的「BitLocker-Recovery-Key.txt」備份到單獨的儲存裝置。 若遺失恢復代碼可能會導致資料無法回復。 + +### FileVault + +!!! recommendation + + ! [FileVault logo] (assets/img/encryption-software/filevault.png) {align = right} + + * * FileVault * *是 macOS 內建的即時磁區加密方案。 建議使用FileVault ,因為它打抵擋 Apple siliconSoC 或 T2 安全晶片[硬體安全問題](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web)。 + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +我們建議您將本地恢復金鑰存放在安全的地方,而不是使用您的iCloud 帳戶進行恢復。 + +### Linux Unified Key設定 + +!!! recommendation + + ! [LUKS logo] (assets/img/encryption-software/luks.png) {align = right} + + * * LUKS * *是 Linux 預設 FDE 方法。 它可用於加密整個磁區、分割區或建立加密容器。 + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? 示例"建立和開啟加密容器" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### 開啟加密容器 + 建議使用'udisksctl`開啟容器和磁區,因為這使用 [Polkit](https://en.wikipedia.org/wiki/Polkit)。 大多數檔案管理器,例如流行的桌面環境中包含的檔案管理器,都可以解鎖加密的檔案。 [udiskie](https://github.com/coldfix/udiskie) 這類工具執行在系統常駐區並提供有用的使用介面。 + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! 備註 "記得備份磁區標頭" + + 我們建議您務必[備份您的LUKS標頭] (https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore)以防部分驅動器故障。 可以通過以下方式完成: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## 瀏覽器端 + +當您需要加密檔案但無法在裝置上安裝軟體或應用程式時,透過瀏覽器來加密可能很有用。 + +### hat.sh + +!!! recommendation + + ! [hat.sh logo] (assets/img/encryption-software/hat-sh.png#only-light) {align = right} + ! [hat.sh logo] (assets/img/encryption-software/hat-shark.png#only-dark) {align = right} + + * * Hat.sh * *是一款在瀏覽器中提供安全用戶端檔案加密的網頁應用程式。 它也可以是自行託管,如果您需要加密文件,但由於組織政策無法在設備上安裝任何軟件,這個方法將非常有用。 + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## 命令列 + +命令行界面的工具可用於集成 [shell 腳本](https://en.wikipedia.org/wiki/Shell_script)。 + +### Kryptor + +!!! recommendation + + ! [Kryptor logo] (assets/img/encryption-software/kryptor.png) {align = right} + + * * Kryptor * *是一個免費的開源文件加密和簽名工具,利用現代安全的加密算法。 它旨在成為更好版本的 [age](https://github.com/FiloSottile/age)和 [Minisign](https://jedisct1.github.io/minisign/),提供一個簡單,更容易的 GPG 替代品。 + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ! [Tomb logo] (assets/img/encryption-software/tomb.png) {align = right} + + * * Tomb * *是 LUKS 的命令行 shell 包裝器。 它通過[第三方工具] (https://github.com/dyne/Tomb#how-does-it-work)支持隱寫。 + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP 有時需要執行特定任務,例如數位簽署和加密電子郵件。 PGP具有許多功能,但也有爭議 [複數](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) ,因為它已經存在了很長時間。 對於簽署或加密檔案等任務,我們建議您使用上述選項。 + +使用 PGP 加密時,您可以選擇在 `gpg.conf` 檔案中設定不同的選項。 我們建議您繼續使用 [ GnuPG 用戶常見問題集](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf)中指定的標準選項。 + +!!! 訣竅 "在生成金鑰時使用未來的預設值" + + [生成密鑰] (https://www.gnupg.org/gph/en/manual/c14.html)時,建議使用`future-default`命令,因為這將指示 GnuPG 使用現代密碼學,例如 [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History)和 [Ed25519](https://ed25519.cr.yp.to/) : + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ! [GNU Privacy Guard logo] (assets/img/encryption-software/gnupg.svg) {align = right} + + * * GnuPG * *是 GPL授權的加密軟體 PGP 替代品。 GnuPG 符合[RFC 4880] (https://tools.ietf.org/html/rfc4880) ,這是目前 OpenPGP 的 IETF 規範。 GnuPG 專案一直致力於[更新] (https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) ,試圖現代化OpenPGP。 GnuPG 是自由軟體基金會GNU 軟體項目的一部分,並已收到德國政府的重大 [資助](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html)。 + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ! [GPG4win logo] (assets/img/encryption-software/gpg4win.svg) {align = right} + + * * GPG4win * *是[Intevation and g10 Code] (https://gpg4win.org/impressum.html) 的Windows 套件。 它包括[各種工具] (https://gpg4win.org/about.html) ,可協助您在 Microsoft Windows 上使用GPG。 該項目最初由德國聯邦信息安全辦公室 (BSI )於2005年發起並[資助](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography)。 + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! 備註 + + 我們建議[Canary Mail] (email-clients.md#canary-mail)在iOS裝置上使用PGP和電子郵件。 + +!!! recommendation + + ! [GPG Suite logo] (assets/img/encryption-software/gpgsuite.png) {align = right} + + * * GPG Suite * *爲 [Apple Mail] (email-clients.md#apple-mail)和macOS 提供OpenPGP 支持。 + + 我們建議您查看他們的[第一步指南] (https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email)和[使用知識庫] (https://gpgtools.tenderapp.com/kb)以取得支援。 + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ! [OpenKeychain logo] (assets/img/encryption-software/openkeychain.svg) {align = right} + + * * OpenKeychain * *是 GnuPG 的Android 實作。 郵件客戶端通常需要它,例如[K-9 Mail] ( email-clients.md#k-9-mail )和 [FairEmail]( email-clients.md#fairemail )以及其他 Android 應用程序提供加密支持。 Cure53 於2015年10月完成了 OpenKeychain 3.6 的[安全審核] (https://www.openkeychain.org/openkeychain-3-6)。 審核 OpenKeychain 方案的[技術細節在此](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015)。 + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格要求 + +- 跨平臺加密應用程序必須是開源的。 +- 檔案加密應用程式必須支援 Linux、macOS 和 Windows 的解密。 +- 外部磁碟加密應用程式必須支援 Linux、macOS 和 Windows 的解密。 +- 作業系統內部磁碟加密應用程式必須是跨平臺或原生內建作業系統。 + +### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的條件。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 作業系統(FDE)加密應用程式應使用硬體安全性,例如 TPM 或Secure Enclave。 +- 檔案加密應用程式應有自己的或第三方支援行動平臺。 diff --git a/i18n/zh-Hant/file-sharing.md b/i18n/zh-Hant/file-sharing.md new file mode 100644 index 00000000..7039c6a4 --- /dev/null +++ b/i18n/zh-Hant/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "文件共享和同步" +icon: material/share-variant +description: 探索如何在不同裝置、與朋友和家人私下分享檔案,或匿名上線。 +--- + +探索如何在裝置之間、與朋友和家人私下分享檔案,或匿名上線。 + +## 檔案分享 + +### Send + +!!! recommendation + + ! [Send logo] (assets/img/file-sharing-sync/send.svg) {align = right} + + * * Send * *是分支自 Mozilla 已停止的 Firefox Send服務,它允許您使用鏈接將檔案發送給其他人。 檔案在您的裝置上已加密,因此無法被伺服器讀取,並且它們也可以選擇受密碼保護。 Send 維護者託管[公共實例] (https://send.vis.ee/)。 你可以利用其他公開實例,也可以自行託管 Send。 + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send 可利用網頁界面或文字指令 [ffsend](https://github.com/timvisee/ffsend) 來傳送檔案。 如果您熟悉命令行並經常發送檔案,我們建議您使用文字指令的用戶端以避免基於JavaScript 的加密。 您可以利用 `--host` 指令來標記使用特定的伺服器: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ! [OnionShare logo] (assets/img/file-sharing-sync/onionshare.svg) {align = right} + + * * OnionShare * *是一個開源工具,可讓您安全匿名地共享任何大小的檔案。 它的工作原理是啟動可作為 Tor 洋蔥服務訪問的網頁伺服器,具有一個無法猜測的URL ,您可以與收件人共享以下載或發送檔案。 + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 不得將解密的資料儲存在遠端伺服器上。 +- 必須是開源軟體。 +- 必須有 Linux、macOS 和 Windows 用戶端;或 Web 網頁界面。 + +## FreedomBox + +!!! recommendation + + ! [FreedomBox logo] (assets/img/file-sharing-sync/freedombox.svg) {align = right} + + * * FreedomBox * *是設計在[單板電腦(SBC)] (https://en.wikipedia.org/wiki/Single-board_computer)上執行的作業系統。 其目的是讓設置自主託管的伺服器應用程式變得容易。 + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## 文件同步 + +### Nextcloud (客戶端-伺服器) + +!!! recommendation + + ! [Nextcloud logo] (assets/img/productivity/nextcloud.svg) {align = right} + + * * Nextcloud * *是一套免費開源用戶端伺服器軟體,可在您控制的私人伺服器上建立自己的檔案託管服務。 + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 危險 + + 我們不建議使用 Nextcloud [E2EE App] (https://apps.nextcloud.com/apps/end_to_end_encryption) ,因為它可能會導致資料丟失;目前它仍是高度實驗性,未達穩定品質。 + +### Syncthing ( P2P ) + +!!! recommendation + + ! [Syncthing logo] (assets/img/file-sharing-sync/syncthing.svg) {align = right} + + * * Syncthing * *是一個開源的點對點連續檔案件同步實用程式。 它可用在本地網路或網際網路的多個設備之間同步檔案。 Syncthing 不使用集中式伺服器;它使用 [Block Exchange Protocol] (https://docs.syncthing.net/specs/bep-v1.html # bep-v1)在裝置之間傳輸資料。 所有資料都使用 TLS 加密。 + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +#### 最低合格要求 + +- 必須不需要第三方遠端/雲端伺服器。 +- 必須是開源軟體。 +- 必須有 Linux、macOS 和 Windows 用戶端;或 Web 網頁界面。 + +#### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 具有適用於 iOS 和 Android 的移動客戶端,其至少支持文件預覽。 +- 支援 iOS 和 Android 照片備份, 或是最好能 支援Android 檔案/資料夾同步。 diff --git a/i18n/zh-Hant/financial-services.md b/i18n/zh-Hant/financial-services.md new file mode 100644 index 00000000..9aca9168 --- /dev/null +++ b/i18n/zh-Hant/financial-services.md @@ -0,0 +1,94 @@ +--- +title: 金融服務 +icon: material/bank +--- + +在線支付是隱私面臨的最大挑戰之一。 這些服務可以幫助您保護隱私,免受商家和其他追蹤者的影響,前提是您對如何有效地進行私人付款有深入的了解。 我們強烈建議您在網路購買前先閱讀本站私密付款之介紹: + +[私密付款 :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## 付款掩蔽服務 + +有許多服務提供“虛擬簽帳卡” ,在線商家接受此種付款方式則在大多數情況下不會透露您實際銀行或帳單信息。 請注意,這些金融服務 **並不是** 匿名,且受「了解您的客戶」( KYC )法律的約束,並可能需要客戶身份證明文件或其他識別信息。 這些服務主要保護您免受商家資料洩露、營銷機構粗糙的跟蹤或購買聯結以及線上資料盜竊;這些並 **不能** 在購買時完全匿名。 + +!!! 提示「檢查您目前的銀行」 + + 許多銀行和信用卡提供商提供本機虛擬卡功能。 如果您使用已提供的選項,則在大多數情況下使用時請依循以下建議。 你不信任把個人資料託付給各方人士。 + +### Privacy.com (美國) + +!!! recommendation + + ! [Privacy.com logo] (assets/img/financial-services/privacy_com.svg#only-light) {align = right} + ! [Privacy.com標誌] (assets/img/financial-services/privacy_com-dark.svg#only-dark) {align = right} + + * * Privacy.com * *的免費方案每月最多創建12 張虛擬卡,設定卡片的支付上限與立即關閉卡片。 付費計劃則每月最多創建 36 張卡,購買時可獲得1% 現金返還,並向銀行隱藏交易信息。 + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com 預設情況下將您購買的商家資訊提供給您的銀行。 付費版的「謹慎商家」功能會向您的銀行隱藏商家資訊,因此銀行只會看到使用 Privacy.com 進行購買,不會看到這筆錢花在哪裡,但這並不是萬無一失的, Privacy.com 仍然了解您花錢的商家。 + +### MySudo (美國,付費) + +!!! recommendation + + ! [MySudo logo] (assets/img/financial-services/mysudo.svg#only-light) {align = right} + ! [MySudo標誌] (assets/img/financial-services/mysudo-dark.svg#only-dark) {align = right} + + * * MySudo * *根據您購買的方案最多提供 9張虛擬卡。 付費方案還包括一些有助於私密購物的功能,例如虛擬電話號碼和電子郵件地址,但我們通常建議使用專業[電子郵件別名提供商] (email.md)進行廣泛的別名使用保護。 + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### 標準 + +**請注意,我們與所推薦專案沒有任何牽扯。 ** 除了 [我們的標準準則](about/criteria.md)外,還有一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 允許創建多張卡片,作為商家和您的個人財務之間的盾牌。 +- 卡片公司不得要求您向商戶提供準確的帳單地址資訊。 + +## 禮品卡市集 + +這些服務可接受 [加密貨幣](cryptocurrency.md)來購買各種商家禮品卡。 其中一些服務提供更高限額的身份驗證選項,它們也只淮許有電子郵件地址的帳戶。 基本帳戶的限額為每天 5,000-10,000 美元,身份驗證帳戶的限額則更高(如果提供)。 + +### Cake Pay + +!!! recommendation + + ! [CakePay標誌] (assets/img/financial-services/cakepay.svg) {align = right} + + * * Cake Pay * * 可用 Monero 購買禮品卡和相關產品。 Cake Wallet 行動應用程式僅購限美國商家可用 ,而 Cake Pay 網頁應用則包括廣泛的全球商家可選。 + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ! [CakePay標誌] (assets/img/financial-services/coincards.svg) {align = right} + + * * CoinCards * * (在美國、加拿大和英國)允許您購買各種商家禮品卡。 + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 接受付款 [使用推薦加密貨幣](cryptocurrency.md)。 +- 無需提供身份證件。 diff --git a/i18n/zh-Hant/frontends.md b/i18n/zh-Hant/frontends.md new file mode 100644 index 00000000..87cf46df --- /dev/null +++ b/i18n/zh-Hant/frontends.md @@ -0,0 +1,267 @@ +--- +title: "前端" +icon: material/flip-to-front +description: 這些用在各式網際網路服務的開源前端,可讓您訪問內容而無需 JavaScript 或其他干援。 +--- + +有時,某些服務會以煩人的彈出窗口來封鎖訪問內容,強迫訪客須註冊帳戶。 如果不啓用JavaScript ,也可能會中斷。 這些前端可以讓您避開這些限制。 + +## LBRY + +### Librarian + +!!! recommendation + + ! [Librarian logo] (assets/img/frontends/librarian.svg#only-light) {align = right} + ! [Librarian logo] (assets/img/frontends/librarian-dark.svg#only-dark) {align = right} + + * * Librarian * *是 [Odysee](https://odysee.com/) (LBRY)的免費開源前端,也是可自我託管的。 + + 有許多公共實例,其中一些實例支援 [Tor]( https://www.torproject.org )onion 服務。 + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! 警告 + + 預設情況下,圖書館員不會代理影片串流。 透過 Libraria 觀看的影片仍可直接連接至 Odysee伺服器(例如 "odycdn.com") ;然而某些情況下可能會啟用代理服務,詳情請參閱實例的隱私權政策。 + +!!! 提示 + + 如果您希望在行動裝置上觀看 LBRY 內容而無需強制遙測,以及想要瀏覽器禁用 JavaScript ,例如 [Tor瀏覽器] ( https://www.torproject.org/ )最安全的級別設置,Librarian 非常有用。 + +在自我出租時,重要的是要讓其他人使用您的實例,以便您融入其中。 謹慎處理 Librarian 的託管事宜,因為其他人的使用會與您的託管有很大關聯。 + +當使用 Libraian 實例時,請務必閱讀該實例的隱私權政策。 Librarian 實例可以由其擁有者修改,因此不見得會完全依照預設政策。 librarian 實例有「隱私營養標籤」功能,以提供政策的概覽。 有些實例有Tor .onion地址,只要您的搜尋查詢不包含PII ,這些地址可以保護某些隱私。 + +## Twitter + +### Nitter + +!!! recommendation + + ! [Nitter logo] (assets/img/frontends/nitter.svg) {align = right} + + * * Nitter * *是 [Twitter](https://twitter.com)的免費開源前端,也是可自我託管。 + + 有許多公共實例,其中一些實例支援 [Tor]( https://www.torproject.org )onion 服務。 + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! 提示 + + 如果想在不登錄的情況下瀏覽 Twitter 內容,或是在瀏覽器中禁用 JavaScript , Nitter非常有用,就像[Tor 瀏覽器] ( https://www.torproject.org/ )在最安全級別會關閉 JavaScript 。 它還可以[為 Twitter 建立 RSS 新聞源] (news-aggregators.md#twitter)。 + +在自我出租時,重要的是要讓其他人使用您的實例,以便您融入其中。 小心處理 Nitter 的託管 ,因為其他人的使用將與您的託管息息相關。 + +當使用 Nitter 實例時,請務必閱讀該實例的隱私權政策。 Nitter 實例可以由其擁有者修改,因此不見得會完全依照預設政策。 有些實例有Tor .onion地址,只要您的搜尋查詢不包含PII ,這些地址可以保護某些隱私。 + +## TikTok + +### ProxiTok + +!!! recommendation + + ! [ProxiTok logo] (assets/img/frontends/proxitok.svg) {align = right} + + * * ProxiTok * *是 [TikTok](https://www.tiktok.com)網站的開源前端,也可自主託管。 + + 有許多公共實例,其中一些實例支援 [Tor]( https://www.torproject.org )onion 服務。 + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! 提示 + + 如果想在瀏覽器中禁用 JavaScript ,例如[Tor瀏覽器] (https://www.torproject.org/)最安全級別, ProxiTok 非常有用。 + +在自我出租時,重要的是要讓其他人使用您的實例,以便您融入其中。 謹慎處理 ProxiTok 的託管事宜,因為其他人的使用會與您的託管有很大關聯。 + +當使用 ProxiTok 實例時,請務必閱讀該實例的隱私權政策。 ProxiTok 實例可以由其擁有者修改,因此不見得會完全依照預設政策。 有些實例有Tor .onion地址,只要您的搜尋查詢不包含PII ,這些地址可以保護某些隱私。 + +## YouTube + +### FreeTube + +!!! recommendation + + ! [FreeTube logo] (assets/img/frontends/freetube.svg) {align = right} + + * * FreeTube * *是 [YouTube](https://youtube.com)的免費開源桌面應用程式。 使用 FreeTube 時,訂閱清單和播放列表會在本地儲存在 本地裝置上。 + + 預設情況下, FreeTube 會封鎖所有 YouTube 廣告。 此外, FreeTube 可選擇與 [SponsorBlock](https://sponsor.ajay.app) 整合,可以跳過贊助的影片段。 + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! 警告 + + 使用 FreeTube 時,IP 位址可能會被 YouTube、[Invidious](https://instances.invidious.io)或 [SponsorBlock](https://sponsor.ajay.app/)所知,具體取決於您的設定。 如果您的[威脅模型] (basics/threat-modeling.md)需要隱藏您的IP 位址,請考慮使用 [VPN](vpn.md)或 [Tor](https://www.torproject.org)。 + +### Yattee + +!!! recommendation + + ! [Yattee logo] (assets/img/frontends/yattee.svg) {align = right} + + * * Yattee * *是一款免費的開源隱私導向影片播放器,適用於iOS、tvOS 和 macOS 觀看 [YouTube](https://youtube.com)。 使用 Yattee 時,訂閱清單和播放列表會儲存在 本地裝置上。 + + 由於 App Store 限制,您需要採取一些[額外步驟] (https://gonzoknows.com/posts/Yattee/)才能使用 Yattee 觀看YouTube。 + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! 警告 + + 使用 Yattee 時,IP位址可能仍會被 YouTube、 [Invidious](https://instances.invidious.io)、 [Piped](https://github.com/TeamPiped/Piped/wiki/Instances)或 [SponsorBlock](https://sponsor.ajay.app/)所知曉,具體取決於您的設定。 如果您的[威脅模型] (basics/threat-modeling.md)需要隱藏您的IP 位址,請考慮使用 [VPN](vpn.md)或 [Tor](https://www.torproject.org)。 + +預設情況下, Yattee 會封鎖所有 YouTube 廣告。 此外, Yattee 可選擇與 [SponsorBlock](https://sponsor.ajay.app) 整合,可以跳過贊助的影片段。 + +### LibreTube (Android) + +!!! recommendation + + ! [LibreTube logo] (assets/img/frontends/libretube.svg#only-light) {align = right} + ! [LibreTube logo] (assets/img/frontends/libretube-dark.svg#only-dark) {align = right} + + * * LibreTube * *是一款免費的 [YouTube](https://youtube.com)開源Android應用程序,使用 [Piped](# piped) API。 + + LibreTube 可將訂閱列表和播放列表存儲於 Android 設備,或者存儲到您選擇的 Piped 實例帳戶,以便利用其他設備無縫訪問。 + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! 警告 + + 使用 LibreTube 時,IP 位址會為所用的 [Piped](https://github.com/TeamPiped/Piped/wiki/Instances)實例和 [SponsorBlock](https://sponsor.ajay.app/)看見,具體取決於您的設定。 如果您的[威脅模型] (basics/threat-modeling.md)需要隱藏您的IP 位址,請考慮使用 [VPN](vpn.md)或 [Tor](https://www.torproject.org)。 + +預設情況下, LibreTube 會封鎖所有 YouTube 廣告。 此外, LibreTube 利用[SponsorBlock](https://sponsor.ajay.app) 來跳過贊助的影片段。 可以自行配置 SponsorBlock 要跳過的影片段類型,或完全禁用它。 播放器上有一個按鈕,如果需要,可以為特定影片禁用它。 + +### NewPipe (Android) + +!!! recommendation annotate + + ! [Newpipe logo] (assets/img/frontends/newpipe.svg) {align = right} + + * * NewPipe * *是 [YouTube](https://youtube.com)、 [SoundCloud](https://soundcloud.com)、 [media.ccc.de](https://media.ccc.de)、 [Bandcamp](https://bandcamp.com)和 [PeerTube](https://joinpeertube.org/) (1)的免費開源 Android應用程式。 + + 訂閱清單和播放列表會儲存在本地的 Android裝置。 + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? 下戴 + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. 預設實例為 [FramaTube](https://framatube.org/),但可在 **Settings** → **Content** → **PeerTube instance ** 添加更多實例。 + +!!! 警告 + + 使用NewPipe時,IP 位址會被所使用的影片供應商看見。 如果您的[威脅模型] (basics/threat-modeling.md)需要隱藏您的IP 位址,請考慮使用 [VPN](vpn.md)或 [Tor](https://www.torproject.org)。 + +### Invidious + +!!! recommendation + + ! [Invidious logo] (assets/img/frontends/invidious.svg#only-light) {align = right} + ! [INVIDIOUS LOGO] (assets/img/frontends/invidious-dark.svg#only-dark) {align = right} + + * * Invidious * *是 [YouTube](https://youtube.com)的免費開源前端,也可自行託管。 + + 有許多公共實例,其中一些實例支援 [Tor]( https://www.torproject.org )onion 服務。 + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! 警告 + + 預設情況下, Invidious不會代理影片串流。 通過 Invidious 觀看的影片會直接連接到 Google 伺服器(例如`googlevideo.com` ),但是有些實例支持影片代理-只需在實例設置中啟用*Proxy videos*或在 URL 中添加`&local = true`。 + +!!! 提示 + + 如果您想在瀏覽器中停用JavaScript ,例如[Tor瀏覽器] (https://www.torproject.org/)最安全級別,Invidious 非常有用。 它本身不提供隱私,故不建議登入任何帳戶。 + +在自我出租時,重要的是要讓其他人使用您的實例,以便您融入其中。 謹慎處理 Invidious 的託管事宜,因為其他人的使用會與您的託管有很大關聯。 + +當使用 Invidious 實例時,請務必閱讀該實例的隱私權政策。 Invidious 實例可以由其擁有者修改,因此不見得會完全依照預設政策。 有些實例有Tor .onion地址,只要您的搜尋查詢不包含PII ,這些地址可以保護某些隱私。 + +### Piped + +!!! recommendation + + ! [Piped logo] (assets/img/frontends/piped.svg) {align = right} + + * * Piped * *是 [YouTube](https://youtube.com)的免費開源前端,也是可自主託管。 + + Piped 需要JavaScript 才能運行,它有許多公共實例。 + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! 提示 + + 如果您想使用 [SponsorBlock](https://sponsor.ajay.app)但不安裝瀏覽器擴展或在不登入帳戶訪問有年齡限制的內容, Piped 非常有用。 它本身不提供隱私,故不建議登入任何帳戶。 + +在自我出租時,重要的是要讓其他人使用您的實例,以便您融入其中。 小心處理 Piped 託管 ,因為其他人的使用將與您的託管息息相關。 + +當使用 Piped 實例時,請務必閱讀該實例的隱私權政策。 Piped 實例可以由其擁有者修改,因此不見得會完全依照預設政策。 + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +推薦的前端… + +- 必須是開源軟體。 +- 必須是可自行託管。 +- 必須提供匿名訪客完整的網站基本功能。 + +我們只考慮網站的前端是... + +- 沒 JavaScript 無法正常存取。 diff --git a/i18n/zh-Hant/index.md b/i18n/zh-Hant/index.md new file mode 100644 index 00000000..cb75fae2 --- /dev/null +++ b/i18n/zh-Hant/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.zh-Hant.html +hide: + - navigation + - toc + - feedback +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## 為何我該關心? + +##### “我沒有什麼可隱瞞的。 為何我該在意自己的隱私? + +就像異族通婚、女性投票權、言論自由等等權利,隱私權並非總是好好地受保障 在一些獨裁政權下,根本無隱私可言 前人已為隱私權奮鬥了數個世代 ==隱私作為一種基本人權是人人生而固有==每個人都可(不受歧視地)享受此權利。 + +別再把隱私和祕密混為一談 人人都知道浴室裏發生了什麼,但你還是把門關上。 這是因為您需要隱私,而不是保密。 **每個人**都有要保護的東西 隱私讓我們之所以為人 + +[:material-target-account:共同的網際網路威脅](basics/common-threats.md ""){.md-button.md-button--primary} + +## 我該怎麼辦 + +##### 首先,您需要製定計劃 + +冀望您所有的資料完全免受任何人的侵害是不實際、昂貴且耗神的。 但別擔心 安全是一種過程,向前思考以製定出一個適合您的正確計劃。 安全性不是只限於您使用的工具或下載的軟件。 相反,它始於了解您面臨的獨特威脅,以及如何減輕它們。 + +==這個識別威脅和定義對策的過程稱為 **威脅模型**= = ,它構成了完整安全和隱私計劃的基礎。 + +[:material-book-outline: 了解更多關於威脅模型](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## ## 我们需要你! 參與方式如下: + +[:simple-discourse:](https://discuss.privacyguides.net/){title = "加入我們的論壇"} +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){rel = me title = "關注我們的Mastodon"} +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){title = "提供貢獻"} +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){title = "幫助網站翻譯"} +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){title = "在Matrix上與我們聊天"} +[:material-information-outline:](about/index.md){title = "更了解我們"} +[:material-hand-coin-outline:](about/donate.md){title = "支持本項目"} + +像 Privacy Guides 這類網站必須維持最新狀態。 我們需要觀眾留意網站上列出的應用程式的軟體更新,並掌握推薦供應商的最新消息。 跟上互聯網快速變化並不容易,但我們盡力而為。 如果您發現錯誤、認為不應該列出提供商、注意到沒列上的適格提供商、認為瀏覽器附加元件不再是最佳選擇或發現任何其他問題,請告訴我們。 diff --git a/i18n/zh-Hant/kb-archive.md b/i18n/zh-Hant/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/zh-Hant/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/zh-Hant/meta/brand.md b/i18n/zh-Hant/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/zh-Hant/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/zh-Hant/meta/git-recommendations.md b/i18n/zh-Hant/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/zh-Hant/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/zh-Hant/meta/uploading-images.md b/i18n/zh-Hant/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/zh-Hant/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/zh-Hant/meta/writing-style.md b/i18n/zh-Hant/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/zh-Hant/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/zh-Hant/mobile-browsers.md b/i18n/zh-Hant/mobile-browsers.md new file mode 100644 index 00000000..7042d509 --- /dev/null +++ b/i18n/zh-Hant/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "Mobile Browsers" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - Android + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +These are our currently recommended mobile web browsers and configurations for standard/non-anonymous internet browsing. If you need to browse the internet anonymously, you should use [Tor](tor.md) instead. In general, we recommend keeping extensions to a minimum; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + +## Android + +On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, [GeckoView](https://mozilla.github.io/geckoview/), has yet to support [site isolation](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) or enable [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196). + +### Brave + +!!! recommendation + + ![Brave logo](assets/img/browsers/brave.svg){ align=right } + + **Brave Browser** includes a built-in content blocker and [privacy features](https://brave.com/privacy-features/), many of which are enabled by default. + + Brave is built upon the Chromium web browser project, so it should feel familiar and have minimal website compatibility issues. + + [:octicons-home-16: Homepage](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="Source Code" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### Recommended Configuration + +Tor Browser is the only way to truly browse the internet anonymously. When you use Brave, we recommend changing the following settings to protect your privacy from certain parties, but all browsers other than the [Tor Browser](tor.md#tor-browser) will be traceable by *somebody* in some regard or another. + +These options can be found in :material-menu: → **Settings** → **Brave Shields & privacy** + +##### Shields + +Brave includes some anti-fingerprinting measures in its [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) feature. We suggest configuring these options [globally](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-) across all pages that you visit. + +##### Brave shields global defaults + +Shields' options can be downgraded on a per-site basis as needed, but by default we recommend setting the following: + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave allows you to select additional content filters within the internal `brave://adblock` page. We advise against using this feature; instead, keep the default filter lists. Using extra lists will make you stand out from other Brave users and may also increase attack surface if there is an exploit in Brave and a malicious rule is added to one of the lists you use. + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] Uncheck all social media components + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave Sync + +[Brave Sync](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) allows your browsing data (history, bookmarks, etc.) to be accessible on all your devices without requiring an account and protects it with E2EE. + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### Recommended Configuration + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +### 最低合格要求 + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- Any changes required to make the browser more privacy-respecting should not negatively impact user experience. +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### Extension Criteria + +- Must not replicate built-in browser or OS functionality. +- Must directly impact user privacy, i.e. must not simply provide information. diff --git a/i18n/zh-Hant/multi-factor-authentication.md b/i18n/zh-Hant/multi-factor-authentication.md new file mode 100644 index 00000000..ecf15cf6 --- /dev/null +++ b/i18n/zh-Hant/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "多重因素驗證" +icon: 'material/two-factor-authentication' +description: 這些工具可協助您透過多重身份驗證保護網路帳戶,而無需將您的祕密傳送給第三方。 +--- + +## 安全金鑰硬體 + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multifactor-authentication/yubikey.png) + + * * YubiKeys * *是最常用的安全金鑰之一。 有些 YubiKey 型號具廣泛的功能,例如: [Universal 2nd Factor (U2F)] (https://en.wikipedia.org/wiki/Universal_2nd_Factor)、[FIDO2 and WebAuthn] (basics/multifactor-authentication.md#fido-fast-identity-online)、[Yubico OTP] (basics/multifactor-authentication.md#yubico-otp)、[Personal Identity Verification (PIV)] (https://developers.yubico.com/PIV)、 [OpenPGP](https://developers.yubico.com/PGP/)、[TOTP and HOTP] (https://developers.yubico.com/OATH)驗證。 + + YubiKey 好處之一是,一支密鑰( 例如 YubiKey 5 )可以滿足對安全密鑰硬體的全部期待。 我們建議您在購買前先[作個小測驗](https://www.yubico.com/quiz/) ,以確保您做出正確的選擇。 + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +[比較表](https://www.yubico.com/store/compare/) 顯示了各型號 YubiKeys 功能比較。 我們強烈建議您從YubiKey 5系列中挑選。 + +YubiKeys可以利用 [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) 或 [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/)來收授指令。 若要管理 TOTP 代碼,您可以使用 [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)。 Yubico 所有客戶端軟體都是開源。 + +支持 HOTP 和 TOTP 的機型, OTP 介面中有2個插槽可用於HOTP 和32個插槽來存儲 TOTP 機密。 這些機密經加密後存儲在密鑰上,永遠不會將它們暴露在插入的設備上。 一旦向 Yubico Authenticator 提供種子(共享祕密) ,它將只會給出六位數的代碼,但永遠不會提供種子。 此安全模型有助於限制攻擊者,即便運行 Yubico Authenticator的設備受到破壞,讓受到物理攻擊時 Yubikey 仍具抵抗力。 + +!!! 警告 + YubiKey 軔體沒有開源,不可更新。 如果您想要使用較新韌體版本的功能,或者使用中的韌體版本存在漏洞,則需要購買新的金鑰。 + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multifactor-authentication/nitrokey.jpg) {align = right} + + * * Nitrokey * * 能夠[FIDO2 和 WebAuthn] (basics/multifactor-authentication.md#fido-fast-identity-online)的安全金鑰,稱為* * Nitrokey FIDO2 * *。 若要獲得 PGP 支援,您需要購買他們其他鑰匙,例如* * Nitrokey Start * *、* * Nitrokey Pro 2 * *或* * Nitrokey Storage 2 * *。 + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +[比較表](https://www.nitrokey.com/#comparison) 顯示了各型號 Nitrokey 功能比較。 **Nitrokey 3** 具有組合的功能集。 + +可以使用 [Nitrokey 應用程序](https://www.nitrokey.com/download)配置 Nitrokey 模型。 + +支持 HOTP 和 TOTP 的型號,有3個 HOTP 插槽,15 個 TOTP 插槽。 有些 Nitrokeys 可以充當密碼管理器。 可以存儲 16 組憑證,並使用與 OpenPGP 接口相同的密碼對憑證加密。 + +!!! 警告 + + 雖然 Nitrokeys 不會將 HOTP/TOTP 機密釋放給所插入的設備,但HOTP 和 TOTP存儲* *未經加密* * ,容易受到物理攻擊。 如果您需要存儲 HOTP 或 TOTP 這類祕密,強烈建議您使用Yubikey 代替。 + +!!! 警告 + + 重置 Nitrokey 的 OpenPGP 介面會使密碼資料庫變為 [無法存取](https://docs.nitrokey.com/pro/linux/factory-reset)。 + +Nitrokey Pro 2、Nitrokey Storage 2 和即將推出的 Nitrokey 3 支持筆記型電腦的 [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) 軔體與系統完整性驗證。 + +不同於 YubiKey,Nitrokey 軔體是開源。 NitroKey 型號可( **NitroKey Pro 2**除外)可更新軔體。 + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +#### 最低合格要求 + +- 必須使用高品質、防篡改的硬體安全模組。 +- 必須支援最新的 FIDO2 規格。 +- 必須不允許私鑰提取。 +- 價格超過 35美元的裝置必須支援處理 OpenPGP 和 S/MIME。 + +#### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的條件。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 應採用 USB-C 格式。 +- 應與 NFC一起使用。 +- 支持 TOTP 機密儲存。 +- 應支持安全軔體更新。 + +## 認證器應用程式 + +驗證器應用程式實施網際網路工程任務組( IETF)採行的安全標準,稱為 **依據時間的單次密碼**或 **TOTP**。 這是一種網站與您共享祕密的方法,驗證器應用程式使用該祕密根據當前時間生成(通常為)六位數驗證碼,您在登錄網站時輸入以供網站檢查。 通常這些驗證碼每30 秒重新生成一次,一旦生成新碼,舊碼就無用了。 即使駭客獲得六位數的驗證碼,也無法逆轉該代碼去取得原始祕密或透過其他方式去預測以後的驗證碼。 + +我們強烈建議您使用行動 TOTP 應用程式而不是桌面替代方案,因為 Android 和 iOS 比大多數桌面作業系統具有更好的安全性和應用程式隔離性。 + +### Aegis Authenticator (Android) + +!!! recommendation + + ! [Aegis logo] (assets/img/multifactor-authentication/aegis.png) {align = right} + + * * Aegis Authenticator * *是一款免費、安全且開源的應用程式,可為您的線上服務管理兩步驗證令牌。 + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ! [Raivo OTP logo] (assets/img/multifactor-authentication/raivo-otp.png) {align = right} + + * * Raivo OTP * *是原生、輕量和安全的時間基礎(TOTP) & 計數器(HOTP)密碼用戶端應用,適用於iOS。 Raivo OTP 提供可選的 iCloud 備份 & 同步。 Raivo OTP也以狀態列應用程式的形式提供給macOS ,但Mac應用程式並不獨立於iOS應用程式運作。 + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 源代碼必須公開。 +- 無需網際網路連線。 +- 不得同步至第三方雲端同步/備份服務。 + - **可選** 支援與作業系統原生工具的 E2EE 同步是可以的,例如透過 iCloud 進行加密同步。 diff --git a/i18n/zh-Hant/news-aggregators.md b/i18n/zh-Hant/news-aggregators.md new file mode 100644 index 00000000..150bfa52 --- /dev/null +++ b/i18n/zh-Hant/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "新聞聚合器" +icon: material/rss +description: 這些新聞聚合器客戶端可利使用 RSS 等網際網路標準來訂閱追蹤您最喜愛的部落格和新聞網站。 +--- + +[新聞聚合器](https://en.wikipedia.org/wiki/News_aggregator) 是一種訂閱最喜愛的部落格和新聞網站的追蹤方式。 + +## 聚合器客戶端 + +### Akregator + +!!! recommendation + + ! [Akregator logo] (assets/img/news-aggregators/akregator.svg) {align = right} + + * * Akregator * *是 [KDE](https://kde.org) 項目的一部分。 它具有快速搜索、先進的存檔功能和內部瀏覽器可輕鬆閱讀新聞。 + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ! [Feeder logo] (assets/img/news-aggregators/feeder.png) {align = right} + + * * Feeder * *是 Android 版本的 RSS 客戶端,具有許多[特色](https://gitlab.com/spacecowboy/Feeder#features) ,且可與RSS 訊息來源的資料夾配合使用。 它支持 [RSS](https://en.wikipedia.org/wiki/RSS ), [Atom]( https://en.wikipedia.org/wiki/Atom_ ( 網頁標準 )) , [RDF](https://en.wikipedia.org/wiki/RDF%2FXML)和 [JSON Feed] (https://en.wikipedia.org/wiki/JSON_Feed)。 + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ! [Fluent Reader logo] (assets/img/news-aggregators/fluent-reader.svg) {align = right} + + * * Fluent Reader * *是一個安全的跨平臺新聞聚合器,具有方便的隱私功能,例如在退出時刪除 cookie ,嚴格的[內容安全政策(CSP)] (https://en.wikipedia.org/wiki/Content_Security_Policy)和代理支持,這意味著您可以透過 [Tor](tor.md)來使用它。 + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ! [GNOME Feeds logo] (assets/img/news-aggregators/gfeeds.svg) {align = right} + + * * GNOME Feeds * *是 [RSS](https://en.wikipedia.org/wiki/RSS)和 [Atom](https://en.wikipedia.org/wiki/Atom_ (Web_standard))新聞閱讀器,適用於 [GNOME](https://www.gnome.org)。 它的界面很簡單,執行快速。 + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ! [Miniflux logo] (assets/img/news-aggregators/miniflux.svg#only-light) {align = right} + ! [Miniflux標誌] (assets/img/news-aggregators/miniflux-dark.svg#only-dark) {align = right} + + * * Miniflux * *是一個網頁版的新聞聚合器,允許自行託管。 它支持 [RSS](https://en.wikipedia.org/wiki/RSS ), [Atom]( https://en.wikipedia.org/wiki/Atom_ ( 網頁標準 )) , [RDF](https://en.wikipedia.org/wiki/RDF%2FXML)和 [JSON Feed] (https://en.wikipedia.org/wiki/JSON_Feed)。 + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ! [NetNewsWire標誌] (assets/img/news-aggregators/netnewswire.png) {align = right} + + * * NetNewsWire * *是一款免費開源的訊息源閱讀器,適用於macOS 和 iOS ,專注於原生設計和功能集。 它支持典型 feed 格式,以及對 Twitter 和 Reddit feed 的內置支持。 + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ! [Newsboat logo] (assets/img/news-aggregators/newsboat.svg) {align = right} + + * * Newsboat * *是文字控制界面的RSS/Atom 新聞閱讀器。 分支自 [Newsbeuter]( https://zh.wikipedia.org/wiki/Newsbeuter )後,維持積極維護。 非常輕量,適合在[Secure Shell] (https://zh.wikipedia.org/wiki/Secure_Shell )上使用。 + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! !!! 例如 "本节是新的" + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 必須是開源軟體。 +- 必須在本地運作,即不得是雲端服務。 + +## 社交媒體 RSS 支援 + +一些社交媒體服務也支持 RSS ,儘管它很少受到推廣。 + +### Reddit + +Reddit 允許您通過 RSS 訂閱 subreddits。 + +!!! 案例 + 替換 `subreddit_name` 改為所要訂閱的 subreddit + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +使用任何 Nitter [實例](https://github.com/zedeus/nitter/wiki/Instances) ,您可以使用 RSS 輕鬆訂閱。 + +!!! 例子 + 1. 選取實例並設定 `nitter_instance`。 + 2. 將 `twitter_account` 替換為帳戶名稱。 + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +您可以訂閱 YouTube頻道而無需登入,不會把使用情況資訊與Google 帳戶關聯。 + +!!! 例子 + + 若要使用 RSS 客戶端訂閱 YouTube 頻道,請先查看您的[channel code] (https://support.google.com/youtube/answer/6180214) ,然後在下方替換[CHANNE ID]」: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/zh-Hant/notebooks.md b/i18n/zh-Hant/notebooks.md new file mode 100644 index 00000000..45160a70 --- /dev/null +++ b/i18n/zh-Hant/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "記事本" +icon: material/notebook-edit-outline +description: 這些加密的筆記錄應用程式可讓您跟進記錄,而無需將它們提供給第三方。 +--- + +保存記錄您的筆記和日誌,不要將它們提供給第三方。 + +如果您目前使用的是 Evernote、Google Keep 或 Microsoft OneNote 等應用程式,我們建議您在這裡選擇一個支援 E2EE 的替代方案。 + +## 雲端型 + +### Joplin + +!!! recommendation + + ! [Joplin logo] (assets/img/notebooks/joplin.svg) {align = right} + + * * Joplin * *是一個免費、開源且功能齊全的筆記和待辦事項應用程式,可以處理大量 Markdown 文件並組織成筆記本和標籤功能。 它提供E2EE ,可以通過Nextcloud , Dropbox等同步。 它也可以輕鬆自 Evernote 和純文本筆記導入。 + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin 不支援 [應用程式本身或個別筆記和筆記本](https://github.com/laurent22/joplin/issues/289)的密碼/PIN保護。 但是您的資料在傳輸與同步位置中仍會使用主密鑰加密。 自2023年1月起, Joplin 支援 [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) 和 [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z)的生物識別應用程式鎖定功能。 + +### Standard Notes + +!!! recommendation + + ! [Standard Notes 標誌] (assets/img/notebooks/standard-notes.svg) {align = right} + + * *Standard Notes * *是一款簡單而私密的筆記應用程式,可隨時隨地輕鬆使用筆記功能。 它在每個平臺上都具有E2EE ,並且具有強大的主題和自訂編輯器的桌面體驗。 它也經過[獨立審計(PDF)] (https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf)。 + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ! [Cryptee logo] (./assets/img/notebooks/cryptee.svg#only-light) {align = right} + ! [Cryptee logo] (./assets/img/notebooks/cryptee-dark.svg#only-dark) {align = right} + + * * Cryptee * *是一個開源的,網頁版本的 E2EE 文件編輯器和照片存儲應用程式。 Cryptee 為漸進式網路應用程式(PWA) ,這意味著它可以在所有現代設備上無縫工作,而無需為每個平臺提供原生應用程序。 + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? 下載 + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee 免費提供100MB 的儲存空間,如果需要更多容量,則另有付費選項。 註冊不需要電子郵件或其他個人身份資訊。 + +## 本地端的記事簿 + +### Org-mode + +!!! recommendation + + ! [Org-mode logo] (assets/img/notebooks/org-mode.svg) {align = right} + + * * Org-mode * *是GNU Emacs的[主要模式] (https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html)。 Org-mode 用於記錄筆記,維護待辦事項列表,規劃項目,並使用快速有效的純文本系統撰寫文件。 可以利用[檔案同步] (file-sharing.md#file-sync)工具進行同步。 + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 客戶端應是開源的。 +- 任何雲端同步都必須是 E2EE。 +- 必須支援將文件匯出為標準格式。 + +### 最佳案例: + +- 本地備份/同步功能應支援加密。 +- 基於雲的平臺應支持文件共享。 diff --git a/i18n/zh-Hant/os/android-overview.md b/i18n/zh-Hant/os/android-overview.md new file mode 100644 index 00000000..ea625680 --- /dev/null +++ b/i18n/zh-Hant/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android Overview +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +Android is a secure operating system that has strong [app sandboxing](https://source.android.com/security/app-sandbox), [Verified Boot](https://source.android.com/security/verifiedboot) (AVB), and a robust [permission](https://developer.android.com/guide/topics/permissions/overview) control system. + +## Choosing an Android Distribution + +When you buy an Android phone, the device's default operating system often comes with invasive integration with apps and services that are not part of the [Android Open-Source Project](https://source.android.com/). An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on. These apps and services increase the attack surface of your device and are the source of various privacy concerns with Android. + +This problem could be solved by using a custom Android distribution that does not come with such invasive integration. Unfortunately, many custom Android distributions often violate the Android security model by not supporting critical security features such as AVB, rollback protection, firmware updates, and so on. Some distributions also ship [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) builds which expose root via [ADB](https://developer.android.com/studio/command-line/adb) and require [more permissive](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code) SELinux policies to accommodate debugging features, resulting in a further increased attack surface and weakened security model. + +Ideally, when choosing a custom Android distribution, you should make sure that it upholds the Android security model. At the very least, the distribution should have production builds, support for AVB, rollback protection, timely firmware and operating system updates, and SELinux in [enforcing mode](https://source.android.com/security/selinux/concepts#enforcement_levels). All of our recommended Android distributions satisfy these criteria. + +[Our Android System Recommendations :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## Avoid Rooting + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses. + +Adblockers, which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](../dns.md) or [VPN](../vpn.md) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server. + +AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations. + +We do not believe that the security sacrifices made by rooting a phone are worth the questionable privacy benefits of those apps. + +## Verified Boot + +[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection). + +Android 10 and above has moved away from full-disk encryption to more flexible [file-based encryption](https://source.android.com/security/encryption/file-based). Your data is encrypted using unique encryption keys, and the operating system files are left unencrypted. + +Verified Boot ensures the integrity of the operating system files, thereby preventing an adversary with physical access from tampering or installing malware on the device. In the unlikely case that malware is able to exploit other parts of the system and gain higher privileged access, Verified Boot will prevent and revert changes to the system partition upon rebooting the device. + +Unfortunately, OEMs are only obliged to support Verified Boot on their stock Android distribution. Only a few OEMs such as Google support custom AVB key enrollment on their devices. Additionally, some AOSP derivatives such as LineageOS or /e/ OS do not support Verified Boot even on hardware with Verified Boot support for third-party operating systems. We recommend that you check for support **before** purchasing a new device. AOSP derivatives which do not support Verified Boot are **not** recommended. + +Many OEMs also have broken implementation of Verified Boot that you have to be aware of beyond their marketing. For example, the Fairphone 3 and 4 are not secure by default, as the [stock bootloader trusts the public AVB signing key](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11). This breaks verified boot on a stock Fairphone device, as the system will boot alternative Android operating systems such (such as /e/) [without any warning](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) about custom operating system usage. + +## Firmware Updates + +Firmware updates are critical for maintaining security and without them your device cannot be secure. OEMs have support agreements with their partners to provide the closed-source components for a limited support period. These are detailed in the monthly [Android Security Bulletins](https://source.android.com/security/bulletin). + +As the components of the phone, such as the processor and radio technologies rely on closed-source components, the updates must be provided by the respective manufacturers. Therefore, it is important that you purchase a device within an active support cycle. [Qualcomm](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) and [Samsung](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) support their devices for 4 years, while cheaper products often have shorter support cycles. With the introduction of the [Pixel 6](https://support.google.com/pixelphone/answer/4457705), Google now makes their own SoC and they will provide a minimum of 5 years of support. + +EOL devices which are no longer supported by the SoC manufacturer cannot receive firmware updates from OEM vendors or after market Android distributors. This means that security issues with those devices will remain unfixed. + +Fairphone, for example, markets their devices as receiving 6 years of support. However, the SoC (Qualcomm Snapdragon 750G on the Fairphone 4) has a considerably shorter EOL date. This means that firmware security updates from Qualcomm for the Fairphone 4 will end in September 2023, regardless of whether Fairphone continues to release software security updates. + +## Android Versions + +It's important to not use an [end-of-life](https://endoflife.date/android) version of Android. Newer versions of Android not only receive security updates for the operating system but also important privacy enhancing updates too. For example, [prior to Android 10](https://developer.android.com/about/versions/10/privacy/changes), any apps with the [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) permission could access sensitive and unique serial numbers of your phone such as [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier), your SIM card's [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity), whereas now they must be system apps to do so. System apps are only provided by the OEM or Android distribution. + +## Android Permissions + +[Permissions on Android](https://developer.android.com/guide/topics/permissions/overview) grant you control over what apps are allowed to access. Google regularly makes [improvements](https://developer.android.com/about/versions/11/privacy/permissions) on the permission system in each successive version. All apps you install are strictly [sandboxed](https://source.android.com/security/app-sandbox), therefore, there is no need to install any antivirus apps. + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! 警告 + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! 備註 + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## Media Access + +Quite a few applications allows you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. + +## User Profiles + +Multiple user profiles can be found in **Settings** → **System** → **Multiple users** and are the simplest way to isolate in Android. + +With user profiles, you can impose restrictions on a specific profile, such as: making calls, using SMS, or installing apps on the device. Each profile is encrypted using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. Multiple user profiles are a more secure method of isolation. + +## Work Profile + +[Work Profiles](https://support.google.com/work/android/answer/6191949) are another way to isolate individual apps and may be more convenient than separate user profiles. + +A **device controller** app such as [Shelter](#recommended-apps) is required to create a Work Profile without an enterprise MDM, unless you're using a custom Android OS which includes one. + +The work profile is dependent on a device controller to function. Features such as *File Shuttle* and *contact search blocking* or any kind of isolation features must be implemented by the controller. You must also fully trust the device controller app, as it has full access to your data inside of the work profile. + +This method is generally less secure than a secondary user profile; however, it does allow you the convenience of running apps in both the work and personal profiles simultaneously. + +## VPN Killswitch + +Android 7 and above supports a VPN killswitch and it is available without the need to install third-party apps. This feature can prevent leaks if the VPN is disconnected. It can be found in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + +## Global Toggles + +Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, we recommend disabling these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. + +## Google + +If you are using a device with Google services, either your stock operating system or an operating system that safely sandboxes Google Play Services like GrapheneOS, there are a number of additional changes you can make to improve your privacy. We still recommend avoiding Google services entirely, or limiting Google Play services to a specific user/work profile by combining a device controller like *Shelter* with GrapheneOS's Sandboxed Google Play. + +### Advanced Protection Program + +If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) support. + +The Advanced Protection Program provides enhanced threat monitoring and enables: + +- Stricter two factor authentication; e.g. that [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **must** be used and disallows the use of [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) and [OAuth](https://en.wikipedia.org/wiki/OAuth) +- Only Google and verified third-party apps can access account data +- Scanning of incoming emails on Gmail accounts for [phishing](https://en.wikipedia.org/wiki/Phishing#Email_phishing) attempts +- Stricter [safe browser scanning](https://www.google.com/chrome/privacy/whitepaper.html#malware) with Google Chrome +- Stricter recovery process for accounts with lost credentials + + If you use non-sandboxed Google Play Services (common on stock operating systems), the Advanced Protection Program also comes with [additional benefits](https://support.google.com/accounts/answer/9764949?hl=en) such as: + +- Not allowing app installation outside of the Google Play Store, the OS vendor's app store, or via [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- Mandatory automatic device scanning with [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- Warning you about unverified applications + +### Google Play System Updates + +In the past, Android security updates had to be shipped by the operating system vendor. Android has become more modular beginning with Android 10, and Google can push security updates for **some** system components via the privileged Play Services. + +If you have an EOL device shipped with Android 10 or above and are unable to run any of our recommended operating systems on your device, you are likely going to be better off sticking with your OEM Android installation (as opposed to an operating system not listed here such as LineageOS or /e/ OS). This will allow you to receive **some** security fixes from Google, while not violating the Android security model by using an insecure Android derivative and increasing your attack surface. We would still recommend upgrading to a supported device as soon as possible. + +### Advertising ID + +All devices with Google Play Services installed automatically generate an [advertising ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) used for targeted advertising. Disable this feature to limit the data collected about you. + +On Android distributions with [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), go to :gear: **Settings** → **Apps** → **Sandboxed Google Play** → **Google Settings** → **Ads**, and select *Delete advertising ID*. + +On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations. Check + +- :gear: **Settings** → **Google** → **Ads** +- :gear: **Settings** → **Privacy** → **Ads** + +You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID. + +### SafetyNet and Play Integrity API + +[SafetyNet](https://developer.android.com/training/safetynet/attestation) and the [Play Integrity APIs](https://developer.android.com/google/play/integrity) are generally used for [banking apps](https://grapheneos.org/usage#banking-apps). Many banking apps will work fine in GrapheneOS with sandboxed Play services, however some non-financial apps have their own crude anti-tampering mechanisms which might fail. GrapheneOS passes the `basicIntegrity` check, but not the certification check `ctsProfileMatch`. Devices with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities. + +As for Google Wallet, we don't recommend this due to their [privacy policy](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en), which states you must opt-out if you don't want your credit rating and personal information shared with affiliate marketing services. diff --git a/i18n/zh-Hant/os/linux-overview.md b/i18n/zh-Hant/os/linux-overview.md new file mode 100644 index 00000000..edb6f1b6 --- /dev/null +++ b/i18n/zh-Hant/os/linux-overview.md @@ -0,0 +1,142 @@ +--- +title: Linux Overview +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +It is often believed that [open-source](https://en.wikipedia.org/wiki/Open-source_software) software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always [the case](https://seirdy.one/posts/2022/02/02/floss-security/). It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +At the moment, desktop Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g.: + +- A verified boot chain, like Apple’s [Secure Boot](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (with [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)), Android’s [Verified Boot](https://source.android.com/security/verifiedboot), ChromeOS' [Verified boot](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot), or Microsoft Windows’s [boot process](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) with [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). These features and hardware technologies can all help prevent persistent tampering by malware or [evil maid attacks](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- A strong sandboxing solution such as that found in [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md), and [Android](https://source.android.com/security/app-sandbox). Commonly used Linux sandboxing solutions such as [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) and [Firejail](https://firejail.wordpress.com/) still have a long way to go +- Strong [exploit mitigations](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +Despite these drawbacks, desktop Linux distributions are great if you want to: + +- Avoid telemetry that often comes with proprietary operating systems +- Maintain [software freedom](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- Have privacy focused systems such as [Whonix](https://www.whonix.org) or [Tails](https://tails.boum.org/) + +Our website generally uses the term “Linux” to describe desktop Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here. + +[Our Linux Recommendations :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## Choosing your distribution + +Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use. + +### Release cycle + +We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates. + +For frozen distributions such as [Debian](https://www.debian.org/security/faq#handling), package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release. + +We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this: + +
+ +
+ +### Traditional vs Atomic updates + +Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating. + +Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic. + +A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state." + +The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. [Adam Šamalík](https://twitter.com/adsamalik) provided a presentation on how `rpm-ostree` works with Silverblue: + +
+ +
+ +### “Security-focused” distributions + +There is often some confusion between “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use. + +### Arch-based distributions + +Arch based distributions are not recommended for those new to Linux, (regardless of distribution) as they require regular [system maintenance](https://wiki.archlinux.org/title/System_maintenance). Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own. + +For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a [mandatory access control](https://en.wikipedia.org/wiki/Mandatory_access_control) system, setting up [kernel module](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) blacklists, hardening boot parameters, manipulating [sysctl](https://en.wikipedia.org/wiki/Sysctl) parameters, and knowing what components they need such as [Polkit](https://en.wikipedia.org/wiki/Polkit). + +Anyone using the [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **must** be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened [in the past](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/). AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use [AUR helpers](https://wiki.archlinux.org/title/AUR_helpers) without sufficient warning. Similar warnings apply to use third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora. + +If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically: + +- **Manjaro**: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest [libraries](https://en.wikipedia.org/wiki/Library_(computing)) from Arch’s repositories. +- **Garuda**: They use [Chaotic-AUR](https://aur.chaotic.cx/) which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. + +### Kicksecure + +While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: [Kicksecure](https://www.kicksecure.com/). Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default. + +### Linux-libre kernel and “Libre” distributions + +We strongly recommend **against** using the Linux-libre kernel, since it [removes security mitigations](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) and [suppresses kernel warnings](https://news.ycombinator.com/item?id=29674846) about vulnerable microcode for ideological reasons. + +## 一般性建議 + +### Drive Encryption + +Most Linux distributions have an option within its installer for enabling [LUKS](../encryption.md#linux-unified-key-setup) FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning), but before [file systems](https://en.wikipedia.org/wiki/File_system) are formatted. We also suggest securely erasing your storage device: + +- [Secure Data Erasure :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + +### Swap + +Consider using [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) or [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). Fedora based distributions [use ZRAM by default](https://fedoraproject.org/wiki/Changes/SwapOnZRAM). + +### Wayland + +We recommend using a desktop environment that supports the [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) display protocol as it was developed with security [in mind](https://lwn.net/Articles/589147/). Its predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), does not support GUI isolation, allowing all windows to [record screen, log and inject inputs in other windows](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html), making any attempt at sandboxing futile. While there are options to do nested X11 such as [Xpra](https://en.wikipedia.org/wiki/Xpra) or [Xephyr](https://en.wikipedia.org/wiki/Xephyr), they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland. + +Fortunately, common environments such as [GNOME](https://www.gnome.org), [KDE](https://kde.org), and the window manager [Sway](https://swaywm.org) have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly). If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager ([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)). + +We recommend **against** using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3. + +### Proprietary Firmware (Microcode Updates) + +Linux distributions such as those which are [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) or DIY (Arch Linux) don’t come with the proprietary [microcode](https://en.wikipedia.org/wiki/Microcode) updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), and other [hardware vulnerabilities](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html). + +We **highly recommend** that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default. + +### Updates + +Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found. + +Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (`apt`, `pacman`, `dnf`, etc.) manually in order to receive important security updates. + +Additionally, some distributions will not download firmware updates automatically. For that you will need to install [`fwupd`](https://wiki.archlinux.org/title/Fwupd). + +## Privacy Tweaks + +### MAC Address Randomization + +Many desktop Linux distributions (Fedora, openSUSE, etc) will come with [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager), to configure Ethernet and Wi-Fi settings. + +It is possible to [randomize](https://fedoramagazine.org/randomize-mac-address-nm/) the [MAC address](https://en.wikipedia.org/wiki/MAC_address) when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does [**not**](https://papers.mathyvanhoef.com/wisec2016.pdf) make you anonymous. + +We recommend changing the setting to **random** instead of **stable**, as suggested in the [article](https://fedoramagazine.org/randomize-mac-address-nm/). + +If you are using [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components), you will need to set [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) which will enable [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=). + +There isn’t many points in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the [network switch](https://en.wikipedia.org/wiki/Network_switch). Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware. + +### Other Identifiers + +There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your [threat model](../basics/threat-modeling.md): + +- **Hostnames:** Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings. +- **Usernames:** Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name. +- **Machine ID:**: During installation a unique machine ID is generated and stored on your device. Consider [setting it to a generic ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id). + +### System Counting + +The Fedora Project [counts](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) how many unique systems access its mirrors by using a [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary. + +This [option](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) is currently off by default. We recommend adding `countme=false` to `/etc/dnf/dnf.conf` just in case it is enabled in the future. On systems that use `rpm-ostree` such as Silverblue, the countme option is disabled by masking the [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) timer. + +openSUSE also uses a [unique ID](https://en.opensuse.org/openSUSE:Statistics) to count systems, which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. diff --git a/i18n/zh-Hant/os/qubes-overview.md b/i18n/zh-Hant/os/qubes-overview.md new file mode 100644 index 00000000..17b286b9 --- /dev/null +++ b/i18n/zh-Hant/os/qubes-overview.md @@ -0,0 +1,55 @@ +--- +title: "Qubes Overview" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) is an operating system which uses the [Xen](https://en.wikipedia.org/wiki/Xen) hypervisor to provide strong security for desktop computing through isolated virtual machines. Each VM is called a *Qube* and you can assign each Qube a level of trust based on its purpose. As Qubes OS provides security by using isolation, and only permitting actions on a per case basis, it is the opposite of [badness enumeration](https://www.ranum.com/security/computer_security/editorials/dumb/). + +## How does Qubes OS work? + +Qubes uses [compartmentalization](https://www.qubes-os.org/intro/) to keep the system secure. Qubes are created from templates, the defaults being for Fedora, Debian and [Whonix](../desktop.md#whonix). Qubes OS also allows you to create once-use [disposable](https://www.qubes-os.org/doc/how-to-use-disposables/) virtual machines. + +![Qubes architecture](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes Architecture, Credit: What is Qubes OS Intro
+ +Each Qubes application has a [colored border](https://www.qubes-os.org/screenshots/) that can help you keep track of the virtual machine it is running in. You could, for example, use a specific color for your banking browser, while using a different color for a general untrusted browser. + +![Colored border](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes window borders, Credit: Qubes Screenshots
+ +## Why Should I use Qubes? + +Qubes OS is useful if your [threat model](../basics/threat-modeling.md) requires strong compartmentalization and security, such as if you think you'll be opening untrusted files from untrusted sources. A typical reason for using Qubes OS is to open documents from unknown sources. + +Qubes OS utilizes [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM (i.e., an "AdminVM") for controlling other guest VMs or Qubes on the host OS. Other VMs display individual application windows within Dom0's desktop environment. It allows you to color code windows based on trust levels and run apps that can interact with each other with very granular control. + +### Copying and Pasting Text + +You can [copy and paste text](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/) using `qvm-copy-to-vm` or the below instructions: + +1. Press **Ctrl+C** to tell the VM you're in that you want to copy something. +2. Press **Ctrl+Shift+C** to tell the VM to make this buffer available to the global clipboard. +3. Press **Ctrl+Shift+V** in the destination VM to make the global clipboard available. +4. Press **Ctrl+V** in the destination VM to paste the contents in the buffer. + +### File Exchange + +To copy and paste files and directories (folders) from one VM to another, you can use the option **Copy to Other AppVM...** or **Move to Other AppVM...**. The difference is that the **Move** option will delete the original file. Either option will protect your clipboard from being leaked to any other Qubes. This is more secure than air-gapped file transfer because an air-gapped computer will still be forced to parse partitions or file systems. That is not required with the inter-qube copy system. + +??? info "AppVMs or qubes do not have their own file systems" + + You can [copy and move files](https://www.qubes-os.org/doc/how-to-copy-and-move-files/) between Qubes. When doing so the changes aren't immediately made and can be easily undone in case of an accident. + +### Inter-VM Interactions + +The [qrexec framework](https://www.qubes-os.org/doc/qrexec/) is a core part of Qubes which allows virtual machine communication between domains. It is built on top of the Xen library *vchan*, which facilitates [isolation through policies](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/). + +## Additional Resources + +For additional information we encourage you to consult the extensive Qubes OS documentation pages located on the [Qubes OS Website](https://www.qubes-os.org/doc/). Offline copies can be downloaded from the Qubes OS [documentation repository](https://github.com/QubesOS/qubes-doc). + +- Open Technology Fund: [*Arguably the world's most secure operating system*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. Rutkowska: [*Software compartmentalization vs. physical separation*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. Rutkowska: [*Partitioning my digital life into security domains*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*Related Articles*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/zh-Hant/passwords.md b/i18n/zh-Hant/passwords.md new file mode 100644 index 00000000..a02ecdae --- /dev/null +++ b/i18n/zh-Hant/passwords.md @@ -0,0 +1,341 @@ +--- +title: "密碼管理器。" +icon: material/form-textbox-password +description: 密碼管理員允許您安全地存儲和管理密碼和其他憑證。 +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: 密碼管理器。 + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: 密碼管理器。 + operatingSystem: + - Windows + - macOS + - Linux + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: 密碼管理器。 + operatingSystem: + - Android + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: 密碼管理器。 + operatingSystem: + - Windows + - macOS + - Linux + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: 密碼管理器。 + operatingSystem: Android + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: 密碼管理器。 + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: 密碼管理器。 + operatingSystem: + - Windows + - macOS + - Linux + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +密碼管理員讓您用主密碼安全地儲存、管理密碼和其他憑證。 + +[密碼介紹 :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! 資訊 + + 瀏覽器和作業系統所內置的密碼管理器常常不如專用密碼管理器軟體。 內建的密碼管理器優點是與原生軟體很好地整合,但它通常非常簡單,並且缺乏獨立產品具有的隱私和安全功能。 + + 例如,Microsoft Edge 的密碼管理器根本不提供 E2EE。 Google的密碼管理員有 [optional](https://support.google.com/accounts/answer/11350823)個E2EE ,而[Apple] (https://support.apple.com/en-us/HT202303)預設提供E2EE。 + +## 雲端型 + +這些密碼管理員會將您的密碼同步到雲端伺服器,以便您從所有裝置輕鬆存取,並安全地防止裝置丟失。 + +### Bitwarden + +!!! recommendation + + ! [Bitwarden logo] (assets/img/password-management/bitwarden.svg) {align = right} + + * * Bitwarden * *是一個免費的開源密碼管理器。 它旨在解決個人、團隊和商業組織的密碼管理問題。 Bitwarden 是最佳和最安全的解決方案之一,可存儲所有登錄名和密碼,同時方便地在所有設備之間保持同步。 + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden還具有 [Bitwarden Send](https://bitwarden.com/products/send/)功能,允許您使用 [端到端加密](https://bitwarden.com/help/send-encryption)安全地共享文本和檔案。 發送分享鏈接時可以要求帶[分享密碼](https://bitwarden.com/help/send-privacy/#send-passwords) 。 Bitwarden Send 還具[自動刪除功能](https://bitwarden.com/help/send-lifespan)。 + +您需要使用 [高級付費方案](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) 才能共享檔案。 免費方案只允許文字分享。 + +Bitwarden 伺服器端代碼是 [開源](https://github.com/bitwarden/server),因此如果不想使用 Bitwarden 雲端,可以輕鬆地託管自己的 Bitwarden 同步伺服器。 + +**Vaultwarden** 是以Rust 編寫的Bitwarden 同步伺服器的替代實作,相容官方 Bitwarden 客戶端,非常適合自託管部署取代 Bitwarden 官方資源過載的情況。 如果你想在自己的伺服器上自我託管 Bitwarden ,你幾乎肯定想在 Bitwarden 的官方伺服器代碼上使用 Vaultwarden。 + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ! [1Password logo] (assets/img/password-management/1password.svg) {align = right} + + * * 1Password * *是一個密碼管理器,非常注重安全性和易用性,允許您將密碼、信用卡、軟體許可證和任何其他敏感資訊存儲在安全的數位保管庫。 您的保管庫託管在 1Password 伺服器,費用為[每月收取] (https://1password.com/sign-up/)。 1Password 定期[接受審計](https://support.1password.com/security-assessments/)並提供卓越的客戶支援。 1Password 是封閉原始碼;但是,產品的安全性已徹底記錄在他們的[安全白皮書] (https://1passwordstatic.com/files/security/1password-white-paper.pdf)。 + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +過去**1Password** 僅為 macOS和 iOS的用戶提供了最佳的密碼管理器用戶體驗,不過它現在已在所有平臺上實現了功能平等。 它擁有許多針對家庭和非技術人員方便使用的特色,也有先進的功能。 + +您的1Password保管庫使用您的主密碼和隨機34個字符的安全密鑰來加密其伺服器上的數據。 此安全金鑰為您的資料添加了一層保護,因為無論您的主密碼如何,資料都受到高熵保護。 許多其他密碼管理器解決方案完全依賴於您的主密碼的強度來保護您的數據。 + +相較Bitwarden , 1Password一大優勢是其對原生客戶端的一流支持。 Bitwarden 將許多職責(特別是帳戶管理功能)降級到他們的網頁保管庫界面,而1Password 則是在其原生行動或桌面客戶端中提供了所有功能。 1Password 客戶端也有更直觀的用戶界面 ,更容易使用和導航。 + +### Psono + +!!! recommendation + + ! [Psono logo] (assets/img/password-management/psono.svg) {align = right} + + * * Psono * *是來自德國的免費開源密碼管理器,專注於團隊的密碼管理。 Psono支援安全分享密碼、檔案、書籤和電子郵件。 所有機密都受到主密碼的保護。 + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono為其產品提供廣泛的文檔。 Psono 的網頁用戶端可以自行託管;或者,您可以選擇完整的Community Edition或具有附加功能的Enterprise Edition。 + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +#### 最低合格要求 + +- 必須使用強大的、基於標準的/現代的E2EE。 +- 必須有徹底記錄的加密和安全實踐。 +- 必須公開由信譽良好、獨立的第三方進行的審計。 +- 所有非必要的遙測都必須是可選的。 +- 除了收費之必要外,不得收集過多個人識別資訊(PII)。 + +#### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 遙測應選擇加入(預設情況下禁用)或根本不收集。 +- 應該是開源的,並且可以合理地自我託管。 + +## 本地儲存 + +這些選項允許您在本地管理加密密碼資料庫。 + +### KeePassXC + +!!! recommendation + + ! [KeePassXC logo] (assets/img/password-management/keepassxc.svg) {align = right} + + * * KeePassXC * *是 KeePassX 的社區分支, KeePassX 是KeePass Password Safe 的原生跨平臺端口,其目標是通過新功能和錯誤修復來擴展和改善它,以提供功能豐富,跨平臺和現代開源密碼管理器。 + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC 將其匯出數據存儲為 [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) 文件。 如果您將此檔案匯入另一個密碼管理員,這可能意味著資料丟失。 我們建議您手動檢查每個記錄。 + +### KeePassDX (安卓) + +!!! recommendation + + ! [KeePassDX標誌] (assets/img/password-management/keepassdx.svg) {align = right} + + * * KeePassDX * *是 Android 輕量級密碼管理器,允許編輯KeePass 格式文件中的加密資料,與安全填寫密碼表單。 [Contributor Pro] (https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro)允許解鎖上妝的內容和非標準協議功能,但更重要的是,它有助於並鼓勵開發。 + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ! [Strongbox logo] (assets/img/password-management/strongbox.svg) {align = right} + + * * Strongbox * *是 iOS 和 macOS 原生開源密碼管理器。 支援 KeePass 和 Password Safe 格式, Strongbox 可以與其他密碼管理器(如KeePassXC )一起在非 Apple 平臺上使用。 通過採用[免費增值模式] (https://strongboxsafe.com/pricing/) , Strongbox 免費會員等級提供了大多數功能,而更方便的 [功能](https://strongboxsafe.com/comparison/) -例如生物識別驗證-則必須在訂閱或購買永久授權之後才能享受。 + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +此外,還有一個僅限離線版本: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638)。 這個版本被剝離許多特色,以試圖減少攻擊面。 + +### 命令行 + +這些產品是最低限度的密碼管理器,可以在腳本應用程序中使用。 + +#### gopass + +!!! recommendation + + ! [gopass logo] (assets/img/password-management/gopass.svg) {align = right} + + * * gopass * *是用Go編寫的命令行的密碼管理器。 它適用於所有主要的桌面和伺服器作業系統( Linux , macOS , BSD , Windows )。 + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 需為跨平臺。 diff --git a/i18n/zh-Hant/productivity.md b/i18n/zh-Hant/productivity.md new file mode 100644 index 00000000..daa818fe --- /dev/null +++ b/i18n/zh-Hant/productivity.md @@ -0,0 +1,155 @@ +--- +title: "工作效率工具" +icon: material/file-sign +description: 大多數線上辦公套件不支持 E2EE ,這意味著雲提供商可以存取您所做的一切。 +--- + +大多數線上辦公套件不支持 E2EE ,這意味著雲提供商可以存取您所做的一切。 隱私權政策可在法律上保護您的權利,但不提供技術存取限制。 + +## 協作平台 + +### Nextcloud + +!!! recommendation + + ! [Nextcloud logo] (assets/img/productivity/nextcloud.svg) {align = right} + + * * Nextcloud * *是一套免費開源用戶端伺服器軟體,可在您控制的私人伺服器上建立自己的檔案託管服務。 + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 危險 + + 我們不建議使用 Nextcloud [E2EE App] (https://apps.nextcloud.com/apps/end_to_end_encryption) ,因為它可能會導致資料丟失;目前它仍是高度實驗性,未達穩定品質。 因此,我們不推薦第三方Nextcloud提供商。 + +### CryptPad + +!!! recommendation + + ! [CryptPad logo] (assets/img/productivity/cryptpad.svg) {align = right} + + * * CryptPad * *隱私設計可替代流行的辦公工具。 網頁服務上的所有內容都是端到端加密,也可輕鬆與其他用戶共享。 + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +一般來說,我們將協作平臺定義為成熟的套件,可以合理地替代Google Drive 等協作平臺。 + +- 開源。 +- 使檔案可透過 WebDAV 訪問,除非因 E2EE 緣故。 +- 具有Linux、macOS和Windows的同步客戶端。 +- 支援文件和試算表編輯。 +- 支持即時文件協作。 +- 支援將文件匯出為標準文件格式(例如ODF )。 + +#### 最好的情况 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 應將檔案儲存在傳統檔案系統中。 +- 必須支援 TOTP 或 FIDO2 多因素驗證,或 Passkey 登入。 + +## 辦公套件 + +### LibreOffice + +!!! recommendation + + ! [LibreOffice logo] (assets/img/productivity/libreoffice.svg) {align = right} + + * * LibreOffice * *是一個免費且開源的辦公套件,具有廣泛的功能。 + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ! [OnlyOffice logo] (assets/img/productivity/onlyoffice.svg) {align = right} + + * * OnlyOffice * *是一個基於雲的免費開源辦公套件,具有廣泛的功能,包括與Nextcloud的整合。 + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +一般來說,我們將辦公套件定義為可以合理地替代 Microsoft Word 以滿足大多數需求的應用程式。 + +- 需為跨平臺。 +- 必須是開源軟體。 +- 必須離線運作。 +- 必須支援編輯文件、電子表格和投影片製作投放。 +- 必須將檔案匯出為標準文件格式。 + +## 網路黏貼服務 + +### PrivateBin + +!!! recommendation + + ! [PrivateBin logo] (assets/img/productivity/privatebin.svg) {align = right} + + * * PrivateBin * *是一個極簡主義的開源網路剪貼板 ,伺服器對黏貼的資料一無所知。 資料在瀏覽器中使用 256位元AES 來加密/解密。 它是 ZeroBin 的改進版本。 有一個[實例列表] (https://privatebin.info/directory/)。 + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/zh-Hant/real-time-communication.md b/i18n/zh-Hant/real-time-communication.md new file mode 100644 index 00000000..88df4b58 --- /dev/null +++ b/i18n/zh-Hant/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "Real-Time Communication" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +These are our recommendations for encrypted real-time communication. + +[Types of Communication Networks :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## Encrypted Messengers + +These messengers are great for securing your sensitive communications. + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** is a mobile app developed by Signal Messenger LLC. The app provides instant messaging, as well as voice and video calling. + + All communications are E2EE. Contact lists are encrypted using your Signal PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts you chat with. + + [:octicons-home-16: Homepage](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal supports [private groups](https://signal.org/blog/signal-private-group-system/). The server has no record of your group memberships, group titles, group avatars, or group attributes. Signal has minimal metadata when [Sealed Sender](https://signal.org/blog/sealed-sender/) is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server. Sealed Sender is only enabled for people in your contacts list, but can be enabled for all recipients with the increased risk of receiving spam. Signal requires your phone number as a personal identifier. + +The protocol was independently [audited](https://eprint.iacr.org/2016/1013.pdf) in 2016. The specification for the Signal protocol can be found in their [documentation](https://signal.org/docs/). + +We have some additional tips on configuring and hardening your Signal installation: + +[Signal Configuration and Hardening :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat is an instant messenger that is decentralized and doesn't depend on any unique identifiers such as phone numbers or usernames. Users of SimpleX Chat can scan a QR code or click an invite link to participate in group conversations. + + [:octicons-home-16: Homepage](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +Currently SimpleX Chat only provides a client for Android and iOS. Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! 警告 + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/zh-Hant/router.md b/i18n/zh-Hant/router.md new file mode 100644 index 00000000..8b34d6db --- /dev/null +++ b/i18n/zh-Hant/router.md @@ -0,0 +1,50 @@ +--- +title: "路由器軔體" +icon: material/router-wireless +description: 這些替代作業系統可用於保護您的路由器或Wi-Fi接入點。 +--- + +以下是一些替代操作系統,可用於路由器, Wi-Fi接入點等。 + +## OpenWrt + +!!! recommendation + + ! [OpenWrt logo] (assets/img/router/openwrt.svg#only-light) {align = right} + ! [OpenWrt logo] (assets/img/router/openwrt-dark.svg#only-dark) {align = right} + + * * OpenWrt * *是一個基於 Linux 的操作系統;它主要用於嵌入式設備以路由網路流量。 它包括util-linux , uClibc和BusyBox。 所有組件都已為家庭路由器進行了優化。 + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +您可以參考 OpenWrt 的 [硬體表格](https://openwrt.org/toh/start) 檢查您的設備是否支援。 + +## OPNsense + +!!! recommendation + + ! [OPNsense logo] (assets/img/router/opnsense.svg) {align = right} + + * * OPNsense * *是開源的、基於FreeBSD 的防火牆和路由平臺,它包含許多進階功能,如流量整形、負載平衡和 VPN 功能,且有插件的形式提供更多功能。 OPNsense 通常部署作邊界防火牆、路由器、無線存取點、DHCP伺服器、DNS伺服器和 VPN 端點。 + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense 一開始是從 [pfSense](https://en.wikipedia.org/wiki/PfSense)分支另外發展出來,兩個項目都以免費和可靠的防火牆發行版而聞名,它們提供了通常只有昂貴的商業防火牆才具備的功能。 2015 年啟動後,OPNsense 開發人員[引述](https://docs.opnsense.org/history/thefork.html) pfSense 專案中一連串安全與代碼品質問題,因此覺得有必要對須目作分支。再者 Netgate 取得 pfSense 大部份所有權, pfSense 未來的方向也令他們擔憂。 + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為這個網站的各個部分建立明確標準,它可能依情況變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 它必須是開源的。 +- 必須定期更新。 +- 需要支持各種各樣的硬體。 diff --git a/i18n/zh-Hant/search-engines.md b/i18n/zh-Hant/search-engines.md new file mode 100644 index 00000000..a3572d52 --- /dev/null +++ b/i18n/zh-Hant/search-engines.md @@ -0,0 +1,116 @@ +--- +title: "搜尋引擎" +icon: material/search-web +description: 這些尊重隱私的搜尋引擎不會根據您的搜尋建立廣告剖繪。 +--- + +這些尊重隱私的搜尋引擎不會根據您的搜尋建立廣告剖繪。 + +這裡的建議是基於每個服務的隱私政策的優點。 **不能保證**這些隱私政策都有好好落實。 + +如果您的威脅模型需要向搜尋供應商隱藏您的IP位址,請考慮使用 [VPN](vpn.md) 或 [Tor](https://www.torproject.org/) 。 + +## Brave Search + +!!! recommendation + + ! [Brave Search logo] (assets/img/search-engines/brave-search.svg) {align = right} + + * * Brave Search * *由 Brave 開發,主要提供自己獨立索引的結果。 該索引是針對 Google 搜索進行優化,因此與其他替代方案相比,可以提供更具上下文準確性的結果。 + + Brave Search 包括獨特的功能,如討論,突出了對話為中心的結果,如論壇文章。 + + 我們建議您停用[匿名使用指標] (https://search.brave.com/help/usage-metrics) ,因為它預設為啟用,可在設定中停用。 + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search 總部在美國。 他們的 [隱私政策](https://search.brave.com/help/privacy-policy) 規定他們收集聚合使用指標,其中包括正在使用的作業系統和瀏覽器,但沒有收集個人識別資訊。 IP位址會暫時處理,但不會保留。 + +## DuckDuckGo + +!!! recommendation + + ! [DuckDuckGo logo] (assets/img/search-engines/duckduckgo.svg) {align = right} + + * * DuckDuckGo * *最主流的隱私搜尋引擎選項之一。 著名的 DuckDuckGo 搜索功能包括 [bangs]( https://duckduckgo.com/bang)和許多[即時答案] (https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/)。 搜尋引擎依賴商業 Bing API 來提供大多數結果,但它確實使用許多[其他來源](https://help.duckduckgo.com/results/sources/ )來獲取即時答案和其他非主要結果。 + + DuckDuckGo 是 Tor瀏覽器的預設搜尋引擎,也是 Apple Safari 瀏覽器上為數不多的可用選項之一。 + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +Brave Search 總部在美國。 他們的[隱私政策](https://duckduckgo.com/privacy)聲明他們**確實** 記錄使用者搜尋以改善其產品,但不會記錄 IP 地址或其它可識別的個人資訊。 + +DuckDuckGo 提供兩種 [其它版本](https://help.duckduckgo.com/features/non-javascript/) 搜尋引擎,兩者皆不需要JavaScript。 然而,這些版本缺少特色。 這些版本也可以與其 [Tor 洋蔥地址](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) 一起使用,通過為相應的版本附加 [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) 或 [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) 後綴。 + +## SearXNG + +!!! recommendation + + ! [SearXNG logo] (assets/img/search-engines/searxng.svg) {align = right} + + * * SearXNG * *是一個開源、自我託管的中繼搜索引擎,聚合其他搜索引擎的結果,而自身不儲存任何資訊。 它是一個積極維護的 [SearX] (https://github.com/searx/searx)分支。 + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG 是您和它所聚合的搜尋引擎之間的代理。 您的搜尋查詢仍會傳送至 SearXNG 取得搜尋結果的搜尋引擎。 + +在自我託管時,重要的是要讓其他人使用您的實例,以便查詢能夠混入其中。 您應該小心處理 SearXNG 託管,因為若有人在您的執行實例上查找非法內容,可能會引起當局的關注。 + +當您使用 SearXNG 實體時,請務必閱讀他們的隱私權政策。 由於 SearXNG 實體可能會被其擁有者修改,因此它們不一定反映其隱私政策。 有些實體是以 Tor 隱藏服務運行,只要您的搜尋查詢不包含 PII ,這可能會授予一些隱私。 + +## Startpage + +!!! recommendation + + ! [Startpage logo] (assets/img/search-engines/startpage.svg#only-light) {align = right} + ! [Startpage logo] (assets/img/search-engines/startpage-dark.svg#only-dark) {align = right} + + * * Startpage * *是一個提供 Google 搜索結果而聞名的私密搜索引擎。 Startpage 的獨特功能之一是[匿名視圖] (https://www.startpage.com/en/anonymous-view/) ,它努力標準化用戶活動,使其更難被突出識別。 這個功能可用來隱藏 [某些](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) 網路與瀏覽器特徵。 不像名字所暗示的,該功能不應該依賴於匿名。 如果您正在尋找匿名性,請改用[Tor瀏覽器] (tor.md#tor-browser)。 + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! 警告 + + Startpage 定期限制服務對某些 IP位址的存取,例如為 VPN 或Tor 保留的IP。 [DuckDuckGo](#duckduckgo)和[Brave Search] (#brave-search)是更友好的選項,如果您的威脅模型需要向搜索提供商隱藏您的IP位址。 + +Startpage位於荷蘭。 根據他們的 [隱私政策](https://www.startpage.com/en/privacy-policy/),他們記錄細節如:作業系統、瀏覽器類型和語言。 他們不會記錄您的IP位址、搜尋查詢或其他個人識別資訊。 + +Startpage 大股東是System1,它是一家廣告技術公司。 我們不認為這是問題,因為他們有明顯分開的 [隱私政策](https://system1.com/terms/privacy-policy)。 Privacy Guides 團隊2020年 聯繫 Startpage +,以消除對 System1對該服務大量投資的擔憂。 我們對收到的答案感到滿意。

+ + + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + + + + +### 最低合格要求 + +- 不得根據其隱私權政策收集個人身份資訊。 +- 不得要求使用者建立帳戶。 + + + +### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- 應該以開源軟體為基礎。 +- 不應該封鎖 Tor退出節點的 IP位址。 diff --git a/i18n/zh-Hant/tools.md b/i18n/zh-Hant/tools.md new file mode 100644 index 00000000..13693d05 --- /dev/null +++ b/i18n/zh-Hant/tools.md @@ -0,0 +1,477 @@ +--- +title: "Privacy Tools" +icon: material/tools +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +If you're looking for a specific solution to something, these are the hardware and software tools we recommend in a variety of categories. Our recommended privacy tools are primarily chosen based on security features, with additional emphasis on decentralized and open-source tools. They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +For more details about each project, why they were chosen, and additional tips or tricks we recommend, click the "Learn more" link in each section, or click on the recommendation itself to be taken to that specific section of the page. + +## Tor Network + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](tor.md#tor-browser) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](tor.md#orbot) +- ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ .twemoji }![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ .twemoji } [Snowflake](tor.md#snowflake) (1) + +
+ +1. Snowflake does not increase privacy, however it allows you to easily contribute to the Tor network and help people in censored networks achieve better privacy. + +[Learn more :material-arrow-right-drop-circle:](tor.md) + +## Desktop Web Browsers + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md) + +### Additional Resources + +
+ +- ![uBlock Origin logo](assets/img/browsers/ublock_origin.svg){ .twemoji } [uBlock Origin](desktop-browsers.md#ublock-origin) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop-browsers.md#additional-resources) + +## Mobile Web Browsers + +
+ +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md) + +### Additional Resources + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[Learn more :material-arrow-right-drop-circle:](mobile-browsers.md#adguard) + +## Operating Systems + +### 行動 + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md) + +#### Android Apps + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[Learn more :material-arrow-right-drop-circle:](android.md#general-apps) + +### Desktop/PC + +
+ +- ![Qubes OS logo](assets/img/qubes/qubes_os.svg){ .twemoji } [Qubes OS (Xen VM Distribution)](desktop.md#qubes-os) +- ![Fedora logo](assets/img/linux-desktop/fedora-workstation.svg){ .twemoji } [Fedora Workstation](desktop.md#fedora-workstation) +- ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensuse-tumbleweed.svg){ .twemoji } [OpenSUSE Tumbleweed](desktop.md#opensuse-tumbleweed) +- ![Arch logo](assets/img/linux-desktop/archlinux.svg){ .twemoji } [Arch Linux](desktop.md#arch-linux) +- ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ .twemoji } [Fedora Silverblue & Kinoite](desktop.md#fedora-silverblue) +- ![nixOS logo](assets/img/linux-desktop/nixos.svg){ .twemoji } [NixOS](desktop.md#nixos) +- ![Whonix logo](assets/img/linux-desktop/whonix.svg){ .twemoji } [Whonix (Tor)](desktop.md#whonix) +- ![Tails logo](assets/img/linux-desktop/tails.svg){ .twemoji } [Tails (Live Boot)](desktop.md#tails) + +
+ +[Learn more :material-arrow-right-drop-circle:](desktop.md) + +### Router Firmware + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[Learn more :material-arrow-right-drop-circle:](router.md) + +## Service Providers + +### Cloud Storage + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[Learn more :material-arrow-right-drop-circle:](cloud.md) + +### DNS + +#### DNS Providers + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[Learn more :material-arrow-right-drop-circle:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ .twemoji }![RethinkDNS logo](assets/img/android/rethinkdns-dark.svg#only-dark){ .twemoji } [RethinkDNS](dns.md#rethinkdns) +- ![dnscrypt-proxy logo](assets/img/dns/dnscrypt-proxy.svg){ .twemoji } [dnscrypt-proxy](dns.md#dnscrypt-proxy) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[Learn more :material-arrow-right-drop-circle:](dns.md#self-hosted-solutions) + +### Email + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md) + +#### Email Aliasing Services + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[Learn more :material-arrow-right-drop-circle:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[Learn more :material-arrow-right-drop-circle:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[Learn more :material-arrow-right-drop-circle:](search-engines.md) + +### VPN Providers + +??? 注意 "VPN 不會讓您匿名" + + Using a VPN will **not** keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic. + + If you are looking for **anonymity**, you should use the Tor Browser **instead** of a VPN. + + If you're looking for added **security**, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices. + + [Learn more :material-arrow-right-drop-circle:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[Learn more :material-arrow-right-drop-circle:](vpn.md) + +## Software + +### Calendar Sync + +
+ +- ![Tutanota logo](assets/img/calendar/tutanota.svg){ .twemoji } [Tutanota](calendar.md#tutanota) +- ![Proton Calendar logo](assets/img/calendar/proton-calendar.svg){ .twemoji } [Proton Calendar](calendar.md#proton-calendar) + +
+ +[Learn more :material-arrow-right-drop-circle:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[Learn more :material-arrow-right-drop-circle:](cryptocurrency.md) + +### 資料和中繼資料處理 + +
+ +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[Learn more :material-arrow-right-drop-circle:](data-redaction.md) + +### Email Clients + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[Learn more :material-arrow-right-drop-circle:](email-clients.md) + +### 加密軟體 + +??? info "Operating System Disk Encryption" + + For encrypting your operating system drive, we typically recommend using whichever encryption tool your operating system provides, whether that is **BitLocker** on Windows, **FileVault** on macOS, or **LUKS** on Linux. These tools are included with the operating system and typically use hardware encryption elements such as a TPM that other full-disk encryption software like VeraCrypt do not. VeraCrypt is still suitable for non-operating system disks such as external drives, especially drives that may be accessed from multiple operating systems. + + [Learn more :material-arrow-right-drop-circle:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[Learn more :material-arrow-right-drop-circle:](encryption.md#openpgp) + +### File Sharing and Sync + +
+ +- ![Send logo](assets/img/file-sharing-sync/send.svg){ .twemoji } [Send](file-sharing.md#send) +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[Learn more :material-arrow-right-drop-circle:](file-sharing.md) + +### Frontends + +
+ +- ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](frontends.md#librarian) +- ![Nitter logo](assets/img/frontends/nitter.svg){ .twemoji } [Nitter (Twitter, Web)](frontends.md#nitter) +- ![FreeTube logo](assets/img/frontends/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](frontends.md#freetube) +- ![Yattee logo](assets/img/frontends/yattee.svg){ .twemoji } [Yattee (YouTube; iOS, tvOS, macOS)](frontends.md#yattee) +- ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ .twemoji }![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ .twemoji } [LibreTube (YouTube, Android)](frontends.md#libretube-android) +- ![NewPipe logo](assets/img/frontends/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](frontends.md#newpipe-android) +- ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](frontends.md#invidious) +- ![Piped logo](assets/img/frontends/piped.svg){ .twemoji } [Piped (YouTube, Web)](frontends.md#piped) + +
+ +[Learn more :material-arrow-right-drop-circle:](frontends.md) + +### Multi-Factor Authentication Tools + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[Learn more :material-arrow-right-drop-circle:](multi-factor-authentication.md) + +### News Aggregators + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[Learn more :material-arrow-right-drop-circle:](news-aggregators.md) + +### Notebooks + +
+ +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Cryptee logo](assets/img/notebooks/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/notebooks/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](notebooks.md#cryptee) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[Learn more :material-arrow-right-drop-circle:](notebooks.md) + +### Password Managers + +
+ +- ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ .twemoji } [Bitwarden](passwords.md#bitwarden) +- ![1Password logo](assets/img/password-management/1password.svg){ .twemoji } [1Password](passwords.md#1password) +- ![Psono logo](assets/img/password-management/psono.svg){ .twemoji } [Psono](passwords.md#psono) +- ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ .twemoji } [KeePassXC](passwords.md#keepassxc) +- ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ .twemoji } [KeePassDX (Android)](passwords.md#keepassdx-android) +- ![Strongbox logo](assets/img/password-management/strongbox.svg){ .twemoji } [Strongbox (iOS & macOS)](passwords.md#strongbox-ios-macos) +- ![gopass logo](assets/img/password-management/gopass.svg){ .twemoji } [gopass](passwords.md#gopass) + +
+ +[Learn more :material-arrow-right-drop-circle:](passwords.md) + +### Productivity Tools + +
+ +- ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](productivity.md#nextcloud) +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[Learn more :material-arrow-right-drop-circle:](productivity.md) + +### Real-Time Communication + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar](real-time-communication.md#briar) +- ![SimpleX Chat logo](assets/img/messengers/simplex.svg){ .twemoji } [SimpleX Chat](real-time-communication.md#simplex-chat) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) + +
+ +[Learn more :material-arrow-right-drop-circle:](real-time-communication.md) + +### Video Streaming Clients + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[Learn more :material-arrow-right-drop-circle:](video-streaming.md) diff --git a/i18n/zh-Hant/tor.md b/i18n/zh-Hant/tor.md new file mode 100644 index 00000000..a1376d63 --- /dev/null +++ b/i18n/zh-Hant/tor.md @@ -0,0 +1,119 @@ +--- +title: "Tor Network" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +**Tor** 網絡是一組由志願者操作的伺服器,可讓您免費連線,並改善您的隱私權和安全性。 個人和組織還可以通過 Tor 網絡與“.onion 隱藏服務”分享資訊,而不會損害他們的隱私。 很難阻止和追蹤 Tor 流量,因此它是一種有效的審查規避工具。 + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor 的工作原理是通過志願者運營的服務器來引導您的網際網路路徑,而不是直接連接到您試圖訪問的網站。 這樣可以混淆流量來源,所連接的伺服器都無法看到流量來去的完整路徑,也意味著即使您連接的伺服器無法破壞您的匿名性。 + +[詳細的 Tor 總覽 :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## 正在連接到Tor + +有多種方式可以從您的設備連上 Tor 網絡,最常用的是 ** Tor 瀏覽器**,這是 Firefox 的一個分支,專為桌面電腦和 Android 的匿名瀏覽而設計。 除了下面列出的應用程序外,還有專門設計用於連接到 Tor 網絡的操作系統,例如 [Qubes OS 作業系統](desktop.md#qubes-os) [Whonix](desktop.md#whonix),它們提供比標準 Tor 瀏覽器更高的安全性和保護。 + +### Tor Browser + +!!! recommendation + + ! [Tor 瀏覽器標誌] (assets/img/browsers/tor.svg) {align = right} + + * * Tor 瀏覽器* *需要匿名的好選擇,為您提供 Tor 網絡和橋接的存取權限,它包含預設設置和擴展其自動配置安全級別有: *標準* 、 *更安全*和*最安全*三種。 + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android] (https://www.torproject.org/download/#android) + - [:simple-windows11: Windows] (https://www.torproject.org/download/) + - [:simple-apple: macOS] (https://www.torproject.org/download/) + - [:simple-linux: Linux] (https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD] (https://www.freshports.org/security/tor) + +!!! 危險 + + 您應該* *永遠不要* *在Tor瀏覽器上安裝任何其他擴充功能,或編輯「關於:配置」設定,包括我們為Firefox建議的設定。 瀏覽器擴充套件和非標準設置會使您在 Tor 網絡上突顯出來,從而使您的瀏覽器更容易變成 [fingerprint]( https://support.torproject.org/glossary/browser-fingerprinting )。 + +Tor 瀏覽器旨在防止指紋識別----根據您的瀏覽器配置識別您。 因此,您 **不應** 修改瀏覽器超出預設 [安全級別](https://tb-manual.torproject.org/security-settings/)。 + +### Orbot + +!!! recommendation + + ! [Orbot標誌] (assets/img/self-contained-networks/orbot.svg) {align = right} + + * * Orbot * *是一款免費的Tor VPN ,適用於智慧型手機,可讓裝置上的任何應用程式流量通過 Tor 網絡。 + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store] (https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub] (https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! 提示“ Android 使用訣竅” + + Orbot 可以代理個別應用程式,如果它們有支援 SOCKS 或 HTTP 代理。 它也能使用 [VpnService]( https://developer.android.com/reference/android/net/VpnService )代理您的所有網路連接,其 VPN killswitch 設置在 :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**.。 + + Guardian Project 的[F-Droid repository] (https://guardianproject.info/fdroid)和[Google Play] (https://play.google.com/store/apps/details?id=org.torproject.android)上Orbot 往往不是最新版,因此請考慮直接從 [GitHub repository] (https://github.com/guardianproject/orbot/releases) 下載。 + + 所有版本都使用同一個簽名,因此它們應該相互兼容。 + +## 中繼和橋接 + +### Snowflake + +!!! recommendation + + ! [Snowflake logo] (assets/img/browsers/snowflake.svg#only-light) {align = right} + ! [Snowflake logo] (assets/img/browsers/snowflake-dark.svg#only-dark) {align = right} + + * * Snowflake * *允許您在瀏覽器中操作「Snowflake proxy」,將網路頻寛捐給 Tor 專案。 + + 被審查的人可以使用 Snowflake 代理來連接 Tor 網絡。 Snowflake 是貢獻 Tor 網絡的好方法,即便您沒有運行 Tor 中繼或橋接的技術知識。 + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? 下載 + + - [:simple-firefoxbrowser: Firefox] (https://addons.mozilla.org/zh-CN/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome] (https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web] (https://snowflake.torproject.org/embed "保持此頁面開啟成為Snowflake代理") + +??? 提示: Embedded Snowflake + + 您可以在瀏覽器中啟用 Snowflake ,只需按下下方開關,即可= =保持此頁面開啟= =。 您還可以安裝 Snowflake 瀏覽器擴充元件,當開啟瀏覽器時它會一直執行,但添加第三方擴充元件可能會增加遭攻擊面。 + +
+ 如果沒有顯示嵌入,請確保您沒有封鎖來自`torproject.org`的第三方框架。 或者,請造訪[此頁面] (https://snowflake.torproject.org/embed.html)。 + +Snowflake 無法加強隱私,也不會在您的個人瀏覽器中連接 Tor網絡。 但如果您的網際網路連接沒有被審查的情形,請考慮使用它,幫助受審查網路中的人們能有更好的隱私。 無需擔心人們通過您的代理訪問哪些網站----他們的可見瀏覽 IP 地址將與其 Tor 出口節點相匹配,而不是您的 IP 地址。 + +運行 Snowflake 代理風險很低,甚至低於運行 Tor 中繼或橋接器,而這些中繼器或橋接器已經不算是特別高風險的工作。 但是,它通過您的網路進行代理流量,在某些方面可能會產生影響,特別是您的網路頻寬有限制的話。 在運行代理之前,要確保已清楚了解[ Snowflake 運作方式](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) 。 + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/zh-Hant/video-streaming.md b/i18n/zh-Hant/video-streaming.md new file mode 100644 index 00000000..e6947cec --- /dev/null +++ b/i18n/zh-Hant/video-streaming.md @@ -0,0 +1,51 @@ +--- +title: "影片串流" +icon: material/video-wireless +description: 這些服務可讓您串流互聯網內容,而不會記錄個人興趣建立廣告剖繪。 +--- + +使用影片串流平臺時的主要威脅是您的串流習慣和訂閱清單可能被用來剖繪分析您的個人喜好。 您應該將這些工具與 [VPN](vpn.md) 或 [Tor](https://www.torproject.org/) 相結合,以便更難分析您的使用情況。 + +## LBRY + +!!! recommendation + + ! [LBRY標誌] (assets/img/video-streaming/lbry.svg) {align = right} + + * * LBRY 網路* *是一個分散式視頻共享網絡。 它透過類似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)-l網路來儲存影片內容,再利用 [區塊錬](https://wikipedia.org/wiki/Blockchain) 來存儲影片之索引。 這種設計的主要好處是抵抗審查。 + + * * LBRY 桌面用戶端* *可協助串流來自 LBRY 網路的影片,並將訂閱清單儲存在自己的 LBRY 錢包。 + + [:octicons-home-16: Homepage](https://lbry.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://lbry.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://lbry.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/lbryio/lbry-desktop){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-windows11: Windows](https://lbry.com/windows) + - [:simple-apple: macOS](https://lbry.com/osx) + - [:simple-linux: Linux](https://lbry.com/linux) + +!!! 備註 + + 建議僅使用* * LBRY桌面用戶端* * ,因為 F-Droid、Play Store 和App Store 中的 [Odysee](https://odysee.com)網站和 LBRY 用戶端具有強制同步和遙測功能。 + +!!! 警告 + + 在觀看和託管影片時,LBRY 網路可看到您的 IP 位址。 如果您的[威脅模型] (basics/threat-modeling.md)需要隱藏您的IP 位址,請考慮使用 [VPN](vpn.md)或 [Tor](https://www.torproject.org)。 + +建議**不要** 錢包與 LBRY Inc. 設為同步,因為尚不支援錢包同步的加密功能。 如果您將錢包與 LBRY Inc.同步,則必須信任他們不會查看您的訂閱列表, [LBC](https://lbry.com/faq/earn-credits) 資金或控制您的頻道。 + +您可以禁用 *儲存託管資料,其設置方法為* 選項中的 :gear: **設置** → **進階設置**,來避免在長時間使用 LBRY 時暴露 IP 地址和觀看的視頻。 + +## 標準 + +**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +!!! 示例“此部分是新的” + + 我們正在努力為我們網站的每個部分建立定義的標準,這可能會有所變化。 如果您對我們的標準有任何疑問,請在[論壇上提問] (https://discuss.privacyguides.net/latest) ,如果沒有列出,請不要認為我們在提出建議時沒有考慮到某些事情。 當我們推薦一個項目時,有許多因素被考慮和討論,記錄每一個項目都是正在進行式。 + +- 無需集中式帳戶就可觀看影片。 + - 分散式驗證,例如通過行動錢包的私鑰進行驗證是可以接受的。 diff --git a/i18n/zh-Hant/vpn.md b/i18n/zh-Hant/vpn.md new file mode 100644 index 00000000..718f6c95 --- /dev/null +++ b/i18n/zh-Hant/vpn.md @@ -0,0 +1,404 @@ +--- +title: "VPN 服務" +icon: material/vpn +description: 這些是保護您線上隱私和安全的最佳 VPN 服務。 在這裡找一個不會監視您的供應商。 +--- + +連接到網際網路連線供應商、公共Wi-Fi 網路或下載文件時,如何能有更好的 **隱私**保護 ,只要了解所涉及的風險, VPN 可能是您的解決方案。 我們認為這些供應商高於其他供應商: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! 注意 "VPN 不會讓您匿名" + + 使用 VPN 將* *不會* *讓您的瀏覽習慣被匿名,也不會替不安全( HTTP )流量增加額外的安全性。 + + 如果您追求的是* *匿名性* * ,應該使用 Tor 瀏覽器* *代替* * VPN。 + + 如果要的是更多* *安全性* * ,您應該確保您全程使用 HTTPS 連接到網站。 VPN 不能取代良好的安全措施。 + + [Download Tor] (https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ] (advanced/tor-overview.md){ .md-button } + +[VPN 概述 :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## 推薦的 DNS 提供商 + +我們推薦的提供商使用加密、可接受Monero 、支持WireGuard & OpenVPN ,且具有不記錄政策。 閱讀我們的 [完整列表標準](#criteria) 以獲取更多信息。 + +### IVPN + +!!! recommendation + + ! [IVPN logo] (assets/img/vpn/ivpn.svg) {align = right} + + * * IVPN * *是另一家高級 VPN 提供商,自 2009年開始運營。 IVPN 位於直布羅陀。 + + [:octicons-home-16: Homepage](https://www.ivpn.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.ivpn.net/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.ivpn.net/knowledgebase/general/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ivpn){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-android: Android] (https://www.ivpn.net/apps-android/) + - [:simple-appstore: App Store] (https://apps.apple.com/app/ivpn-serious-privacy-protection/id1193122683) + - [:simple-windows11: Windows] (https://www.ivpn.net/apps-windows/) + - [:simple-apple: macOS] (https://www.ivpn.net/apps-macos/) + - [:simple-linux: Linux] (https://www.ivpn.net/apps-linux/) + +#### :material-check:{ .pg-green } 35 個國家 + +IVPN 在 35 個國家/地區擁有 [伺服器](https://www.ivpn.net/server-locations)。 (1)選擇離您最近的伺服器 VPN 供應商,將減少發送網路流量的延遲。 這是因為到目的地的路線較短(跳數較少)。 +{ .annotate } + +1. 上次檢查日期: 2022-09-16 + +我們認為,如果 VPN 提供商使用 [專用伺服器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是更便宜(與其他客戶共享)的解決方案 ,例如 [虛擬專用服務器](https://en.wikipedia.org/wiki/Virtual_private_server),則 VPN提供商的私鑰更安全。 + +#### :material-check:{ .pg-green } 獨立稽核 + +IVPN 通過 Cure53 的 + +不留記錄審計,該審計結果與 IVPN 的不留記錄聲明一致。 IVPN 還在2020年1月完成了Cure53 [全面的 pentest 報告](https://cure53.de/summary-report_ivpn_2019.pdf) 。 IVPN 也表示打算未來會定期提出 [年度報告](https://www.ivpn.net/blog/independent-security-audit-concluded)。 2022年4月進行[進一步評估](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) ,並由執行單位 Cure53 發佈[在其網站](https://cure53.de/pentest-report_IVPN_2022.pdf)。

+ + + +#### :material-check:{ .pg-green } 開源客戶端 + +2020 二月後 [IVPN 應用程式已公開其源代碼](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source)。 源代碼可以從他們的 [GitHub組織](https://github.com/ivpn)獲得。 + + + +#### :material-check:{ .pg-green } 接受現金和Monero + +除了接受信用卡/簽帳卡和 PayPal 外, IVPN 還接受比特幣 **Monero** 和 **現金/當地貨幣** (年度方案繳費)作為匿名付款方式。 + + + +#### :material-check:{ .pg-green } WireGuard支持 + +IVPN 支援 WireGuard 協議。 [WireGuard](https://www.wireguard.com) 是一個較新的協議,使用最先進的 [加密技術](https://www.wireguard.com/protocol/)。 此外, WireGuard的目標是更簡單,更高效。 + +IVPN [建議](https://www.ivpn.net/wireguard/)搭配 WireGuard 一起使用, IVPN's 所有應用程式皆已預設 WireGuard 協議。 IVPN 亦提供 WireGuard 設置生成器以用於官方版本的 WireGuard [應用軟體](https://www.wireguard.com/install/)。 + + + +#### :material-check:{ .pg-green } 遠端端口轉發 + +使用昇級方案可用遠端 [端口轉發](https://en.wikipedia.org/wiki/Port_forwarding) 。 [可以由客戶端區域激活](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html)端口轉發 。 只有使用 WireGuard 或 OpenVPN 協議,IVPN 方可轉發端口,但在[美國的伺服器](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html) 不支援此功能。 + + + +#### :material-check:{ .pg-green } 手機客戶端 + +除標準的 OpenVPN 配置文件外, IVPN可以在 [App Store ](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683)、 [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client)和 [GitHub](https://github.com/ivpn/android-app/releases) 下載移動客戶端,以輕鬆連接到他們的伺服器。 + + + +#### :material-information-outline:{ .pg-blue } 額外功能 + +IVPN 客戶端支援雙因素驗證(Mullvad 客戶端不支援)。 IVPN 有"[反追蹤](https://www.ivpn.net/antitracker)" 功能,以阻絕來自網路層的廣告與追蹤。 + + + +### Mullvad + +!!! recommendation + + ! [Mullvad 標誌] (assets/img/vpn/mullvad.svg) {align = right} + + * * Mullvad * *是一個快速且便宜的VPN ,非常注重透明和安全性。 自* * 2009 年* *開始運營。 Mullvad 總部位於瑞典,不提供免費試用。 + + [:octicons-home-16: Homepage](https://mullvad.net){ .md-button .md-button--primary } + [:simple-torbrowser:](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mullvad){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store] (https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub] (https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows] (https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS] (https://mullvad.net/en/download/macos/) + - [:simple-linux: ] (https://mullvad.net/en/download/linux/) + + + + +#### :material-check:{ .pg-green } 41 個國家 + +Mullvad 在 41 個國家/地區設有 [伺服器](https://mullvad.net/servers/)。(1)選擇離您最近伺服器,這將減少您網路流量的延遲。 這是因為到目的地的路線較短(跳數較少)。 + +{ .annotate } + +1. 上次檢查日期: 2023-01-19 + +我們認為,如果 VPN 提供商使用 [專用伺服器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是更便宜(與其他客戶共享)的解決方案 ,例如 [虛擬專用服務器](https://en.wikipedia.org/wiki/Virtual_private_server),則 VPN提供商的私鑰更安全。 + + + +#### :material-check:{ .pg-green } 獨立稽核 + +Cure53 審計了 Mullvad's VPN 客戶端軟體, Assured AB 對他們進行穿透測試,相關報告在[ cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf)。 安全研究人員得出結論: + + + +> Cure53 和 Assured AB 對審計結果感到滿意,Mullvad 留下整體正面的印象。 由於 Mullvad VPN 內部團隊在安全上的投入,測試人員肯定了該項目從安全角度來看是正確的。 + +2020年宣布第二次審計 [](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) , [最終報告結果](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) 可在 Cure53 網站上獲得: + + + +> 2020年5月~6月針對 Mullvad 的專案結果是相當正面。 [...] Mullvad 使用的整體應用生態系統給人留下了結構完善之印象。 該應用程序的整體結構更容易以結構化的方式推出補丁和修復。 Cure53 的發現展示了不斷審核和重新評估當前泄漏向量的重要性,以始終確保最終用戶的隱私。 Mullvad 在保護最終用戶免受常見 PII 洩漏和隱私相關風險方面做得很好。 + +2021年宣布[基礎設施審計](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) ,並在 Cure53 網站上公布[最終審計報告](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) 。 2022年6月另一份委託 Assured 所作的報告 。

+ + + +#### :material-check:{ .pg-green } 開源客戶端 + +Mullvad 在[GitHub 提供其桌面和移動客戶端的源代碼](https://github.com/mullvad/mullvadvpn-app)。 + + + +#### :material-check:{ .pg-green } 接受現金和Monero + +除了接受信用卡/簽帳卡和 PayPal 外, IVPN 還接受比特幣 **Monero** 和 **現金/當地貨幣** (年度方案繳費)作為匿名付款方式。 他們也接受 Swish 和銀行電匯。 + + + +#### :material-check:{ .pg-green } WireGuard支持 + +Mullvad 支持 WireGuard ®協議。 [WireGuard](https://www.wireguard.com) 是一個較新的協議,使用最先進的 [加密技術](https://www.wireguard.com/protocol/)。 此外, WireGuard的目標是更簡單,更高效。 + +Mullvad [建議](https://mullvad.net/en/help/why-wireguard/) 搭配 WireGuard 使用。 Android, iOS, macOS, 與 Linux Mullvad 應用軟體已將 WireGuard 調為預設協議,但 Windows 則須要自行 [手動打開](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard。 Mullvad 提供 WireGuard 配置生成器,搭配 WireGuard 官方 [應用程序](https://www.wireguard.com/install/)。 + + + +#### :material-check:{ .pg-green } IPv6 支持 + +Mullvad 支持未來的網路主流 [IPv6](https://en.wikipedia.org/wiki/IPv6)。 他們的網路可讓您 [存取託管在 IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) 的服務,有些供應商會阻止IPv6 連接。 + + + +#### :material-check:{ .pg-green } Remote Port Forwarding + +遠端 [端口輚發](https://en.wikipedia.org/wiki/Port_forwarding) 可允許單次付款的使用者,但長期/訂閱付款的帳戶不可使用。 這是為了防止 Mullvad 能夠根據端口使用情況和存儲的訂閱資訊來辨識使用者。 請參見 Mullvad VPN 端口轉發 了解更多資訊。

+ + + +#### :material-check:{ .pg-green } 手機客戶端 + +Mullvad 有 [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) 和 [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) 用戶端,兩者易於使用的界面,無須手動配置 WireGuard 連接。 Android 客戶端也從 [GitHub](https://github.com/mullvad/mullvadvpn-app/releases)下載。 + + + +#### :material-information-outline:{ .pg-blue } 額外功能 + +Mullvad 對 [自有或租用](https://mullvad.net/en/servers/)的節點非常透明。 他們在 ShadowSocks + OpenVPN 配置中使用 [ShadowSocks](https://shadowsocks.org/) ,以更能抵抗 [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) 試圖阻止 VPN 之防火牆。 據推測, [中國使用不同的方法來阻止 ShadowSocks 伺服器](https://github.com/net4people/bbs/issues/22)。 Mullvad 網站也可以通過 Tor 訪問 [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion)。 + + + +### Proton VPN + +!!! recommendation annotate + + ! [Proton VPN標誌] (assets/img/vpn/protonvpn.svg) {align = right} + + * * Proton VPN * *是 VPN 領域強大競爭者,自 2016 年開始營運。 Proton AG 總部位於瑞士,提供有限的免費會員等級,以及更多功能的付費選項。 + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } + + ??? 下載 + + - [:simple-googleplay: Google Play] (https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store] (https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub] (https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows] (https://protonvpn.com/download-windows) + - [:simple-linux: Linux] (https://protonvpn.com/support/linux-vpn-setup/) + + + + +#### :material-check:{ .pg-green } 67個國家 + +Proton VPN 在67個國家/地區設有 [伺服器](https://protonvpn.com/vpn-servers). (1)選擇距離您最近的伺服器的VPN供應商,將減少您網路流量的延遲。 這是因為到目的地的路線較短(跳數較少)。 + +{ .annotate } + +1. 上次檢查日期: 2022-09-16 + +我們認為,如果 VPN 提供商使用 [專用伺服器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是更便宜(與其他客戶共享)的解決方案 ,例如 [虛擬專用服務器](https://en.wikipedia.org/wiki/Virtual_private_server),則 VPN提供商的私鑰更安全。 + + + +#### :material-check:{ .pg-green } 獨立稽核 + +截至 2020年1月, Proton VPN 已接受 SEC Consult 的獨立審計。 SEC Consult 在 Proton VPN Windows、Android 和 iOS應用程序中發現一些中低風險漏洞,Proton VPN 已在報告發布之前全部“正確修復”這些漏洞。 所發現的問題都不會讓攻擊者遠端存取您的裝置或流量。 您可以透過 [protonvpn.com](https://protonvpn.com/blog/open-source/)查看各個平臺的報告。 2022 年 4月Proton VPN 通過 [另一次審計](https://protonvpn.com/blog/no-logs-audit/) ,[ Securitum 所作的報告在此](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf)。 [Securitum](https://research.securitum.com) 在 2021年11月9日簽發 [Proton VPN 的應用程式認證函](https://proton.me/blog/security-audit-all-proton-apps) 。 + + + +#### :material-check:{ .pg-green } 開源客戶端 + +Proton VPN 在 [GitHub](https://github.com/ProtonVPN) 提供其桌面和移動客戶端的源代碼。 + + + +#### :material-check:{ .pg-green } 接受現金 + +除信用卡/簽帳卡、PayPal 和 [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc)之外,Proton VPN 還接受 **現金/當地貨幣** 等匿名付款方式。 + + + +#### :material-check:{ .pg-green } WireGuard支持 + +Proton VPN 支持 WireGuard ®協議。 [WireGuard](https://www.wireguard.com) 是一個較新的協議,使用最先進的 [加密技術](https://www.wireguard.com/protocol/)。 此外, WireGuard的目標是更簡單,更高效。 + +Proton VPN [建議](https://protonvpn.com/blog/wireguard/) 搭配 WireGuard 使用。 Proton VPN 在 Windows, macOS, iOS, Android, ChromeOS, 以及 Android TV 等平台的應用軟體, WireGuard 已是預設協議,不過[尚未支援](https://protonvpn.com/support/how-to-change-vpn-protocols/) Linux 作業系統的應用軟體。 + + + +#### :material-alert-outline:{ .pg-orange } 遠端端口轉發 + +Proton VPN 目前只支援 Windows 遠端 [端口轉發](https://protonvpn.com/support/port-forwarding/) ,它可能會影響某些應用程式。 尤其是像 Torrent 客戶端這類 P2P 應用程式。 + + + +#### :material-check:{ .pg-green } 手機客戶端 + +除了提供標準的 OpenVPN 配置檔案外, Proton VPN 還有 [ App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085)、 [ Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US)和 [個GitHub](https://github.com/ProtonVPN/android-app/releases) 的移動客戶端,可以輕鬆連接到其伺服器。 + + + +#### :material-information-outline:{ .pg-blue } 額外功能 + +除 Linux 以外,Proton VPN 客戶端目前支持所有平臺上的雙因素身份驗證。 在瑞士、冰島和瑞典,Proton VPN 擁有自己的伺服器和資料中心。 他們透過自己的 DNS 服務,來封鎖廣告和已知的惡意軟體網域。 此外, Proton VPN 還提供“Tor”伺服器,讓您可輕鬆連接到洋蔥網站,但我們仍然強烈建議這類目的,最好還是使用 [官方 Tor 瀏覽器](https://www.torproject.org/) 。 + + + +#### :material-alert-outline:{ .pg-orange } Killswitch 無法用在 Intel 處理器的 Mac 電腦 + +Intel 處理器的 Mac 電腦 若用 VPN killswitch 會發生 [系統崩潰](https://protonvpn.com/support/macos-t2-chip-kill-switch/) 。 如果您需要此功能,但使用的是搭載 Intel 晶片組的Mac ,則應考慮使用其他 VPN 服務。 + + + +## 標準 + +!!! 危險 + + 重要的是要注意,使用 VPN 不會使您匿名,但在某些情況下可以提供更好的隱私。 VPN不是非法活動的工具。 不要依靠“不留記錄”政策。 + + +**請注意我們和所推薦的服務商沒有任何利害關係。 這使我們能夠提供完全客觀的建議。** 除了 [我們的標準條件](about/criteria.md)外,我們還為任何希望獲得推薦的 VPN 服務商制定了一套明確的要求,包括強大的加密、獨立的安全審計、現代技術等。 我們建議您在選擇 VPN 供應商之前先熟悉此清單,並進行自己的研究,盡可能地確保您選擇的 VPN 供應商值得信賴。 + + + +### 技術 + +我們要求所有推薦的 VPN 服務商有提供 OpenVPN 配置檔案,以便用在任何客戶端。 **如果** VPN 提供自定用戶端,則要求有 killswitch 來阻止未連接 VPN 時網路資料遭洩漏。 + +**最低合格要求:** + +- 支援強固的協議,如 WireGuard & OpenVPN。 +- 客戶端內建 Killswitch。 +- Multihop支持。 萬一單個節點受損,多跳方式就非常重要,才能保持數據的私密性。 +- 如果提供 VPN 用戶端,它們應該為 [開源](https://en.wikipedia.org/wiki/Open_source),就如同所內置的 VPN 軟體。 我們相信, 可取得的[源代碼](https://en.wikipedia.org/wiki/Source_code) 可為用戶設備實際運作提供更高的透明度。 + +**最佳案例:** + +- 支持 WireGuard 和 OpenVPN。 +- Killswitch 具高度可配置選項(啟用/禁用某些網路、開機時啟閉等上) +- 易於使用的 VPN 客戶端 +- 支援 [IPv6](https://en.wikipedia.org/wiki/IPv6)協議 我們預期伺服器將允許透過 IPv6 傳入連線,並允許您存取託管在IPv6 位址上的服務。 +- [遠端端口轉發](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) 的功能可協助在使用P2P ([對等](https://en.wikipedia.org/wiki/Peer-to-peer))檔案共享軟體或自建伺服器(例如Mumble )時建立連接。 + + + +### 隱私 + +我們希望所推薦的提供商盡可能減少客戶資料收集。 不收集註冊時的個人資訊,並接受匿名形式的付款是必需的。 + +**最低合格要求:** + +- [匿名加密貨幣](cryptocurrency.md) **或** 現金支付選項。 +- 註冊時無需個人資料:最多只需提供使用者名稱、密碼和電子郵件。 + +**最佳案例:** + +- 接受多種 [匿名付款方式](advanced/payments.md)。 +- 無需任何個人資訊(自動生成的用戶名稱、不要求電子郵件等)。 + + + +### 安全 + +若 VPN 不能提供足夠安全性,它就毫無意義。 我們要求所有推薦的供應商遵守其 OpenVPN 連接的現行安全標準。 理想中,預設他們會使用更多面向未來的加密方案。 我們要求有獨立的第三方來審核供應商的安全性,理想情況下是每年都能進行全方方面審計。 + +**最低合格要求:** + +- 強固加密方案:具有 SHA-256 驗證的 OpenVPN; RSA-2048 或更好的握手; AES-256-GCM 或 AES-256-CBC 數據加密。 +- 完全前向保密 (PFS) +- 公佈信譽良好第三方公司的安全審計。 + +**最佳案例:** + +- 最強加密: RSA-4096。 +- 完全前向保密 (PFS) +- 由信譽良好的第三方公司執行公佈的全面安全審計。 +- 漏洞獎勵計劃和/或協調漏洞披露過程。 + + + +### 信任 + +您不會把財務資料交給身份作假的人,又怎會信任他們來處置您的網路資料? 我們要求推薦的供應商公開其所有權或領導層級狀況。 我們也希望看到頻繁的透明度報告,特別是關於如何處理政府要求的報告。 + +**最低合格要求:** + +- 面向公眾的領導或所有權。 + +**最佳案例:** + +- 面向公眾的領導 +- 頻繁的透明度報告。 + + + +### 行銷 + +對於所推薦的 VPN 服務商,我們樂見更負責任的營銷。 + +**最低合格要求:** + +- 必須自行託管分析工具(例如不用 Google Analytics )。 供應商的網站還必須符合 [DNT(請勿追蹤)](https://en.wikipedia.org/wiki/Do_Not_Track) 的要求。 + +不得有任何不負責任的行銷: + +- 保證 100% 匿名性保護。 當有人聲稱某件事是100% 時,這意味他對失敗也無從確定。 我們知道有許多方式可以輕易地去匿名化,例如: + - 重複未用匿名軟體( Tor 、VPN等)情況下所留的個人資料(例如電子郵件帳戶、獨特的假名等)。 + - [瀏覽器指紋](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- 聲稱單一迴路中 VPN 比 Tor “更匿名” , Tor 是由三個或更多個跳組成經常變化的迴路。 +- 使用負責任的語言:也就是說,可以說VPN “已斷開”或“未連接” ,但是聲稱某人“暴露” , “易受攻擊”或“受損”是不必要的使用可能不正確的警告語言。 例如,此人可能只是使用其他VPN提供商的服務或使用Tor。 + +**最佳案例:** + +負責任的行銷,既具教育意義又對消費者實用,可能包括: + +- 與何時應使用 [Tor](tor.md) 的準確比較。 +- VPN 服務商網站可否透過 [.onion服務](https://en.wikipedia.org/wiki/.onion)訪問。 + + + +### 附加功能 + +雖不是嚴格要求,在決定推薦哪些服務商時我們還會考慮其他一些便利或隱私因素。 其中包括i廣告/跟蹤阻擋功能、warrant canaries、多跳連接、出色的客戶支持、允許同時連接的數量等。 diff --git a/i18n/zh/404.md b/i18n/zh/404.md new file mode 100644 index 00000000..ded3df25 --- /dev/null +++ b/i18n/zh/404.md @@ -0,0 +1,19 @@ +--- +hide: + - 反馈 +meta: + - + property: "机器人" + content: "索引,nofollow" +--- + +# 404 - 页面不存在 + +我们找不到你请求的页面! 或许你是在找这些吗? + +- [威胁模型分析简介](basics/threat-modeling.md) +- [推荐的DNS提供商](dns.md) +- [最好的桌面浏览器](desktop-browsers.md) +- [最好的VPN提供商](vpn.md) +- [Privacy Guides论坛](https://discuss.privacyguides.net) +- [我们的博客](https://blog.privacyguides.org) diff --git a/i18n/zh/CODE_OF_CONDUCT.md b/i18n/zh/CODE_OF_CONDUCT.md new file mode 100644 index 00000000..88a0e910 --- /dev/null +++ b/i18n/zh/CODE_OF_CONDUCT.md @@ -0,0 +1,53 @@ +# Community Code of Conduct + +**We pledge** to make our community a harassment-free experience for everyone. + +**We strive** to create a positive environment, using welcoming and inclusive language, and being respectful of the viewpoints of others. + +**We do not allow** inappropriate or otherwise unacceptable behavior, such as sexualized language, trolling and insulting comments, or otherwise promoting intolerance or harassment. + +## Community Standards + +What we expect from members of our communities: + +1. **Don't spread misinformation** + + We are creating an evidence-based educational community around information privacy and security, not a home for conspiracy theories. For example, when making a claim that a certain piece of software is malicious or that certain telemetry data is privacy invasive, explain in detail what is collected and how it collected. Claims of this nature must be backed by technical evidence. + +1. **Don't abuse our willingness to help** + + Our community members are not your free tech support. We are happy to help you with specific steps on your privacy journey if you are willing to put in effort on your end. We are not willing to answer endlessly repeated questions about generic computer problems you could have answered yourself with a 30-second internet search. Don't be a [help vampire](https://slash7.com/2006/12/22/vampires/). + +1. **Behave in a positive and constructive manner** + + Examples of behavior that contributes to a positive environment for our community include: + + - Demonstrating empathy and kindness toward other people + - Being respectful of differing opinions, viewpoints, and experiences + - Giving and gracefully accepting constructive feedback + - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience + - Focusing on what is best not just for us as individuals, but for the overall community + +### Unacceptable Behavior + +The following behaviors are considered harassment and are unacceptable within our community: + +- The use of sexualized language or imagery, and sexual attention or advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting + +## Scope + +Our Code of Conduct applies within all project spaces, as well as when an individual is representing the Privacy Guides project in other communities. + +We are responsible for clarifying the standards of our community, and have the right to remove or alter the comments of those participating within our community, as necessary and at our discretion. + +### Contact + +If you observe a problem on a platform like Matrix or Reddit, please contact our moderators on that platform in chat, via DM, or through any designated "Modmail" system. + +If you have a problem elsewhere, or a problem our community moderators are unable to resolve, reach out to `jonah@privacyguides.org` and/or `dngray@privacyguides.org`. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. diff --git a/i18n/zh/about/criteria.md b/i18n/zh/about/criteria.md new file mode 100644 index 00000000..b2110434 --- /dev/null +++ b/i18n/zh/about/criteria.md @@ -0,0 +1,40 @@ +--- +title: 通用标准 +--- + +!!! 示例“正在进行的工作” + + 以下页面是一项正在进行的工作,目前并不反映我们建议的全部标准。 过去关于这个主题的讨论。[#24](https://github.com/privacyguides/privacyguides.org/discussions/24) + +以下是一些必须适用于所有提交给隐私指南的事项。 每个类别都会有额外的纳入要求。 + +## 财务披露 + +我们不通过推荐某些产品赚钱,我们不使用联盟链接,我们也不为项目捐赠者提供特殊考虑。 + +## 一般准则 + +我们在考虑新的建议时采用这些优先事项。 + +- **安全**:工具应该在适用的地方遵循安全的最佳做法。 +- **来源的可用性**: 开放源码项目通常比同等的专有替代品更受欢迎。 +- **跨平台**:我们通常倾向于建议跨平台,以避免厂商锁定。 +- **积极开发**:我们推荐的工具应该积极开发,未维护的项目在大多数情况下会被删除。 +- **可用性**:工具应该是大多数计算机用户可以使用的,不应该要求有过度的技术背景。 +- **文档化**:工具应该有明确和广泛的使用文档。 + +## 开发商自行提交的资料 + +我们对希望提交其项目或软件供审议的开发者有这些要求。 + +- 必须披露隶属关系,即您在提交的项目中的职位。 + +- 如果是涉及处理敏感信息的项目,如信使、密码管理器、加密的云存储等,必须有一份安全白皮书。 + - 第三方审计情况。 我们想知道你是否有一个或计划了一个。 如果可能,请说明谁将进行审计。 + +- 必须解释该项目在隐私方面带来了什么。 + - 它是否解决了任何新问题? + - 为什么有人要使用它而不是其他的东西呢? + +- 必须说明其项目的确切威胁模式是什么。 + - 潜在的用户应该清楚地知道该项目能提供什么,以及不能提供什么。 diff --git a/i18n/zh/about/donate.md b/i18n/zh/about/donate.md new file mode 100644 index 00000000..c7ff3e58 --- /dev/null +++ b/i18n/zh/about/donate.md @@ -0,0 +1,50 @@ +--- +title: 支持我们 +--- + + +需要大量的 [人](https://github.com/privacyguides/privacyguides.org/graphs/contributors) 和 [工作](https://github.com/privacyguides/privacyguides.org/pulse/monthly) ,以保持《隐私指南》的更新和传播有关隐私和大规模监控的信息。 如果你喜欢我们的工作,帮助我们的最好方式是通过参与 [编辑网站](https://github.com/privacyguides/privacyguides.org) 或 [贡献翻译](https://crowdin.com/project/privacyguides)。 + +如果你想在经济上支持我们,对我们来说,最方便的方法是通过Open Collective捐款,这是一个由我们的财政主机运营的网站。 Open Collective接受通过信用卡/借记卡、PayPal和银行转账付款。 + +[在OpenCollective.com上捐款](https://opencollective.com/privacyguides/donate ""){.md-button.md-button--primary} + +在美国,直接捐给我们Open Collective的捐款通常是可以免税的,因为我们的财政主机(Open Collective基金会)是一个注册的501(c)3组织。 捐赠后,你会收到开放集体基金会的收据。 《隐私指南》不提供财务建议,你应该联系你的税务顾问,了解这是否适用于你。 + +如果你已经利用了GitHub的赞助,你也可以在那里赞助我们的组织。 + +[在GitHub上赞助我们](https://github.com/sponsors/privacyguides ""){.md-button} + +## 支持者 + +特别感谢所有支持我们任务的人! :heart: + +*请注意:本节直接从Open Collective加载一个小部件。 这一部分并不反映在Open Collective之外的捐赠,我们也无法控制这一部分中的具体捐赠者。* + + + +## 我们如何使用捐赠费 + +隐私指南是一个 **非营利性** 组织。 我们将捐款用于各种目的,包括。 + +**域名注册** +: + +我们有一些域名,如 `privacyguides.org` ,这些域名每年花费我们约10美元来维护其注册。 + +**虚拟主机** +: + +本网站的流量每月使用数百千兆字节的数据,我们使用各种服务提供商来跟上这种流量。 + +**在线服务** +: + +我们的主机 [互联网服务](https://privacyguides.net) ,用于测试和展示我们喜欢的不同隐私产品, [推荐](../tools.md)。 其中一些是公开提供给我们社区使用的(SearXNG、Tor等),一些是提供给我们的团队成员的(电子邮件等)。 + +**购买商品** +: + +我们偶尔会购买产品和服务,以测试我们 [推荐的工具](../tools.md)。 + +我们仍在与我们的财政主机(Open Collective Foundation)合作,以接收加密货币捐款,目前,对于许多较小的交易来说,会计是不可行的,但这在未来应该会改变。 同时,如果您希望进行大额(> $100)加密货币捐赠,请联系 [jonah@privacyguides.org](mailto:jonah@privacyguides.org)。 diff --git a/i18n/zh/about/index.md b/i18n/zh/about/index.md new file mode 100644 index 00000000..107107ac --- /dev/null +++ b/i18n/zh/about/index.md @@ -0,0 +1,102 @@ +--- +title: "关于隐私指南(Privacy Guides)" +description: Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy. +schema: + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides +--- + +![Privacy Guides logo](../assets/brand/png/square/pg-yellow.png){ align=right } + +**Privacy Guides** is a socially motivated website that provides [information](/kb) for protecting your data security and privacy. Our mission is to inform the public about the value of digital privacy, and global government initiatives which aim to monitor your online activity. 我们是一个非营利性的集体,完全由志愿者 [团队成员](https://discuss.privacyguides.net/g/team) 和贡献者运作。 Our website is free of advertisements and not affiliated with any of the listed providers. + +[:octicons-home-16:](https://www.privacyguides.org/){ .card-link title=Homepage } +[:octicons-code-16:](https://github.com/privacyguides/privacyguides.org){ .card-link title="Source Code" } +[:octicons-heart-16:](donate.md){ .card-link title=Contribute } + +> To find [privacy-focused alternative] apps, check out sites like Good Reports and **Privacy Guides**, which list privacy-focused apps in a variety of categories, notably including email providers (usually on paid plans) that aren’t run by the big tech companies. + +— [New York Times](https://www.nytimes.com/wirecutter/guides/online-security-social-media-privacy/) + +> If you're looking for a new VPN, you can go to the discount code of just about any podcast. If you are looking for a **good** VPN, you need professional help. The same goes for email clients, browsers, operating systems and password managers. How do you know which of these is the best, most privacy-friendly option? For that there is **Privacy Guides**, a platform on which a number of volunteers search day in, day out for the best privacy-friendly tools to use on the internet. + +— [Tweakers.net](https://tweakers.net/reviews/10568/op-zoek-naar-privacyvriendelijke-tools-niek-de-wilde-van-privacy-guides.html) [Translated from Dutch] + +Also featured on: [Ars Technica](https://arstechnica.com/gadgets/2022/02/is-firefox-ok/), [Wirecutter](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-windows-pc/) [[2](https://www.nytimes.com/wirecutter/guides/practical-guide-to-securing-your-mac/)], [NPO Radio 1](https://www.nporadio1.nl/nieuws/binnenland/8eaff3a2-8b29-4f63-9b74-36d2b28b1fe1/ooit-online-eens-wat-doms-geplaatst-ga-jezelf-eens-googlen-en-kijk-dan-wat-je-tegenkomt), and [Wired](https://www.wired.com/story/firefox-mozilla-2022/). + +## History + +Privacy Guides was launched in September 2021 as a continuation of the [defunct](privacytools.md) "PrivacyTools" open-source educational project. We recognized the importance of independent, criteria-focused product recommendations and general knowledge in the privacy space, which is why we needed to preserve the work that had been created by so many contributors since 2015 and make sure that information had a stable home on the web indefinitely. + +In 2022, we completed the transition of our main website framework from Jekyll to MkDocs, using the `mkdocs-material` documentation software. This change made open-source contributions to our site significantly easier for outsiders, because instead of needing to know complicated syntax to write posts effectively, contributing is now as easy as writing a standard Markdown document. + +We additionally launched our new discussion forum at [discuss.privacyguides.net](https://discuss.privacyguides.net/) as a community platform to share ideas and ask questions about our mission. This augments our existing community on Matrix, and replaced our previous GitHub Discussions platform, decreasing our reliance on proprietary discussion platforms. + +So far in 2023 we've launched international translations of our website in [French](/fr/), [Hebrew](/he/), and [Dutch](/nl/), with more languages on the way, made possible by our excellent translation team on [Crowdin](https://crowdin.com/project/privacyguides). We plan to continue carrying forward our mission of outreach and education, and finding ways to more clearly highlight the dangers of a lack of privacy awareness in the modern digital age, and the prevalence and harms of security breaches across the technology industry. + +## 我们的团队 + +??? person "@jonah" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/jonah) + - [:simple-github: GitHub](https://github.com/jonaharagon "@jonaharagon") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@jonah "@jonah@neat.computer"){rel=me} + - [:fontawesome-solid-house: 主页](https://www.jonaharagon.com) + +??? person "@niek-de-wilde" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/Niek-de-Wilde) + - [:simple-github: GitHub](https://github.com/blacklight447 "@blacklight447") + - [:simple-mastodon: Mastodon](https://mastodon.social/@blacklight447 "@blacklight447@mastodon.social"){rel=me} + +??? person "@dngray" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/dngray) + - [:simple-github: GitHub](https://github.com/dngray "@dngray") + - [:simple-mastodon: Mastodon](https://mastodon.social/@dngray "@dngray@mastodon.social"){rel=me} + - [:fontawesome-solid-envelope: 电子邮件](mailto:dngray@privacyguides.org) + +??? person "@freddy" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/freddy) + - [:simple-github: GitHub](https://github.com/freddy-m "@freddy-m") + - [:simple-mastodon: Mastodon](https://social.lol/@freddy "@freddy@social.lol"){rel=me} + - [:fontawesome-solid-envelope: 电子邮件](mailto:freddy@privacyguides.org) + - [:fontawesome-solid-house: 主页](https://freddy.omg.lol) + +??? person "@mfwmyfacewhen" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/mfwmyfacewhen) + - [:simple-github: GitHub](https://github.com/mfwmyfacewhen "@mfwmyfacewhen") + - [:fontawesome-solid-house: 主页](https://mfw.omg.lol) + +??? person "@olivia" + + - [:simple-discourse: Discourse](https://discuss.privacyguides.net/u/olivia) + - [:simple-github: GitHub](https://github.com/hook9 "@hook9") + - [:simple-mastodon: Mastodon](https://mastodon.neat.computer/@oliviablob "@oliviablob@neat.computer"){rel=me} + +Additionally, [many people](https://github.com/privacyguides/privacyguides.org/graphs/contributors) have made contributions to the project. You can too, we're open sourced on GitHub, and accepting translation suggestions on [Crowdin](https://crowdin.com/project/privacyguides). + +Our team members review all changes made to the website and handle administrative duties such as web hosting and financials, however they do not personally profit from any contributions made to this site. Our financials are transparently hosted by the Open Collective Foundation 501(c)(3) at [opencollective.com/privacyguides](https://opencollective.com/privacyguides). Donations to Privacy Guides are generally tax-deductible in the United States. + +## 网站许可证 + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +除非另有说明,否则本网站上的所有内容均根据 [Creative Commons Attribution-NoDerivatives 4.0国际公共许可证](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE)的条款提供。 这意味着你可以自由地以任何媒介或形式复制和重新分发材料,用于任何目的,甚至是商业目的;只要你适当地注明 `隐私指南(www.privacyguides.org)` ,并提供许可证的链接。 您可以以任何合理的方式这样做,但不得以任何方式暗示隐私指南认可您或您的使用。 如果您重构、转换或建立在此网站的内容,您可能无法分发修改过的材料。 + +设立这个许可证是为了防止人们在不给予适当信用的情况下分享我们的作品,并防止人们以可能被用来误导的方式修改我们的作品。 如果你觉得这个许可证的条款对你正在进行的项目来说限制性太大,请与我们联系: `jonah@privacyguides.org`。 我们很高兴为隐私领域的善意项目提供替代的许可选项 diff --git a/i18n/zh/about/notices.md b/i18n/zh/about/notices.md new file mode 100644 index 00000000..7bee873f --- /dev/null +++ b/i18n/zh/about/notices.md @@ -0,0 +1,50 @@ +--- +title: "Notices and Disclaimers" +--- + +## 法律声明 + +隐私指南不是律师事务所。 因此,隐私指南网站和撰稿人并不提供法律意见。 我们网站和指南中的材料和建议不构成法律意见,也不会为网站做出贡献或就我们网站与隐私指南或其他贡献者进行沟通,从而建立律师-客户关系。 + +与任何人类努力一样,运行此网站都涉及不确定性和权衡。 我们希望这个网站有所帮助,但它可能包含错误,无法解决所有问题。 如果您对自己的情况有任何疑问,我们建议您自己进行研究,寻求其他专家,并与隐私指南社区进行讨论。 如果您有任何法律问题,请先咨询您自己的法律顾问,然后再继续。 + +隐私指南是一个开放源码项目,根据许可证做出贡献,其中包括为了保护网站及其贡献者,明确规定隐私指南项目和网站可“按原样”提供,不提供保证,并且不对使用网站或网站中的任何建议所造成的损害承担责任。 此外, 隐私指南不保证、不代表使用本网站、或其他与资料相关,或任何关联本网站的其他网站上资料的准确性,可能导致的结果或可靠性。 + +此外,隐私指南不保证本网站将始终可用或完全可用。 + +## Licensing Overview + +!!! danger "" + + The following is a human-readable summary of (and not a substitute for) the [license](/license). + +Unless otherwise noted, all **content** on this website is made available under the terms of the [Creative Commons Attribution-NoDerivatives 4.0 International Public License](https://github.com/privacyguides/privacyguides.org/blob/main/LICENSE). The underlying **source code** used to generate this website and display that content is released under the [MIT License](https://github.com/privacyguides/privacyguides.org/tree/main/LICENSE-CODE). + +这不包括嵌入此存储库的第三方代码,也不包括其他标注了替代许可证的代码。 以下是一些值得注意的例子,但这一清单可能不包括所有方面: + +* [MathJax](https://github.com/privacyguides/privacyguides.org/blob/main/theme/assets/javascripts/mathjax.js) is licensed under the [Apache License 2.0](https://github.com/privacyguides/privacyguides.org/blob/main/docs/assets/javascripts/LICENSE.mathjax.txt). +* The [Bagnard](https://github.com/privacyguides/brand/tree/main/WOFF/bagnard) heading font is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/bagnard/LICENSE.txt). +* The [Public Sans](https://github.com/privacyguides/brand/tree/main/WOFF/public_sans) font used for most text on the site is licensed under the terms detailed [here](https://github.com/privacyguides/brand/blob/main/WOFF/public_sans/LICENSE.txt). +* The [DM Mono](https://github.com/privacyguides/brand/tree/main/WOFF/dm_mono) font used for monospaced text on the site is licensed under the [SIL Open Font License 1.1](https://github.com/privacyguides/brand/blob/main/WOFF/dm_mono/LICENSE.txt). + +这意味着您可以根据Creative Commons Attribution-NoDerivatives 4.0国际公共许可证文本中列出的条款,将此存储库中的可读内容用于您自己的项目。 您可以以任何合理的方式这样做,但不得以任何方式暗示隐私指南认可您或您的使用。 **未经本项目的明确批准,您 **,不得在您自己的项目中使用隐私指南的品牌。 隐私指南的品牌商标包括“隐私指南”字样和盾形标志。 + +我们认为从第三方提供商获得的 `资产` 中的标志和其他图像属于公共领域或 **合理使用**。 简而言之,法律 [公正使用原则](https://www.copyright.gov/fair-use/more-info.html) 允许使用受版权保护的图像来识别主题,以供公众评论。 然而,在一个或多个司法管辖区,这些徽标和其他图像仍可能受商标法的约束。 在使用此内容之前,请确保其用于识别拥有商标的实体或组织,并且根据适用于您预期使用情况的法律,您有权使用商标。 *从本网站复制内容时,您应自行负责确保您不侵犯他人的商标或版权。* + +When you contribute to our website you are doing so under the above licenses, and you are granting Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform and distribute your contribution as part of our project. + +## 可接受用途 + +您不得以任何方式使用本网站,造成或可能造成对本网站的损害或损害隐私指南的可用性或可访问性,或以任何非法、非法、欺诈、有害或与任何非法、非法、欺诈或有害目的或活动相关的方式使用本网站。 + +未经明确的书面同意,您不得在本网站上或与本网站相关进行任何系统或自动化的数据收集活动,包括: + +* 过多的自动扫描 +* 拒绝服务攻击 +* Scraping +* 数据挖掘 +* 'Framing' (IFrames) + +--- + +*本通知本身的部分内容来自GitHub上的 [openensource.guide](https://github.com/github/opensource.guide/blob/master/notices.md) 。 That resource and this page itself are released under [CC-BY-4.0](https://creativecommons.org/licenses/by-sa/4.0/).* diff --git a/i18n/zh/about/privacy-policy.md b/i18n/zh/about/privacy-policy.md new file mode 100644 index 00000000..b3058221 --- /dev/null +++ b/i18n/zh/about/privacy-policy.md @@ -0,0 +1,61 @@ +--- +title: "隐私政策" +--- + +隐私指南是一个社区项目,由一些活跃的志愿者贡献者运营。 团队成员的公开列表 [可在GitHub](https://github.com/orgs/privacyguides/people)上找到。 + +## 我们从访客那里收集的数据 + +我们非常重视网站访问者的隐私,因此我们不会跟踪任何个人。 作为我们网站的访问者: + +- 未收集任何个人信息 +- 浏览器中不储存诸如Cookies之类的信息 +- 不与第三方共享、发送或出售任何信息 +- 没有与广告公司共享任何信息 +- 没有挖掘和收集有关个人和行为趋势的信息 +- 没有信息被货币化 + +你可以在我们的 [统计](statistics.md) 页面上查看我们收集的数据。 + +我们运行 [Plausible Analytics (分析)](https://plausible.io) 的自托管安装,以收集一些匿名使用数据,用于统计目的。 我们的目标是跟踪网站流量的总体趋势,而不是跟踪个人访问者。 所有数据仅为汇总数据。 没有收集任何个人数据。 + +收集的数据包括推荐来源、首页、访问持续时间、访问期间使用的设备信息(设备类型、操作系统、国家/地区和浏览器)等。 您可以在此处了解有关Plausible如何以尊重隐私的方式工作和收集信息的更多信息 [](https://plausible.io/data-policy). + +## 我们从账户持有人处收集的数据 + +在我们提供的某些网站和服务中,许多功能可能需要帐户。 例如,可能需要帐户在论坛平台上发布和回复主题。 + +要注册大多数帐户,我们将收集姓名、用户名、电子邮件和密码。 如果网站需要的信息不仅仅是该数据,则会在每个网站的单独隐私声明中清晰标记和注明该信息。 + +我们使用您的帐户数据在网站上识别您的身份,并创建专门针对您的页面,例如您的个人资料页面。 我们还将使用您的帐户数据在我们的服务上为您发布公开个人资料。 + +我们使用您的电子邮件: + +- 通知您网站或服务上的帖子和其他活动。 +- 重置密码,确保账号安全。 +- 在与您的账号相关的特殊情况下与您联系。 +- 就法律要求(如DMCA删除请求)与您联系。 + +在一些网站和服务上,你可以为你的账户提供额外的信息,如简短的传记、头像、你的位置或你的生日。 我们将这些信息提供给每个可以访问有关网站或服务的人。 使用我们的任何服务都不需要这些信息,而且可以在任何时候删除。 + +只要你的账户仍然开放,我们就会储存你的账户数据。 关闭账户后,我们可能会以备份或存档的形式保留您的部分或全部账户数据,最长时间为90天。 + +## 联系我们 + +隐私指南团队通常不能访问个人数据,除了通过一些修改面板授予的有限访问权。 有关您的个人信息的询问应直接发送至。 + +```text +Jonah Aragon +服务管理员 +jonah@privacyguides.org +``` + +对于所有其他查询,你可以联系我们团队的任何成员。 + +For complaints under GDPR more generally, you may lodge complaints with your local data protection supervisory authorities. In France it's the Commission Nationale de l'Informatique et des Libertés which take care and handle the complaints. They provide a [template of complaint letter](https://www.cnil.fr/en/plaintes) to use. + +## 关于本政策 + +我们将 [在此发布](privacy-policy.md)本声明的新版本。 我们可能会更改此文档未来版本中更改公告的方式。 在此期间,我们可以随时更新我们的联系信息,而不会宣布更改。 请随时参阅 [隐私政策](privacy-policy.md) ,了解最新的联系信息。 + +本页的完整修订版 [历史](https://github.com/privacyguides/privacyguides.org/commits/main/docs/about/privacy-policy.md) ,可在GitHub上找到。 diff --git a/i18n/zh/about/privacytools.md b/i18n/zh/about/privacytools.md new file mode 100644 index 00000000..3891280e --- /dev/null +++ b/i18n/zh/about/privacytools.md @@ -0,0 +1,143 @@ +--- +title: "隐私工具常见问题" +--- + +# 我们为什么从隐私工具转向隐私指南 + +2021年9月,每个活跃的贡献者都一致同意从隐私工具转到这个网站工作:隐私指南。 之所以做出此决定,是因为PrivacyTools的创始人和域名控制者已消失很长一段时间,无法与之联系。 + +在PrivacyTools.io上构建了一个信誉良好的网站和服务,这对隐私工具的未来造成了严重打击,因为任何未来的意外都可能在没有恢复方法的情况下毁灭整个组织。 这种转变在几个月前通过包括博客、Twitter、Reddit和Mastodon在内的各种渠道传达给隐私工具社区,以确保整个过程尽可能顺利进行。 我们这样做是为了确保没有人被蒙在鼓里,这也是我们团队成立以来的工作方式,同时也是为了确保隐私指南被公认为与转型前的隐私工具一样的可靠组织。 + +在组织搬迁完成后,隐私工具的创始人回来了,并开始传播关于隐私指南项目的错误信息。 他们除了继续传播错误信息外,还在PrivacyTools域名上经营一个付费链接农场。 我们创建这个页面是为了澄清误解。 + +## 什么是隐私工具? + +PrivacyTools由“BurungHantu”于2015年创立,他希望在斯诺登揭露事件后创造一个隐私信息资源--实用的工具。 该网站发展成为一个蓬勃发展的开源项目,有 [个众多贡献者](https://github.com/privacytools/privacytools.io/graphs/contributors),其中一些最终承担了各种组织责任,例如运营Matrix和Mastodon等在线服务,管理和审查GitHub网站的变化,为该项目寻找赞助商,撰写博客文章,以及运营Twitter等社交媒体外联平台等。 + +从2019年开始, BurungHantu越来越远离网站和社区的积极发展,并开始延迟与我们运营的服务器相关的付款。 为了避免我们的系统管理员自掏腰包支付服务器费用,我们将网站上列出的捐赠方式从BurungHantu的个人PayPal和加密货币账户改为新的OpenCollective页面, [,2019年10月31日](https://web.archive.org/web/20210729184557/https://blog.privacytools.io/privacytools-io-joins-the-open-collective-foundation/)。 这具有额外的好处,使我们的财务完全透明,我们坚信这一价值,并且在美国可以免税,因为它们由开放集体基金会501 (c) 3持有。 这一变动得到了团队的一致同意,没有引起争议。 + +## 我们为什么要继续前进 + +2020年, BurungHantu的缺席变得更加明显。 有一次,我们要求将该域名的名称服务器改为由我们的系统管理员控制的名称服务器,以避免未来的中断,而这一改变在最初的要求后一个多月才完成。 他在Matrix的公共聊天室和私人团队聊天室里一连消失了好几个月,偶尔会突然出现,给一些小的反馈,或者承诺会更加活跃,然后再次消失。 + +2020年10月,PrivacyTools 系统管理员 (Jonah) [因这些困难离开了](https://web.archive.org/web/20210729190742/https://blog.privacytools.io/blacklight447-taking-over/) 这个项目,将控制权交给另一个长期贡献者。 Jonah一直在操作几乎所有的PrivacyTools服务,并在BurungHantu不在的情况下担任 *事实上的网站开发项目负责人,因此他的离开对组织来说是一个重大变化。 当时,由于这些重大的组织变化,BurungHantu向剩余的团队承诺,他将回来控制这个项目的发展。 在接下来的几个月里, PrivacyTools团队通过几种沟通方式进行了联系,但没有收到任何回复。

+ +## 域名可靠性 + +2021年初,PrivacyTools团队对项目的未来越来越担心,因为域名将在2021年3月1日到期。 该域名最终由BurungHantu更新,没有发表评论。 + +团队的担忧没有得到解决,我们意识到这将是每年的一个问题。如果域名过期,就会让它被占用者或垃圾邮件发送者窃取,从而毁掉该组织的声誉。 我们也很难联系到社区,让他们了解所发生的事情。 + +在没有与BurungHantu进行任何接触的情况下,我们决定最好的行动方案是在我们仍能保证对旧域名的控制权的情况下,在2022年3月之前的某个时候转移到一个新的域名。 这样,我们就能干净地将所有的PrivacyTools资源重定向到新的网站,而不会出现任何服务中断的情况。 这个决定是提前好几个月做出的,并传达给了整个团队,希望BurungHantu能够伸出援手,保证他继续支持这个项目,因为有了一个可识别的品牌名称和庞大的网上社区,从 "PrivacyTools "转移出去是最不可取的结果。 + +在2021年中期,PrivacyTools团队联系了乔纳,他同意重新加入团队,帮助完成过渡。 + +## 社区呼吁行动 + + 在2021年7月底,我们 +,通知PrivacyTools社区,我们打算选择一个新的名字,并在一个新的域名上继续项目,将在2022年8月2日选择 [](https://web.archive.org/web/20210729190935/https://aragon.cloud/apps/forms/cMPxG9KyopapBbcw)。 最后,"Privacy Guides "被选中, `privacyguides.org` 域名已经被Jonah拥有,用于2020年的一个副业项目,但没有得到发展。

+ + + +## 控制r/privacytoolsIO + +在privacytools.io网站出现问题的同时,r/privacytoolsIO的管理团队也面临着管理该子版块的挑战。 该子版块一直以来都是基本独立于网站发展的,但BurungHantu也是该子版块的主要版主,而且他是唯一被授予 "完全控制 "特权的版主。 u/trai_dep是当时唯一活跃的版主, [,在2021年6月28日向Reddit的管理员发布了](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) ,要求获得主要版主职位和完全控制权限,以便对Subreddit进行必要的修改。 + +Reddit要求子版块有活跃的版主。 如果主版主长时间不活动(如一年),主版主的位置可以重新任命给下一个版主。 为了使这一请求得到批准,BurungHantu必须在很长一段时间内完全不参与所有Reddit活动,这与他在其他平台上的行为是一致的。 + + + +> 如果你通过Reddit请求被撤掉了子版块的版主,那是因为你缺乏回应和缺乏活动,使该子版块有资格进行r/redditrequest转移。 +> +> r/redditrequest是Reddit确保社区有积极的版主的方式,是 [版主行为准则的一部分](https://www.redditinc.com/policies/moderator-code-of-conduct)。 + + + +## 开始过渡 + +2021年9月14日,我们 [,宣布](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) ,开始迁移到这个新领域。 + + + +> [...] 我们发现有必要尽早进行这一转换,以确保人们尽快发现这一过渡。 这给了我们足够的时间来过渡域名,目前正在重定向到www.privacyguides.org,并希望给每个人足够的时间来注意这一变化,更新书签和网站等。 + +这一变化 [,需要:](https://www.reddit.com/r/PrivacyGuides/comments/pnhn4a/rprivacyguides_privacyguidesorg_what_you_need_to/) + +- 重定向 www.privacytools.io 到 [www.privacyguides.org](https://www.privacyguides.org)。 +- 在GitHub上存档源代码,以保存我们过去的工作和问题跟踪器,我们继续使用该网站未来几个月的开发。 +- 在我们的subreddit和其他各种社区发布公告,告知人们官方的变化。 +- 正式关闭privacytools.io服务,如Matrix和Mastodon,并鼓励现有用户尽快迁移。 + +事情似乎进行得很顺利,我们活跃的社区中的大多数人都完全按照我们的希望转换到我们的新项目。 + + + +## 后续事件 + +在过渡期后的大约一周,BurungHantu在近一年来首次回到了网上,然而我们团队中没有人愿意回到PrivacyTools,因为他历来不可靠。 他没有为自己的长期缺席道歉,而是立即展开攻势,将向隐私指南的过渡定位为对他和他的项目的攻击。 随后,当社区指出他缺席并放弃了这个项目时,他 [,删除了](https://www.reddit.com/r/privacytoolsIO/comments/pp9yie/comment/hd49wbn) ,其中许多帖子。 + +此时,BurungHantu声称他想继续自己的privacytools.io的工作,并要求我们删除从www.privacytools.io 到 [www.privacyguides.org](https://www.privacyguides.org)的重定向。 我们答应了他的请求,并要求他保持Matrix、Mastodon和PeerTube的子域名的活跃性,以便我们作为一项公共服务在社区内运行至少几个月,以便让这些平台上的用户能够轻松地迁移到其他账户。 由于我们所提供的服务的联合性质,它们与特定的域名联系在一起,使得迁移非常困难(在某些情况下不可能迁移)。 + + 不幸的是,由于r/privacytoolsIO子版块的控制权没有按照BurungHantu的要求归还他(进一步信息见下文),这些子版块在10月初被 ,终止了任何仍在使用这些服务的用户的迁移可能性。

+ +在这之后,BurungHantu对Jonah从项目中窃取捐款提出了不实指控。 BurungHantu在所谓的事件发生后有一年多的时间,但他从未让任何人知道,直到隐私指南迁移之后。 BurungHantu多次被要求提供证据,并要求团队 [和社区](https://twitter.com/TommyTran732/status/1526153536962281474),对其沉默的原因进行评论,但他没有这样做。 + +BurungHantu还在Twitter上发了一篇 [的帖子](https://twitter.com/privacytoolsIO/status/1510560676967710728) ,声称一名“律师”在Twitter上与他联系并提供建议,再次试图欺负我们让他控制我们的subreddit ,并作为他的诽谤运动的一部分,在假装成为受害者的同时,搅乱了隐私指南发布周围的水域。 + + + +## PrivacyTools.io的现状 + +截至2022年9月25日,我们看到BurungHantu的整体计划在privacytools.io上实现,而这正是我们今天决定创建这个解释页的原因。 他运营的网站似乎是该网站的SEO优化版本,该网站推荐工具以换取经济补偿。 [最近,IVPN和Mullvad这两个VPN供应商几乎被隐私社区普遍推荐为](../vpn.md) ,并因其反对联盟计划的立场而备受关注,被从PrivacyTools中删除。 在他们的位置上? NordVPN、Surfshark、ExpressVPN和hide.me;巨大的VPN公司拥有不值得信赖的平台和商业行为,因其积极的营销和联盟计划而臭名昭著。 + +==**PrivacyTools正是成为了我们 [,在2019年的PrivacyTools博客上警告过的那种网站](https://web.archive.org/web/20210729205249/https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/) 。**== 自转型以来,我们一直试图与PrivacyTools保持距离,但他们对我们项目的持续骚扰,以及现在对他们的品牌在6年的开源贡献中获得的信誉的荒谬滥用,令我们感到非常不安。 我们这些真正为隐私而战的人并不是在相互斗争,也不是从出价最高的人那里得到我们的建议。 + + + +## r/privacytoolsIO 的现状 + + 在推出 [r/PrivacyGuides](https://www.reddit.com/r/privacyguides),让u/trai_dep继续主持这两个子版块是不现实的,在社区同意过渡的情况下,r/privacytoolsIO在2021年11月1日的帖子中被 ,成为一个受限制的子版块。

+ + + +> [...] 该小组的成长是PrivacyGuides.org团队数年来努力的结果。 还有你们每一个人。 +> +> 一个Subreddit需要大量的工作来管理和调节。 就像一个花园一样,它需要耐心的照料和日常护理。 这不是一个适合放荡不羁的人或有承诺问题的人的任务。 它不可能在一个抛弃了它好几年的园丁手下茁壮成长,然后出现在那里要求今年的收获作为他们的贡品。 这对多年前组建的团队是不公平的。 这对你不公平。 [...] + +子版块不属于任何人,尤其不属于品牌持有人。 他们属于自己的社区,而社区及其版主做出了支持移至r/PrivacyGuides的决定。 + + 在此后的几个月里,BurungHantu威胁并乞求将subreddit的控制权归还给他的账户, ,违反了Reddit的规则。

+ + + +> 不允许任何版主对删除请求进行报复。 + +对于一个拥有数千名剩余用户的社区来说,我们觉得把这个庞大的平台的控制权还给那个抛弃了它一年多的人,而且他现在经营着一个我们认为提供非常低质量信息的网站,这将是非常不尊重的。 对我们来说,保留该社区过去多年的讨论更为重要,因此u/trai_dep和其他子版块的管理团队做出决定,保持r/privacytoolsIO的现状。 + + + +## OpenCollective Now + +我们的筹款平台OpenCollective是另一个争论的焦点。 我们的立场是,OpenCollective是由我们的团队建立的,并由我们的团队管理,以资助我们目前经营的服务,而PrivacyTools不再做这些。 我们 ,就我们转向隐私指南的问题向所有的捐赠者进行了宣传,我们得到了赞助商和社区的一致支持。

+ +因此,OpenCollective中的资金属于Privacy Guides,它们被赋予了我们的项目,而不是一个知名域名的所有者。 在2021年9月17日向捐赠者发布的公告中,我们向任何不同意我们立场的捐赠者提供退款,但没有人接受这一提议。 + + + +> 如果任何赞助商或支持者不同意或觉得被最近的这些事件误导,并希望在这些极不寻常的情况下要求退款,请通过电子邮件与我们的项目管理员联系,jonah@triplebit.net。 + + + +## 延伸阅读 + +这个话题已经在我们社区的不同地方进行了广泛的讨论,而且似乎大多数人在阅读这个页面时都已经熟悉了导致转向隐私指南的事件。 我们以前关于这个问题的一些帖子可能有额外的细节,为了简洁起见,我们在这里省略了。 为了完整起见,它们已被链接到下面。 + +- [2021年6月28日,请求控制r/privacytoolsIO](https://www.reddit.com/r/redditrequest/comments/o9tllh/requesting_rprivacytoolsio_im_only_active_mod_top/) +- [2021年7月27日,在PrivacyTools博客上宣布了我们的搬迁意向,由团队撰写](https://web.archive.org/web/20210729184422/https://blog.privacytools.io/the-future-of-privacytools/) +- [2021年9月13日,在r/privacytoolsIO上宣布我们开始过渡到隐私指南。](https://www.reddit.com/r/privacytoolsIO/comments/pnql46/rprivacyguides_privacyguidesorg_what_you_need_to/) +- [2021年9月17日,Jonah在OpenCollective上发布的公告](https://opencollective.com/privacyguides/updates/transitioning-to-privacy-guides) +- [2021 年9月30日,Twitter 主题详细介绍了本页上描述的大部分事件](https://twitter.com/privacy_guides/status/1443633412800225280) +- [2021年10月1日,u/dng99发帖指出子域名失败。](https://www.reddit.com/r/PrivacyGuides/comments/pymthv/comment/hexwrps/) +- [2022年4月2日u/dng99对PrivacyTools的指责性博文的回应](https://www.reddit.com/comments/tuo7mm/comment/i35kw5a/) +- [2022年5月16日,由@TommyTran732在Twitter上回应](https://twitter.com/TommyTran732/status/1526153497984618496) +- [2022年9月3日在Techlore的论坛上发表的帖子:@dngray](https://discuss.techlore.tech/t/has-anyone-seen-this-video-wondering-your-thoughts/792/20) diff --git a/i18n/zh/about/services.md b/i18n/zh/about/services.md new file mode 100644 index 00000000..bcedcf04 --- /dev/null +++ b/i18n/zh/about/services.md @@ -0,0 +1,38 @@ +# 隐私指南服务 + +我们运行一些网络服务来测试功能,并推广很酷的去中心化、联盟化和/或开源项目。 这些服务中有许多是向公众提供的,详情如下。 + +[:material-comment-alert: 报告问题](https://discuss.privacyguides.net/c/services/2 ""){.md-button.md-button--primary} + +## 论坛 + +- 域名: [discuss.privacyguides.net](https://discuss.privacyguides.net) +- 可用性:公开的 +- 来源: [github.com/discourse/discourse](https://github.com/discourse/discourse) + +## Gitea + +- 域名: [code.privacyguides.dev](https://code.privacyguides.dev) +- 可用性。仅限邀请 + ,任何从事 *《隐私指南》*相关开发或内容的团队可应要求获得访问权。 +- 来源: [snapcraft.io/gitea](https://snapcraft.io/gitea) + +## Matrix + +- 域名: [matrix.privacyguides.org](https://matrix.privacyguides.org) +- 可用性。仅限邀请 + ,可根据要求将访问权授予Privacy Guides团队成员、Matrix版主、第三方Matrix社区管理员、Matrix机器人操作员以及其他需要可靠Matrix存在的个人。 +- 来源: [github.com/spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy) + +## SearXNG + +- 域名: [search.privacyguides.net](https://search.privacyguides.net) +- 可用性:公开的 +- 来源: [github.com/searxng/searxng-docker](https://github.com/searxng/searxng-docker) + +## Invidious + +- Domain: [invidious.privacyguides.net](https://invidious.privacyguides.net) +- Availability: Semi-Public + We host Invidious primarily to serve embedded YouTube videos on our website, this instance is not intended for general-purpose use and may be limited at any time. +- Source: [github.com/iv-org/invidious](https://github.com/iv-org/invidious) diff --git a/i18n/zh/about/statistics.md b/i18n/zh/about/statistics.md new file mode 100644 index 00000000..bbcd8d29 --- /dev/null +++ b/i18n/zh/about/statistics.md @@ -0,0 +1,61 @@ +--- +title: 流量统计 +--- + +## 网站统计 + + +
统计资料由 Plausible Analytics提供
+ + + + +## 博客统计 + + +
统计资料由 Plausible Analytics提供
+ + + diff --git a/i18n/zh/advanced/communication-network-types.md b/i18n/zh/advanced/communication-network-types.md new file mode 100644 index 00000000..435e4562 --- /dev/null +++ b/i18n/zh/advanced/communication-network-types.md @@ -0,0 +1,104 @@ +--- +title: "通信网络类型" +icon: 'material/transit-connection-variant' +description: An overview of several network architectures commonly used by instant messaging applications. +--- + +有几种网络架构常用于人与人之间的信息传递。 这些网络可以提供不同的隐私保证,这就是为什么在决定使用哪种应用程序时,应该考虑你的 [威胁模型](../basics/threat-modeling.md)。 + +[推荐的即时通讯工具](../real-time-communication.md ""){.md-button} + +## 集中式网络 + +![集中式网络示意图](../assets/img/layout/network-centralized.svg){ align=left } + +集中式通讯软件是指所有参与者都在同一服务器或由同一组织控制的服务器网络上。 + +一些自托管通讯软件允许您设置自己的服务器。 自托管可以提供额外的隐私保证,例如没有使用日志或对元数据(关于谁与谁交谈的数据)的访问限制。 自我托管的集中式通讯是孤立的,所有人都必须在同一个服务器上进行交流。 + +**优点:** + +- 新的功能和更改可以更快地实施。 +- 更容易开始使用和寻找联系人。 +- 成熟和稳定的功能生态系统,因为它们集成于一套体系。 +- 当您选择自托管服务器时,隐私问题能缓解不少。 + +**缺点** + +- 可以包括 [访问限制和审查](https://drewdevault.com/2018/08/08/Signal.html)。 这可能包括以下内容: +- 封禁将可能提供更灵活的定制或更好的体验的[第三方客户端](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)。 通常在使用条款和条件中定义。 +- 为第三方开发者提供的文件很差或没有。 +- 当单个实体控制服务时,[所有权](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/),隐私政策和服务的行为很容易改变,可能会在以后危及服务。 +- 自托管需要耐心和知识。 + +## 联邦网络 + +![联邦网络示意图](../assets/img/layout/network-decentralized.svg){ align=left } + +联邦网络使用多个独立的去中心化服务器,这些服务器能够相互通信(例如电子邮件)。 联邦允许系统管理员控制自己的服务器,并且仍然是更大的网络的一部分。 + +自托管时,联合服务器的成员可以发现其他服务器的成员并与其进行通信,尽管某些服务器可以选择通过不联邦化(例如工作团队服务器)来保持私密性。 + +**优点:** + +- 允许在运行自己的服务器时更好地控制自己的数据。 +- 允许您通过在多个“公共”服务器之间选择信任谁。 +- 通常允许第三方客户端提供更原生、定制或可访问的体验。 +- 可以验证服务器与公共源代码匹配,假设您有权访问服务器或您信任这样做的人(例如,家庭成员)。 + +**缺点** + +- 添加新功能更加复杂,因为这些功能需要进行标准化和测试,以确保网络上的所有服务器都能一起使用。 +- 由于前一点,与集中式平台相比,功能可能缺乏,不完整或以意想不到的方式工作,例如脱机或消息删除时的消息中继。 +- 一些元数据可能是泄漏的(例如,像 "谁在和谁说话 "这样的信息,但如果使用E2EE,则没有实际的消息内容)。 +- 通常需要信任服务器的管理员。 他们可能是业余爱好者,也可能不是“安全专业人士” ,并且可能不会提供标准文档,如隐私政策或服务条款,详细说明如何使用您的数据。 +- 因为其他服务器的滥用行为或违反了公认的行为的一般规则,服务器管理员有时会选择封锁其他服务器 这会妨碍您与这些服务器的成员进行通信。 + +## 点对点网络 + +![P2P网络示意图](../assets/img/layout/network-distributed.svg){ align=left } + +点对点聊天软件连接到一个由节点组成的 [分布式网络](https://en.wikipedia.org/wiki/Distributed_networking) ,在没有第三方服务器的情况下将信息转发给收件人。 + +客户端(对等节点)通常通过使用 [分布式网络](https://en.wikipedia.org/wiki/Distributed_computing) 找到对方。 这方面的例子包括 [分布式哈希表](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT),由 [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) 和 [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) 等使用。 另一种方法是基于近距离的网络,通过WiFi或蓝牙建立连接(例如,Briar或 [Scuttlebutt](https://www.scuttlebutt.nz) 社交网络协议)。 + +一旦一个节点通过这些方法中的任何一种找到了通往其联系人的路线,它们之间就会建立直接连接。 虽然信息通常是加密的,但观察者仍然可以推断出发件人和收件人的位置和身份。 + +P2P网络不使用服务器,因为节点之间直接通信,因此不存在自我托管。 不过,一些附加服务可能依赖于集中式服务器,例如用户发现或中继离线消息,自托管对此仍有帮助。 + +**优点:** + +- 很小的第三方暴露。 +- 现代P2P平台默认端对端加密。 与集中式和联邦式模式不同,没有任何服务器可能会拦截和解密你的信息。 + +**缺点** + +- 缺少很多特性: +- 消息只有在两个节点都在线时才能发送,然而,你的客户端可以将消息存储在本地,以等待联系人重新上线。 +- 通常会增加移动设备的电池用量,因为客户端必须保持与分布式网络的连接,以了解联系人的在线情况。 +- 某些常见的Messenger功能可能没有实现或不完整,例如消息删除。 +- 如果你不与 [VPN](../vpn.md) 或 [Tor](../tor.md)结合使用该软件,你的IP地址和与你通信的联系人的IP地址可能会被暴露。 许多国家都有某种形式的大规模监控或元数据保留。 + +## 匿名路由 + +![匿名网络示意图](../assets/img/layout/network-anonymous-routing.svg){ align=left } + +使用 [匿名路由](https://doi.org/10.1007/978-1-4419-5906-5_628) 的Messenger隐藏发送方、接收方的身份或他们一直在通信的证据。 理想情况下,Messenger应该将这三者都隐藏起来。 + +有 [许多](https://doi.org/10.1145/3182658) 不同的方法来实现匿名网络。 其中最著名的是 +洋葱路由 (即 [Tor](tor-overview.md)),它通过一个强加密的 [覆盖网络](https://en.wikipedia.org/wiki/Overlay_network) ,隐藏每个节点的位置以及每个信息的接收者和发送者来通信。 发件人和收件人从不直接交互,只通过一个秘密的会合节点会面,这样就不会泄露IP地址或物理位置。 节点不能解密信息,也不能解密最终目的地;只有收件人可以。 每个中间节点只能解密一部分,表明下一步将把仍然加密的信息发送到哪里,直到它到达可以完全解密的收件人那里,因此命名为 "洋葱路由"。

+ +在匿名网络中自托管一个节点并不为托管者提供额外的隐私,而是有助于整个网络对识别攻击的抗性,对每个人都有好处。 + +**优点:** + +- 最小第三方暴露。 +- 消息可以以去中心的方式中继,即使其中一方处于离线状态。 + +**缺点** + +- 慢 +- 通常仅限于较少的媒体类型,主要是文本,因为很慢。 +- 如果通过随机路由选择节点,则某些节点可能远离发送方和接收方,增加延迟,甚至在其中一个节点脱机时无法传输消息。 +- 开始时比较复杂,因为需要创建和安全备份一个加密私钥。 +- 就像其他去中心化平台一样,对开发者来说,增加功能比中心化平台更复杂。 因此,功能可能缺乏或未完全实现,例如脱机消息中继或消息删除。 diff --git a/i18n/zh/advanced/dns-overview.md b/i18n/zh/advanced/dns-overview.md new file mode 100644 index 00000000..7e5419b4 --- /dev/null +++ b/i18n/zh/advanced/dns-overview.md @@ -0,0 +1,354 @@ +--- +title: "DNS简介" +icon: material/dns +description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for. +--- + +[域名系统](https://en.wikipedia.org/wiki/Domain_Name_System) 是“互联网电话簿”。 DNS将域名转换为IP地址,以便浏览器和其他服务可以通过分散的服务器网络加载互联网资源。 + +## 什么是DNS? + +当您访问某个网站时,系统会返回一个数字地址。 例如,当你访问 `privacyguides.org`时,会返回地址 `192.98.54.105`。 + +DNS自互联网的 [早期](https://en.wikipedia.org/wiki/Domain_Name_System#History) 以来一直存在。 与DNS服务器间的通讯通常是 **未** 加密的。 在家用场景下,客户通过 [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)获得由ISP提供的服务器。 + +未加密的DNS请求可能会被轻易地 **被监视** ,或者在传输过程中 **被修改**。 在世界的某些地方,Isp被要求做原始的 [DNS过滤](https://en.wikipedia.org/wiki/DNS_blocking)。 当你请求一个被封锁的域名的IP地址时,服务器可能不会回应,或可能以不同的IP地址回应。 由于DNS协议没有加密,ISP(或任何网络运营商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 来监控请求。 ISP还可以基于共有特性阻止请求,无论使用的是哪个DNS服务器。 未加密的DNS始终使用 [端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 ,并且始终使用UDP。 + +下面,我们将探讨并提供一个教程来验证一下外部观察者对于使用常规未加密DNS和 [加密DNS](#what-is-encrypted-dns)这两种情况下分别可能看到什么。 + +### 未加密DNS + +1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) ( [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 项目的一部分),我们可以监测和记录互联网数据包流。 此命令记录符合指定规则的数据包: + + ```bash + tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8 + ``` + +2. 然后我们可以使用 [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux,MacOS等)或 [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows)将DNS查询发送到两个服务器。 Web浏览器等软件会自动执行这些查找,除非它们被配置为使用加密的DNS。 + + === "Linux, macOS" + + ``` + dig +noall +answer privacyguides.org @1.1.1.1 + dig +noall +answer privacyguides.org @8.8.8.8 + ``` + === "Windows" + + ``` + nslookup privacyguides.org 1.1.1.1 + nslookup privacyguides.org 8.8.8.8 + ``` + +3. 接下来,我们来 [分析](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) 输出的结果: + + === "Wireshark" + + ``` + wireshark -r /tmp/dns.pcap + ``` + + === "tshark" + + ``` + tshark -r /tmp/dns.pcap + ``` + +如果运行上面的Wireshark命令,顶部窗格显示“[帧](https://en.wikipedia.org/wiki/Ethernet_frame)” ,底部窗格显示有关所选帧的所有数据。 企业过滤和监控解决方案(如政府购买的解决方案)可以自动完成这一过程,无需人工干预,并可以汇总多帧数据以产生对网络观察者有用的统计数据。 + +| No. | 时间 | 来源 | 目的地 | 协议 | 长度 | 信息 | +| --- | -------- | --------- | --------- | --- | --- | ---------------------------------------------------------------------- | +| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | 云存储 | 104 | Standard query 0x58ba A privacyguides.org OPT | +| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | 云存储 | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT | +| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | 云存储 | 104 | Standard query 0xf1a9 A privacyguides.org OPT | +| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | 云存储 | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT | + +观察者可以修改这些数据包中的任何一个。 + +## 什么是“加密DNS” ? + +加密DNS可以指代若干协议中的一种,最常见的协议是: + +### DNSCrypt + +[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是首批加密DNS查询的方法之一。 DNSCrypt在端口443上运行,并可以使用TCP或UDP传输协议。 DNSCrypt从未提交给 [互联网工程任务组(IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) 也没有经过 [征求意见(RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) 过程,因此除了少数 [实现](https://dnscrypt.info/implementations)之外没有被广泛使用。 因此,它在很大程度上被更流行的 [DNS over HTTPS](#dns-over-https-doh)取代了。 + +### DNS over TLS (DoT) + +[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) 是另一种加密DNS通信的方法,在 [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858)中被定义。 首次得到支持是在安卓9、iOS 14和Linux上,被版本号237的 [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) 实现。 近年来,业界的偏好已经从DoT转向DoH,因为DoT是一个 [复杂的协议](https://dnscrypt.info/faq/) ,并且在现有的实现中对RFC的遵守情况各不相同。 DoT也在一个专用的853端口上运行,该端口很容易被限制性的防火墙阻断。 + +### DNS over HTTPS (DoH) + +[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS)由[RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) 定义,查询通过[HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) 协议打包并通过 HTTPS保障安全性. 由Firefox 60和Chrome 83等Web浏览器首次实现支持。 由Firefox 60和Chrome 83等Web浏览器首次实现支持。 + +DoH的原生实现出现在iOS 14、macOS 11、微软Windows和Android 13中(然而,它不会被默认启用 [](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144))。 一般的Linux桌面支持还在等待systemd [实现](https://github.com/systemd/systemd/issues/8639) ,所以 [目前依然需要安装第三方软件](../dns.md#linux)。 + +## 外部一方能看到什么? + +在本示例中,我们将记录当我们提出DoH请求时会发生什么: + +1. 首先,启动 `tshark`。 + + ```bash + tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1" + ``` + +2. 其次,使用 `curl`提出请求: + + ```bash + curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org + ``` + +3. 在提出请求后,我们可以用 CTRL + C停止抓包。 + +4. 在Wireshark中分析结果: + + ```bash + wireshark -r /tmp/dns_doh.pcap + ``` + +我们可以看到任何加密连接都需要发生的 [连接建立](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) 和 [TLS握手](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) 过程。 当查看下面的“应用程序数据”数据包时,没有一个数据包包含我们请求的域或返回的IP地址。 + +## 为什么我**不应该** 使用加密的DNS? + +在有互联网过滤(或审查)的地方,访问被禁止的资源可能会有自己的后果,你应该在你的 [威胁模型](../basics/threat-modeling.md)。 我们 **不** 建议为此目的使用加密的DNS。 使用 [Tor](https://torproject.org) 或 [VPN](../vpn.md) 来代替。 如果您使用的是VPN ,则应使用VPN的DNS服务器。 使用VPN时,您已经信任它们的所有网络活动。 + +当我们进行DNS查找时,通常是因为我们想要访问资源。 下面,我们将讨论一些即使在使用加密的DNS时也可能泄露你的浏览活动的方法。 + +### IP 地址 + +确定浏览活动的最简单方法可能是查看你的设备所访问的IP地址。 例如,如果观察者知道 `privacyguides.org` 在 `198.98.54.105`,而你的设备正在从 `198.98.54.105`请求数据,你很有可能正在访问隐私指南。 + +这种方法只有在IP地址属于一个只承载少数网站的服务器时才有用。 如果网站托管在一个共享平台上(如Github Pages、Cloudflare Pages、Netlify、WordPress、Blogger等),它也不是很有用。 如果服务器托管在一个 [反向代理](https://en.wikipedia.org/wiki/Reverse_proxy),它也不是很有用,这在现代互联网上非常普遍。 + +### 服务器名称指示(SNI) + +服务器名称指示通常在一个IP地址承载许多网站时使用。 这可能是一个像Cloudflare这样的服务,或其他一些 [拒绝服务攻击](https://en.wikipedia.org/wiki/Denial-of-service_attack) 保护。 + +1. 再次开始捕获 `tshark`。 我们用我们的IP地址添加了一个过滤器,所以你不会捕获很多数据包。 + + ```bash + tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105 + ``` + +2. 然后我们访问 [https://privacyguides.org](https://privacyguides.org)。 + +3. 访问完网站后,我们要用 CTRL + C停止抓包。 + +4. 接下来我们要分析结果: + + ```bash + wireshark -r /tmp/pg.pcap + ``` + + 我们将看到连接的建立,然后是隐私指南网站的TLS握手。 第5帧左右。 你会看到一个 "Client Hello"。 + +5. 展开每个字段旁边的三角形 ▸。 + + ```text + ▸ Transport Layer Security + ▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello + ▸ Handshake Protocol: Client Hello + ▸ Extension: server_name (len=22) + ▸ Server Name Indication extension + ``` + +6. 我们可以看到SNI值,它披露了我们正在访问的网站。 `tshark` 命令可以直接给你包含SNI值的所有数据包的值。 + + ```bash + tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name + ``` + +这意味着即使我们使用 "加密DNS "服务器,域名也可能通过SNI被披露。 [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) 协议带来了 [Client Hello](https://blog.cloudflare.com/encrypted-client-hello/),可以防止这种泄漏。 + + 各国政府,特别是 [中国](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) 和 [俄罗斯](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/),已经开始阻止 + +,或表示希望这样做。 [最近,俄罗斯开始封锁使用 [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) 标准的外国网站](https://github.com/net4people/bbs/issues/108)。 这是因为作为HTTP/3一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 协议要求 `ClientHello` 也被加密。

+ + + +### 在线证书状态协议(OCSP) + +你的浏览器披露你的浏览活动的另一种方式是通过 [在线证书状态协议](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)。 当访问一个HTTPS网站时,浏览器可能会检查该网站的 [证书](https://en.wikipedia.org/wiki/Public_key_certificate) 是否已被撤销。 这通常是通过HTTP协议完成的,这意味着它是 **,而不是** 加密的。 + +该OCSP请求包含证书"[序列号](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)",该证书是唯一的。 它被发送到 "OCSP响应者",以检查其状态。 + +我们可以使用 [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) 命令来模拟浏览器会做什么。 + +1. 获取服务器证书,并使用 [`sed`](https://en.wikipedia.org/wiki/Sed) ,只保留重要部分,并将其写入文件。 + + + + ```bash + openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert + ``` + + +2. 获得中间证书。 [证书颁发机构(CA)](https://en.wikipedia.org/wiki/Certificate_authority) ,通常不直接签署证书;他们使用所谓的 "中间 "证书。 + + + + ```bash + openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 | + sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert + ``` + + +3. `pg_and_intermediate.cert` 中的第一个证书实际上是步骤1中的服务器证书。 我们可以再次使用 `sed` ,删除直到END的第一个实例。 + + + + ```bash + sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \ + /tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert + ``` + + +4. 获取服务器证书的OCSP应答器。 + + + + ```bash + openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert + ``` + + +我们的证书显示的是Lets Encrypt证书响应者。 如果我们想查看证书的所有详细信息,我们可以使用: + + + + ```bash + openssl x509 -text -noout -in /tmp/pg_server.cert + ``` + + +5. 开始捕获数据包。 + + + + ```bash + tshark -w /tmp/pg_ocsp.pcap -f "tcp port http" + ``` + + +6. 提出OCSP请求。 + + + + ```bash + openssl ocsp -issuer /tmp/intermediate_chain.cert \ + -cert /tmp/pg_server.cert \ + -text \ + -url http://r3.o.lencr.org + ``` + + +7. 打开捕获。 + + + + ```bash + wireshark -r /tmp/pg_ocsp.pcap + ``` + + +在 "OCSP "协议中会有两个数据包:一个 "请求 "和一个 "响应"。 对于 "请求",我们可以通过展开每个字段旁边的三角形 ▸ ,看到 "序列号"。 + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ tbsRequest + ▸ requestList: 1 item + ▸ Request + ▸ reqCert + serialNumber + ``` + + +对于 "回应",我们也可以看到 "序列号"。 + + + + ```bash + ▸ Online Certificate Status Protocol + ▸ responseBytes + ▸ BasicOCSPResponse + ▸ tbsResponseData + ▸ responses: 1 item + ▸ SingleResponse + ▸ certID + serialNumber + ``` + + +8. 或者使用 `tshark` 来过滤序列号的数据包。 + + + + ```bash + tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber + ``` + + +如果网络观察者拥有公开的公共证书,他们可以将序列号与该证书相匹配,从而从中确定你所访问的网站。 这个过程可以自动化,并能将IP地址与序列号联系起来。 也可以检查 [证书透明度](https://en.wikipedia.org/wiki/Certificate_Transparency) 日志中的序列号。 + + + +## 我应该使用加密的DNS吗? + +我们做了这个流程图来描述你什么时候 *应该* 使用加密的DNS。 + + + +``` mermaid +图TB + 开始[Start] --> 匿名{尝试
匿名?} + anonymous--> | Yes | tor(使用Tor) + anonymous--> | No | censorship{Avoiding
censorship?} + 审查 --> | 是 | vpnOrTor(使用
VPN或Tor) + 审查 --> | 不 | 隐私{想从ISP那里获得隐私
?}。 + privacy --> | Yes | vpnOrTor + privacy --> | No | obnoxious{ISP使
obnoxious
redirects? } + obnoxious --> | Yes | encryptedDNS(使用第三方的
加密DNS
) + obnoxious --> | No | ispDNS{ISP是否支持
加密DNS? } + ispDNS --> | 是 | useISP(与ISP一起使用
加密DNS
) + ispDNS --> | 否 | nothing(什么都不做) +``` + + +第三方的加密DNS应该只用于绕过重定向和基本的 [DNS拦截](https://en.wikipedia.org/wiki/DNS_blocking) ,当你能确定不会有任何后果,或者你对一个能做一些基本过滤的供应商感兴趣时。 + +[推荐的DNS服务器列表](../dns.md ""){.md-button} + + + +## 什么是DNSSEC? + +[域名系统安全扩展](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC)是DNS的一项功能,对域名查询的响应进行认证。 它不为这些查询提供隐私保护,而是防止攻击者操纵或毒害对DNS请求的响应。 + +换句话说,DNSSEC对数据进行数字签名,以帮助确保其有效性。 为了确保安全查询,签名发生在DNS查询过程中的每一级。 因此,来自DNS的所有答案都可以被信任。 + +DNSSEC的签署过程类似于某人用笔签署一份法律文件;该人用一个独特的签名签署,其他人无法创建,法院专家可以查看该签名并验证该文件是由该人签署的。 这些数字签名确保数据没有被篡改。 + +DNSSEC在DNS的所有层面上实现了分层的数字签名政策。 例如,在 `privacyguides.org` 查询的情况下,根 DNS 服务器将签署 `.org` 名称服务器的密钥,然后 `.org` 名称服务器将签署 `privacyguides.org`的权威名称服务器的密钥。 + +改编自Google的[DNS安全扩展(DNSSEC)概述](https://cloud.google.com/dns/docs/dnssec)和Cloudflare的[DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/),两者均以[CC BY 4.0](https://creativecommons.org/licenses/by/4.0/)授权。 + + + +## 什么是QNAME最小化? + +QNAME是一个 "限定名称",例如 `privacyguides.org`。 QNAME最小化减少了从DNS服务器发送至 [权威名称服务器的信息量](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server)。 + +而不是发送整个域名 `privacyguides.org`,QNAME最小化意味着DNS服务器将要求所有以 `.org`结尾的记录。 进一步的技术描述在 [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816)中定义。 + + + +## 什么是EDNS客户子网(ECS)? + +[EDNS 客户端子网](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) 是递归 DNS 解析器为 [主机或客户端](https://en.wikipedia.org/wiki/Client_(computing)) 进行 DNS 查询时,指定一个 [子网](https://en.wikipedia.org/wiki/Subnetwork) 的一种方法。 + +它的目的是 "加快 "数据的交付,给客户一个属于离他们很近的服务器的答案,如 [内容交付网络](https://en.wikipedia.org/wiki/Content_delivery_network),这通常用于视频流和服务JavaScript网络应用。 + +这项功能确实是以隐私为代价的,因为它告诉DNS服务器一些关于客户端位置的信息。 diff --git a/i18n/zh/advanced/payments.md b/i18n/zh/advanced/payments.md new file mode 100644 index 00000000..13de5c4d --- /dev/null +++ b/i18n/zh/advanced/payments.md @@ -0,0 +1,84 @@ +--- +title: Private Payments +icon: material/hand-coin +--- + +There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately. + +## Cash + +For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable. + +Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payee’s name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations. + +Despite this, it’s typically the best option. + +## Prepaid Cards & Gift Cards + +It’s relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually don’t have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud. + +Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card. + +Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants don’t accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit. + +Prepaid cards don’t allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps. + +Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that don’t accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash. + +### Online Marketplaces + +If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero. + +- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces) + +## Virtual Cards + +Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information. + +- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services) + +These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions. + +## Cryptocurrency + +Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose. + +!!! 危险 + + The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity. + + Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust. + +### Privacy Coins + +There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors. + +- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins) + +Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance. + +### Other Coins (Bitcoin, Ethereum, etc.) + +The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons. + +Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years. + +==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged. + +### Wallet Custody + +With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies. + +### Acquisition + +Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward. + +If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall. + +## Additional Considerations + +When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Don’t sign up for rewards programs or provide any other information about yourself. + +When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants don’t allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address. diff --git a/i18n/zh/advanced/tor-overview.md b/i18n/zh/advanced/tor-overview.md new file mode 100644 index 00000000..d50f9e22 --- /dev/null +++ b/i18n/zh/advanced/tor-overview.md @@ -0,0 +1,94 @@ +--- +title: "Tor概述" +icon: 'simple/torproject' +description: Tor是一个免费使用的去中心化网络,专为尽量隐私地使用互联网而设计。 +--- + +Tor是一个免费使用的去中心化网络,专为尽量隐私地使用互联网而设计。 如果使用得当,该网络可以实现隐私且匿名地浏览和通信。 + +## Path Building to Clearnet Services + +"Clearnet services" are websites which you can access with any browser, like [privacyguides.org](https://www.privacyguides.org). Tor lets you connect to these websites anonymously by routing your traffic through a network comprised of thousands of volunteer-run servers called nodes (or relays). + +Every time you [connect to Tor](../tor.md), it will choose three nodes to build a path to the internet—this path is called a "circuit." + +
+ ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path.svg#only-light) + ![Tor path showing your device connecting to an entry node, middle node, and exit node before reaching the destination website](../assets/img/how-tor-works/tor-path-dark.svg#only-dark) +
Tor circuit pathway
+
+ +每个节点都有自己的功能: + +### 入口节点 + +入口节点,通常被称为守护节点,是你的Tor客户端连接到的第一个节点。 入口节点能够看到你的IP地址,但它无法看到你正在连接什么。 + +与其他节点不同,Tor客户端会随机选择一个入口节点并坚持两到三个月,以保护你免受某些攻击。[^1] + +### 中间节点 + +中间节点是你的Tor客户端连接的第二个节点。 它可以看到流量来自哪个节点--入口节点--以及它接下来要去哪个节点。 中间节点不能,看到你的IP地址或你正在连接的域。 + +对于每个新线路,在所有可用的Tor节点中随机选择中间节点。 + +### 出口节点 + +出口节点是你的网络流量离开Tor网络并被转发到待达目的地的地方。 出口节点无法看到你的IP地址,但它确实知道正在连接到哪个网站。 + +出口节点将从运行有出口中继标志的所有可用Tor节点中随机选择。[^2] + +## Path Building to Onion Services + +"Onion Services" (also commonly referred to as "hidden services") are websites which can only be accessed by the Tor browser. These websites have a long randomly generated domain name ending with `.onion`. + +Connecting to an Onion Service in Tor works very similarly to connecting to a clearnet service, but your traffic is routed through a total of **six** nodes before reaching the destination server. Just like before however, only three of these nodes are contributing to *your* anonymity, the other three nodes protect *the Onion Service's* anonymity, hiding the website's true IP and location in the same manner that Tor Browser is hiding yours. + +
+ ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light) + ![Tor path showing your traffic being routed through your three Tor nodes plus three additional Tor nodes which hide the website's identity](../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark) +
Tor circuit pathway with Onion Services. Nodes in the blue fence belong to your browser, while nodes in the red fence belong to the server, so their identity is hidden from you.
+
+ +## 加密 + +Tor用出口、中间和入口节点的密钥对每个数据包(一个传输的数据块)进行三次加密--按顺序进行。 + +一旦Tor建立了一个电路,数据传输就会按以下方式进行。 + +1. 首先:当数据包到达入口节点时,第一层的加密被移除。 在这个加密的数据包中,入口节点会发现另一个带有中间节点地址的加密数据包。 然后,入口节点将把数据包转发给中间节点。 + +2. 第二:当中间节点收到来自入口节点的数据包时,它也会用自己的密钥去掉一层加密,这时会发现一个带有出口节点地址的加密数据包。 然后,中间节点将把数据包转发给出口节点。 + +3. 最后:当出口节点收到其数据包时,它将用其密钥去除最后一层加密。 出口节点将看到目标地址并将数据包转发到该地址。 + +下面是一个显示该过程的替代图。 每个节点都会移除自己的加密层,而当目的地服务器返回数据时,同样的过程会完全反向发生。 例如,出口节点不知道你是谁,但它知道它来自哪个节点,因此它添加了自己的加密层并将其发送回来。 + +
+ ![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light) + ![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark) +
Sending and receiving data through the Tor Network
+
+ +通过使用Tor,我们可以在没有任何一方知道整个线路的情况下连接到一个服务器。 入口节点知道你是谁,但不知道你要去哪里;中间节点不知道你是谁,也不知道你要去哪里;而出口节点知道你要去哪里,但不知道你是谁。 因为出口节点是进行最终连接的,目标服务器永远不会知道你的IP地址。 + +## Caveats (注意) + +尽管Tor确实提供了强有力的隐私保障,但您必须意识到Tor并不完美: + +- 资金充足、能够被动地观察全球大多数网络通信量的对手有机会通过先进的通信量分析将Tor用户去匿名化。 Tor也不能防止您错误地暴露自己,例如分享了太多关于您真实身份的信息。 +- Tor出口节点也可以监控通过它们的流量。 这意味着没有加密的流量,如普通的HTTP流量,可以被记录和监控。 如果这种流量包含个人可识别信息,那么那个出口节点可以把你去匿名化。 因此,我们建议尽可能使用HTTPS over Tor。 + +如果您希望使用Tor浏览网页,我们只建议使用 **官方** Tor浏览器,该浏览器旨在防止指纹。 + +- [Tor浏览器 :material-arrow-right-drop-circle:](../tor.md#tor-browser) + +## 其它资源 + +- [Tor浏览器用户手册](https://tb-manual.torproject.org) +- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) (YouTube) +- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) (YouTube) + +[^1]: 您线路上的第一个中继称为“入口警卫“或“警卫”。 它是一个快速而稳定的中继,会在2-3个月内持续作为你的线路的第一个中继,以防止已知的破坏匿名性的攻击。 你的线路其余部分会随着你访问的每个新网站而改变,所有这些中继器一起提供Tor的全部隐私保护。 关于警卫中继器如何工作的更多信息,请参阅这篇 [博文](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) 和 [关于入口警卫的论文](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf)。 ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/)) + +[^2]: 中继标志:由目录权限分配并在目录协议规范中进一步定义的线路位置(例如, “Guard”、“Exit”、“BadExit” )、线路属性(例如, “Fast”、“Stable” )或角色(例如, “Authority”、“HSDir” )的中继的特殊( dis- )限定。 ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html)) diff --git a/i18n/zh/android.md b/i18n/zh/android.md new file mode 100644 index 00000000..964bea3e --- /dev/null +++ b/i18n/zh/android.md @@ -0,0 +1,423 @@ +--- +title: "安卓" +icon: 'simple/android' +description: You can replace the operating system on your Android phone with these secure and privacy-respecting alternatives. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Android Operating Systems + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: 安卓 + image: /assets/img/android/android.svg + url: https://source.android.com/ + sameAs: https://en.wikipedia.org/wiki/Android_(operating_system) + - + "@context": http://schema.org + "@type": CreativeWork + name: GrapheneOS + image: /assets/img/android/grapheneos.svg + url: https://grapheneos.org/ + sameAs: https://en.wikipedia.org/wiki/GrapheneOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": CreativeWork + name: Divest + image: /assets/img/android/divestos.svg + url: https://divestos.org/ + sameAs: https://en.wikipedia.org/wiki/DivestOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": Product + name: Pixel + brand: + "@type": Brand + name: 谷歌 + image: /assets/img/android/google-pixel.png + sameAs: https://en.wikipedia.org/wiki/Google_Pixel + review: + "@type": Review + author: + "@type": Organization + name: Privacy Guides + - + "@context": http://schema.org + "@type": MobileApplication + name: Shelter + applicationCategory: Utilities + operatingSystem: 安卓 + - + "@context": http://schema.org + "@type": MobileApplication + name: Auditor + applicationCategory: Utilities + operatingSystem: 安卓 + - + "@context": http://schema.org + "@type": MobileApplication + name: Secure Camera + applicationCategory: Utilities + operatingSystem: 安卓 + - + "@context": http://schema.org + "@type": MobileApplication + name: 安全的PDF查看器(Secure PDF Viewer) + applicationCategory: Utilities + operatingSystem: 安卓 +--- + +![安卓徽标](assets/img/android/android.svg){ align=right } + +**安卓开源项目** 是一个由谷歌领导的开源移动操作系统,为世界上大多数移动设备提供动力。 大多数使用安卓系统销售的手机都经过修改,包括侵入性的集成和应用程序,如谷歌游戏服务,所以你可以通过用没有这些侵入性功能的安卓系统版本替换你的手机默认安装,来大大改善你在移动设备上的隐私。 + +[:octicons-home-16:](https://source.android.com/){ .card-link title="首页" } +[:octicons-info-16:](https://source.android.com/docs){ .card-link title=文档} +[:octicons-code-16:](https://cs.android.com/android/platform/superproject/){ .card-link title="源代码" } + +这些是我们推荐的安卓操作系统、设备和应用程序,以最大限度地提高你的移动设备的安全和隐私。 要了解更多关于安卓的信息。 + +[General Android Overview :material-arrow-right-drop-circle:](os/android-overview.md ""){.md-button} + +[Why we recommend GrapheneOS over CalyxOS :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/ ""){.md-button} + +## AOSP 衍生品 + +We recommend installing one of these custom Android operating systems on your device, listed in order of preference, depending on your device's compatibility with these operating systems. + +!!! note + + 由于OEM停止支持,寿命终止的设备(如GrapheneOS或CalyxOS的 "扩展支持 "设备)没有完整的安全补丁(固件更新)。 无论安装何种软件,都不能认为这些设备是完全安全的。 + +### GrapheneOS + +!!! recommendation + + ![GrapheneOS标志](assets/img/android/grapheneos.svg#only-light){ align=right } + ![GrapheneOS标志](assets/img/android/grapheneos-dark.svg#only-dark){ align=right } + + **GrapheneOS**是涉及隐私和安全的最佳选择。 + + GrapheneOS提供了额外的[安全加固](https://en.wikipedia.org/wiki/Hardening_(计算))和隐私改进。 它有一个[加固的内存分配器](https://github.com/GrapheneOS/hardened_malloc)、网络和传感器权限,以及其他各种[安全功能](https://grapheneos.org/features)。 GrapheneOS还带有完整的固件更新和签名构建,因此完全支持验证性启动。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="贡献" } + +GrapheneOS supports [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play), which runs [Google Play Services](https://en.wikipedia.org/wiki/Google_Play_Services) fully sandboxed like any other regular app. This means you can take advantage of most Google Play Services, such as [push notifications](https://firebase.google.com/docs/cloud-messaging/), while giving you full control over their permissions and access, and while containing them to a specific [work profile](os/android-overview.md#work-profile) or [user profile](os/android-overview.md#user-profiles) of your choice. + +Google Pixel phones are the only devices that currently meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support). + +### DivestOS + +!!! recommendation + + ![DivestOS标志](assets/img/android/divestos.svg){ align=right } + + **DivestOS**是 [LineageOS](https://lineageos.org/)的一个软分叉。 + DivestOS从LineageOS继承了许多[支持的设备](https://divestos.org/index.php?page=devices&base=LineageOS)。 它有签名的构建,使得在一些非Pixel设备上可以有[验证的启动](https://source.android.com/security/verifiedboot)。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://grapheneos.org/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://grapheneos.org/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="贡献" } + +DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, and a custom [hosts](https://divested.dev/index.php?page=dnsbl) file. Its hardened WebView, [Mulch](https://gitlab.com/divested-mobile/mulch), enables [CFI](https://en.wikipedia.org/wiki/Control-flow_integrity) for all architectures and [network state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning), and receives out-of-band updates. DivestOS also includes kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. + +DivestOS implements some system hardening patches originally developed for GrapheneOS. DivestOS 16.0 and higher implements GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle, [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), [exec-spawning](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/#additional-hardening), [JNI](https://en.wikipedia.org/wiki/Java_Native_Interface) [constification](https://en.wikipedia.org/wiki/Const_(computer_programming)), and partial [bionic](https://en.wikipedia.org/wiki/Bionic_(software)) hardening patchsets. 17.1 and higher features GrapheneOS's per-network full [MAC randomization](https://en.wikipedia.org/wiki/MAC_address#Randomization) option, [`ptrace_scope`](https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html) control, and automatic reboot/Wi-Fi/Bluetooth [timeout options](https://grapheneos.org/features). + +DivestOS uses F-Droid as its default app store. Normally, we would recommend avoiding F-Droid due to its numerous [security issues](#f-droid). However, doing so on DivestOS isn't viable; the developers update their apps via their own F-Droid repositories ([DivestOS Official](https://divestos.org/fdroid/official/?fingerprint=E4BE8D6ABFA4D9D4FEEF03CDDA7FF62A73FD64B75566F6DD4E5E577550BE8467) and [DivestOS WebView](https://divestos.org/fdroid/webview/?fingerprint=FB426DA1750A53D7724C8A582B4D34174E64A84B38940E5D5A802E1DFF9A40D2)). We recommend disabling the official F-Droid app and using [Neo Store](https://github.com/NeoApplications/Neo-Store/) with the DivestOS repositories enabled to keep those components up to date. For other apps, our recommended methods of obtaining them still apply. + +!!! 推荐 + + DivestOS的固件更新 [status](https://gitlab.com/divested-mobile/firmware-empty/-/blob/master/STATUS)和质量控制在其支持的设备中各不相同。 我们仍然推荐GrapheneOS,这取决于你设备的兼容性。 对于其他设备,DivestOS是一个不错的选择。 + + 并非所有支持的设备都有验证启动,有些设备的验证启动性能比其他设备好。 + +## 安卓设备 + +When purchasing a device, we recommend getting one as new as possible. The software and firmware of mobile devices are only supported for a limited time, so buying new extends that lifespan as much as possible. + +Avoid buying phones from mobile network operators. These often have a **locked bootloader** and do not support [OEM unlocking](https://source.android.com/devices/bootloader/locking_unlocking). These phone variants will prevent you from installing any kind of alternative Android distribution. + +Be very **careful** about buying second hand phones from online marketplaces. Always check the reputation of the seller. If the device is stolen, there's a possibility of [IMEI blacklisting](https://www.gsma.com/security/resources/imei-blacklisting/). There is also a risk involved with you being associated with the activity of the previous owner. + +A few more tips regarding Android devices and operating system compatibility: + +- Do not buy devices that have reached or are near their end-of-life, additional firmware updates must be provided by the manufacturer. +- Do not buy preloaded LineageOS or /e/ OS phones or any Android phones without proper [Verified Boot](https://source.android.com/security/verifiedboot) support and firmware updates. These devices also have no way for you to check whether they've been tampered with. +- In short, if a device or Android distribution is not listed here, there is probably a good reason. Check out our [forum](https://discuss.privacyguides.net/) to find details! + +### Google Pixel + +Google Pixel phones are the **only** devices we recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element. + +!!! recommendation + + ![谷歌Pixel 6](assets/img/android/google-pixel.png){ align=right } + + 众所周知,**谷歌Pixel**设备具有良好的安全性,并适当支持[验证启动](https://source.android.com/security/verifiedboot),即使在安装自定义操作系统时也是如此。 + + 从**Pixel 6**和**6 Pro**开始,Pixel设备将获得至少5年的安全更新保证,确保其使用寿命比其他竞争OEM厂商通常提供的2-4年要长得多。 + + [:material-shopping: Store](https://store.google.com/category/phones){ .md-button .md-button--primary } + +Secure Elements like the Titan M2 are more limited than the processor's Trusted Execution Environment used by most other phones as they are only used for secrets storage, hardware attestation, and rate limiting, not for running "trusted" programs. Phones without a Secure Element have to use the TEE for *all* of those functions, resulting in a larger attack surface. + +Google Pixel phones use a TEE OS called Trusty which is [open-source](https://source.android.com/security/trusty#whyTrusty), unlike many other phones. + +The installation of GrapheneOS on a Pixel phone is easy with their [web installer](https://grapheneos.org/install/web). If you don't feel comfortable doing it yourself and are willing to spend a bit of extra money, check out the [NitroPhone](https://shop.nitrokey.com/shop) as they come preloaded with GrapheneOS from the reputable [Nitrokey](https://www.nitrokey.com/about) company. + +A few more tips for purchasing a Google Pixel: + +- If you're after a bargain on a Pixel device, we suggest buying an "**a**" model, just after the next flagship is released. Discounts are usually available because Google will be trying to clear their stock. +- Consider price beating options and specials offered at physical stores. +- Look at online community bargain sites in your country. These can alert you to good sales. +- Google provides a list showing the [support cycle](https://support.google.com/nexus/answer/4457705) for each one of their devices. The price per day for a device can be calculated as: $\text{Cost} \over \text {EOL Date}-\text{Current Date}$, meaning that the longer use of the device the lower cost per day. + +## 常规应用程序 + +We recommend a wide variety of Android apps throughout this site. The apps listed here are Android-exclusive and specifically enhance or replace key system functionality. + +### Shelter + +!!! recommendation + + ![Shelter logo](assets/img/android/shelter.svg){ align=right } + + * *Shelter* *是一款应用程序,可帮助您利用Android的工作配置文件功能隔离或复制设备上的应用程序。 + + Shelter支持阻止联系人跨档案搜索,并通过默认文件管理器([DocumentsUI](https://source.android.com/devices/architecture/modular-system/documentsui))跨档案共享文件。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-heart-16:](https://www.patreon.com/PeterCxy){ .card-link title=贡献 } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.typeblog.shelter) + +!!! 推荐 + + 推荐使用Shelter而不是 [Insular](https://secure-system.gitlab.io/Insular/)和 [Island](https://github.com/oasisfeng/island),因为它支持[联系人搜索屏蔽](https://secure-system.gitlab.io/Insular/faq.html)。 + + 当使用Shelter时,你完全信任它的开发者,因为Shelter作为一个[设备管理员](https://developer.android.com/guide/topics/admin/device-admin)来创建工作档案,它可以广泛地访问存储在工作档案中的数据。 + +### Auditor + +!!! recommendation + + ![Auditor logo](assets/img/android/auditor.svg#only-light){ align=right } + ![Auditor logo](assets/img/android/auditor-dark.svg#only-dark){ align=right } + + * *Auditor* * 是一款利用硬件安全功能为[支持的设备](https://attestation.app/about#device-support) 提供设备完整性监控的应用程序。 目前,它只适用于GrapheneOS和设备的库存操作系统。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://attestation.app/about#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://attestation.app/source){ .card-link title="源代码" } + [:octicons-heart-16:](https://attestation.app/donate){ .card-link title="贡献" } downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.attestation.auditor.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Auditor/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Auditor performs attestation and intrusion detection by: + +- Using a [Trust On First Use (TOFU)](https://en.wikipedia.org/wiki/Trust_on_first_use) model between an *auditor* and *auditee*, the pair establish a private key in the [hardware-backed keystore](https://source.android.com/security/keystore/) of the *Auditor*. +- The *auditor* can either be another instance of the Auditor app or the [Remote Attestation Service](https://attestation.app). +- The *auditor* records the current state and configuration of the *auditee*. +- Should tampering with the operating system of the *auditee* happen after the pairing is complete, the auditor will be aware of the change in the device state and configurations. +- You will be alerted to the change. + +No personally identifiable information is submitted to the attestation service. We recommend that you sign up with an anonymous account and enable remote attestation for continuous monitoring. + +If your [threat model](basics/threat-modeling.md) requires privacy, you could consider using [Orbot](tor.md#orbot) or a VPN to hide your IP address from the attestation service. To make sure that your hardware and operating system is genuine, [perform local attestation](https://grapheneos.org/install/web#verifying-installation) immediately after the device has been installed and prior to any internet connection. + +### Secure Camera + +!!! recommendation + + ![Secure 摄像头标志](assets/img/android/secure_camera.svg#only-light){ align=right } + ![Secure 摄像头标志](assets/img/android/secure_camara-dark#only-dark){ aligh=right } + + **Secure Camera** 是一个专注于隐私和安全的相机应用,它可以捕捉图像、视频和二维码。 CameraX供应商扩展(肖像、HDR、夜视、面部修饰和自动)也在可用设备上得到支持。 + + [:octicons-repo-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-info-16:](https://github.com/GrapheneOS/Camera#privacy-policy){ .card-link title="隐私政策" } + [:octicons-code-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title="源代码" } + [](){ .card-link title="贡献" } downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.camera.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/Camera/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +Main privacy features include: + +- Auto removal of [Exif](https://en.wikipedia.org/wiki/Exif) metadata (enabled by default) +- Use of the new [Media](https://developer.android.com/training/data-storage/shared/media) API, therefore [storage permissions](https://developer.android.com/training/data-storage) are not required +- Microphone permission not required unless you want to record sound + +!!! note + + 目前,元数据没有从视频文件中删除,但这是计划中的。 + + 图像方向元数据未被删除。 如果你启用位置(在安全相机中),**也不会被删除。 如果你以后想删除,你将需要使用一个外部应用程序,如 [ExifEraser](data-redaction.md#exiferaser)。 + +### 安全的PDF查看器(Secure PDF Viewer) + +!!! recommendation + + ![安全PDF浏览器标志](assets/img/android/secure_pdf_viewer.svg#only-light){ align=right } + ![安全PDF浏览器标志](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ align=right } + + **安全PDF浏览器**是一个基于 [pdf.js](https://en.wikipedia.org/wiki/PDF.js)的PDF浏览器,不需要任何权限。 该PDF被送入一个 [sandboxed](https://en.wikipedia.org/wiki/Sandbox_(software_development)) [webview](https://developer.android.com/guide/webapps/webview)。 这意味着它不需要权限就能直接访问内容或文件。 + + [Content-Security-Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)是用来强制要求WebView内的JavaScript和造型属性完全是静态内容。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-heart-16:](https://grapheneos.org/donate){ .card-link title=贡献 } + + ??? downloads "下载" + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=app.grapheneos.pdfviewer.play) + - [:simple-github: GitHub](https://github.com/GrapheneOS/PdfViewer/releases) + - [:material-cube-outline: GrapheneOS App Store](https://github.com/GrapheneOS/Apps/releases) + +## 获取应用程序 + +### GrapheneOS应用商店 + +GrapheneOS's app store is available on [GitHub](https://github.com/GrapheneOS/Apps/releases). It supports Android 12 and above and is capable of updating itself. The app store has standalone applications built by the GrapheneOS project such as the [Auditor](https://attestation.app/), [Camera](https://github.com/GrapheneOS/Camera), and [PDF Viewer](https://github.com/GrapheneOS/PdfViewer). If you are looking for these applications, we highly recommend that you get them from GrapheneOS's app store instead of the Play Store, as the apps on their store are signed by the GrapheneOS's project own signature that Google does not have access to. + +### 奥罗拉商店(Aurora Store) + +The Google Play Store requires a Google account to login which is not great for privacy. You can get around this by using an alternative client, such as Aurora Store. + +!!! recommendation + + ![Aurora Store徽标](assets/img/android/aurora-store.webp){ align=right } + + * *Aurora Store* *是Google Play Store客户端,无需Google帐户、Google Play服务或microG即可下载应用程序。 + + [:octicons-home-16: 主页](https://auroraoss.com/){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/AuroraOSS/AuroraStore){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-gitlab: GitLab](https://gitlab.com/AuroraOSS/AuroraStore/-/releases) + +Aurora Store does not allow you to download paid apps with their anonymous account feature. You can optionally log in with your Google account with Aurora Store to download apps you have purchased, which does give access to the list of apps you've installed to Google, however you still benefit from not requiring the full Google Play client and Google Play Services or microG on your device. + +### 手动使用RSS通知 + +For apps that are released on platforms like GitHub and GitLab, you may be able to add an RSS feed to your [news aggregator](/news-aggregators) that will help you keep track of new releases. + +![RSS APK](./assets/img/android/rss-apk-light.png#only-light) ![RSS APK](./assets/img/android/rss-apk-dark.png#only-dark) ![APK Changes](./assets/img/android/rss-changes-light.png#only-light) ![APK Changes](./assets/img/android/rss-changes-dark.png#only-dark) + +#### GitHub + +On GitHub, using [Secure Camera](#secure-camera) as an example, you would navigate to its [releases page](https://github.com/GrapheneOS/Camera/releases) and append `.atom` to the URL: + +`https://github.com/GrapheneOS/Camera/releases.atom` + +#### GitLab + +On GitLab, using [Aurora Store](#aurora-store) as an example, you would navigate to its [project repository](https://gitlab.com/AuroraOSS/AuroraStore) and append `/-/tags?format=atom` to the URL: + +`https://gitlab.com/AuroraOSS/AuroraStore/-/tags?format=atom` + +#### Verifying APK Fingerprints + +If you download APK files to install manually, you can verify their signature with the [`apksigner`](https://developer.android.com/studio/command-line/apksigner) tool, which is a part of Android [build-tools](https://developer.android.com/studio/releases/build-tools). + +1. 安装 [Java JDK](https://www.oracle.com/java/technologies/downloads/)。 + +2. 下载 [Android Studio命令行工具](https://developer.android.com/studio#command-tools)。 + +3. 解压缩下载的存档: + + ```bash + unzip commandlinetools-*.zip + cd cmdline-tools + ./bin/sdkmanager --sdk_root=./ "build-tools;29.0.3" + ``` + +4. 运行签名验证命令。 + + ```bash + ./build-tools/29.0.3/apksigner verify --print-certs ../Camera-37.apk + ``` + +5. 然后,所产生的哈希值可以与另一个来源进行比较。 一些开发商,如Signal [,在其网站上显示了指纹](https://signal.org/android/apk/)。 + + ```bash + Signer #1 certificate DN: CN=GrapheneOS + Signer #1 certificate SHA-256 digest: 6436b155b917c2f9a9ed1d15c4993a5968ffabc94947c13f2aeee14b7b27ed59 + Signer #1 certificate SHA-1 digest: 23e108677a2e1b1d6e6b056f3bb951df7ad5570c + Signer #1 certificate MD5 digest: dbbcd0cac71bd6fa2102a0297c6e0dd3 + ``` + +### F-Droid + +![F-Droid logo](assets/img/android/f-droid.svg){ align=right width=120px } + +==We do **not** currently recommend F-Droid as a way to obtain apps.== F-Droid is often recommended as an alternative to Google Play, particularly in the privacy community. The option to add third-party repositories and not be confined to Google's walled garden has led to its popularity. F-Droid additionally has [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/) for some applications and is dedicated to free and open-source software. However, there are [notable problems](https://privsec.dev/posts/android/f-droid-security-issues/) with the official F-Droid client, their quality control, and how they build, sign, and deliver packages. + +Due to their process of building apps, apps in the official F-Droid repository often fall behind on updates. F-Droid maintainers also reuse package IDs while signing apps with their own keys, which is not ideal as it gives the F-Droid team ultimate trust. + +Other popular third-party repositories such as [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) alleviate some of these concerns. The IzzyOnDroid repository pulls builds directly from GitHub and is the next best thing to the developers' own repositories. However, it is not something that we can recommend, as apps are typically [removed](https://github.com/vfsfitvnm/ViMusic/issues/240#issuecomment-1225564446) from that respository when they make it to the main F-Droid repository. While that makes sense (since the goal of that particular repository is to host apps before they're accepted into the main F-Droid repository), it can leave you with installed apps which no longer receive updates. + +That said, the [F-Droid](https://f-droid.org/en/packages/) and [IzzyOnDroid](https://apt.izzysoft.de/fdroid/) repositories are home to countless apps, so they can be a useful tool to search for and discover open-source apps that you can then download through Play Store, Aurora Store, or by getting the APK directly from the developer. It is important to keep in mind that some apps in these repositories have not been updated in years and may rely on unsupported libraries, among other things, posing a potential security risk. You should use your best judgement when looking for new apps via this method. + +!!! note + + In some rare cases, the developer of an app will only distribute it through F-Droid ([Gadgetbridge](https://gadgetbridge.org/) is one example of this). If you really need an app like that, we recommend using [Neo Store](https://github.com/NeoApplications/Neo-Store/) instead of the official F-Droid app to obtain it. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### 服务供应商 + +- 它必须是开源软件。 +- Must support bootloader locking with custom AVB key support. +- Must receive major Android updates within 0-1 months of release. +- Must receive Android feature updates (minor version) within 0-14 days of release. +- Must receive regular security patches within 0-5 days of release. +- Must **not** be "rooted" out of the box. +- Must **not** enable Google Play Services by default. +- Must **not** require system modification to support Google Play Services. + +### 设备 + +- Must support at least one of our recommended custom operating systems. +- Must be currently sold new in stores. +- Must receive a minimum of 5 years of security updates. +- Must have dedicated secure element hardware. + +### 应用程序 + +- Applications on this page must not be applicable to any other software category on the site. +- General applications should extend or replace core system functionality. +- Applications should receive regular updates and maintenance. diff --git a/i18n/zh/assets/img/account-deletion/exposed_passwords.png b/i18n/zh/assets/img/account-deletion/exposed_passwords.png new file mode 100644 index 00000000..5295c902 Binary files /dev/null and b/i18n/zh/assets/img/account-deletion/exposed_passwords.png differ diff --git a/i18n/zh/assets/img/android/rss-apk-dark.png b/i18n/zh/assets/img/android/rss-apk-dark.png new file mode 100644 index 00000000..974869a4 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-apk-dark.png differ diff --git a/i18n/zh/assets/img/android/rss-apk-light.png b/i18n/zh/assets/img/android/rss-apk-light.png new file mode 100644 index 00000000..21d6ef03 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-apk-light.png differ diff --git a/i18n/zh/assets/img/android/rss-changes-dark.png b/i18n/zh/assets/img/android/rss-changes-dark.png new file mode 100644 index 00000000..b4628357 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-changes-dark.png differ diff --git a/i18n/zh/assets/img/android/rss-changes-light.png b/i18n/zh/assets/img/android/rss-changes-light.png new file mode 100644 index 00000000..f88f7b40 Binary files /dev/null and b/i18n/zh/assets/img/android/rss-changes-light.png differ diff --git a/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg b/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg new file mode 100644 index 00000000..95e68157 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-encryption-dark.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-encryption.svg b/i18n/zh/assets/img/how-tor-works/tor-encryption.svg new file mode 100644 index 00000000..f5b1e291 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-encryption.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + Device + + + + Sending data to a website + + + + + Receiving data from a website + + + + + Your + + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + PrivacyGuides.org + + + + + Entry + + + + + Middle + + + + + Exit + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg b/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg new file mode 100644 index 00000000..9002c9b1 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path-dark.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service-dark.svg b/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service-dark.svg new file mode 100644 index 00000000..d7fb035b --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service-dark.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service.svg b/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service.svg new file mode 100644 index 00000000..98a41573 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path-hidden-service.svg @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + + + Device + + + + + + Guard + + + Relay + + + Relay + + + + + hidden...onion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rendezvous + + + Relay + + + + + Entry + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/how-tor-works/tor-path.svg b/i18n/zh/assets/img/how-tor-works/tor-path.svg new file mode 100644 index 00000000..cb53d8b1 --- /dev/null +++ b/i18n/zh/assets/img/how-tor-works/tor-path.svg @@ -0,0 +1,79 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + Your + Device + + + + Entry + + + + + Middle + + + + + Exit + + + + + PrivacyGuides.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/i18n/zh/assets/img/multi-factor-authentication/fido.png b/i18n/zh/assets/img/multi-factor-authentication/fido.png new file mode 100644 index 00000000..7a4a0d17 Binary files /dev/null and b/i18n/zh/assets/img/multi-factor-authentication/fido.png differ diff --git a/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png b/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png new file mode 100644 index 00000000..f81058d8 Binary files /dev/null and b/i18n/zh/assets/img/multi-factor-authentication/yubico-otp.png differ diff --git a/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png b/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png new file mode 100644 index 00000000..cde3771e Binary files /dev/null and b/i18n/zh/assets/img/qubes/qubes-trust-level-architecture.png differ diff --git a/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png b/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png new file mode 100644 index 00000000..d7138149 Binary files /dev/null and b/i18n/zh/assets/img/qubes/r4.0-xfce-three-domains-at-work.png differ diff --git a/i18n/zh/basics/account-creation.md b/i18n/zh/basics/account-creation.md new file mode 100644 index 00000000..70f5811f --- /dev/null +++ b/i18n/zh/basics/account-creation.md @@ -0,0 +1,81 @@ +--- +title: "账户创建" +icon: 'material/account-plus' +description: Creating accounts online is practically an internet necessity, take these steps to make sure you stay private. +--- + +人们经常不假思索地注册服务。 也许它是一个流媒体服务,这样你就可以看到每个人都在谈论的新节目,或者一个为你最喜欢的快餐店提供折扣的账户。 无论情况如何,你应该考虑现在和以后对你的数据的影响。 + +你所使用的每一项新服务都有风险。 数据泄露;向第三方披露客户信息;流氓雇员访问数据;所有这些都是在提供你的信息时必须考虑的可能性。 你需要确信你可以信任该服务,这就是为什么我们不建议将有价值的数据存储在任何东西上,除了最成熟和经过战斗考验的产品。 这通常意味着提供E2EE并经过加密审计的服务。 审计增加了对产品的保证,即产品的设计没有由缺乏经验的开发者造成的明显的安全问题。 + +在一些服务上删除账户也可能很困难。 有时 [覆盖与一个账户相关的数据](account-deletion.md#overwriting-account-information) ,但在其他情况下,该服务将保留整个账户的变化历史。 + +## 用户协议和隐私政策 + +服务条款是你在使用服务时同意遵守的规则。 对于较大的服务,这些规则通常由自动系统执行。 有时这些自动系统会犯错误。 例如,你可能因为使用VPN或VOIP号码而被禁止或被锁定在某些服务的账户中。 对这种禁令提出上诉往往很困难,而且也涉及到一个自动程序,并不总是成功。 这将是我们不建议使用Gmail的电子邮件作为例子的原因之一。 电子邮件对于访问你可能已经注册的其他服务至关重要。 + +隐私政策是该服务说他们将如何使用你的数据,它值得阅读,以便你了解你的数据将如何被使用。 一个公司或组织可能在法律上没有义务遵守政策中的所有内容(这取决于司法管辖区)。 我们建议对你当地的法律有一些了解,以及他们允许供应商收集什么。 + +我们建议寻找特定的术语,如 "数据收集"、"数据分析"、"cookies"、"广告 "或 "第三方 "服务。 有时你可以选择不收集数据或不分享你的数据,但最好是选择一个从一开始就尊重你的隐私的服务。 + +请记住,你也将你的信任寄托在该公司或组织身上,他们会遵守自己的隐私政策。 + +## 身份验证方法 + +通常有多种注册账户的方式,每种方式都有各自的好处和缺点。 + +### 电子邮件和密码 + +创建新账户最常见的方式是通过电子邮件地址和密码。 当使用这种方法时,你应该使用一个密码管理器,并遵循 [有关密码的最佳实践](passwords-overview.md)。 + +!!! tip + + 你也可以用你的密码管理器来组织其他认证方法 只需添加新条目并填写相应的字段,你可以为安全问题或备份钥匙等事项添加注释。 + +你将负责管理你的登录凭证。 为了增加安全性,你可以在你的账户上设置 [MFA](multi-factor-authentication.md)。 + +[推荐的密码管理器](../passwords.md ""){.md-button} + +#### 邮箱别名 + +如果你不想把你的真实电子邮件地址提供给一个服务,你可以选择使用一个别名。 我们在我们的电子邮件服务推荐页面上对它们进行了更详细的描述。 本质上,别名服务允许你生成新的电子邮件地址,将所有电子邮件转发到你的主地址。 这可以帮助防止跨服务的追踪,并帮助你管理有时伴随着注册过程的营销电子邮件。 这些可以根据它们被发送到的别名自动过滤。 + +如果一项服务被黑客攻击,你可能会开始收到钓鱼或垃圾邮件到你用来注册的地址。 为每项服务使用独特的别名,可以帮助准确识别什么服务被黑。 + +[推荐的电子邮件别名服务](../email.md#email-aliasing-services ""){.md-button} + +### 单点登录 + +!!! note + + 我们讨论的是个人使用的单点登录,而不是企业用户。 + +单点登录(SSO)是一种认证方法,允许你在不分享很多信息的情况下注册一个服务。 只要你在注册表上看到类似于 "用 *提供商名称*"的内容,就是SSO。 + +当你在一个网站上选择单点登录时,它会提示你的SSO供应商的登录页面,之后你的账户就会被连接起来。 你的密码不会被分享,但一些基本信息会被分享(你可以在登录请求中查看)。 每次你想登录同一个账户时,都需要这个过程。 + +主要的优点是: + +- **安全性**:没有卷入 [数据泄露的风险](https://en.wikipedia.org/wiki/Data_breach) ,因为网站不储存你的凭证。 +- **易用性**:多个账户由一个登录账号管理。 + +但也有弊端: + +- **隐私**:SSO供应商会知道你使用的服务。 +- **集中化**:如果你的SSO账户被泄露或你无法登录,所有与之相连的其他账户都会受到影响。 + +SSO在那些你可以从服务之间的深度整合中获益的情况下,可以特别有用。 例如,这些服务中的一个可能为其他服务提供SSO。 我们的建议是将SSO限制在你需要的地方,用 [MFA](multi-factor-authentication.md)来保护主账户。 + +所有使用SSO的服务将和你的SSO账户一样安全。 例如,如果你想用硬件密钥保护一个账户,但该服务不支持硬件密钥,你可以用硬件密钥保护你的SSO账户,现在你的所有账户基本上都有硬件MFA。 但值得注意的是,SSO账户上的弱认证意味着与该登录方式相关的任何账户也会很弱。 + +### 手机号 + +我们建议避免使用那些需要电话号码才能注册的服务。 一个电话号码可以在多个服务中识别你的身份,根据数据共享协议,这将使你的使用情况更容易被追踪,特别是当这些服务之一被破坏时,因为电话号码通常是 **,而不是** 加密。 + +如果可以的话,你应该避免提供你的真实电话号码。 有些服务会允许使用VOIP号码,但是这些号码往往会触发欺诈检测系统,导致账户被锁定,所以我们不建议重要账户使用这种号码。 + +在许多情况下,你将需要提供一个可以接收短信或电话的号码,特别是在国际购物时,以防你的订单在边境检查时出现问题。 服务机构使用你的号码作为验证方法是很常见的;不要因为你想耍小聪明,给了一个假的号码,而让自己被锁定在一个重要的账户之外。 + +### 用户名和密码 + +有些服务允许你不使用电子邮件地址进行注册,只要求你设置一个用户名和密码。 这些服务在与VPN或Tor结合使用时,可以提供更多的匿名性。 **请记住,对于这些账户,如果你忘记了你的用户名或密码,很可能没有办法恢复你的账户**。 diff --git a/i18n/zh/basics/account-deletion.md b/i18n/zh/basics/account-deletion.md new file mode 100644 index 00000000..b42c7777 --- /dev/null +++ b/i18n/zh/basics/account-deletion.md @@ -0,0 +1,62 @@ +--- +title: "删除帐户" +icon: '资料/账户-删除' +description: It's easy to accumulate a large number of internet accounts, here are some tips on how to prune your collection. +--- + +随着时间的推移,很容易积累一些在线账户,其中许多账户你可能不再使用。 删除这些未使用的账户是找回隐私的一个重要步骤,因为休眠账户很容易受到数据泄露的影响。 数据泄露是指一项服务的安全性受到损害,受保护的信息被未经授权的人查看、传输或窃取。 不幸的是,而今数据泄露 [太过于常见](https://haveibeenpwned.com/PwnedWebsites) ,因此保持良好的数字卫生是将它们对你生活的影响降到最低的最好方法。 本指南的目标就是引导您经由令人讨厌的帐户删除过程来优化你的线上生活,这些过程通常采用了 [欺骗性设计](https://www.deceptive.design/)使得其变得更加困难。 + +## 查找旧帐户 + +### 密码管理器 + +如果您有一个贯穿整个数字生活来使用的密码管理器,这个部分将非常简单。 通常情况下,它们内置有检测你的凭证是否在数据泄露中被暴露的功能--例如Bitwarden的 [数据泄露报告](https://bitwarden.com/blog/have-you-been-pwned/)。 + +
+ ![Bitwarden's Data Breach Report feature](../assets/img/account-deletion/exposed_passwords.png) +
+ +即使你以前没有明确使用过密码管理器,你也有可能在不知不觉中使用了你的浏览器或手机中的密码管理器。 例如。 [火狐密码管理器](https://support.mozilla.org/kb/password-manager-remember-delete-edit-logins), [谷歌密码管理器](https://passwords.google.com/intro) 和 [Edge密码管理器](https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336)。 + +桌面平台通常也有一个密码管理器,可以帮助你恢复你忘记的密码。 + +- Windows [Credential Manager](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) +- macOS [Passwords](https://support.apple.com/en-us/HT211145) +- iOS [Passwords](https://support.apple.com/en-us/HT211146) +- Linux,Gnome Keyring,可以通过 [Seahorse](https://help.gnome.org/users/seahorse/stable/passwords-view.html.en) 或 [KDE Wallet Manager](https://userbase.kde.org/KDE_Wallet_Manager)访问。 + +### DNS + +如果你过去没有使用密码管理器,或者你认为你有从未被添加到密码管理器的账户,另一个选择是搜索印象里当时注册用的电子邮箱。 在你的电子邮件客户端,搜索关键词,如 "验证 "或 "欢迎"。 几乎每次您创建在线帐户时,注册的服务都会向您的电子邮箱发送验证链接或介绍性消息。 这可能是找到被遗忘的旧账户的一个好方法。 + +## 删除旧账户 + +### 登录 + +为了删除你的旧账户,你需要首先确保你能登录到这些账户。 同样,如果该账户是在你的密码管理器中,这一步很容易。 如果没有,你可以尝试猜测你的密码。 如果做不到这一点,通常可以选择重新获得你账户的访问权限,通常可以通过登录页面上的 "忘记密码 "链接获得。 也有可能你放弃的账户已经被删除了--有时服务机构会裁除所有旧账户。 + +当试图重新获得访问权时,如果网站返回错误信息说该电子邮件没有与一个账户相关联,或者你在多次尝试后从未收到重置链接,那么你在该邮箱地址下没有账户,应该尝试另一个地址。 如果你无法找出你使用的电子邮件地址,或者你不再能访问该电子邮件,你可以尝试联系该服务的客户支持。 很遗憾,我们无法保证您能够恢复对账号的访问权限。 + +### GDPR(仅限欧洲经济区居民) + +欧洲经济区的居民在数据删除方面有额外的权利,具体见 [GDPR第17条](https://www.gdpr.org/regulation/article-17.html)。 如果适用于你,请阅读任何特定服务的隐私政策,以找到关于如何行使你的删除权的信息。 阅读隐私政策可能被证明是重要的,因为一些服务有一个 "删除账户 "的选项,它只是禁用你的账户,而要真正删除,你必须采取额外行动。 有时,实际删除可能涉及填写调查表、向服务的数据保护人员发送电子邮件,甚至证明你在欧洲经济区拥有住所。 如果你打算这么做, **不要** 覆盖账户信息--你作为欧洲经济区居民的身份可能被要求。 请注意,服务的地点并不重要;GDPR适用于任何为欧洲用户服务的人。 如果服务不尊重你的删除权,你可以联系你的国家的 [数据保护局](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en) ,你可能有权获得金钱赔偿。 + +### 覆盖账户信息 + +在某些情况下,如果你打算放弃一个账户,用假数据覆盖账户信息可能是有意义的。 一旦你确定你可以登录,将你账户中的所有信息改为伪造的信息。 原因是许多网站会保留你以前的信息,即使是在删除账户后。 这一方法寄希望于他们能用你输入的最新数据来覆盖以前的信息。 但是,无法保证不会使用以前的信息进行备份。 + +对于账户的电子邮件,可以通过你选择的供应商创建一个新的备用电子邮件账户,或者使用 [电子邮件别名服务创建一个别名](/email/#email-aliasing-services)。 一旦完成,您可以删除备用电子邮件地址。 我们建议不要使用临时电子邮件供应商,因为很多时候这类临时电子邮件有可能被重新激活。 + +### 删除 + +你可以查看 [JustDeleteMe](https://justdeleteme.xyz) ,了解关于删除特定服务的账户的说明。 有些网站会慷慨地提供“删除帐户”选项,而其他网站则会迫使您与客服代表交谈。 删除过程可能因网站而异,在一些网站上无法删除账户。 + +对于不允许删除账户的服务,最好的办法是像前面提到的那样伪造你的所有信息,加强账户安全。 要做到这一点,请启用 [MFA](multi-factor-authentication.md) 和提供的任何额外安全功能。 同样,将密码更改为随机生成的最大允许大小( [密码管理器](/passwords/#local-password-managers) 对此很有用)。 + +如果你对所有你关心的信息都被删除感到满意,你可以安全地忘记这个账户。 如果没有,把凭证与你的其他密码存放在一起,偶尔重新登录以重置密码可能是一个好主意。 + +即使你能够删除一个账户,也不能保证你的所有信息都会被删除。 事实上,一些公司被法律要求保留某些信息,特别是与金融交易有关的信息。 当涉及到网站和云服务时,你的数据会发生什么大多是你无法控制的。 + +## 避免新账户 + +老话说,"上医治未病"。 每当你觉得被诱惑去注册一个新账户时,问问自己,"我真的需要这个吗? 没有账户,我可以完成我需要的东西吗?" 删除一个账户往往比创建一个账户要难得多。 而且,即使在删除或改变你的账户信息后,可能还有一个来自第三方的缓存版本,如 [Internet Archive](https://archive.org/)。 当你能够避免诱惑时--你未来的自己会感谢你的。 diff --git a/i18n/zh/basics/common-misconceptions.md b/i18n/zh/basics/common-misconceptions.md new file mode 100644 index 00000000..ea0f01a8 --- /dev/null +++ b/i18n/zh/basics/common-misconceptions.md @@ -0,0 +1,94 @@ +--- +title: "常见误区" +icon: 'material/robot-confused' +description: Privacy isn't a straightforward topic, and it's easy to get caught up in marketing claims and other disinformation. +schema: + - + "@context": https://schema.org + "@type": FAQPage + mainEntity: + - + "@type": Question + name: Is open source software inherently secure? + acceptedAnswer: + "@type": Answer + text: | + Whether the source code is available and how software is licensed does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you should look at the reputation and security of each tool on an individual basis. + - + "@type": Question + name: Can shifting trust to another provider increase privacy? + acceptedAnswer: + "@type": Answer + text: | + 在讨论像VPN这样的解决方案时,我们经常谈到 "转移信任"(它将你对ISP的信任转移到VPN供应商身上)。 While this protects your browsing data from your ISP specifically, the VPN provider you choose still has access to your browsing data: Your data isn't completely secured from all parties. + - + "@type": Question + name: Are privacy-focused solutions inherently trustworthy? + acceptedAnswer: + "@type": Answer + text: | + 仅仅关注一个工具或供应商的隐私政策和营销,会让你看不到它的弱点。 当你在寻找一个更私人的解决方案时,你应该确定根本的问题是什么,并为这个问题找到技术解决方案。 例如,您可能希望避免使用Google云端硬盘,因为它允许Google访问您的所有数据。 The underlying problem in this case is lack of E2EE, so you should make sure that the provider you switch to actually implements E2EE, or use a tool (like Cryptomator) which provides E2EE on any cloud provider. 转换到一个 "注重隐私 "的供应商(不实施E2EE)并不能解决你的问题:它只是将信任从谷歌转移到该供应商。 + - + "@type": Question + name: How complicated should my threat model be? + acceptedAnswer: + "@type": Answer + text: | + 我们经常看到人们描述的隐私威胁模型过于复杂。 通常情况下,这些解决方案包括许多不同的电子邮件账户或有许多移动部件和条件的复杂设置等问题。 The replies are usually answers to "What is the best way to do X?" + 为自己寻找 "最佳 "解决方案并不一定意味着你要追求一个有几十种条件的无懈可击的解决方案--这些解决方案往往难以现实地发挥作用。 正如我们之前所讨论的,安全往往是以便利为代价的。 +--- + +## “开源软件始终是安全的”或“专有软件更安全” + +这些神话源于一些偏见,但软件产品的来源和许可并不以任何方式内在地影响其安全性。 ==开源软件 *有可能* 比专有软件更安全, 但对于这一点没有绝对保证。== 在你评估软件时,需要去逐一检查每个工具的声誉和安全性。 + + 开源软件 *,可以由第三方进行审计,而且通常比专有的同类软件对潜在的漏洞更加透明。 它还允许你审查代码并禁用你自己发现的任何可疑功能。 然而, *,除非你这样做*,否则不能保证代码曾经被评估过,特别是对于较小的软件项目。 开放的开发过程有时也被利用,甚至在大型项目中引入新的漏洞。[^1]

+ +从另一个角度看,专利软件的透明度较低,但这并不意味着它不安全。 主要的专利软件项目可以由内部和第三方机构进行审计,而独立的安全研究人员仍然可以通过逆向工程等技术找到漏洞。 + +为了避免决策出现偏差, *,你要评估你所使用的软件的隐私和安全标准,这一点至关重要*。 + +## "转移信任可以增加隐私" + +在讨论像VPN这样的解决方案时,我们经常谈到 "转移信任"(它将你对ISP的信任转移到VPN供应商身上)。 虽然这可以保护你的浏览数据不被你的ISP *,特别是*,但你选择的VPN供应商仍然可以访问你的浏览数据。你的数据并不是完全不受各方保护的。 这意味着: + +1. 在选择将信任转移给一个供应商时,你必须谨慎行事。 +2. 你仍然应该使用其他技术,如E2EE,来完全保护你的数据。 仅仅是不信任一个供应商而信任另一个供应商,并不能保证你的数据安全。 + +## "以隐私为重点的解决方案本质上是值得信赖的" + +仅仅关注一个工具或供应商的隐私政策和营销,会让你看不到它的弱点。 当你在寻找一个更私人的解决方案时,你应该确定根本的问题是什么,并为这个问题找到技术解决方案。 例如,您可能希望避免使用Google云端硬盘,因为它允许Google访问您的所有数据。 这种情况下的根本问题是缺乏E2EE,所以你应该确保你切换到的供应商确实实现了E2EE,或者使用一个工具(如 [Cryptomator](../encryption.md#cryptomator-cloud)),在任何云供应商上提供E2EE。 转换到一个 "注重隐私 "的供应商(不实施E2EE)并不能解决你的问题:它只是将信任从谷歌转移到该供应商。 + +你所选择的供应商的隐私政策和商业惯例是非常重要的,但应该被认为是次要的,因为对你的隐私的技术保证。当信任一个供应商根本不是一个要求时,你不应该把信任转移到另一个供应商身上。 + +## "复杂的是更好的" + +我们经常看到人们描述的隐私威胁模型过于复杂。 通常情况下,这些解决方案包括许多不同的电子邮件账户或有许多移动部件和条件的复杂设置等问题。 答案通常是“做 *×*的最佳方式是什么?”。 + +为自己寻找 "最佳 "解决方案并不一定意味着你要追求一个有几十种条件的无懈可击的解决方案--这些解决方案往往难以现实地发挥作用。 正如我们之前所讨论的,安全往往是以便利为代价的。 下面,我们提供一些提示。 + +1. ==行动需要服务于一个特定的目的:==思考如何用最少的行动完成你想要的东西。 +2. ==消除人类的失败点:==我们会失败,会累,会忘记事情。 为了维护安全,避免依赖你必须记住的手动条件和流程。 +3. ==为你的意图使用正确的保护水平。==我们经常看到所谓的执法或防传唤解决方案的建议。 这些往往需要专业知识,通常不是人们想要的。 如果你可以通过一个简单的疏忽轻易地去掉匿名,那么为匿名建立一个复杂的威胁模型就没有意义。 + +那么,如何看待这个问题? + +最清晰的威胁模型之一是,部分人*,知道你是谁* ,而另一部分人不知道。 总有一些情况下你必须申报你的合法姓名,也有一些情况下你不需要这样做。 + +1. **已知身份** - 已知身份是用于必须申报姓名的事情。 有许多法律文件和合同都需要合法身份。 这可能包括开设银行账户、签署房产租赁合同、获得护照、进口物品时的海关申报,或以其他方式与你的政府打交道。 这些东西通常会导致信用卡、信用等级检查、账户号码,以及可能的实际地址等凭证。 + + 我们不建议使用VPN或Tor来做这些事情,因为你的身份已经通过其他方式被了解。 + + !!! tip + + 网购时,使用[快递柜](https://en.wikipedia.org/wiki/Parcel_locker)可以帮助你保持实际住址的隐私。 + +2. **未知身份** -未知身份可能是您经常使用的稳定化名。 它不是匿名的,因为它没有变化。 如果你是一个网络社区的一部分,你可能希望保留一个别人知道的角色。 这个化名不是匿名的,因为如果监测的时间足够长,关于主人的细节可以揭示进一步的信息,如他们的写作方式,他们对感兴趣的话题的一般知识,等等。 + + 你可能希望为此使用VPN,以掩盖你的IP地址。 金融交易更难掩盖。你可以考虑使用匿名的加密货币,如 [Monero](https://www.getmonero.org/)。 采用altcoin转移也可能有助于掩盖你的货币来源。 通常情况下,交易所需要完成KYC(了解你的客户),然后才允许你将法币兑换成任何种类的加密货币。 当地见面会选项也可能是一种解决方案;然而,这些往往更昂贵,有时也需要KYC。 + +3. **匿名身份** - 即使有经验,匿名身份也很难长期维持。 它们应该是短期和短命的身份,定期轮换。 + + 使用Tor可以帮助解决这个问题。 还值得注意的是,通过异步通信可以实现更大的匿名性。实时通信容易受到打字模式的分析(即超过一段文字,在论坛上分发,通过电子邮件等)。 + +[^1]: 其中一个明显的例子是 [2021年明尼苏达大学的研究人员将三个漏洞引入了Linux内核开发项目的事件](https://cse.umn.edu/cs/linux-incident)。 diff --git a/i18n/zh/basics/common-threats.md b/i18n/zh/basics/common-threats.md new file mode 100644 index 00000000..b74eaeb6 --- /dev/null +++ b/i18n/zh/basics/common-threats.md @@ -0,0 +1,148 @@ +--- +title: "常见威胁" +icon: '资料/视野' +description: Your threat model is personal to you, but these are some of the things many visitors to this site care about. +--- + +广义而言,可以将我们有关[威胁](threat-modeling.md) 或者适用于大多数人的目标的建议分为这几类。 ==你可能关注其中零个、 一个、 几个、 或所有这些可能性==, 你应该使用的工具和服务取决于你的目标。 你可能也有这些类别之外的特定威胁,这完全可以! 重要的是要去了解您选择的这些工具的优缺点,因为也许任何工具都不能够保护您免受所有可以想象到的威胁。 + +- :material-incognito: 匿名性 - 隔离你的线上活动和你的真实身份, 特别是要保护 *你的* 身份不被人揭露。 +- :material-target-account: 定向攻击 -防御专业黑客或恶意代理人获得,特别是 *你的* 数据或设备的访问权。 +- :material-bug-outline: 被动攻击 - 防御诸如恶意软件、数据泄露和其他一些同时针对许多人的攻击。 +- :material-server-network: 服务供应商 - 保护您的数据不受服务供应商的影响,例如,通过端到端加密使您的数据无法被服务器读取。 +- :material-eye-outline: 大规模监控 - 防止政府机构、组织、网站和服务联合起来共同追踪你的活动。 +- :material-account-cash: 监视资本主义 - 保护自己不受谷歌和Facebook等大型广告网络以及其他无数第三方数据收集者的影响 +- :material-account-search: 公开曝光 - 限制搜索引擎或一般公众在线访问到关于你的信息的能力。 +- :material-close-outline: 审查 - 避免信息的获取受到审查或者在网上的发言被审查。 + +其中一些威胁可能比其他威胁更重要,具体取决于您的关注点。 例如,一个能接触到有价值或关键数据的软件开发者可能主要关注 :material-target-account: 定向攻击,但除此之外,他们可能仍然希望保护自己的个人数据不被卷进 :material-eye-outline: 大规模监控 计划。 同样,"普通人 "可能主要关心他们的个人数据的 :material-account-search: ,公开曝光 ,但他们仍应警惕那些侧重于安全的问题,比如:material-bug-outline: ,被动攻击,就像那些会影响到设备的恶意软件 。 + +## 匿名与隐私 + +:material-incognito: 匿名性 + +匿名和隐私经常被混淆,但这是两个截然不同的概念。 隐私是你对如何使用和分享你的数据所做的一系列选择,而匿名则是将你的在线活动与你的现实生活身份完全脱离关系。 + +例如,举报人和记者可能会有一个相对极端的威胁模型,需要完全匿名。 这不仅是在隐藏他们所做的事情,他们有哪些数据,不被黑客或政府入侵,而且还完全隐藏他们是谁。 这意味着为了保护他们的匿名性、隐私或安全,他们可以牺牲任何形式的便利,因为他们的生命可能依赖于前者。 大多数普通人都不需要去这样做。 + +## 安全和隐私 + +:material-bug-outline: 被动攻击 + +安全和隐私经常被混为一谈,因为你需要安全来获得任何形式的隐私。如果这些工具可以很容易地被攻击者利用并随后泄漏你的数据,那么无论再怎么看似隐私都无济于事。 然而,反之亦然;世界上最安全的服务 *不一定是* 私密的。 这方面最好的例子是将数据托付给谷歌,鉴于其规模,谷歌能够通过雇用行业领先的安全专家来保护他们的基础设施,从而最大限度地减少了安全事件。 尽管谷歌提供了非常安全的服务,但很少有人会认为他们在谷歌的免费消费者产品(Gmail、YouTube等) 中的数据是私有的。 + +当涉及到应用程序安全时,我们通常不知道(有时甚至无法知道)我们使用的软件是否是恶意的,或者在未来的某一天会不会变成恶意的。 即使是最值得信赖的开发人员,通常也不能保证他们的软件没有可能在以后被利用的严重漏洞。 + +为了最大限度地减少恶意软件可能造成的损害,您应该采用隔离方式进行安全防护。 这可以是使用不同的计算机进行不同的工作,使用虚拟机来分离不同的相关应用程序组,或者使用一个安全的操作系统,重点是要有应用程序沙盒和强制性的访问控制。 + +!!! tip + + 在应用程序沙盒方面,移动操作系统通常比桌面操作系统更安全。 + + 应用程序无法获得根访问权限,只能访问您授予它们访问权限的系统资源。 桌面操作系统在成熟的沙箱方面通常比较落后。 ChromeOS具有与安卓类似的沙盒属性,而macOS具有完整的系统权限控制和(针对开发者)可选的应用程序沙盒,然而这些操作系统的确会将识别信息传输给各自的OEM。 Linux倾向于不向系统供应商提交信息,但它对漏洞和恶意应用程序的保护很差。 这一点可以通过大量使用虚拟机或容器的专门发行版(如Qubes OS)得到一定程度的缓解。 + +:material-target-account: 定向攻击 + +针对特定用户的有针对性的攻击更加难以处理。 常见的攻击途径包括通过电子邮件发送恶意文件,利用浏览器和操作系统的漏洞,以及物理攻击。 如果您担心这一点,则可能需要采用更高级的威胁缓解策略。 + +!!! tip + + **网络浏览器**、**电子邮件客户端**和**办公应用程序**在设计上通常都运行源自第三方的不可信代码。 运行多个虚拟机来将此类应用程序从主机系统中分离出来,以及彼此分离,是您可以使用的一种技术,以避免这些应用程序中的漏洞被利用,危及系统的其余部分。 例如,Qubes OS或Windows上的Microsoft Defender Application Guard等技术提供了无缝执行此操作的便捷方法。 + +如果你担心 **物理攻击** ,你应该使用具有安全验证启动实现的操作系统,如Android、iOS、macOS、 [Windows(带TPM)](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process)。 你还应该确保你的驱动器是加密的,并且操作系统使用TPM或安全 [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) 或 [Element](https://developers.google.com/android/security/android-ready-se) ,以限制输入加密口令的重试速率。 你应该避免与你不信任的人分享你的电脑,因为大多数桌面操作系统没有按用户单独加密数据。 + +## 来自服务提供商的隐私 + +:material-server-network: 服务提供商 + +我们生活在一个几乎所有东西都与互联网相连的世界里。 我们的 "私人 "信息、电子邮件、社交互动通常存储在某个服务器上。 通常,当您向某人发送消息时,该消息会存储在服务器上,当您的朋友想要阅读该消息时,服务器会将其显示给他们。 + +这样做的明显问题是,服务提供商(或入侵服务器的黑客)可以随时随地查看你的 "私人 "对话,而你却对此一无所知。 这适用于许多常见服务,如短信、Telegram、Discord等。 + +值得庆幸的是,可以通过在发送到服务器之前就对您与收件人之间的通信进行端到端加密来缓解此问题。 只要服务提供者不能获得任何一方的私钥,就能保证你的信息的保密性。 + +!!! 注释“关于基于web的加密的说明” + + 在实践中,不同的端到端加密实现的有效性各不相同。 [Signal](../real-time-communication.md#signal)这类应用程序在您的设备本地运行,并且应用程序副本在不同的安装下保持相同。 如果服务提供商在他们的应用程序中设置后门,试图窃取你的私钥,这可以在未来通过逆向工程检测出来。 + + 另一方面,基于Web的端到端加密实现(如Proton Mail的webmail或Bitwarden的web vault)依赖于服务器动态地向浏览器提供JavaScript代码来处理加密操作。 一个恶意的服务器可以针对一个特定的用户,向他们发送恶意的JavaScript代码来窃取他们的加密密钥,而用户是很难注意到这样的事情的。 即使用户注意到有人试图窃取他们的密钥,也很难证明是提供商试图这样做,因为服务器可以选择向不同的用户提供不同的网络客户端。 + + 因此,当依赖端到端加密时,你应该尽可能选择使用本地应用程序而不是网络客户端。 + +即使有端对端加密,服务提供商仍然可以根据 **元数据**,对你进行剖析,而这些元数据通常不受保护。 虽然服务提供商无法阅读您的消息以查看您所说的内容,但他们仍然可以观察到您正在与谁通话、您给他们发送消息的频率以及您通常活跃的时间等情况。 对元数据的保护是相当不常见的,如果你关心这一点,应该密切关注你所使用的软件的技术文档,看看是否有任何元数据最小化或保护。 + +## 大规模监控计划 + +:material-eye-outline: 大规模监控 + +大规模监控是指对许多或所有特定人群进行监控的工作。 它通常是指像[Edward Snowden在2013披露](https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present))的那一类政府项目。 + +!!! 摘要“监测地图” + + 如果你想了解更多关于监视方法以及它们在你的城市是如何实施的,你也可以看看[电子前沿基金会](https://atlasofsurveillance.org/)的[监视地图]。 + + In France you can take a look at the [Technolopolice website](https://technopolice.fr/villes/) maintained by the non-profit association La Quadrature du Net. + +政府经常为大规模监控项目辩护,认为这是打击恐怖主义和防止犯罪的必要手段。 然而,它侵犯人权,最常被用来不成比例地针对少数群体和持不同政见者等。 + +!!! 引用 "美国公民自由联盟。 [*9/11的隐私教训。大规模监控不是前进的方向*](https://www.aclu.org/news/national-security/the-privacy-lesson-of-9-11-mass-surveillance-is-not-the-way-forward)" + + 面对[爱德华-斯诺登披露的政府项目,如 [PRISM](https://en.wikipedia.org/wiki/PRISM)和 [Upstream](https://en.wikipedia.org/wiki/Upstream_collection)],情报官员也承认,国家安全局多年来一直在秘密收集几乎每个美国人的电话记录--谁在给谁打电话,这些电话是什么时候打的,以及它们持续多长时间。 你应该考虑你的对手能观察到网络的哪些方面,以及你的行动是否有合理的可否认性。 + +尽管美国的大规模监控越来越多,但政府发现,像第215条这样的大规模监控计划在阻止实际犯罪或恐怖主义阴谋方面 "没有什么独特的价值",其努力主要是重复联邦调查局自己的目标监控计划。[^2] + +尽管美国的大规模监控越来越多,但政府发现,像第215条这样的大规模监控计划在阻止实际犯罪或恐怖主义阴谋方面 "没有什么独特的价值",这份工作基本上只是在重复联邦调查局本身的目标监控计划。[^1] + +- 你的IP地址 +- 浏览器 Cookie +- 你提交给网站的数据 +- 你的浏览器或设备指纹 +- 支付方式的关联 + +\ [此列表并非详尽无遗]。 + +如果你担心大规模的监控项目,你可以使用一些策略,比如将你的在线身份进行分隔,与其他用户混在一起,或者尽可能地避免提供身份信息。 + +:material-account-cash: 监视资本主义 + +> 监视资本主义是一种以获取个人数据和将个人数据商品化为核心,从而以此营利的经济体系。[^2] + +确保您的数据私密性的最佳方法是首先不要将其放在外面。 删除你在网上发现的关于自己的信息是你为了恢复隐私可以采取的最佳初步措施之一。 使用内容拦截器等工具来限制对其服务器的网络请求,并阅读你使用的服务的隐私政策,可以帮助你避免许多基本的对手(尽管它不能完全防止跟踪)。[^4] + +在你分享信息的网站上,检查你账户的隐私设置以限制该数据的传播范围是非常重要的。 例如,如果您的帐户具有“隐私模式” ,请启用此功能以确保您的帐户不会被搜索引擎索引,并且不会被未经您事先审核的人查看。 对企业数据收集最有力的保护是尽可能地加密或混淆你的数据,使不同的供应商难以将数据相互关联并建立你的档案。 + +## 限制公共信息 + +:material-account-search: 公开曝光 + +保持数据私密性的最佳方法是首先不要将其公开。 删除你在网上发现的不需要的信息是你可以采取的最好的第一步,以重新获得你的隐私。 + +- [查看我们的账户删除指南 :material-arrow-right-drop-circle:](account-deletion.md) + +极权主义政府、网络管理员和服务提供商都可以在不同程度上进行在线审查,以控制用户的言论和用户可以获得的信息。 这些过滤互联网的行为将永远与言论自由的理想不相容。 + +随着Twitter和Facebook等平台对公众需求、市场压力和政府机构的压力做出让步,企业平台的审查制度也越来越普遍。 政府可以向企业隐蔽,例如白宫 [要求删除](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) 某个挑衅性的YouTube视频;也可以是公开的,例如中国政府要求企业遵守严格的审查制度。 + +## 避免审查 + +:material-close-outline: 审查 + +包括极权主义政府、网络管理员和服务提供商在内的行为者都可以(在不同程度上)进行网上审查。 这些控制通讯和限制获取信息的努力,总是与言论自由的人权不相容。[^5] + +企业平台的审查制度越来越普遍,因为像Twitter和Facebook这样的平台屈服于公众需求、市场压力和政府机构的压力。 政府可以向企业隐蔽,例如白宫 [要求删除](https://www.nytimes.com/2012/09/17/technology/on-the-web-a-fine-line-on-free-speech-across-globe.html) 某个挑衅性的YouTube视频;也可以是公开的,例如中国政府要求企业遵守严格的审查制度。 + +关注审查制度威胁的人可以使用像 [Tor](../advanced/tor-overview.md) 这样的技术来规避审查制度,并支持像 [Matrix](../real-time-communication.md#element)这样的抗审查通信平台,该平台没有一个可以任意关闭账户的集中式账户管理机构。 + +!!! tip + + 虽然逃避审查本身很容易,但隐藏你正在做的事实可能非常有问题。 + + 你应该考虑你的对手可以观察到网络的哪些方面,以及你的行动是否有合理的可否认性。 例如,使用[加密DNS](.../advanced/dns-overview.md#what-is-encrypted-dns)可以帮助你绕过初级的、基于DNS的审查系统,但它不能真正向ISP隐藏你正在访问的内容。 VPN或Tor可以帮助向网络管理员隐藏你正在访问的内容,但不能隐藏你首先在使用这些网络。 可插拔的传输工具(如Obfs4proxy、Meek或Shadowsocks)可以帮助你逃避阻挡普通VPN协议或Tor的防火墙,但你的规避尝试仍然可以被探测或[深度包检查](https://en.wikipedia.org/wiki/Deep_packet_inspection)等方法发现。 + +你必须始终考虑试图绕过审查制度的风险,潜在的后果,以及你的对手可能有多复杂。 你应该谨慎地选择软件,并有一个备份计划,以防被发现。 + +[^1]: 美国隐私和公民自由监督委员会。 [关于根据第215条进行的电话记录计划的报告](https://documents.pclob.gov/prod/Documents/OversightReport/ec542143-1079-424a-84b3-acc354698560/215-Report_on_the_Telephone_Records_Program.pdf) +[^2]: 维基百科: [监控资本主义](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^3]: 维基百科。 [*监视资本主义*](https://en.wikipedia.org/wiki/Surveillance_capitalism) +[^4]: "[列举坏事](https://www.ranum.com/security/computer_security/editorials/dumb/)"(或 "列出我们知道的所有坏事"),正如许多广告拦截器和防病毒程序所做的那样,无法充分保护你免受新的和未知的威胁,因为它们还没有被添加到过滤器列表中。 你还应该采用其他缓解技术。 +[^5]: 联合国。 [*世界人权宣言》*](https://www.un.org/en/about-us/universal-declaration-of-human-rights)。 diff --git a/i18n/zh/basics/email-security.md b/i18n/zh/basics/email-security.md new file mode 100644 index 00000000..aae3a0f4 --- /dev/null +++ b/i18n/zh/basics/email-security.md @@ -0,0 +1,41 @@ +--- +title: 电子邮件安全 +icon: material/email +description: Email is inherently insecure in many ways, and these are some of the reasons it isn't our top choice for secure communications. +--- + +电子邮件在默认情况下是一种不安全的通信形式。 你可以用OpenPGP等工具来提高你的电子邮件的安全性,这些工具为你的邮件增加了端对端加密功能,但OpenPGP与其他消息应用程序的加密相比,仍有一些缺点,而且由于电子邮件的设计方式,一些电子邮件数据永远无法得到固有的加密。 + +因此,电子邮件最好用于接收来自你在线注册的服务的交易性邮件(如通知、验证邮件、密码重置等),而不是用于与他人交流。 + +## 电子邮件加密概述 + +在不同的电邮供应商之间为电子邮件添加端到端加密的标准方法是使用OpenPGP。 OpenPGP标准有不同的实现方式,最常见的是 [GnuPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) 和 [OpenPGP.js](https://openpgpjs.org)。 + +有另一种标准受到商业界的欢迎,称为 [S/MIME](https://en.wikipedia.org/wiki/S/MIME),然而,它需要一个由 [证书颁发机构](https://en.wikipedia.org/wiki/Certificate_authority) (不是所有的证书颁发机构都颁发S/MIME证书)颁发的证书。 它在 [Google Workplace](https://support.google.com/a/topic/9061730?hl=en&ref_topic=9061731) 和 [Outlook for Web 或 Exchange Server 2016, 2019](https://support.office.com/en-us/article/encrypt-messages-by-using-s-mime-in-outlook-on-the-web-878c79fc-7088-4b39-966f-14512658f480)得到支持。 + +即使你使用OpenPGP,它也不支持 [前向加密](https://en.wikipedia.org/wiki/Forward_secrecy),这意味着如果你或收件人的私钥被盗,所有在之前使用它加密的信息都将被暴露。 这就是为什么我们推荐 [即时通讯工具](../real-time-communication.md) ,比起电子邮件,它尽可能更好地在人与人之间的通信中实现前向保密性。 + +### 哪些电子邮件客户端支持端到端加密? + +允许你使用IMAP和SMTP等标准访问协议的电子邮件提供商可以与我们推荐的任何 [电子邮件客户端一起使用](../email-clients.md)。 根据认证方法,如果供应商或电子邮件客户端不支持OATH或桥接应用,这可能会导致安全性下降,因为 [多因素认证](/basics/multi-factor-authentication/) ,不可能使用普通密码认证。 + +### 我如何保护我的私钥? + +智能卡(如 [Yubikey](https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP) 或 [Nitrokey](https://www.nitrokey.com))通过从运行电子邮件/网络邮件客户端的设备(手机、平板电脑、计算机等)接收加密的电子邮件信息来工作。 然后,该信息被智能卡解密,解密后的内容被送回设备。 + +在智能卡上进行解密是很有利的,这样可以避免将你的私钥暴露给某个被攻破的设备。 + +## 电子邮件元数据概述 + +电子邮件元数据存储在电子邮件的 [信息标题](https://en.wikipedia.org/wiki/Email#Message_header) ,包括一些你可能已经看到的可见标题,如: `To`, `From`, `Cc`, `Date`, `Subject`。 许多电子邮件客户和供应商还包括一些隐藏的标题,可以揭示有关你的账户的信息。 + +客户端软件可以使用电子邮件元数据来显示信息来自谁,以及什么时间收到的。 服务器可能使用它来确定电子邮件必须发送到哪里,其中还有一些不那么透明的 [其他目的](https://en.wikipedia.org/wiki/Email#Message_header) 。 + +### 谁可以查看电子邮件元数据? + +电子邮件元数据通过 [Opportunistic TLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) ,保护其不受外界观察者的影响,但它仍然能够被你的电子邮件客户端软件(或网络邮件)和任何将你的信息转发给任何收件人(包括你的电子邮件供应商)的服务器看到。 有时,电子邮件服务器也会使用第三方服务来防止垃圾邮件,这些服务一般也能接触到你的邮件。 + +### 为什么元数据不能被端到端加密? + +电子邮件元数据对于电子邮件最基本的功能(它从哪里来,又要到哪里去)至关重要。 E2EE最初没有内置于电子邮件协议中,而是需要像OpenPGP这样的附加软件。 因为OpenPGP信息仍然要与传统的电子邮件供应商合作,它不能对电子邮件元数据进行加密,只能对信息主体本身进行加密。 这意味着,即使使用OpenPGP,外部观察者也可以看到你的信息的很多信息,如你给谁发电子邮件,主题行,你什么时候发电子邮件,等等。 diff --git a/i18n/zh/basics/multi-factor-authentication.md b/i18n/zh/basics/multi-factor-authentication.md new file mode 100644 index 00000000..04812dc4 --- /dev/null +++ b/i18n/zh/basics/multi-factor-authentication.md @@ -0,0 +1,165 @@ +--- +title: "多因认证" +icon: '资料/双因认证' +description: MFA is a critical security mechanism for securing your online accounts, but some methods are stronger than others. +--- + +**多因素认证** 是一种安全机制,除了输入用户名(或电子邮件)和密码外,还需要其他步骤。 最常见的方法可能是你需要从短信或应用程序中收到限时代码。 + +通常,如果黑客(或对手)能够找出您的密码,那么他们就能够访问密码所属的帐户。 有MFA的账户迫使黑客同时拥有密码(你 *知道*的东西)和你的设备(你 *拥有*的东西),比如你的手机。 + +MFA方法的安全性各不相同,但都是基于同样的前提:攻击者越是难以攻破的MFA方法,就越好。 举例说来,MFA方法(按由弱到强的顺序)包括短信、电子邮件代码、应用程序推送通知、TOTP、Yubico OTP和FIDO。 + +## MFA方法的比较 + +### 短信或电子邮件MFA + +通过短信或电子邮件接收OTP代码这种MFA方法保护帐户的力度比较弱。 通过电子邮件或短信获取代码会破坏掉“你 *拥有*”这个理念, 因为黑客可以通过各种方式 [接管您的电话号码](https://en.wikipedia.org/wiki/SIM_swap_scam) 或者获得您的电子邮件访问权限,而根本不需要实际访问您的设备。 如果一个未经授权的人得以进入你的电子邮箱,他们将能够重设你的密码并且获得验证码,这会让他们完全掌控你的账户。 + +### 推送通知 + +推送通知进行MFA的形式是向你手机上的应用程序发送一条信息,要求你确认新账户的登录。 这种方法比短信或电子邮件好得多,因为如果没有已经登录的设备,攻击者通常无法获得这些推送通知,这意味着他们需要先攻破你的其他设备之一。 + +我们都会犯错,您有可能会不小心地接受登录尝试。 推送通知登录授权通常一次发送至您 *所有* 的设备,如果您有许多设备,会扩大MFA代码的可用性。 + +推送通知MFA的安全性既取决于应用程序的质量,也取决于服务组件以及你有多信任该应用程序的开发者。 安装这样一个应用程序可能也会要求你授予侵入性的权限,比如允许访问你设备上的其他数据。 不同于好的TOTP生成器应用程序,个别应用程序还需要你为每项服务准备一个特定的应用程序,而且可能不需要密码就可以打开。 + +### 基于时间的一次性密码(TOTP)。 + +TOTP是目前最常见的MFA形式之一。 当你设置TOTP时,一般要求你扫描一个 [二维码](https://en.wikipedia.org/wiki/QR_code) ,与你打算使用的服务建立一个"[共享密钥](https://en.wikipedia.org/wiki/Shared_secret)" 。 共享密钥在身份验证器应用程序的数据中得到保护,有时还会受到密码保护。 + +然后,时限代码可以由共享密钥和当前时间派生。 由于代码只在很短的时间内有效,在无法获得共享密钥的情况下,对手无法生成新的代码。 + +如果你有一个支持TOTP的硬件安全密钥(如YubiKey与 [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)),我们建议你将 "共享密钥 "存储在硬件上。 YubiKey等硬件正是为了使 "共享密钥 "难以提取和复制而开发的。 YubiKey也没有连接到互联网,这与带有TOTP应用程序的手机不同。 + +与 [WebAuthn](#fido-fast-identity-online)不同,TOTP不提供对 [网络钓鱼](https://en.wikipedia.org/wiki/Phishing) 或重放攻击的保护。 如果对手从你那里获得一个有效的代码,他们可以随意使用,直到它过期(一般为60秒)。 + +对手可以建立一个网站来模仿官方服务,试图欺骗你提供你的用户名、密码和当前的TOTP代码。 如果对手随后使用这些记录下来的凭证,他们可能能够登录到真正的服务并劫持该账户。 + +虽然不完美,但TOTP对大多数人来说是足够安全的,即使不支持使用 [硬件安全密钥](/multi-factor-authentication/#hardware-security-keys) , 一个[认证器应用程序](/multi-factor-authentication/#authenticator-apps) 仍然是一个不错的选择。 + +### 硬件安全密钥 + +YubiKey将数据存储在防篡改的固态芯片上,如果不经过昂贵的实验室级别的取证程序,用非破坏性的方式是 [不可获取的](https://security.stackexchange.com/a/245772)。 + +这些密钥通常是多功能的,并提供许多验证方法。 以下是最常见的几种情况。 + +#### Yubico OTP + +Yubico OTP是一种通常在硬件安全密钥中实现的认证协议。 当你决定使用Yubico OTP时,密钥将产生一个公共ID、一个私人ID和一个密钥,然后上传到Yubico OTP服务器。 + +在登录网站时,你所需要做的就是用物理方式触摸安全钥匙。 安全键将模拟键盘,并将一次性密码打印到密码区。 + +然后,该服务将把一次性密码转发给Yubico OTP服务器进行验证。 在密钥和Yubico的验证服务器上都会递增计数器。 OTP只能使用一次,当认证成功后,计数器会增加,这可以防止OTP的重复使用。 Yubico提供了一份关于这个过程的 [详细文件](https://developers.yubico.com/OTP/OTPs_Explained.html) 。 + +
+ ![Yubico OTP](../assets/img/multi-factor-authentication/yubico-otp.png) +
+ +与TOTP相比,使用Yubico OTP有一些好处和坏处。 + +Yubico验证服务器是一个基于云的服务,你需要相信Yubico在安全地存储数据,而不是对你进行分析。 与Yubico OTP相关的公共ID在每个网站上都被复用,这可能有助于第三方对你进行行为素描。 与TOTP一样,Yubico OTP不提供防钓鱼功能。 + +如果你的威胁模型要求你为不同的网站准备不同的身份, **,不要** 在这些网站上使用有相同的硬件安全密钥的Yubico OTP,因为每个安全密钥具有唯一的公共ID。 + +#### FIDO(快速在线身份认证) + +[FIDO](https://en.wikipedia.org/wiki/FIDO_Alliance) 包括许多标准,首先是U2F,后来是 [FIDO2](https://en.wikipedia.org/wiki/FIDO2_Project) ,其中包括web标准 [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)。 + +U2F和FIDO2指的是 [客户端到验证器协议](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol),这是安全密钥和计算机(如笔记本电脑或手机)之间的协议。 它带有WebAuthn作为补充,WebAuthn是用来对你试图登录的网站("信赖方")进行认证的组件。 + +WebAuthn是第二因素身份验证中的最安全、最私密的形式。 虽然身份验证体验类似于Yubico OTP ,但密钥不会打印一次性密码并使用第三方服务器进行验证。 相反,它使用 [公钥加密技术](https://en.wikipedia.org/wiki/Public-key_cryptography) 进行认证。 + +
+ ![FIDO](../assets/img/multi-factor-authentication/fido.png) +
+ +当你创建一个账户时,公钥被发送到该服务,然后当你登录时,该服务将要求你用你的私钥 "签署 "一些数据。 这样做的好处是,服务中没有存储任何密码数据,因此没有任何东西可供对手窃取。 + +这个演示文稿讨论了密码身份验证的历史、隐患(如密码复用)以及FIDO2和 [WebAuthn](https://webauthn.guide) 标准的相关内容。 + +
+ +
+ +与任何MFA方法相比, FIDO2和WebAuthn都具有更加卓越的安全性和隐私性。 + +通常对于web服务,使用的WebAuthn是 [W3C建议](https://en.wikipedia.org/wiki/World_Wide_Web_Consortium#W3C_recommendation_(REC))的一部分。 它使用公钥身份验证,比Yubico OTP和TOTP方法中使用的共享密文更安全,因为它包括身份验证期间的来源名称(通常是域名)。 提供认证是为了保护您免受网络钓鱼攻击,因为它可以帮助您确定您使用的是真实的服务,而不是伪造的副本。 + +与Yubico OTP不同, WebAuthn不使用任何公共ID ,因此密钥 **不能** 在不同的网站之间被识别。 它也不使用任何第三方云服务器进行认证。 所有的通信都是在钥匙和你正在登录的网站之间完成的。 FIDO还有会在使用时递增的计数器,以防止会话复用和密钥克隆。 + +如果一个网站或服务支持WebAuthn的认证,强烈建议你使用它而不是任何其他形式的MFA。 + +## 一般建议 + +我们提出以下一般性建议: + +### 我应该选择哪种方法? + +当配置你的MFA方法时,请记住,它的安全程度只相当于你所用的最弱的那种方法。 这意味着您必须仅使用最佳的MFA方法。 例如,如果你已经在使用TOTP,你应该禁用电子邮件和短信MFA。 如果你已经在用FIDO2/WebAuthn,就不应该再在你的账户上同时使用Yubico OTP或TOTP。 + +### 备份 + +你应该始终为你的MFA方法准备备份。 硬件安全钥匙可能会丢失、被盗或仅仅是随着时间的推移停止工作。 建议你准备一对而不是仅一个硬件安全钥匙,它们要对你的账户有相同的访问权限。 + +当使用TOTP和验证器应用程序时,请确保备份您的恢复密钥或应用程序本身,或将 "共享密文"复制到不同手机上的另一个应用程序实例或加密容器中(例如 [VeraCrypt](../encryption.md#veracrypt))。 + +### 初始设置 + +购买安全密钥时,请务必更改默认凭据,为密钥设置密码保护,并在密钥支持时启用触摸确认。 像YubiKey这样的产品有多个接口,每个接口都有独立的证书,所以你应该去检查每个接口,并为它们全都设置保护。 + +### 电子邮件和短信 + +如果你必须使用电子邮件进行MFA,请确保电子邮件账户本身有适当的MFA方法来保护。 + +如果您使用短信MFA ,请使用那些不允许未经授权的电话号码切换的运营商,或使用提供类似安全性的专用VoIP号码,以避免 [SIM交换攻击](https://en.wikipedia.org/wiki/SIM_swap_scam)。 + +[我们推荐的MFA工具](../multi-factor-authentication.md ""){.md-button} + +## MFA适用的更多场合 + +除了保护你的网站登录之外,多因素认证还可以用来保护你的本地登录、SSH密钥甚至是密码数据库。 + +### Windows 系统 + +Yubico有一个专用的 [凭据提供程序](https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows) ,为本地Windows帐户的用户名+密码登录流程添加质询-响应身份验证步骤。 如果你有一个支持质询-响应验证的YubiKey, 请看 [Yubico Login for Windows Configuration Guide](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), 该指南允许您在Windows计算机上设置MFA + +### mac系统 + +macOS [原生支持](https://support.apple.com/guide/deployment/intro-to-smart-card-integration-depd0b888248/web) 使用智能卡(PIV)进行认证。 如果你有一张支持PIV接口的智能卡或硬件安全钥匙,如YubiKey,我们建议你按照你的智能卡/硬件安全供应商的文档,为你的macOS电脑设置第二要素认证。 + +Yubico有一个指南 [在macOS中把YubiKey作为智能卡使用](https://support.yubico.com/hc/en-us/articles/360016649059) ,可以帮助你在macOS上设置YubiKey。 + +设置智能卡/安全密钥后,我们建议在终端中运行此命令: + +```text +sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES +``` + +该命令将阻止对手在计算机启动时绕过MFA。 + +### Linux系统 + +!!! 推荐 + + 如果你的系统的主机名改变了(如由于DHCP的原因),你将无法登录。 在遵循本指南之前,为您的计算机设置正确的主机名至关重要。 + +Linux上的 `pam_u2f` 模块可以在大多数流行的Linux发行版上为登录提供双因素认证。 如果你有一个支持U2F的硬件安全密钥,你可以为你的登录设置MFA认证。 Yubico有一个指南 [Ubuntu Linux登录指南 - U2F](https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F) ,它应该适用于任何发行版。 然而,软件包管理器的命令--如 `apt-get`--和软件包名称可能不同。 本指南 **不** 适用于Qubes OS。 + +### Qubes操作系统 + +Qubes OS支持使用YubiKeys进行质询-响应身份验证。 如果您有一个支持质询-响应身份验证的YubiKey,如果您想在Qubes OS上设置MFA,请查看Qubes OS的 [YubiKey文档](https://www.qubes-os.org/doc/yubikey/)。 + +### SSH + +#### 硬件安全密钥 + +可以用多种不同的流行的硬件安全密钥验证方法来设置SSH MFA。 我们建议你查看Yubico的 [文档](https://developers.yubico.com/SSH/) 了解如何设置。 + +#### 基于时间的一次性密码(TOTP)。 + +SSH MFA也可以使用TOTP进行设置。 DigitalOcean提供了一个教程 [如何在Ubuntu 20.04上为SSH设置多因素认证](https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04)。 无论哪个发行版,大多数东西都应该是一样的,但是软件包管理器命令--例如 `apt-get`--和软件包名称可能不同。 + +### KeePass (和KeePassXC) + +KeePass和KeePassXC数据库可以使用质询响应或HOTP作为第二因素身份验证进行保护。 Yubico为KeePass提供了一份文件 [Using Your YubiKey with KeePass](https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass) ,在 [KeePassXC](https://keepassxc.org/docs/#faq-yubikey-2fa) 网站上也有一份。 diff --git a/i18n/zh/basics/passwords-overview.md b/i18n/zh/basics/passwords-overview.md new file mode 100644 index 00000000..32dbf5fd --- /dev/null +++ b/i18n/zh/basics/passwords-overview.md @@ -0,0 +1,111 @@ +--- +title: "密码简介" +icon: 'material/form-textbox-password' +description: These are some tips and tricks on how to create the strongest passwords and keep your accounts secure. +--- + +密码是我们日常数字生活的重要组成部分。 我们用它们来保护我们的账户、我们的设备和我们的秘密。 尽管密码可能是挡在觊觎我们私人信息的对手前的唯一屏障,但人们并没有在密码上花很多心思,这往往导致使用的密码很容易被猜出或被破解。 + +## 最佳实践 + +### 为每项服务使用独立的密码 + +想象一下;你用同一个电子邮件和相同的密码在 注册了多个在线服务的账户。 只要这些服务提供商有一个是恶意的,或者他们的服务出现数据泄露,使你的密码以明文形式暴露出来,那么坏人只需要在多个流行的服务中尝试这个电子邮件和密码的组合,就能得手。 密码有多强根本不重要,因为那个密码他们已经拿到了。 + +这被称为[凭据填充](https://en.wikipedia.org/wiki/Credential_stuffing), 这也是坏人攻破你帐户的最常见方式之一。 为了避免这种情况,确保你从不复用你的密码。 + +### 使用随机生成的密码 + +==你 **绝不**应该依靠自己去想出一个好密码 == 我们建议使用[随机生成的密码](#passwords) 或者 [diceware短语](#diceware) ,它们的熵值需要足够大,才能保护你的帐户和设备。 + +所有我们 [推荐的密码管理器](../passwords.md) 都有一个你可以使用的内置密码生成器。 + +### 轮换密码 + +除非你有理由相信它已被泄露,否则应避免过于频繁地更改你必须记住的密码(比如密码管理器的主密码),因为过于频繁地更改密码提高了你忘记密码的风险。 + +而那些你不需要记住的密码(如存储在密码管理器内的密码),如果你的 [威胁模型](threat-modeling.md) 有需求,我们建议每隔几个月对重要账户(尤其是不使用多因认证的账户)进行检查并更改其密码,以防它们在尚未公开的数据泄露事件中被泄露。 大多数密码管理器允许你为你的密码设置一个到期日,使之更容易管理。 + +!!! 提示 "检查数据泄露情况" + + 如果你的密码管理器允许你检查被泄露的密码,请确保这样做,并及时更改任何可能在数据泄露中被泄露的密码。 你还可以在[新闻聚合器](.../news-aggregators.md)的帮助下关注[Have I Been Pwned's Latest Breaches feed](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches)。 + +## 创建强密码 + +### 密码 + +很多服务在涉及到密码时都有一定的标准,包括最小或最大长度,以及可以使用哪些特殊字符(如果有的话)。 你应该使用你的密码管理器的内置密码生成器,通过包括大写和小写字母、数字和特殊字符,创建当前服务所允许的尽可能长和复杂的密码。 + +如果你需要一个可以记住的密码,我们推荐[diceware口令](#diceware)。 + +### Diceware口令 + +Diceware是一种创建密码的方法,这种密码容易记忆,但很难猜到。 + +当你需要记忆或手动输入你的凭证时,Diceware口令是一个很好的选择,例如,你的密码管理器的主密码或你的设备的加密密码。 + +一个diceware口令的例子是`viewable fastness reluctant squishy seventeen shown pencil`. + +要使用真正的骰子生成一个diceware口令,请遵循以下步骤。 + +!!! note + + 这里的说明步骤假定你使用[EFF的大型词汇表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)来生成口令,每个词需要掷五个骰子。 其他词表可能需要更多或更少的回合,也可能需要不同数量的词来实现相同的熵值。 + +1. 掷一个六面体的骰子五次,每次掷完都记下数字。 + +2. 举个例子,假设你掷出 `2-5-2-6-6`。 通过 [EFF的大词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) ,寻找与 `25266`相对应的词。 + +3. 你可以得到这个词 `encrypt` 把这个词写下来。 + +4. 重复这个过程,直到你的口令有你所需要的字数,你应该用空格来分隔每个词。 + +!!! 警告 “重要” + + 你**不**应该重新生成单词,来得到一个吸引你的单词组合。 这个过程应该是完全随机的。 + +如果你没有或者不愿意使用真正的骰子,你可以使用你的密码管理器的内置密码生成器,因为除了常规密码之外,大多数密码管理器都有生成骰子密码的选项。 + +我们建议使用 [EFF的大型词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt) ,以生成你的二维码密码,因为它提供了与原始列表完全相同的安全性,同时包含更容易记忆的单词。 There are also [other wordlists in different languages](https://theworld.com/~reinhold/diceware.html#Diceware%20in%20Other%20Languages|outline), if you do not want your passphrase to be in English. + +??? 注:"解释熵和二维码密码的强度" + + 为了演示diceware密码短语有多强,我们将使用前面提到的七个单词密码短语`'viewable fastness,squishy seventeen showed pencil'`和[EFF的大单词列表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)为例。 + + 确定双关口令强度的一个指标是它的熵值有多少。 双关口令中每个字的熵计算为$\text{log}_2(\text{WordsInList})$,口令的整体熵计算为$\text{log}_2(\text{WordsInList}^\text{WordsInPhrase})$。 + + 因此,上述列表中的每个词都会产生~12.9比特的熵($\text{log}_2(7776)$),而由它衍生出的七个词的口令有~90.47比特的熵($\text{log}_2(7776^7)$)。 + + [EFF的大词表](https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt)包含7776个独特的词。 要计算可能的口令数量,我们所要做的就是$\text{WordsInList}^\text{WordsInPhrase}$,或者在我们的例子中,$7776^7$。 + + 让我们换一个角度来看:使用[EFF 's large wordlist] ( https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt )的七个单词密码是~ 1,719,070,799,748,422,500,000,000,000个可能的密码之一。 + + 平均而言,需要尝试所有可能的组合中的50%来猜测你的短语。 考虑到这一点,即使你的对手每秒能够猜出1,000,000,000,000次,他们仍然需要27,255,689年才能猜出你的口令。 即使以下情况属实,情况也是如此: + + - 你的对手知道你使用了diceware方法。 + - 你的对手知道你使用的具体词表。 + - 你的对手知道你的口令包含多少个字。 + +总而言之,当你需要一些既容易记住 *,又特别强大的* ,Diceware密码是你最好的选择。 + +## 存储密码 + +### 生产力工具 + +存储密码的最佳方式是使用密码管理器。 它们允许你将密码存储在文件或云中,并以单一的主密码保护它们。 这样一来,你只需记住一个强密码,就可以访问其余的密码。 + +有许多好的选择,包括基于云的和本地的。 选择我们推荐的密码管理器之一,并使用它在你的所有账户中建立强大的密码。 我们建议用一个至少由七个词组成的 [diceware](#diceware) 口令来保护你的密码管理器。 + +[推荐的密码管理器列表](../passwords.md ""){.md-button} + +!!! 警告 "不要把你的密码和TOTP令牌放在同一个密码管理器中" + + 如果您将TOTP用作任何帐户的 [多因素身份验证](../multi-factor-authentication.md) 方法,请勿在密码管理器中存储这些令牌、它们的任何备份代码或TOTP秘密本身,那样会抵消掉多因认证的益处。 + + 你应该使用专门的[TOTP应用程序](.../multi-factor-authentication.md/#authenticator-apps)来代替。 + + 此外,我们不建议在您的密码管理器中存储用于一次性恢复的代码。 它们应当单独存储在,例如离线存储设备上的加密容器中。 + +### 备份 + +你应该在多个存储设备或云存储提供商上存储 [加密的](../encryption.md) 密码备份。 如果你的主要设备或你正在使用的服务发生意外,这可以帮助你访问你的密码。 diff --git a/i18n/zh/basics/threat-modeling.md b/i18n/zh/basics/threat-modeling.md new file mode 100644 index 00000000..d1ae47d9 --- /dev/null +++ b/i18n/zh/basics/threat-modeling.md @@ -0,0 +1,110 @@ +--- +title: "威胁模型" +icon: '资料/目标账户' +description: 在安全、隐私和可用性之间取得平衡是你在隐私之路上面临的首要和最困难的任务之一。 +--- + +在安全、隐私和可用性之间取得平衡是你在隐私之路上面临的首要和最困难的任务之一。 每件事都是一种权衡:越是安全的东西,一般来说限制性越强或越不方便,等等。 人们经常会发现这些推荐的工具最大的问题就是太难于上手使用! + +如果你想使用**最安全**的工具,你就必须牺牲很多*的可用性*。 即使如此,==没有什么是完全安全的。== 有 **高度**安全 ,但从来没有**完全**安全。 这就是为什么威胁模型很重要。 + +**那么,威胁模型到底是什么?** + +==威胁模型是一份清单,列出那些对你的安全/隐私工作最有可能的威胁。== 由于不可能防御**每个**攻击(者),你应该把重点放在 **最有可能的** 威胁上。 在计算机安全方面,威胁是指可能破坏你保持隐私和安全的努力的事件。 + +专注于与你有关的威胁,缩小你对所需保护的思考范围,这样你就可以选择适合工作的工具。 + +## 创建你的威胁模型 + +为了确定你所珍视的东西可能发生什么,并确定你需要从谁那里保护它们,你应该回答这五个问题。 + +1. 我想保护什么? +2. 我想保护它免受谁的伤害? +3. 它有多大的可能性需要保护? +4. 如果我失败了,后果有多严重? +5. 我愿意付出多少代价来防止这些潜在的后果? + +### 我想保护什么? + +一个 "资产 "是你重视并想保护的东西。 在数字安全方面, ==一项资产通常是某种信息。== 例如,你的电子邮件、联系人名单、即时消息、位置和文件都是可能的资产。 你的设备本身也可能是资产。 + +*列出你的资产清单:你保存的数据,它被保存在哪里,谁可以访问它,以及有什么东西可以阻止其他人访问。* + +### 我想保护它免受谁的伤害? + +要回答这个问题,重要的是要确定你或你的信息可能是谁的目标。 ==对您的资产构成威胁的个人或实体就是"对手"。==举例来说对手可能有你的老板,你的前合伙人,你的商业竞争对手,你的政府或公共网络上的黑客。 + +*列出一份名单,包含你的对手或那些可能想要掌握你的资产的人。 你的名单可能包括个人、政府机构或公司。* + +根据你的对手是谁,在某些情况下,这份名单你可能需要在完成安全规划后把它销毁。 + +### 它有多大的可能性需要保护? + +==风险是指对特定资产的特定威胁实际发生的可能性。==它与能力密不可分。 尽管你的手机运营商有获得你全部数据的能力,但他们把你的隐私数据发布到网上来损害你名誉的风险是很低的。 + +区分一件事情是否有可能发生和这件事情发生的概率是很重要的。 比如说,你的建筑物当然有可能面临倒塌的威胁,但是发生这一威胁的风险在旧金山 (地震频发) 比在斯德哥尔摩 (地震不频发) 要大得多。 + +评估风险既是一个个人的也是一个主观的过程。 许多人认为某些威胁是不可接受的,无论它们发生的可能性有多大,因为仅仅是威胁的存在就不值得付出代价。 在另一些情形下,如果威胁不值一提,即使风险再高人们也可能会忽略掉它们。 + +*写一下你认为哪些威胁是严重的,以及哪些太罕见或者太无足轻重(或者太难对付) 所以不必关注。* + +### 如果我失败了,后果有多严重? + +对手有很多方法来获取你的数据。 比如,对手可以通过网络读取你的私人通讯,或者可以删除或者破坏你的数据。 + +==对手们的动机大相径庭,他们的策略也各不相同。==为了阻止一个揭露警察暴力的视频的传播,政府可能只会简单地删除或者降低这个视频的可得性。 相比之下,一个政治对手可能想要在你不知情的情况下获取你的机密并公之于众。 + +安全规划还需要你考虑,假设对手成功获取到你的某项资产, 这所能够导致的最差结果是什么。 为了确定这一点,你应该考虑你的对手的能力。 例如,您的手机运营商能够获取你全部的通话记录。 一个开放Wi-Fi网络上的骇客能够获取你的未加密通讯。 你的政府可能拥有更强大的能力。 + +*写一下你的对手想要用你的私人数据做什么。* + +### 我愿意付出多少代价来防止这些潜在的后果? + +==没有完美的安全选项。==每个人的优先级,关注点或者对资源的获取能力都不相同。 你的风险评估能够让你规划合适你自己的策略,在便捷,成本和隐私之间取得平衡。 + +比如说,一个国安案件当事人的代理律师,可能会愿意付出大得多的努力来保护案件有关的通讯,比如说使用加密邮箱;而一个通常只是给女儿发有趣的猫咪视频的母亲往往就不太愿意这么做。 + +*写下那些能够帮你减弱针对你的那些威胁的可行选项。 标注一下可能会存在的金融,技术或者社会方面的局限。* + +### 自己试一下:保护你的财物 + +这些问题可以适用于各种各样的情况,无论是线上还是线下。 作为这些问题的通用示范,让我们建立一个计划来保护你的房子和财产。 + +**我想保护什么? (或者, *你有什么值得保护的东西?*)** +: + +你的资产可能包括珠宝、电子产品、重要文件或照片。 + +**我想保护它免受谁的伤害?** +: + +你的对手可能包括窃贼、室友或客人。 + +**它需要我保护的可能性有多大?** +: + +你的社区是否有入室盗窃的历史? 你的室友或客人的可信度如何? 你的对手有哪些能力? 你应该考虑哪些风险? + +**如果我失败了,后果有多严重?** +: + +你的房子里有什么东西是无可替代的吗? 你有时间或金钱来更换这些东西吗? 你是否有为家中物品购买失窃险? + +**为了防止这些后果,你愿意付出多大的代价?** +: + +你愿意为敏感文件买一个保险箱吗? 你能买得起高质量的锁吗? 你有时间在当地银行开一个保险柜,把你的贵重物品放在那里吗? + +只有当你问过自己这些问题后,你才能评估要采取什么措施。 即使你的财物很值钱,如果破门而入的概率很低,那么你可能也不会在锁上投入太多的钱。 但是,如果破门而入的概率很高,你最好去买市面上最高质量的锁,并考虑增加一个安全系统。 + +制定安全计划将帮助你了解你所特有的威胁,并评估你的资产、对手们及其能力,还有你所面临的风险的可能性大小。 + +## 延伸阅读 + +对于希望增加网上隐私和安全的人来说,我们汇编了一份我们的访问者面临的常见威胁或访问者的目标的清单,以给你一些启发,并且展示了一些我们的基础建议。 + +- [常见的目标和威胁 :material-arrow-right-drop-circle:](common-threats.md) + +## 资料来源 + +- [EFF 监控自我防卫: 你的安全计划](https://ssd.eff.org/en/module/your-security-plan) diff --git a/i18n/zh/basics/vpn-overview.md b/i18n/zh/basics/vpn-overview.md new file mode 100644 index 00000000..a114a3c5 --- /dev/null +++ b/i18n/zh/basics/vpn-overview.md @@ -0,0 +1,77 @@ +--- +title: VPN概述 +icon: 资料/vpn +description: Virtual Private Networks shift risk away from your ISP to a third-party you trust. You should keep these things in mind. +--- + +虚拟专用网络是一种将你的网络末端延伸到世界其他地方的方式。 ISP可以看到进入和离开你的网络终端设备(即调制解调器)的互联网流量。 + +Encryption protocols such as HTTPS are commonly used on the internet, so they may not be able to see exactly what you're posting or reading, but they can get an idea of the [domains you request](../advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns). + +VPN可以提供帮助,因为它可以将信任转移到世界其他地方的服务器上。 因此,ISP只看到你连接到了VPN,而对你传入的活动一无所知。 + +## 我应该使用VPN吗? + +**是的**,除非你已经在使用Tor。 VPN做两件事:将风险从你的互联网服务提供商转移到vpn本身,并从第三方服务中隐藏你的IP。 + +VPN不能对你的设备和VPN服务器之间连接之外的数据进行加密。 VPN供应商可以像你的ISP一样看到并修改你的流量。 而且,没有办法以任何方式验证VPN供应商的 "无记录 "政策。 + +然而,假如IP没有泄露,他们的确可以向第三方服务隐藏您的实际IP。 它们可以帮助您融入其他人并减轻基于IP的跟踪。 + +## 什么时候我不应该使用VPN? + +在你使用你的 [已知身份的情况下使用VPN,](common-threats.md#common-misconceptions) ,不太可能是有用的。 + +这样做可能会触发垃圾邮件和欺诈检测系统,例如,如果你要登录银行的网站。 + +## 那加密呢? + +VPN供应商提供的加密是在你的设备和他们的服务器之间。 它保证这个特定的链接是安全的。 这比使用未加密的代理更上一层楼,因为网络上的对手可以截获你的设备和上述代理之间的通信,并修改它们。 然而,你的应用程序或浏览器与服务提供商之间的加密并不由这种加密处理。 + +为了保持你在你访问的网站上的实际操作的私密性和安全性,你必须使用HTTPS。 这将使你的密码、会话令牌和查询不被VPN供应商发现。 考虑在你的浏览器中启用 "HTTPS everywhere",以减轻降级攻击,如 [SSL Strip](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf)。 + +## 我是否应该使用带有VPN的加密DNS? + +除非你的VPN供应商托管加密的DNS服务器,否则 **,不要用**。 使用DOH/DOT(或任何其他形式的加密DNS)与第三方服务器将只是增加了更多的实体信任,对改善你的隐私/安全 **根本没用**。 你的VPN供应商仍然可以根据IP地址和其他方法看到你访问的网站。 你现在不是只信任你的VPN供应商,而是同时信任VPN供应商和DNS供应商。 + +推荐加密DNS的一个常见原因是,它有助于防止DNS欺骗。 然而,你的浏览器应该已经在检查 [TLS证书](https://en.wikipedia.org/wiki/Transport_Layer_Security#Digital_certificates) 与 **HTTPS** ,并警告你。 如果你没有使用 **HTTPS**,那么对手仍然可以直接修改你的DNS查询以外的任何东西,最终结果将没有什么不同。 + +更不必说, **,你不应该共用Tor和加密DNS**。 这将把你所有的DNS请求定向到某个单一连接,并允许加密DNS提供商对你进行去匿名化。 + +## 我应该共用Tor *和* VPN吗? + +通过将Vpn与Tor一起使用,您基本上创建了一个永久的入口节点,而且还通常附有资金相关的跟踪线索。 这没有为你带来额外的好处,同时大大增加了连接的攻击面。 如果您希望向ISP或政府隐藏Tor使用情况, Tor有内置的解决方案: Tor桥。 [阅读更多关于Tor桥和为什么使用VPN是没有必要的](tor-overview.md)。 + +## 那如果我需要匿名呢? + +VPN不能提供匿名性。 你的VPN供应商仍然会看到你的真实IP地址,而且往往有一个可以直接关联到你的资金线索。 您不能依赖“无日志记录”策略来保护您的数据。 使用 [Tor](https://www.torproject.org/) 来代替。 + +## 提供Tor节点的VPN供应商怎么样? + +不要使用该功能。 使用Tor的意义在于,你无需信任你的VPN供应商。 目前Tor只支持 [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) 协议。 [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) (用于 [WebRTC](https://en.wikipedia.org/wiki/WebRTC) 音频和视频共享,新的[HTTP3/QUIC](https://en.wikipedia.org/wiki/HTTP/3) 协议等), [ICMP](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol) 和其他数据包将被丢弃。 为了弥补这一点,VPN供应商通常会将所有非TCP数据包通过其VPN服务器(你的第一跳)进行路由。 [ProtonVPN](https://protonvpn.com/support/tor-vpn/)就是这种情况。 此外,在使用这种Tor over VPN设置时, 您无法控制其他重要的Tor功能,例如 [目的地址隔离](https://www.whonix.org/wiki/Stream_Isolation) (对您访问的每个域名使用不同的Tor线路)。 + +该功能应被视为访问Tor网络的一种便捷方式,而不是为了保持匿名。 为了获得适当的匿名性,请使用Tor浏览器、TorSocks或Tor网关。 + +## VPN何时有用? + +VPN在各种情况下仍可能对您有用,例如: + +1. **仅仅** 向您的Internet服务提供商隐藏流量。 +1. 向你的ISP和反盗版组织隐藏你的下载(如torrent)。 +1. 向第三方网站和服务隐藏你的IP,防止基于IP的跟踪。 + +对于这样的情况,或者如果你有其他令人信服的理由,我们上面列出的VPN供应商是我们认为最值得信赖的人。 然而,使用VPN供应商仍然意味着你在 *信任* 该供应商。 几乎在任何其他情况下,你都应该使用一个**由设计保证的** 安全工具,如Tor。 + +## 资料来源及延伸阅读 + +1. [VPN -一个非常危险的叙事 ](https://schub.io/blog/2019/04/08/very-precarious-narrative.html)作者:丹尼斯·舒伯特( Dennis Schubert ) +1. [Tor网络概述](../advanced/tor-overview.md) +1. [IVPN隐私指南](https://www.ivpn.net/privacy-guides) +1. ["我需要一个VPN吗?"](https://www.doineedavpn.com)这是由IVPN开发的一个工具,通过帮助个人决定VPN是否适合他们,来挑战咄咄逼人的VPN营销。 + +## VPN的相关信息 + +- [VPN和隐私审查网站的问题](https://blog.privacyguides.org/2019/11/20/the-trouble-with-vpn-and-privacy-review-sites/) +- [免费VPN应用调查](https://www.top10vpn.com/free-vpn-app-investigation/) +- [揭开隐蔽VPN所有者的面纱:101个VPN产品仅由23家公司运营](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/) +- [这家中国公司秘密地在24个流行的应用程序背后寻求危险的权限](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/) diff --git a/i18n/zh/calendar.md b/i18n/zh/calendar.md new file mode 100644 index 00000000..eb360e48 --- /dev/null +++ b/i18n/zh/calendar.md @@ -0,0 +1,68 @@ +--- +title: "VPN供应商" +icon: material/calendar +description: Calendars contain some of your most sensitive data; use products that implement encryption at rest. +--- + +日历包含一些最敏感的数据;使用静态实现E2EE的产品,以防止提供商读取它们。 + +## Tutanota + +!!! recommendation + + ![Tutanota标志](assets/img/calendar/tutanota.svg#only-light){ align=right } + ![Tutanota标志](assets/img/calendar/tutanota-dark.svg#only-dark){ align=right } + + **Tutanota**在其支持的平台上提供免费和加密的日历。 功能包括:所有数据的自动E2EE,共享功能,导入/导出功能,多因素认证,以及 [more](https://tutanota.com/calendar-app-comparison/)。 + + 多个日历和扩展的共享功能仅限于付费用户。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/faq#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="源代码" } + [:octicons-heart-16:](https://tutanota.com/community){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/tutanota/id922429609) + - [:simple-windows11: Windows](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-apple: macOS](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-linux: Linux](https://tutanota.com/blog/posts/desktop-clients/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.tutanota.Tutanota) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +## Proton Calendar(Proton 日历) + +!!! recommendation + + ![Proton](aassets/img/calendar/proton-calendar.svg)}=right } + + **Proton Calendar** 是一个通过网络或移动客户提供给Proton成员的加密日历服务。 功能包括:所有数据的自动E2EE,共享功能,导入/导出功能,多因素认证,以及 [more](https://proton.me/support/proton-calendar-guide/)。 免费级别上的人可以使用单个日历,而付费用户可以创建多达20个日历。 扩展的分享功能也仅限于付费用户。 + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://proton.me/support/proton-calendar-guide#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="源代码" } + [](){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.calendar) + - [:octicons-browser-16: Web](https://calendar.proton.me) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- 必须与E2EE同步并存储信息,以确保数据对服务提供者不可见。 + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- 如果适用的话,应该与本地操作系统的日历和联系人管理应用程序集成。 diff --git a/i18n/zh/cloud.md b/i18n/zh/cloud.md new file mode 100644 index 00000000..cf4c46c2 --- /dev/null +++ b/i18n/zh/cloud.md @@ -0,0 +1,99 @@ +--- +title: "路由器固件" +icon: material/file-cloud +description: Many cloud storage providers require your trust that they will not look at your files. These are private alternatives! +--- + +许多云存储供应商需要你完全信任他们不会查看你的文件。 The alternatives listed below eliminate the need for trust by implementing secure E2EE. + +If these alternatives do not fit your needs, we suggest you look into using encryption software like [Cryptomator](encryption.md#cryptomator-cloud) with another cloud provider. Using Cryptomator in conjunction with **any** cloud provider (including these) may be a good idea to reduce the risk of encryption flaws in a provider's native clients. + +??? 问题 "寻找Nextcloud?" + + Nextcloud is [still a recommended tool](productivity.md) for self-hosting a file management suite, however we do not recommend third-party Nextcloud storage providers at the moment, because we do [not recommend](https://discuss.privacyguides.net/t/dont-recommend-nextcloud-e2ee/10352/29) Nextcloud's built-in E2EE functionality for home users. + +## Proton Drive(Proton 云盘) + +!!! recommendation + + ![Proton Drive logo](assets/img/cloud/protondrive.svg){ align=right } + + **Proton Drive** is a Swiss encrypted cloud storage provider from the popular encrypted email provider [Proton Mail](email.md#proton-mail). + + [:octicons-home-16: 主页](https://grapheneos.org/){ .md-button .md-button--primary } + + [:octicons-eye-16:](https://proton.me/support/drive#privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://grapheneos.org/faq){ .card-link title=文档} + [:octicons-code-16:](https://github.com/ProtonMail/WebClients){ .card-link title="源代码" } + [](){ .card-link title="贡献" } 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=me.proton.android.drive) + - [:simple-appstore: Web](https://apps.apple.com/app/id1509667851) + +The Proton Drive web application has been independently audited by Securitum in [2021](https://proton.me/blog/security-audit-all-proton-apps), full details were not made available, but Securitum's letter of attestation states: + +> Auditors identified two low-severity vulnerabilities. Additionally, five general recommendations were reported. At the same time, we confirm that no important security issues were identified during the pentest. + +Proton Drive's brand new mobile clients have not yet been publicly audited by a third-party. + +## Tresorit + +!!! recommendation + + ![Tresorit logo](assets/img/cloud/tresorit.svg){ align=right } + + **Tresorit** is a Hungarian encrypted cloud storage provider founded in 2011. Tresorit is owned by the Swiss Post, the national postal service of Switzerland. + + [:octicons-home-16: Homepage](https://tresorit.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tresorit.com/legal/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.tresorit.com/hc/en-us){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.tresorit.mobile) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id722163232) + - [:simple-windows11: Windows](https://tresorit.com/download) + - [:simple-apple: macOS](https://tresorit.com/download) + - [:simple-linux: Linux](https://tresorit.com/download) + +Tresorit has received a number of independent security audits: + +- [2022](https://tresorit.com/blog/tresorit-receives-iso-27001-certification/): ISO/IEC 27001:2013[^1] Compliance [Certification](https://www.certipedia.com/quality_marks/9108644476) by TÜV Rheinland InterCert Kft +- [2021](https://tresorit.com/blog/fresh-penetration-testing-confirms-tresorit-security/): Penetration Testing by Computest + - This review assessed the security of the Tresorit web client, Android app, Windows app, and associated infrastructure. + - Computest discovered two vulnerabilities which have been resolved. +- [2019](https://tresorit.com/blog/ernst-young-review-verifies-tresorits-security-architecture/): Penetration Testing by Ernst & Young. + - This review analyzed the full source code of Tresorit and validated that the implementation matches the concepts described in Tresorit's [white paper](https://prodfrontendcdn.azureedge.net/202208011608/tresorit-encryption-whitepaper.pdf). + - Ernst & Young additionally tested the web, mobile, and desktop clients: "Test results found no deviation from Tresorit’s data confidentiality claims." + +They have also received the Digital Trust Label, a certification from the [Swiss Digital Initiative](https://www.swiss-digital-initiative.org/digital-trust-label/) which requires passing [35 criteria](https://digitaltrust-label.swiss/criteria/) related to security, privacy, and reliability. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- 使用端到端加密 +- 必须提供免费计划或试用期进行测试。 +- 必须支持TOTP或FIDO2多因素认证,或Passkey登录。 +- 必须提供一个支持基本文件管理功能的网络界面。 +- 必须允许所有文件/文档的轻松导出。 +- 必须使用标准的、经过审计的加密技术。 + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- 客户端应是开源的。 +- 客户端应由独立的第三方对其进行全面的审计。 +- 应提供Linux、Android、Windows、macOS和iOS的本地客户端。 + - 这些客户端应该与云存储供应商的本地操作系统工具集成,如iOS上的Files应用集成,或Android上的DocumentsProvider功能。 +- 应支持与其他用户轻松分享文件。 +- 应在网络界面上至少提供基本的文件预览和编辑功能。 + +[^1]: [ISO/IEC 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001):2013 compliance relates to the company's [information security management system](https://en.wikipedia.org/wiki/Information_security_management) and covers the sales, development, maintenance and support of their cloud services. diff --git a/i18n/zh/cryptocurrency.md b/i18n/zh/cryptocurrency.md new file mode 100644 index 00000000..a20ebf51 --- /dev/null +++ b/i18n/zh/cryptocurrency.md @@ -0,0 +1,53 @@ +--- +title: Cryptocurrency +icon: material/bank-circle +--- + +Making payments online is one of the biggest challenges to privacy. These cryptocurrencies provide transaction privacy by default (something which is **not** guaranteed by the majority of cryptocurrencies), provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +!!! 危险 + + Many if not most cryptocurrency projects are scams. Make transactions carefully with only projects you trust. + +## Monero + +!!! recommendation + + ![Monero logo](assets/img/cryptocurrency/monero.svg){ align=right } + + **Monero** uses a blockchain with privacy-enhancing technologies that obfuscate transactions to achieve anonymity. Every Monero transaction hides the transaction amount, sending and receiving addresses, and source of funds without any hoops to jump through, making it an ideal choice for cryptocurrency novices. + + [:octicons-home-16: Homepage](https://www.getmonero.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://www.getmonero.org/resources/user-guides/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/monero-project/monero){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.getmonero.org/get-started/contributing/){ .card-link title=Contribute } + +With Monero, outside observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories. + +For optimal privacy, make sure to use a noncustodial wallet where the view key stays on the device. This means that only you will have the ability to spend your funds and see incoming and outgoing transactions. If you use a custodial wallet, the provider can see **everything** you do; if you use a “lightweight” wallet where the provider retains your private view key, the provider can see almost everything you do. Some noncustodial wallets include: + +- [Official Monero client](https://getmonero.org/downloads) (Desktop) +- [Cake Wallet](https://cakewallet.com/) (iOS, Android) + - Cake Wallet supports multiple cryptocurrencies. A Monero-only version of Cake Wallet is available at [Monero.com](https://monero.com/). +- [Feather Wallet](https://featherwallet.org/) (Desktop) +- [Monerujo](https://www.monerujo.io/) (Android) + +For maximum privacy (even with a noncustodial wallet), you should run your own Monero node. Using another person’s node will expose some information to them, such as the IP address that you connect to it from, the timestamps that you sync your wallet, and the transactions that you send from your wallet (though no other details about those transactions). Alternatively, you can connect to someone else’s Monero node over Tor or i2p. + +In August 2021, CipherTrace [announced](https://finance.yahoo.com/news/ciphertrace-announces-enhanced-monero-tracing-160000275.html) enhanced Monero tracing capabilities for government agencies. Public postings show that the US Department of the Treasury's Financial Crimes Enforcement Network [licensed](https://sam.gov/opp/d12cbe9afbb94ca68006d0f006d355ac/view) CipherTrace's "Monero Module" in late 2022. + +Monero transaction graph privacy is limited by its relatively small ring signatures, especially against targeted attacks. Monero's privacy features have also been [called into question](https://web.archive.org/web/20180331203053/https://www.wired.com/story/monero-privacy/) by some security researchers, and a number of severe vulnerabilities have been found and patched in the past, so the claims made by organizations like CipherTrace are not out of the question. While it's unlikely that Monero mass surveillance tools exist like they do for Bitcoin and others, it's certain that tracing tools assist with targeted investigations. + +Ultimately, Monero is the strongest contender for a privacy-friendly cryptocurrency, but its privacy claims have **not** been definitively proven one way or the other. More time and research is needed to assess whether Monero is resilient enough to attacks to always provide adequate privacy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Cryptocurrency must provide private/untraceable transactions by default. diff --git a/i18n/zh/data-redaction.md b/i18n/zh/data-redaction.md new file mode 100644 index 00000000..c183901f --- /dev/null +++ b/i18n/zh/data-redaction.md @@ -0,0 +1,145 @@ +--- +title: "日历/联系人同步" +icon: material/tag-remove +description: Use these tools to remove metadata like GPS location and other identifying information from photos and files you share. +--- + +共享文件时,请务必删除关联的元数据。 图像文件通常包括 [Exif](https://en.wikipedia.org/wiki/Exif) 数据。 照片有时甚至包括文件元数据中的GPS坐标。 + +## 电脑版 + +### MAT2 + +!!! recommendation + + ![MAT2标志](assets/img/data-redaction/mat2.svg){ align=right } + + **MAT2**是免费软件,它允许从图像、音频、洪流和文件类型中删除元数据。 [KDE]它通过[Nautilus的扩展](https://0xacab.org/jvoisin/mat2/-/tree/master/nautilus)提供命令行工具和图形用户界面, [GNOME](https://www.gnome.org)的默认文件管理器和 [Dolphin](https://0xacab.org/jvoisin/mat2/-/tree/master/dolphin)的默认文件管理器(https://kde.org)。 + + 在Linux上,存在一个由MAT2驱动的第三方图形工具[Metadata Cleaner](https://gitlab.com/rmnvgr/metadata-cleaner),并[在Flathub上提供](https://flathub.org/apps/details/fr.romainvigier.MetadataCleaner)。 + + [:octicons-repo-16: Repository](https://0xacab.org/jvoisin/mat2){ .md-button .md-button--primary } + [:octicons-info-16:](https://0xacab.org/jvoisin/mat2/-/blob/master/README.md){ .card-link title="文档"} + [:octicons-code-16:](https://0xacab.org/jvoisin/mat2){ .card-link title="源代码" } 。 + + ??? 下载 + + - [:simple-windows11: Windows](https://pypi.org/project/mat2) + - [:simple-apple: macOS](https://0xacab.org/jvoisin/mat2#requirements-setup-on-macos-os-x-using-homebrew) + - [:simple-linux: Linux](https://pypi.org/project/mat2) + - [:octicons-globe-16: Web](https://0xacab.org/jvoisin/mat2#web-interface) + +## Android + +### ExifEraser (安卓系统) + +!!! recommendation + + ![ExifEraser标志](assets/img/data-redaction/exiferaser.svg) { align=right } + + **ExifEraser**是一个现代的、无权限的图像元数据删除应用程序,适用于Android。 + + 它目前支持JPEG、PNG和WebP文件。 + + [:octicons-repo-16: Repository](https://gitea.angry.im/PeterCxy/Shelter#shelter){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitea.angry.im/PeterCxy/Shelter){ .card-link title="源代码" } + [:octicons-code-16:](https://github.com/Tommy-Geenexus/exif-eraser){ .card-link title=贡献 } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.none.tom.exiferaser) + - [:octicons-moon-16: Accrescent](https://accrescent.app/app/com.none.tom.exiferaser) + - [:simple-github: GitHub](https://github.com/Tommy-Geenexus/exif-eraser/releases) + +被删除的元数据取决于图像的文件类型。 + +* **JPEG**: ICC Profile、Exif、Photoshop Image Resources和XMP/ExtendedXMP元数据如果存在,将被删除。 +* **PNG**:ICC Profile、Exif和XMP元数据如果存在,将被删除。 +* **WebP**:ICC Profile、Exif和XMP元数据如果存在,将被删除。 + +在处理完图像后,ExifEraser会向你提供一份完整的报告,说明每张图像中到底有哪些被删除。 + +该应用程序提供多种方法来消除图像中的元数据。 名称: + +* 你可以用ExifEraser分享另一个应用程序的图像。 +* 通过应用程序本身,你可以选择一张图片,一次选择多张图片,甚至是整个目录。 +* 它有一个 "相机 "选项,它使用你的操作系统的相机应用程序来拍摄照片,然后它将元数据从照片中删除。 +* 它允许你将照片从另一个应用程序拖入ExifEraser,当它们都以分屏模式打开时。 +* 最后,它允许你从剪贴板上粘贴图片。 + +### Metapho (iOS) + +!!! recommendation + + ![Metapho标志](assets/img/data-redaction/metapho.jpg){ align=right } + + **Metapho**是一个简单而干净的照片元数据查看器,如日期、文件名、大小、相机型号、快门速度和位置。 + + [:octicons-home-16: 首页](https://zininworks.com/metapho){ .md-button .md-button--primary } + [:octicons-eye-16:](https://zininworks.com/privacy/){ .card-link title="隐私政策" } 。 + + ??? 下载 + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/metapho/id914457352) + +### PrivacyBlur + +!!! recommendation + + ![PrivacyBlur标志](assets/img/data-redaction/privacyblur.svg) { align=right } + + **PrivacyBlur**是一个免费的应用程序,它可以在网上分享之前模糊图片的敏感部分。 + + [:octicons-home-16: 主页](https://privacyblur.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacyblur.app/privacy.html){ .card-link title="隐私政策" } + [:octicons-info-16:](https://github.com/MATHEMA-GmbH/privacyblur#readme){ .card-link title=文档} + [:octicons-code-16:](https://github.com/MATHEMA-GmbH/privacyblur){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.mathema.privacyblur) + - [:simple-appstore: Web](https://apps.apple.com/us/app/privacyblur/id1536274106) + +!!! 推荐 + + 您应该* *从不* *使用模糊来编辑[图片中的文本](https://bishopfox.com/blog/unredacter-tool-never-pixelation)。 如果你想编辑图像中的文本,在文本上画一个方框。 为此,我们建议使用[Pocket Paint](https://github.com/Catrobat/Paintroid)等应用程序。 + +## Command-line + +### ExifTool + +!!! recommendation + + ![ExifTool标志](assets/img/data-redaction/exiftool.png){ align=right } + + **ExifTool**是原始的perl库和命令行应用程序,用于读取、写入和编辑各种文件格式(JPEG、TIFF、PNG、PDF、RAW等)的元信息(Exif、IPTC、XMP等)。 + + 它通常是其他Exif删除应用程序的一个组成部分,并且在大多数Linux发行库中。 + + [:octicons-home-16: 主页](https://exiftool.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://exiftool.org/faq.html){ .card-link title=文档} + [:octicons-code-16:](https://github.com/exiftool/exiftool){ .card-link title="源代码" } + [:octicons-heart-16:](https://exiftool.org/#donate){ .card-link title="贡献" } + + ??? 下载 + + - [:simple-windows11: Windows](https://exiftool.org) + - [:simple-apple: macOS](https://exiftool.org) + - [:simple-linux: Linux](https://exiftool.org) + +!!! 例子 "从一个文件目录中删除数据" + + ```bash + exiftool -all= *.file_extension + ``` + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- 为开源操作系统开发的应用程序必须是开源的。 +- 应用程序必须是免费的,不应包括广告或其他限制。 diff --git a/i18n/zh/desktop-browsers.md b/i18n/zh/desktop-browsers.md new file mode 100644 index 00000000..2d4a6620 --- /dev/null +++ b/i18n/zh/desktop-browsers.md @@ -0,0 +1,412 @@ +--- +title: "电脑浏览器" +icon: material/laptop +description: These web browsers provide stronger privacy protections than Google Chrome. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Desktop Browser Recommendations + url: "./" + relatedLink: "../mobile-browsers/" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Mullvad Browser + image: /assets/img/browsers/mullvad_browser.svg + url: https://mullvad.net/en/browser + applicationCategory: Web Browser + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Firefox(火狐浏览器) + image: /assets/img/browsers/firefox.svg + url: https://firefox.com + sameAs: https://en.wikipedia.org/wiki/Firefox + applicationCategory: Web Browser + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + sameAs: https://en.wikipedia.org/wiki/Brave_(web_browser) + applicationCategory: Web Browser + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + subjectOf: + "@type": WebPage + url: "./" +--- + +这些是我们目前推荐的用于标准/非匿名浏览的桌面网络浏览器和配置。 We recommend [Mullvad Browser](#mullvad-browser) if you are focused on strong privacy protections and anti-fingerprinting out of the box, [Firefox](#firefox) for casual internet browsers looking for a good alternative to Google Chrome, and [Brave](#brave) if you need Chromium browser compatibility. + +如果您需要匿名浏览互联网,则应使用 [Tor](tor.md) 。 We make some configuration recommendations on this page, but all browsers other than Tor Browser will be traceable by *somebody* in some manner or another. + +## Mullvad Browser + +!!! recommendation + + ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ align=right } + + **Mullvad Browser** is a version of [Tor Browser](tor.md#tor-browser) with Tor network integrations removed, aimed at providing Tor Browser's anti-fingerprinting browser technologies to VPN users. It is developed by the Tor Project and distributed by [Mullvad](vpn.md#mullvad), and does **not** require the use of Mullvad's VPN. + + [:octicons-home-16: Homepage](https://mullvad.net/en/browser){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mullvad.net/en/help/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mullvad.net/en/help/tag/mullvad-browser/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.torproject.org/tpo/applications/mullvad-browser){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://mullvad.net/en/download/browser/windows) + - [:simple-apple: macOS](https://mullvad.net/en/download/browser/macos) + - [:simple-linux: Linux](https://mullvad.net/en/download/browser/linux) + +Like [Tor Browser](tor.md), Mullvad Browser is designed to prevent fingerprinting by making your browser fingerprint identical to all other Mullvad Browser users, and it includes default settings and extensions that are automatically configured by the default security levels: *Standard*, *Safer* and *Safest*. Therefore, it is imperative that you do not modify the browser at all outside adjusting the default [security levels](https://tb-manual.torproject.org/security-settings/). Other modifications would make your fingerprint unique, defeating the purpose of using this browser. If you want to configure your browser more heavily and fingerprinting is not a concern for you, we recommend [Firefox](#firefox) instead. + +### Anti-Fingerprinting + +**Without** using a [VPN](vpn.md), Mullvad Browser provides the same protections against [naive fingerprinting scripts](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) as other private browsers like Firefox+[Arkenfox](#arkenfox-advanced) or [Brave](#brave). Mullvad Browser provides these protections out of the box, at the expense of some flexibility and convenience that other private browsers can provide. + +==For the strongest anti-fingerprinting protection, we recommend using Mullvad Browser in conjunction **with** a VPN==, whether that is Mullvad or another recommended VPN provider. When using a VPN with Mullvad Browser, you will share a fingerprint and a pool of IP addresses with many other users, giving you a "crowd" to blend in with. This strategy is the only way to thwart advanced tracking scripts, and is the same anti-fingerprinting technique used by Tor Browser. + +Note that while you can use Mullvad Browser with any VPN provider, other people on that VPN must also be using Mullvad Browser for this "crowd" to exist, something which is more likely on Mullvad VPN compared to other providers, particularly this close to the launch of Mullvad Browser. Mullvad Browser does not have built-in VPN connectivity, nor does it check whether you are using a VPN before browsing; your VPN connection has to be configured and managed separately. + +Mullvad Browser comes with the *uBlock Origin* and *NoScript* browser extensions pre-installed. While we typically [don't recommend](#extensions) adding *additional* browser extensions, these extensions that come pre-installed with the browser should **not** be removed or configured outside their default values, because doing so would noticeably make your browser fingerprint distinct from other Mullvad Browser users. It also comes pre-installed with the Mullvad Browser Extension, which *can* be safely removed without impacting your browser fingerprint if you would like, but is also safe to keep even if you don't use Mullvad VPN. + +### Private Browsing Mode + +Mullvad Browser operates in permanent private browsing mode, meaning your history, cookies, and other site data will always be cleared every time the browser is closed. Your bookmarks, browser settings, and extension settings will still be preserved. + +This is required to prevent advanced forms of tracking, but does come at the cost of convenience and some Firefox features, such as Multi-Account Containers. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise don't work properly in Mullvad Browser, and Mullvad Browser for general browsing. + +### Mullvad Leta + +Mullvad Browser comes with DuckDuckGo set as the default [search engine](search-engines.md), but it also comes preinstalled with **Mullvad Leta**, a search engine which requires an active Mullvad VPN subscription to access. Mullvad Leta queries Google's paid search API directly (which is why it is limited to paying subscribers), however because of this limitation it is possible for Mullvad to correlate search queries and Mullvad VPN accounts. For this reason we discourage the use of Mullvad Leta, even though Mullvad collects very little information about their VPN subscribers. + +## Firefox(火狐浏览器) + +!!! recommendation + + ![火狐标志](assets/img/browsers/firefox.svg){ align=right } + + **火狐浏览器**提供强大的隐私设置,如[增强型跟踪保护](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop),它可以帮助阻止各种[类型的跟踪](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_what-enhanced-tracking-protection-blocks)。 + + [:octicons-home-16: 主页](https://firefox.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/firefox/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://firefox-source-docs.mozilla.org/){ .card-link title=文档} + [:octicons-code-16:](https://hg.mozilla.org/mozilla-central){ .card-link title="源代码" } + [:octicons-heart-16:](https://donate.mozilla.org/){ .card-link title="贡献" } + + ??? 下载 + + - [:simple-windows11: Windows](https://www.mozilla.org/firefox/windows) + - [:simple-apple: macOS](https://www.mozilla.org/firefox/mac) + - [:simple-linux: Linux](https://www.mozilla.org/firefox/linux) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.firefox) + +!!! 警告 + Firefox在从Mozilla网站的下载中包括一个独特的 [下载令牌](https://bugzilla.mozilla.org/show_bug.cgi?id=1677497#c0) ,并使用Firefox中的遥测技术来发送该令牌。 该令牌是 **,不包括在 [Mozilla FTP](https://ftp.mozilla.org/pub/firefox/releases/)的版本中。

+ +### 推荐配置 + +这些选项可以在 :material-menu: → **设置** → **隐私 & 安全**中找到。 + +##### 增强跟踪保护 + +- [x] 选择 **严格的** 增强跟踪保护 + +这可以通过阻止社交媒体追踪器、指纹脚本(注意,这并不能保护你 *所有* 指纹)、加密器、跨网站追踪cookies和其他一些追踪内容来保护你。 ETP可以防止许多常见的威胁,但它并不阻止所有的跟踪途径,因为它的设计对网站的可用性影响最小甚至没有影响。 + +##### 关闭时消毒 + +如果你想在特定的网站上保持登录状态,你可以在 **Cookies和网站数据** → **管理例外情况中允许例外。** + +- [x] 勾选 **当Firefox关闭时,删除cookies和网站数据** + +这可以保护您免受持久性cookies的影响,但不能保护您免受在任何一个浏览会话中获得的cookies的影响。 启用该功能后,只需重新启动火狐浏览器,就可以轻松清理浏览器的cookies。 如果你希望在你经常访问的特定网站上保持登录状态,你可以在每个网站的基础上设置例外。 + +##### 搜索建议 + +- [ ] 取消勾选 **提供搜索建议** + +搜索建议功能可能在你的地区无法使用。 + +搜索建议将你在地址栏中输入的所有内容发送到默认的搜索引擎,而不管你是否提交了实际的搜索。 禁用搜索建议可以让你更精确地控制你向搜索引擎供应商发送的数据。 + +##### 遥测 + +- [ ] 取消勾选 **允许火狐浏览器向Mozilla发送技术和互动数据** +- [ ] 取消勾选 **允许Firefox安装和运行研究** +- [ ] 取消勾选 **允许火狐代表您发送积压的崩溃报告** + +> 火狐浏览器会向我们发送有关您的火狐浏览器版本和语言、设备操作系统和硬件配置、内存、有关崩溃和错误的基本信息以及更新、安全浏览和激活等自动处理结果的数据。 当火狐浏览器向我们发送数据时,您的IP地址会被暂时收集,作为我们服务器日志的一部分。 + +此外,火狐账户服务还收集 [一些技术数据](https://www.mozilla.org/en-US/privacy/firefox/#firefox-accounts)。 如果你使用Firefox账户,你可以选择退出。 + +1. 在 accounts.firefox.com上打开你的 + +配置文件设置。 + + 2 取消勾选 **数据收集和使用** > **帮助改进火狐账户** + + + +##### HTTPS-Only 模式 + +- [x] 选择 **启用所有窗口的纯HTTPS-Only模式** + +这可以防止你无意中以纯文本的HTTP方式连接到一个网站。 现在没有HTTPS的网站已经不多见了,所以这对你的日常浏览应该没有什么影响。 + + + +### 火狐同步 + +[火狐浏览器同步](https://hacks.mozilla.org/2018/11/firefox-sync-privacy/) ,使您的浏览数据(历史记录、书签等)可以在您的所有设备上访问,并通过E2EE进行保护。 + + + +### Arkenfox (advanced) + +!!! tip "Use Mullvad Browser for advanced anti-fingerprinting" + + [Mullvad Browser](#mullvad-browser) provides the same anti-fingerprinting protections as Arkenfox out of the box, and does not require the use of Mullvad's VPN to benefit from these protections. Coupled with a VPN, Mullvad Browser can thwart more advanced tracking scripts which Arkenfox cannot. Arkenfox still has the advantage of being much more flexible, and allowing per-site exceptions for websites which you need to stay logged in to. + + +[Arkenfox项目](https://github.com/arkenfox/user.js) ,为Firefox提供了一套精心考虑的选项。 如果你 [决定](https://github.com/arkenfox/user.js/wiki/1.1-To-Arkenfox-or-Not) 使用Arkenfox,有几个 [选项](https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]) 是主观严格的和/或可能导致一些网站不能正常工作-- [,你可以很容易地改变](https://github.com/arkenfox/user.js/wiki/3.1-Overrides) 以满足你的需要。 我们 **,强烈建议** ,阅读其完整的 [wiki](https://github.com/arkenfox/user.js/wiki)。 Arkenfox还能支持 [容器](https://support.mozilla.org/en-US/kb/containers#w_for-advanced-users)。 + +Arkenfox only aims to thwart basic or naive tracking scripts through canvas randomization and Firefox's built-in fingerprint resistance configuration settings. It does not aim to make your browser blend in with a large crowd of other Arkenfox users in the same way Mullvad Browser or Tor Browser do, which is the only way to thwart advanced fingerprint tracking scripts. Remember you can always use multiple browsers, for example, you could consider using Firefox+Arkenfox for a few sites that you want to stay logged in on or otherwise trust, and Mullvad Browser for general browsing. + + + +## Brave + +!!! recommendation + + ![Brave标识](assets/img/browsers/brave.svg){ align=right } + + **Brave浏览器**包括一个内置的内容拦截器和[隐私功能](https://brave.com/privacy-features/),其中许多功能都是默认启用的。 + + Brave是建立在Chromium网络浏览器项目之上的,所以它应该有熟悉的感觉,而且网站兼容性问题最小。 + + [:octicons-home-16: 首页](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="洋葱服务" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="源代码" } + + ??? 下载注释 + + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + - [:simple-windows11: Windows](https://brave.com/download/) + - [:simple-apple: macOS](https://brave.com/download/) + - [:simple-linux: Linux](https://brave.com/linux/) (1) + + + 1. 我们建议不要使用Flatpak版本的Brave,因为它用Flatpak的沙箱代替了Chromium的沙箱,效果较差。 此外,该软件包并非由Brave Software, Inc.维护。 + + + +### 推荐配置 + +这些选项可以在 :material-menu: → **设置**中找到。 + + + +##### 盾 + +Brave在其 [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) 功能中包括一些防指纹的措施。 我们建议将这些选项配置为 [,在你访问的所有页面上全局](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-)。 + +Shields的选项可以根据需要在每个站点的基础上进行降级,但在默认情况下,我们建议设置以下内容。 + +
+ +- [x] 选择**防止网站根据我的语言偏好对我进行指纹识别** +- [x] 选择跟踪器和广告拦截下的**攻击性** + +?? warning "Use default filter lists" + Brave允许你在内部`brave://adblock`页面中选择额外的内容过滤器。 我们建议不要使用这个功能;相反,保留默认的过滤列表。 使用额外的列表会使你从其他Brave用户中脱颖而出,如果Brave中存在漏洞,恶意规则被添加到你使用的列表中,也可能增加攻击面。 + +- [x] (可选)选择**屏蔽脚本**(1) +- [x] 在屏蔽指纹下选择**严格的,可能会破坏网站**。 + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + + + +##### 社交媒体图标 + +- [ ] 取消勾选所有社交媒体组件 + + + +##### 隐私和安全 + +
+ +- [x] 在[WebRTC IP处理策略]下选择**禁用非代理的UDP**(https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] 取消勾选 **使用谷歌服务推送消息** +- [ ] 取消勾选 **允许保留隐私的产品分析(P3A)** +- [ ] 取消勾选 **自动向Brave发送每日使用情况的Ping***。[] 取消勾选 **自动向Brave发送每日使用情况的ping** +- [] 取消勾选 **自动发送诊断报告** +- [x] 在**安全**菜单中选择 **始终使用安全连接** +- [] 取消勾选 **使用Tor的私人窗口** (1) + + !!! 提示 "关闭时消毒 " + - [x] 在*Cookies和其他网站数据*菜单中选择**关闭所有窗口时清除cookies和网站数据** + + 如果你希望在你经常访问的特定网站上保持登录状态,你可以在*自定义行为*部分中按网站设置例外。 + +
+ +1. Brave是 **,而不是** ,对指纹的抵抗力不如Tor浏览器,而且使用Brave和Tor的人要少得多,所以你会脱颖而出。 在需要强大的匿名性的地方 [](https://support.brave.com/hc/en-us/articles/360018121491-What-is-a-Private-Window-with-Tor-Connectivity-) ,使用 [Tor浏览器](tor.md#tor-browser)。 + + + +##### 扩展程序 + +在 **Extensions**,禁用你不使用的内置扩展程序。 + +- [ ] 取消勾选 **Hangouts** +- [] 取消勾选 **WebTorrent** + + + +##### Web3 + +
+ +- [x] Select **Disabled** on Method to resolve IPFS resources (1) + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + + + +##### 附加设置 + +Under the *System* menu + +
+ +- [ ] Uncheck **Continue running apps when Brave is closed** to disable background apps (1) + +
+ +1. This option is not present on all platforms. + + + +### Brave 同步 + +[Brave 同步](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) 允许你的浏览数据(历史记录、书签等)在你所有的设备上访问,而不需要账户,并以E2EE进行保护。 + + + +## 其它资源 + +In general, we recommend keeping your browser extensions to a minimum to decrease your attack surface; they have privileged access within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. However, uBlock Origin may prove useful if you value content blocking functionality. + + + +### uBlock Origin + +!!! recommendation + + ![uBlock Origin标识](assets/img/browsers/ublock_origin.svg){ align=right } + + **uBlock Origin**是一个流行的内容阻止器,可以帮助你阻止广告、跟踪器和指纹脚本。 + + [:octicons-repo-16: Repository](https://github.com/gorhill/uBlock#readme){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/gorhill/uBlock/wiki/Privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://github.com/gorhill/uBlock/wiki){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/gorhill/uBlock){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/ublock-origin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak) + + +We suggest following the [developer's documentation](https://github.com/gorhill/uBlock/wiki/Blocking-mode) and picking one of the "modes". Additional filter lists can impact performance and [may increase attack surface](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css). + + + +##### 其它列表 + +These are some other [filter lists](https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists) that you may want to consider adding: + +- [x] Check **Privacy** > **AdGuard URL Tracking Protection** +- Add [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) + + + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + + + + +### Minimum Requirements + +- 它必须是开源软件。 +- Supports automatic updates. +- Receives engine updates in 0-1 days from upstream release. +- Available on Linux, macOS, and Windows. +- 为使浏览器更加尊重隐私所需的任何改变都不应该对用户体验产生负面影响。 +- Blocks third-party cookies by default. +- Supports [state partitioning](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) to mitigate cross-site tracking.[^1] + + + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Includes built-in content blocking functionality. +- Supports cookie compartmentalization (à la [Multi-Account Containers](https://support.mozilla.org/en-US/kb/containers)). +- Supports Progressive Web Apps. + PWAs enable you to install certain websites as if they were native apps on your computer. This can have advantages over installing Electron-based apps, because you benefit from your browser's regular security updates. + +- Does not include add-on functionality (bloatware) that does not impact user privacy. + +- Does not collect telemetry by default. +- Provides open-source sync server implementation. +- Defaults to a [private search engine](search-engines.md). + + + +### 扩展标准 + +- 不得复制内置浏览器或操作系统的功能。 +- 必须直接影响用户隐私,即不能简单地提供信息。 + + + +[^1]: + Brave's implementation is detailed at [Brave Privacy Updates: Partitioning network-state for privacy](https://brave.com/privacy-updates/14-partitioning-network-state/). diff --git a/i18n/zh/desktop.md b/i18n/zh/desktop.md new file mode 100644 index 00000000..7b1d9b31 --- /dev/null +++ b/i18n/zh/desktop.md @@ -0,0 +1,183 @@ +--- +title: "Android 应用" +icon: simple/linux +description: 由于隐私保护和软件自由,Linux发行版被普遍推荐。 +--- + +由于隐私保护和软件自由,Linux发行版被普遍推荐。 如果你还没有使用Linux,下面是我们建议尝试的一些发行版,以及一些适用于许多Linux发行版的一般隐私和安全改进提示。 + +- [安卓概况 :material-arrow-right-drop-circle:](os/linux-overview.md) + +## 传统发行版 + +### Fedora Workstation(Fedora 工作站) + +!!! recommendation + + ![Fedora标志](assets/img/linux-desktop/fedora-workstation.svg) { align=right } + + **Fedora Workstation**是我们为刚接触Linux的人推荐的发行版。 Fedora通常在其他发行版之前采用较新的技术,例如: [Wayland](https://wayland.freedesktop.org/), [PipeWire](https://pipewire.org)。 这些新技术往往伴随着安全、隐私和总体可用性的改进。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=贡献 } + +Fedora有一个半滚动的发布周期。 虽然有些软件包如 [GNOME](https://www.gnome.org) 被冻结到下一个 Fedora 版本,但大多数软件包(包括内核)在整个发行期都会频繁更新。 每个Fedora版本都支持一年,每6个月发布一个新版本。 + +### openSUSE Tumbleweed + +!!! recommendation + + ![openSUSE Tumbleweed logo](assets/img/linux-desktop/opensus-tumbleweed.svg){ align=right } + + **openSUSE Tumbleweed**是一个稳定的滚动发布版本。 + + openSUSE Tumbleweed 有一个 [事务性更新](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) 系统,使用 [Btrfs](https://en.wikipedia.org/wiki/Btrfs) 和 [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial) 来确保快照在出现问题时可以回滚。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://shop.opensuse.org/){ .card-link title=贡献 } + +Tumbleweed采用的是滚动发布模式,每次更新都是以快照的形式发布。 当你升级你的系统时,会下载一个新的快照。 每个快照都要通过一系列的自动测试,由 [openQA](https://openqa.opensuse.org) ,以确保其质量。 + +### Arch Linux + +!!! recommendation + + ![Arch标志](assets/img/linux-desktop/archlinux.svg){ align=right } + + **Arch Linux**是一个轻量级的、自己动手的(DIY)发行版,意味着你只得到你所安装的东西。 更多信息见他们的 [FAQ](https://wiki.archlinux.org/title/Frequently_asked_questions)。 + + [:octicons-home-16: 主页](https://getfedora.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/docs/){ .card-link title=文档} + [:octicons-heart-16:](https://archlinux.org/donate/){ .card-link title=贡献 } + +Arch Linux有一个滚动的发布周期。 没有固定的发布时间表,软件包的更新非常频繁。 + +作为一个 DIY 发行版,您需要 [自行设置并维护您的](os/linux-overview.md#arch-based-distributions) 系统。 Arch有一个 [官方安装程序](https://wiki.archlinux.org/title/Archinstall) ,使安装过程更容易一些。 + +[Arch Linux的很大一部分软件包](https://reproducible.archlinux.org) ,都是 [,可复制的](https://reproducible-builds.org)。 + +## 不变的发行版 + +### Fedora Silverblue + +!!! recommendation + + ![Fedora Silverblue logo](assets/img/linux-desktop/fedora-silverblue.svg){ align=right }。 + + **Fedora Silverblue**和**Fedora Kinoite**是Fedora的不可改变的变体,非常注重容器工作流程。 Silverblue配有 [GNOME](https://www.gnome.org/)桌面环境,而Kinoite配有 [KDE](https://kde.org/)。 Silverblue和Kinoite遵循与Fedora Workstation相同的发布时间表,受益于同样的快速更新,并与上游保持非常紧密的联系。 + + [:octicons-home-16: 主页](https://silverblue.fedoraproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.fedoraproject.org/en-US/fedora-silverblue/){ .card-link title=文档} + [:octicons-heart-16:](https://whatcanidoforfedora.org/){ .card-link title=贡献 } + +Silverblue(和Kinoite)与Fedora Workstation不同,它们用一个更先进的替代品 [`rpm-ostree`](https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/package-management/rpm-ostree/),取代了 [DNF](https://fedoraproject.org/wiki/DNF) 软件包管理。 `rpm-ostree` 软件包管理器的工作方式是为系统下载一个基本镜像,然后在一个 [git](https://en.wikipedia.org/wiki/Git)-like commit tree中叠加软件包。 当系统更新时,会下载一个新的基本图像,覆盖物将被应用于该新图像。 + +更新完成后,你将重新启动系统进入新的部署。 `rpm-ostree` 保持系统的两个部署,这样如果在新的部署中出现问题,你可以很容易地回滚。 还可以根据需要选择钉更多的部署。 + +[Flatpak](https://www.flatpak.org) 是这些发行版上的主要软件包安装方法,因为 `rpm-ostree` 只是为了在基础镜像上叠加那些不能留在容器内的软件包。 + +作为Flatpaks的替代方案,可以选择 [Toolbox](https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) ,创建 [Podman](https://podman.io) 容器,与主机操作系统共享主目录,模仿传统的Fedora环境,这对有眼光的开发者来说是一个 [有用的功能](https://containertoolbx.org)。 + +### NixOS + +!!! recommendation + + ![NixOS标志](assets/img/linux-desktop/nixos.svg){ align=right } + + NixOS是一个基于Nix软件包管理器的独立发行版,注重可重复性和可靠性。 + + [:octicons-home-16: 主页](https://nixos.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://nixos.org/learn.html){ .card-link title=文档} + [:octicons-heart-16:](https://nixos.org/donate.html){ .card-link title=贡献 } + +NixOS的软件包管理器将每个软件包的每个版本保存在 **Nix商店的不同文件夹中**。 由于这个原因,你可以在你的系统上安装同一软件包的不同版本。 在包的内容被写入文件夹后,该文件夹被变成只读。 + +NixOS还提供了原子式更新;首先它下载(或构建)新一代系统的软件包和文件,然后切换到它。 有不同的方法来切换到新一代;你可以告诉NixOS在重启后激活它,或者你可以在运行时切换到它。 你也可以 *测试* ,在运行时切换到新的一代,但不把它设置为当前系统的一代。 如果在更新过程中出现了什么问题,你可以直接重新启动,并自动返回到你的系统的工作版本。 + +Nix软件包管理器使用一种纯粹的函数式语言--它也被称为Nix--来定义软件包。 + +[Nixpkgs](https://github.com/nixos/nixpkgs) (软件包的主要来源)包含在一个GitHub仓库中。 你也可以用同样的语言定义你自己的包,然后轻松地将它们纳入你的配置中。 + +Nix是一个基于源代码的软件包管理器;如果在二进制缓存中没有预置的可用软件包,Nix将直接使用其定义从源代码中构建软件包。 它在一个沙盒式的 *纯* 环境中构建每个软件包,该环境尽可能地独立于主机系统,从而使二进制文件可以重现。 + +## 以匿名为重点的发行版 + +### Whonix + +!!! recommendation + + ![Whonix标志](assets/img/linux-desktop/whonix.svg){ align=right } + + **Whonix**是基于 [Kicksecure](https://www.whonix.org/wiki/Kicksecure),一个注重安全的Debian分叉。 它的目的是在互联网上提供隐私、安全和匿名性。 Whonix最好与[Qubes OS](#qubes-os)一起使用。 + + [:octicons-home-16: 主页](https://www.whonix.org/){ .md-button .md-button--primary } + [:simple-torbrowser:](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion){ .card-link title="洋葱服务" } + [:octicons-info-16:](https://www.whonix.org/wiki/Documentation){ .card-link title=文档} + [:octicons-heart-16:](https://www.whonix.org/wiki/Donate){ .card-link title=贡献 } + +Whonix旨在作为两个虚拟机运行:一个 "工作站 "和一个Tor "网关"。 工作站的所有通信都必须通过Tor网关。 这意味着,即使工作站被某种恶意软件入侵,真实的IP地址仍然是隐藏的。 + +它的一些功能包括Tor流隔离, [按键匿名化](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [加密的交换](https://github.com/Whonix/swap-file-creator),以及一个加固的内存分配器。 + +Whonix的未来版本可能包括 [全系统AppArmor策略](https://github.com/Whonix/apparmor-profile-everything) 和 [沙盒应用程序启动器](https://www.whonix.org/wiki/Sandbox-app-launcher) ,以完全限制系统上的所有进程。 + +[Whonix最好与Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers),Qubes-Whonix与其他管理程序相比有各种 [,缺点](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581)。 + +### Tails + +!!! recommendation + + ![Tails标志](assets/img/linux-desktop/tails.svg){ align=right } + + **Tails**是一个基于Debian的实时操作系统,它通过Tor路由所有的通信,它可以从DVD、U盘或SD卡安装在几乎任何电脑上启动。 它使用 [Tor](tor.md)来保护隐私和匿名,同时规避审查制度,而且在关闭电源后,它不会在其使用的计算机上留下任何痕迹。 + + [:octicons-home-16: 主页](https://tails.boum.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://tails.boum.org/doc/index.en.html){ .card-link title=文档} + [:octicons-heart-16:](https://tails.boum.org/donate/){ .card-link title=贡献 } + +Tails由于具有失忆功能(意味着没有任何东西被写入磁盘),对于反取证来说是非常好的;然而,它并不是像Whonix那样的加固发行版。 它缺乏Whonix所具有的许多匿名和安全功能,而且更新频率更低(每六周才更新一次)。 被恶意软件入侵的Tails系统可能会绕过透明代理,允许用户去匿名化。 + +Tails默认在Tor浏览器中包括 [uBlock Origin](desktop-browsers.md#ublock-origin) ,这有可能使对手更容易对Tails用户进行指纹识别。 [Whonix](desktop.md#whonix) 虚拟机可能更加防漏,然而它们不是失忆的,这意味着数据可能会从你的存储设备中恢复。 + +在设计上,Tails是为了在每次重启后完全重置自己。 加密的 [持久性存储](https://tails.boum.org/doc/persistent_storage/index.en.html) ,可以配置为在重启之间存储一些数据。 + +## 以安全为重点的发行版 + +### Qubes操作系统 + +!!! recommendation + + ![Qubes OS标志](assets/img/qubes/qubes_os.svg){ align=right } + + **Qubes OS**是一个开源的操作系统,旨在为桌面计算提供强大的安全性。 Qubes基于Xen、X窗口系统和Linux,可以运行大多数Linux应用程序并使用大多数Linux驱动程序。 + + [:octicons-home-16: 主页](https://www.qubes-os.org/){ .md-button .md-button--primary } + [:material-arrow-right-drop-circle: 概述](os/qubes-overview.md){ .md-button .md-button--primary } + [:simple-torbrowser:](http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion){ .card-link title="洋葱头服务" } + [:octicons-eye-16:](https://www.qubes-os.org/privacy/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://www.qubes-os.org/doc/){ .card-link title="文档" } + [:octicons-code-16:](https://github.com/QubesOS/){ .card-link title="源代码" } + [:octicons-heart-16:](https://www.qubes-os.org/donate/){ .card-link title=贡献 } + +Qubes OS是一个基于Xen的操作系统,旨在通过安全的虚拟机(VM)为桌面计算提供强大的安全性,也被称为 *Qubes*。 + +Qubes OS操作系统通过将子系统(如网络、USB等)和应用程序隔离在独立的虚拟机中来保证计算机的安全。 如果系统的一个部分被破坏,额外的隔离可能会保护系统的其他部分。 更多详情请见Qubes [FAQ](https://www.qubes-os.org/faq/)。 + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +我们推荐的操作系统。 + +- 必须是开源的。 +- 必须定期接受软件和Linux内核的更新。 +- Linux发行版必须支持 [Wayland](os/linux-overview.md#Wayland)。 +- 在安装过程中必须支持全盘加密。 +- 不得将定期发布的信息冻结1年以上。 我们 [,不建议将](os/linux-overview.md#release-cycle) "长期支持 "或 "稳定 "的发行版用于桌面使用。 +- 必须支持各种各样的硬件。 diff --git a/i18n/zh/dns.md b/i18n/zh/dns.md new file mode 100644 index 00000000..5f63c24d --- /dev/null +++ b/i18n/zh/dns.md @@ -0,0 +1,139 @@ +--- +title: "DNS解析器" +icon: material/dns +description: These are some encrypted DNS providers we recommend switching to, to replace your ISP's default configuration. +--- + +Encrypted DNS with third-party servers should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences. 加密的DNS不会帮助你隐藏任何浏览活动。 + +[Learn more about DNS :material-arrow-right-drop-circle:](advanced/dns-overview.md ""){.md-button} + +## 推荐的供应商 + +| DNS供应商 | 隐私政策 | 协议 | 日志记录 | ECS | 筛选 | +| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------ | --- | ----------------------------------------------------------------------------------------------------- | +| [**AdGuard**](https://adguard.com/en/adguard-dns/overview.html) | [:octicons-link-external-24:](https://adguard.com/en/privacy/dns.html) | Cleartext
DoH/3
DoT
DNSCrypt | 一些[^1] | No | 基于服务器的选择。 正在使用的过滤器列表可以在这里找到。 [:octicons-link-external-24:](https://github.com/AdguardTeam/AdGuardDNS) | +| [**Cloudflare**](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/) | [:octicons-link-external-24:](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) | Cleartext
DoH/3
DoT | 一些[^2] | No | 基于服务器的选择。 | +| [**Control D**](https://controld.com/free-dns) | [:octicons-link-external-24:](https://controld.com/privacy) | Cleartext
DoH/3
DoT
DoQ | 可选[^3] | No | 基于服务器的选择。 | +| [**Mullvad**](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) | [:octicons-link-external-24:](https://mullvad.net/en/help/no-logging-data-policy/) | DoH
DoT | No[^4] | No | 基于服务器的选择。 正在使用的过滤器列表可以在这里找到。 [:octicons-link-external-24:](https://github.com/mullvad/dns-adblock) | +| [**NextDNS**](https://www.nextdns.io) | [:octicons-link-external-24:](https://www.nextdns.io/privacy) | Cleartext
DoH/3
DoT | 可选[^5] | 可选 | 基于服务器的选择。 | +| [**Quad9**](https://quad9.net) | [:octicons-link-external-24:](https://quad9.net/privacy/policy/) | Cleartext
DoH
DoT
DNSCrypt | 一些[^6] | 可选 | 基于服务器的选择,默认为恶意软件拦截。 | + +## 标准 + +**请注意,我们与我们推荐的任何项目都没有关系。** 除了 [我们的标准标准](about/criteria.md),我们还制定了一套明确的要求,使我们能够提供客观的建议。 我们建议你在选择使用一个项目之前熟悉这个清单,并进行自己的研究以确保它是你的正确选择。 + +!!! 例如 "本节是新的" + + 我们正在努力为我们网站的每个部分建立确定的标准,这可能会有变化。 如果你对我们的标准有任何疑问,请[在我们的论坛上提问](https://discuss.privacyguides.net/latest),如果这里没有列出,不要以为我们在做推荐时没有考虑到什么。 当我们推荐一个项目时,有许多因素被考虑和讨论,而记录每一个因素是一项正在进行的工作。 + +- 必须支持 [DNSSEC](advanced/dns-overview.md#what-is-dnssec)。 +- [QNAME最小化](advanced/dns-overview.md#what-is-qname-minimization). +- 允许 [ECS](advanced/dns-overview.md#what-is-edns-client-subnet-ecs) 被禁用。 +- 倾向于 [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) 支持或地理转向支持。 + +## 本地操作系统支持 + +### 安卓 + +安卓9及以上系统支持通过TLS的DNS。 这些设置可以在下面找到。 **设置** → **网络 & 互联网** → **私人DNS**。 + +### 苹果设备 + +最新版本的iOS、iPadOS、tvOS和macOS,同时支持DoT和DoH。 通过 [配置文件](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) ,或通过 [DNS设置API](https://developer.apple.com/documentation/networkextension/dns_settings),这两种协议都得到了本地支持。 + +在安装配置文件或使用DNS设置API的应用程序后,可以选择DNS配置。 如果VPN处于激活状态,在VPN隧道内的解析将使用VPN的DNS设置,而不是你整个系统的设置。 + +#### 已签名的配置文件 + +苹果公司没有为创建加密的DNS配置文件提供本地接口。 [安全DNS配置文件创建者](https://dns.notjakob.com/tool.html) 是一个非官方的工具,用于创建你自己的加密DNS配置文件,然而它们将不会被签署。 签名的档案是首选;签名验证了档案的来源,有助于确保档案的完整性。 绿色的 "已验证 "标签被赋予已签署的配置文件。 关于代码签名的更多信息,见 [关于代码签名](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html)。 ** [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html)、 [NextDNS](https://apple.nextdns.io)和 [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/)提供了签名的配置文件**。 + +!!! 信息 + + `systemd-resolved`,许多Linux发行版使用它来进行DNS查询,但还不[支持DoH](https://github.com/systemd/systemd/issues/8639)。 如果你想使用DoH,你需要安装一个代理,如 [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy)和[配置它](https://wiki.archlinux.org/title/Dnscrypt-proxy),从你的系统解析器接收所有的DNS查询并通过HTTPS转发。 + +## 加密DNS代理 + +加密的DNS代理软件为 [未加密的DNS](advanced/dns-overview.md#unencrypted-dns) 解析器提供一个本地代理转发。 通常情况下,它被用于那些不支持 [加密DNS的平台](advanced/dns-overview.md#what-is-encrypted-dns)。 + +### RethinkDNS + +!!! recommendation + + ![RethinkDNS logo](assets/img/android/rethinkdns.svg#only-light){ align=right } + ![RethinkDNS标志](assets/img/android/rethinkdns-dark.svg#only-dark){ align=right } + + **RethinkDNS**是一个开源的Android客户端,支持 [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh)、 [DNS-over-TLS](advanced/dns-overview.md#dns-over-tls-dot)、 [DNSCrypt](advanced/dns-overview.md#dnscrypt)和DNS Proxy,同时还可以缓存DNS响应,本地记录DNS查询,也可以作为防火墙使用。 + + [:octicons-home-16: 主页](https://rethinkdns.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://rethinkdns.com/privacy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://docs.rethinkdns.com/){ .card-link title=文档} + [:octicons-code-16:](https://github.com/celzero/rethink-app){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.celzero.bravedns) + - [:simple-github: GitHub](https://github.com/celzero/rethink-app/releases) + +### dnscrypt-代理 + +!!! recommendation + + ![dnscrypt-proxy标志](assets/img/dns/dnscrypt-proxy.svg) { align=right } + + **dnscrypt-proxy**是一个DNS代理,支持 [DNSCrypt](advanced/dns-overview.md#dnscrypt), [DNS-over-HTTPS](advanced/dns-overview.md#dns-over-https-doh),以及[Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS)。 + + !!! 警告 "匿名DNS功能不会[***](advanced/dns-overview.md#why-shouldnt-i-use-encrypted-dns)匿名化其他网络流量。" + + [:octicons-repo-16: Repository](https://github.com/DNSCrypt/dnscrypt-proxy){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/DNSCrypt/dnscrypt-proxy/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/DNSCrypt/dnscrypt-proxy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/dnscrypt/contribute){ .card-link title="贡献" } + + ??? 下载 + + - [:simple-windows11: Windows](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows) + - [:simple-apple: macOS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-macOS) + - [:simple-linux: Linux](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux) + +## 自我托管的解决方案 + +自我托管的DNS解决方案对于在智能电视和其他物联网设备等受控平台上提供过滤非常有用,因为不需要客户端软件。 + +### AdGuard Home + +!!! recommendation + + ![AdGuard Home标识](assets/img/dns/adguard-home.svg){ align=right } + + **AdGuard Home**是一个开源的 [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole),它使用[DNS过滤](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/)来阻止不需要的网络内容,如广告。 + + AdGuard Home有一个精致的网络界面,可以查看洞察力和管理被阻止的内容。 + + [:octicons-home-16: 主页](https://adguard.com/adguard-home/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/home.html){ .card-link title="隐私政策" } + [:octicons-info-16:](https://github.com/AdguardTeam/AdGuardHome/wiki){ .card-link title=文档} + [:octicons-code-16:](https://github.com/AdguardTeam/AdGuardHome){ .card-link title="源代码" } + +### Pi-hole + +!!! recommendation + + ! [Pi-hole标志](assets/img/dns/pi-hole.svg){ align=right } + + **Pi-hole**是一个开源的 [DNS-sinkhole](https://wikipedia.org/wiki/DNS_sinkhole),它使用[DNS过滤](https://www.cloudflare.com/learning/access-management/what-is-dns-filtering/)来阻止不需要的网络内容,如广告。 + + Pi-hole被设计为在Raspberry Pi上托管,但它并不局限于这种硬件。 该软件具有一个友好的网络界面,可以查看洞察力和管理封锁的内容。 + + [:octicons-home-16: 主页](https://pi-hole.net/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://pi-hole.net/privacy/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://docs.pi-hole.net/){ .card-link title=文档} + [:octicons-code-16:](https://github.com/pi-hole/pi-hole){ .card-link title="源代码" } + [:octicons-heart-16:](https://pi-hole.net/donate){ .card-link title="贡献" } + +[^1]: AdGuard存储其DNS服务器的汇总性能指标,即对特定服务器的完整请求数、被阻止的请求数和处理请求的速度。 他们还保留并存储了过去24小时内请求的域名数据库。 "我们需要这些信息来识别和阻止新的追踪者和威胁。" "我们还记录了这个或那个追踪器被封锁的次数。 我们需要这些信息来从我们的过滤器中删除过时的规则"。 [https://adguard.com/en/privacy/dns.html](https://adguard.com/en/privacy/dns.html) +[^2]: Cloudflare只收集和存储发送到1.1.1.1解析器的有限DNS查询数据。 1.1.1.1解析器服务不记录个人数据,而且大部分有限的非个人识别的查询数据只存储25小时。 [https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/) +[^3]: Control D只记录具有自定义DNS配置文件的高级解析器。 自由解析器不记录数据。 [https://controld.com/privacy](https://controld.com/privacy) +[^4]: Mullvad的DNS服务对Mullvad VPN的订阅者和非订阅者都适用。 他们的隐私政策明确声称他们不会以任何方式记录DNS请求。 [https://mullvad.net/en/help/no-logging-data-policy/](https://mullvad.net/en/help/no-logging-data-policy/) +[^5]: NextDNS可以在选择加入的基础上提供见解和日志记录功能。 你可以为你选择保留的任何日志选择保留时间和日志存储位置。 如果没有特别要求,就不记录数据。 [https://nextdns.io/privacy](https://nextdns.io/privacy) +[^6]: Quad9收集了一些数据,用于威胁监测和应对。 然后,这些数据可能被重新混合和共享,例如为了安全研究的目的。 Quad9不会收集或记录IP地址或其他他们认为可以识别个人身份的数据。 [https://www.quad9.net/privacy/policy/](https://www.quad9.net/privacy/policy/) diff --git a/i18n/zh/email-clients.md b/i18n/zh/email-clients.md new file mode 100644 index 00000000..3b1b7cd1 --- /dev/null +++ b/i18n/zh/email-clients.md @@ -0,0 +1,238 @@ +--- +title: "笔记" +icon: material/email-open +description: These email clients are privacy-respecting and support OpenPGP email encryption. +--- + +Our recommendation list contains email clients that support both [OpenPGP](encryption.md#openpgp) and strong authentication such as [Open Authorization (OAuth)](https://en.wikipedia.org/wiki/OAuth). OAuth allows you to use [Multi-Factor Authentication](basics/multi-factor-authentication.md) and prevent account theft. + +??? warning "Email does not provide forward secrecy" + + When using end-to-end encryption (E2EE) technology like OpenPGP, email will still have [some metadata](email.md#email-metadata-overview) that is not encrypted in the header of the email. + + OpenPGP also does not support [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy), which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed: [How do I protect my private keys?](basics/email-security.md) Consider using a medium that provides forward secrecy: + + [Real-time Communication](real-time-communication.md){ .md-button } + +## Cross-Platform + +### Thunderbird + +!!! recommendation + + ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ align=right } + + **Thunderbird** is a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Twitter) client developed by the Thunderbird community, and previously by the Mozilla Foundation. + + [:octicons-home-16: Homepage](https://www.thunderbird.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mozilla.org/privacy/thunderbird){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mozilla.org/products/thunderbird){ .card-link title=Documentation} + [:octicons-code-16:](https://hg.mozilla.org/comm-central){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://www.thunderbird.net) + - [:simple-apple: macOS](https://www.thunderbird.net) + - [:simple-linux: Linux](https://www.thunderbird.net) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.mozilla.Thunderbird) + +#### 推荐配置 + +We recommend changing some of these settings to make Thunderbird a little more private. + +这些选项可以在 :material-menu: → **设置** → **隐私 & 安全**中找到。 + +##### Web Content + +- [ ] Uncheck **Remember websites and links I've visited** +- [ ] Uncheck **Accept cookies from sites** + +##### 遥测 + +- [ ] Uncheck **Allow Thunderbird to send technical and interaction data to Mozilla** + +#### Thunderbird-user.js (advanced) + +[`thunderbird-user.js`](https://github.com/HorlogeSkynet/thunderbird-user.js), is a set of configurations options that aims to disable as many of the web-browsing features within Thunderbird as possible in order to reduce surface area and maintain privacy. Some of the changes are backported from the [Arkenfox project](https://github.com/arkenfox/user.js). + +## Platform Specific + +### Apple Mail (macOS) + +!!! recommendation + + ![Apple Mail logo](assets/img/email-clients/applemail.png){ align=right } + + **Apple Mail** is included in macOS and can be extended to have OpenPGP support with [GPG Suite](encryption.md#gpg-suite), which adds the ability to send PGP-encrypted email. + + [:octicons-home-16: Homepage](https://support.apple.com/guide/mail/welcome/mac){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/en-ww/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/mail/toc){ .card-link title=Documentation} + +### Canary Mail (iOS) + +!!! recommendation + + ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ align=right } + + **Canary Mail** is a paid email client designed to make end-to-end encryption seamless with security features such as a biometric app lock. + + [:octicons-home-16: Homepage](https://canarymail.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://canarymail.io/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://canarymail.zendesk.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.canarymail.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1236045954) + - [:simple-windows11: Windows](https://canarymail.io/downloads.html) + +!!! 推荐 + + Canary Mail only recently released a Windows and Android client, though we don't believe they are as stable as their iOS and Mac counterparts. + +Canary Mail is closed-source. We recommend it due to the few choices there are for email clients on iOS that support PGP E2EE. + +### FairEmail (Android) + +!!! recommendation + + ![FairEmail logo](assets/img/email-clients/fairemail.svg){ align=right } + + **FairEmail** is a minimal, open-source email app, using open standards (IMAP, SMTP, OpenPGP) with a low data and battery usage. + + [:octicons-home-16: Homepage](https://email.faircode.eu){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/M66B/FairEmail/blob/master/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/M66B/FairEmail/blob/master/FAQ.md){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/M66B/FairEmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://email.faircode.eu/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=eu.faircode.email) + - [:simple-github: GitHub](https://github.com/M66B/FairEmail/releases) + +### GNOME Evolution (GNOME) + +!!! recommendation + + ![Evolution logo](assets/img/email-clients/evolution.svg){ align=right } + + **Evolution** is a personal information management application that provides integrated mail, calendaring and address book functionality. Evolution has extensive [documentation](https://help.gnome.org/users/evolution/stable/) to help you get started. + + [:octicons-home-16: Homepage](https://wiki.gnome.org/Apps/Evolution){ .md-button .md-button--primary } + [:octicons-eye-16:](https://wiki.gnome.org/Apps/Evolution/PrivacyPolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.gnome.org/users/evolution/stable/){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.gnome.org/GNOME/evolution/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.gnome.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gnome.Evolution) + +### K-9 Mail (Android) + +!!! recommendation + + ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ align=right } + + **K-9 Mail** is an independent mail application that supports both POP3 and IMAP mailboxes, but only supports push mail for IMAP. + + In the future, K-9 Mail will be the [officially branded](https://k9mail.app/2022/06/13/K-9-Mail-and-Thunderbird.html) Thunderbird client for Android. + + [:octicons-home-16: Homepage](https://k9mail.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://k9mail.app/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.k9mail.app/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/k9mail/k-9){ .card-link title="Source Code" } + [:octicons-heart-16:](https://k9mail.app/contribute){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.fsck.k9) + - [:simple-github: GitHub](https://github.com/k9mail/k-9/releases) + +!!! 推荐 + + When replying to someone on a mailing list the "reply" option may also include the mailing list. For more information see [thundernest/k-9 #3738](https://github.com/thundernest/k-9/issues/3738). + +### Kontact (KDE) + +!!! recommendation + + ![Kontact logo](assets/img/email-clients/kontact.svg){ align=right } + + **Kontact** is a personal information manager (PIM) application from the [KDE](https://kde.org) project. It provides a mail client, address book, organizer and RSS client. + + [:octicons-home-16: Homepage](https://kontact.kde.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kontact.kde.org/users/){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/kmail){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://kontact.kde.org/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.kontact) + +### Mailvelope (Browser) + +!!! recommendation + + ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ align=right } + + **Mailvelope** is a browser extension that enables the exchange of encrypted emails following the OpenPGP encryption standard. + + [:octicons-home-16: Homepage](https://www.mailvelope.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.mailvelope.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://mailvelope.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailvelope/mailvelope){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/mailvelope) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/mailvelope/dgcbddhdhjppfdfjpciagmmibadmoapc) + +### NeoMutt (CLI) + +!!! recommendation + + ![NeoMutt logo](assets/img/email-clients/mutt.svg){ align=right } + + **NeoMutt** is an open-source command line mail reader (or MUA) for Linux and BSD. It's a fork of [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client)) with added features. + + NeoMutt is a text-based client that has a steep learning curve. It is however, very customizable. + + [:octicons-home-16: Homepage](https://neomutt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://neomutt.org/guide/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/neomutt/neomutt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.paypal.com/paypalme/russon/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: macOS](https://neomutt.org/distro) + - [:simple-linux: Linux](https://neomutt.org/distro) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- 为开源操作系统开发的应用程序必须是开源的。 +- Must not collect telemetry, or have an easy way to disable all telemetry. +- Must support OpenPGP message encryption. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be open-source. +- Should be cross-platform. +- Should not collect any telemetry by default. +- Should support OpenPGP natively, i.e. without extensions. +- Should support storing OpenPGP encrypted emails locally. diff --git a/i18n/zh/email.md b/i18n/zh/email.md new file mode 100644 index 00000000..991984b7 --- /dev/null +++ b/i18n/zh/email.md @@ -0,0 +1,503 @@ +--- +title: "Email Services" +icon: material/email +description: These email providers offer a great place to store your emails securely, and many offer interoperable OpenPGP encryption with other providers. +--- + +电子邮件实际上是使用任何在线服务的必需品,但我们不建议使用它进行人与人之间的对话。 与其使用电子邮件与他人联系,不如考虑使用支持前向保密的即时通讯媒介。 + +[推荐的即时通讯工具](real-time-communication.md ""){.md-button} + +对于其他一切,我们根据可持续的商业模式和内置的安全和隐私功能,推荐各种电子邮件供应商。 + +- [OpenPGP-Compatible Email Providers :material-arrow-right-drop-circle:](#openpgp-compatible-services) +- [Other Encrypted Providers :material-arrow-right-drop-circle:](#more-providers) +- [Email Aliasing Services :material-arrow-right-drop-circle:](#email-aliasing-services) +- [Self-Hosted Options :material-arrow-right-drop-circle:](#self-hosting-email) + +## OpenPGP 兼容服务 + +These providers natively support OpenPGP encryption/decryption and the Web Key Directory (WKD) standard, allowing for provider-agnostic E2EE emails. 例如,Proton Mail用户可以向Mailbox.org用户发送E2EE信息,或者你可以从支持OpenPGP的互联网服务中收到OpenPGP加密的通知。 + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) + +
+ +!!! 警告 + + 当使用像OpenPGP这样的E2EE技术时,电子邮件仍然会有一些元数据没有在电子邮件的标题中进行加密。 阅读更多关于[电子邮件元数据](basics/email-security.md#email-metadata-overview)。 + + OpenPGP也不支持转发保密,这意味着如果你或收件人的私钥被盗,所有以前用它加密的信息都会暴露。 [如何保护我的私钥?](basics/email-security.md#how-do-i-protect-my-private-keys) + +### Proton Mail + +!!! recommendation + + ! [Proton Mail徽标] (assets/img/email/protonmail.svg) {align = right} + + * * Proton Mail * *是一项专注于隐私、加密、安全性和易用性的电子邮件服务。 他们自**2013年**以来一直在运作。 Proton公司总部位于瑞士日内瓦。 他们的免费计划中,账户一开始开始有500MB的存储空间。 + + [:octicons-home-16: 首页](https://proton.me/mail){ .md-button .md-button--primary } + [:simple-torbrowser:](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion){ .card-link title="洋葱服务" } + [:octicons-eye-16:](https://proton.me/legal/privacy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://proton.me/support/mail){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/ProtonMail){ .card-link title="源代码" } + + ??? 下载 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonmail)。 ndroid) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id979659905) + - [:simple-github: GitHub](https://github. om/ProtonMail/proton-mail-android/releases) + - [:simple-windows11: Windows](https://proton.me/mail/bridge#download) + - [:simple-apple: macOS](https://proton. e/mail/bridge#download) + - [:simple-linux: Linux](https://proton.me/mail/bridge#download) + - [:octicons-browser-16: Web](https://mail.proton.me) + +免费账户有一些限制,如不能搜索正文,不能访问 [Proton Mail Bridge](https://proton.me/mail/bridge),这是使用 [推荐的桌面电子邮件客户端](email-clients.md) (如Thunderbird)所需要的。 付费帐户包括Proton Mail Bridge等功能,额外的存储空间和自定义域支持。 2021年11月9日, [Securitum](https://research.securitum.com),为Proton Mail的应用程序提供了一份 [的证明信](https://proton.me/blog/security-audit-all-proton-apps)。 + +如果你有 "Proton Unlimited"、" Business "或 "Visionary "计划,你还可以免费获得 [SimpleLogin](#simplelogin) Premium。 + + Proton Mail有内部碰撞报告,他们 **,不与第三方分享。 这可以在以下方面禁用。 **设置** > **转到设置** > **帐户** > **安全和隐私** > **发送崩溃报告**。

+ +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Proton Mail subscribers can use their own domain with the service or a [catch-all](https://proton.me/support/catch-all) address. Proton Mail also supports [subaddressing](https://proton.me/support/creating-aliases), which is useful for people who don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Proton Mail [accepts](https://proton.me/support/payment-options) cash by mail in addition to standard credit/debit card, [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), and PayPal payments. + +#### :material-check:{ .pg-green } Account Security + +Proton Mail supports TOTP [two factor authentication](https://proton.me/support/two-factor-authentication-2fa) and [hardware security keys](https://proton.me/support/2fa-security-key) using FIDO2 or U2F standards. The use of a hardware security key requires setting up TOTP two factor authentication first. + +#### :material-check:{ .pg-green } Data Security + +Proton Mail has [zero-access encryption](https://proton.me/blog/zero-access-encryption) at rest for your emails and [calendars](https://proton.me/news/protoncalendar-security-model). 使用零访问加密的数据只有你才能访问。 + +Certain information stored in [Proton Contacts](https://proton.me/support/proton-contacts), such as display names and email addresses, are not secured with zero-access encryption. 支持零访问加密的联系人字段,如电话号码,会用挂锁图标表示。 + +#### :material-check:{ .pg-green } Email Encryption + +Proton Mail has [integrated OpenPGP encryption](https://proton.me/support/how-to-use-pgp) in their webmail. 给其他Proton Mail账户的邮件是自动加密的,用OpenPGP密钥给非Proton Mail地址加密可以在账户设置中轻松启用。 They also allow you to [encrypt messages to non-Proton Mail addresses](https://proton.me/support/password-protected-emails) without the need for them to sign up for a Proton Mail account or use software like OpenPGP. + +Proton Mail also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). 这使得不使用Proton Mail的人可以轻松找到Proton Mail账户的OpenPGP密钥,实现跨供应商的E2EE。 + + +#### :material-information-outline:{ .pg-blue } Account Termination + +If you have a paid account and your [bill is unpaid](https://proton.me/support/delinquency) after 14 days, you won't be able to access your data. 30天后,你的账户将成为欠费账户,不会收到来信。 在此期间,您将继续收到账单。 + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton Mail提供9.99欧元/月的 "无限 "账户,除了提供多个账户、域名、别名和500GB的存储空间外,还能访问Proton VPN。 + +Proton Mail不提供数字遗留功能。 + +### Mailbox.org + +!!! recommendation + + ![Mailbox.org标志](assets/img/email/mailboxorg.svg){ align=right } + + **Mailbox.org**是一个专注于安全、无广告、并由100%环保能源私人提供的电子邮件服务。 他们自2014年以来一直在运作。 Mailbox.org总部位于德国柏林。 账户开始时有2GB的存储空间,可根据需要升级。 + + [:octicons-home-16: 首页](https://mailbox.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://mailbox.org/en/data-protection-privacy-policy){ .card-link title="隐私政策" } + [:octicons-info-16:](https://kb.mailbox.org/en/private){ .card-link title="文件"} + + ?? 下载 + + - [:octicons-browser-16: Web](https://login.mailbox.org) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Mailbox.org lets you use your own domain, and they support [catch-all](https://kb.mailbox.org/display/MBOKBEN/Using+catch-all+alias+with+own+domain) addresses. Mailbox.org also supports [subaddressing](https://kb.mailbox.org/display/BMBOKBEN/What+is+an+alias+and+how+do+I+use+it), which is useful if you don't want to purchase a domain. + +#### :material-check:{ .pg-green } Private Payment Methods + +Mailbox.org doesn't accept any cryptocurrencies as a result of their payment processor BitPay suspending operations in Germany. 然而,他们确实接受邮寄现金、向银行账户支付现金、银行转账、信用卡、贝宝和几个德国特有的处理器:Paydirekt和Sofortüberweisung。 + +#### :material-check:{ .pg-green } Account Security + +Mailbox.org supports [two factor authentication](https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA) for their webmail only. You can use either TOTP or a [Yubikey](https://en.wikipedia.org/wiki/YubiKey) via the [Yubicloud](https://www.yubico.com/products/services-software/yubicloud). Web standards such as [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) are not yet supported. + +#### :material-information-outline:{ .pg-blue } Data Security + +Mailbox.org allows for encryption of incoming mail using their [encrypted mailbox](https://kb.mailbox.org/display/MBOKBEN/The+Encrypted+Mailbox). New messages that you receive will then be immediately encrypted with your public key. + +However, [Open-Exchange](https://en.wikipedia.org/wiki/Open-Xchange), the software platform used by Mailbox.org, [does not support](https://kb.mailbox.org/display/BMBOKBEN/Encryption+of+calendar+and+address+book) the encryption of your address book and calendar. A [standalone option](calendar.md) may be more appropriate for that information. + +#### :material-check:{ .pg-green } Email Encryption + +Mailbox.org has [integrated encryption](https://kb.mailbox.org/display/MBOKBEN/Send+encrypted+e-mails+with+Guard) in their webmail, which simplifies sending messages to people with public OpenPGP keys. They also allow [remote recipients to decrypt an email](https://kb.mailbox.org/display/MBOKBEN/My+recipient+does+not+use+PGP) on Mailbox.org's servers. This feature is useful when the remote recipient does not have OpenPGP and cannot decrypt a copy of the email in their own mailbox. + +Mailbox.org also supports the discovery of public keys via HTTP from their [Web Key Directory (WKD)](https://wiki.gnupg.org/WKD). This allows people outside of Mailbox.org to find the OpenPGP keys of Mailbox.org accounts easily, for cross-provider E2EE. + +#### :material-information-outline:{ .pg-blue } Account Termination + +Your account will be set to a restricted user account when your contract ends, after [30 days it will be irrevocably deleted](https://kb.mailbox.org/en/private/payment-article/what-happens-at-the-end-of-my-contract). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +You can access your Mailbox.org account via IMAP/SMTP using their [.onion service](https://kb.mailbox.org/display/MBOKBEN/The+Tor+exit+node+of+mailbox.org). However, their webmail interface cannot be accessed via their .onion service and you may experience TLS certificate errors. + +All accounts come with limited cloud storage that [can be encrypted](https://kb.mailbox.org/display/MBOKBEN/Encrypt+files+on+your+Drive). Mailbox.org also offers the alias [@secure.mailbox.org](https://kb.mailbox.org/display/MBOKBEN/Ensuring+E-Mails+are+Sent+Securely), which enforces the TLS encryption on the connection between mail servers, otherwise the message will not be sent at all. Mailbox.org also supports [Exchange ActiveSync](https://en.wikipedia.org/wiki/Exchange_ActiveSync) in addition to standard access protocols like IMAP and POP3. + +Mailbox.org has a digital legacy feature for all plans. You can choose whether you want any of your data to be passed to heirs providing that they apply and provide your testament. Alternatively, you can nominate a person by name and address. + +## More Providers + +These providers store your emails with zero-knowledge encryption, making them great options for keeping your stored emails secure. However, they don't support interoperable encryption standards for E2EE communications between providers. + +
+ +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +### StartMail + +!!! recommendation + + ![StartMail logo](assets/img/email/startmail.svg#only-light){ align=right } + ![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ align=right } + + **StartMail** is an email service with a focus on security and privacy through the use of standard OpenPGP encryption. StartMail has been in operation since 2014 and is based in Boulevard 11, Zeist Netherlands. Accounts start with 10GB. They offer a 30-day trial. + + [:octicons-home-16: Homepage](https://www.startmail.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startmail.com/en/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startmail.com){ .card-link title=Documentation} + + ??? downloads + + - [:octicons-browser-16: Web](https://mail.startmail.com/login) + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Personal accounts can use [Custom or Quick](https://support.startmail.com/hc/en-us/articles/360007297457-Aliases) aliases. [Custom domains](https://support.startmail.com/hc/en-us/articles/4403911432209-Setup-a-custom-domain) are also available. + +#### :material-alert-outline:{ .pg-orange } Private Payment Methods + +StartMail accepts Visa, MasterCard, American Express and Paypal. StartMail also has other [payment options](https://support.startmail.com/hc/en-us/articles/360006620637-Payment-methods) such as [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc) (currently only for Personal accounts) and SEPA Direct Debit for accounts older than a year. + +#### :material-check:{ .pg-green } Account Security + +StartMail supports TOTP two factor authentication [for webmail only](https://support.startmail.com/hc/en-us/articles/360006682158-Two-factor-authentication-2FA). They do not allow U2F security key authentication. + +#### :material-information-outline:{ .pg-blue } Data Security + +StartMail has [zero access encryption at rest](https://www.startmail.com/en/whitepaper/#_Toc458527835), using their "user vault" system. When you log in, the vault is opened, and the email is then moved to the vault out of the queue where it is decrypted by the corresponding private key. + +StartMail supports importing [contacts](https://support.startmail.com/hc/en-us/articles/360006495557-Import-contacts) however, they are only accessible in the webmail and not through protocols such as [CalDAV](https://en.wikipedia.org/wiki/CalDAV). Contacts are also not stored using zero knowledge encryption. + +#### :material-check:{ .pg-green } Email Encryption + +StartMail has [integrated encryption](https://support.startmail.com/hc/en-us/sections/360001889078-Encryption) in their webmail, which simplifies sending encrypted messages with public OpenPGP keys. However, they do not support the Web Key Directory standard, making the discovery of a Startmail mailbox's public key more challenging for other email providers or clients. + +#### :material-information-outline:{ .pg-blue } Account Termination + +On account expiration, StartMail will permanently delete your account after [6 months in 3 phases](https://support.startmail.com/hc/en-us/articles/360006794398-Account-expiration). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +StartMail allows for proxying of images within emails. If you allow the remote image to be loaded, the sender won't know what your IP address is. + +StartMail does not offer a digital legacy feature. + +### Tutanota + +!!! recommendation + + ![Tutanota logo](assets/img/email/tutanota.svg){ align=right } + + **Tutanota** is an email service with a focus on security and privacy through the use of encryption. Tutanota has been in operation since **2011** and is based in Hanover, Germany. Accounts start with 1GB storage with their free plan. + + [:octicons-home-16: Homepage](https://tutanota.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://tutanota.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://tutanota.com/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/tutao/tutanota){ .card-link title="Source Code" } + [:octicons-heart-16:](https://tutanota.com/community/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=de.tutao.tutanota) + - [:simple-appstore: App Store](https://apps.apple.com/app/tutanota/id922429609) + - [:simple-github: GitHub](https://github.com/tutao/tutanota/releases) + - [:simple-windows11: Windows](https://tutanota.com/#download) + - [:simple-apple: macOS](https://tutanota.com/#download) + - [:simple-linux: Linux](https://tutanota.com/#download) + - [:octicons-browser-16: Web](https://mail.tutanota.com/) + +Tutanota doesn't support the [IMAP protocol](https://tutanota.com/faq/#imap) or the use of third-party [email clients](email-clients.md), and you also won't be able to add [external email accounts](https://github.com/tutao/tutanota/issues/544#issuecomment-670473647) to the Tutanota app. Neither [Email import](https://github.com/tutao/tutanota/issues/630) or [subfolders](https://github.com/tutao/tutanota/issues/927) are currently supported, though this is [due to be changed](https://tutanota.com/blog/posts/kickoff-import). Emails can be exported [individually or by bulk selection](https://tutanota.com/howto#generalMail) per folder, which may be inconvenient if you have many folders. + +#### :material-check:{ .pg-green } Custom Domains and Aliases + +Paid Tutanota accounts can use up to 5 [aliases](https://tutanota.com/faq#alias) and [custom domains](https://tutanota.com/faq#custom-domain). Tutanota doesn't allow for [subaddressing (plus addresses)](https://tutanota.com/faq#plus), but you can use a [catch-all](https://tutanota.com/howto#settings-global) with a custom domain. + +#### :material-information-outline:{ .pg-blue } Private Payment Methods + +Tutanota only directly accepts credit cards and PayPal, however [cryptocurrency](cryptocurrency.md) can be used to purchase gift cards via their [partnership](https://tutanota.com/faq/#cryptocurrency) with Proxystore. + +#### :material-check:{ .pg-green } Account Security + +Tutanota supports [two factor authentication](https://tutanota.com/faq#2fa) with either TOTP or U2F. + +#### :material-check:{ .pg-green } Data Security + +Tutanota has [zero access encryption at rest](https://tutanota.com/faq#what-encrypted) for your emails, [address book contacts](https://tutanota.com/faq#encrypted-address-book), and [calendars](https://tutanota.com/faq#calendar). This means the messages and other data stored in your account are only readable by you. + +#### :material-information-outline:{ .pg-blue } Email Encryption + +Tutanota [does not use OpenPGP](https://www.tutanota.com/faq/#pgp). Tutanota accounts can only receive encrypted emails from non-Tutanota email accounts when sent via a [temporary Tutanota mailbox](https://www.tutanota.com/howto/#encrypted-email-external). + +#### :material-information-outline:{ .pg-blue } Account Termination + +Tutanota will [delete inactive free accounts](https://tutanota.com/faq#inactive-accounts) after six months. You can reuse a deactivated free account if you pay. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Tutanota offers the business version of [Tutanota to non-profit organizations](https://tutanota.com/blog/posts/secure-email-for-non-profit) for free or with a heavy discount. + +Tutanota also has a business feature called [Secure Connect](https://tutanota.com/secure-connect/). This ensures customer contact to the business uses E2EE. The feature costs €240/y. + +Tutanota doesn't offer a digital legacy feature. + +## Email Aliasing Services + +An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your "main" email address and the identity of your email provider. True email aliasing is better than plus addressing commonly used and supported by many providers, which allows you to create aliases like yourname+[anythinghere]@example.com, because websites, advertisers, and tracking networks can trivially remove anything after the + sign to know your true email address. + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +Email aliasing can act as a safeguard in case your email provider ever ceases operation. In that scenario, you can easily re-route your aliases to a new email address. In turn, however, you are placing trust in the aliasing service to continue functioning. + +Using a dedicated email aliasing service also has a number of benefits over a catch-all alias on a custom domain: + +- Aliases can be turned on and off individually when you need them, preventing websites from emailing you randomly. +- Replies are sent from the alias address, shielding your real email address. + +They also have a number of benefits over "temporary email" services: + +- Aliases are permanent and can be turned on again if you need to receive something like a password reset. +- Emails are sent to your trusted mailbox rather than stored by the alias provider. +- Temporary email services typically have public mailboxes which can be accessed by anyone who knows the address, aliases are private to you. + +Our email aliasing recommendations are providers that allow you to create aliases on domains they control, as well as your own custom domain(s) for a modest yearly fee. They can also be self-hosted if you want maximum control. However, using a custom domain can have privacy-related drawbacks: If you are the only person using your custom domain, your actions can be easily tracked across websites simply by looking at the domain name in the email address and ignoring everything before the at (@) sign. + +Using an aliasing service requires trusting both your email provider and your aliasing provider with your unencrypted messages. Some providers mitigate this slightly with automatic PGP encryption, which reduces the number of parties you need to trust from two to one by encrypting incoming emails before they are delivered to your final mailbox provider. + +### AnonAddy + +!!! recommendation + + ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ align=right } + ![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ align=right } + + **AnonAddy** lets you create 20 domain aliases on a shared domain for free, or unlimited "standard" aliases which are less anonymous. + + [:octicons-home-16: Homepage](https://anonaddy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonaddy.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://app.anonaddy.com/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/anonaddy){ .card-link title="Source Code" } + [:octicons-heart-16:](https://anonaddy.com/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-android: Android](https://anonaddy.com/faq/#is-there-an-android-app) + - [:material-apple-ios: iOS](https://anonaddy.com/faq/#is-there-an-ios-app) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-GB/firefox/addon/anonaddy/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/anonaddy-anonymous-email/iadbdpnoknmbdeolbapdackdcogdmjpe) + +The number of shared aliases (which end in a shared domain like @anonaddy.me) that you can create is limited to 20 on AnonAddy's free plan and 50 on their $12/year plan. You can create unlimited standard aliases (which end in a domain like @[username].anonaddy.com or a custom domain on paid plans), however, as previously mentioned, this can be detrimental to privacy because people can trivially tie your standard aliases together based on the domain name alone. Unlimited shared aliases are available for $36/year. + +Notable free features: + +- [x] 20 Shared Aliases +- [x] Unlimited Standard Aliases +- [ ] No Outgoing Replies +- [x] 2 Recipient Mailboxes +- [x] Automatic PGP Encryption + +### SimpleLogin + +!!! recommendation + + ![Simplelogin logo](assets/img/email/simplelogin.svg){ align=right } + + **SimpleLogin** is a free service which provides email aliases on a variety of shared domain names, and optionally provides paid features like unlimited aliases and custom domains. + + [:octicons-home-16: Homepage](https://simplelogin.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://simplelogin.io/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://simplelogin.io/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simple-login){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=io.simplelogin.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1494359858) + - [:simple-github: GitHub](https://github.com/simple-login/Simple-Login-Android/releases) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/simplelogin/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/dphilobhebphkdjbpfohgikllaljmgbn) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/simpleloginreceive-sen/diacfpipniklenphgljfkmhinphjlfff) + - [:simple-safari: Safari](https://apps.apple.com/app/id1494051017) + +SimpleLogin was [acquired by Proton AG](https://proton.me/news/proton-and-simplelogin-join-forces) as of April 8, 2022. If you use Proton Mail for your primary mailbox, SimpleLogin is a great choice. As both products are now owned by the same company you now only have to trust a single entity. We also expect that SimpleLogin will be more tightly integrated with Proton's offerings in the future. SimpleLogin continues to support forwarding to any email provider of your choosing. Securitum [audited](https://simplelogin.io/blog/security-audit/) SimpleLogin in early 2022 and all issues [were addressed](https://simplelogin.io/audit2022/web.pdf). + +You can link your SimpleLogin account in the settings with your Proton account. If you have the Proton Unlimited, Business, or Visionary Plan, you will have SimpleLogin Premium for free. + +Notable free features: + +- [x] 10 Shared Aliases +- [x] Unlimited Replies +- [x] 1 Recipient Mailbox + +## Self-Hosting Email + +Advanced system administrators may consider setting up their own email server. Mail servers require attention and continuous maintenance in order to keep things secure and mail delivery reliable. + +### Combined software solutions + +!!! recommendation + + ![Mailcow logo](assets/img/email/mailcow.svg){ align=right } + + **Mailcow** is a more advanced mail server perfect for those with a bit more Linux experience. It has everything you need in a Docker container: A mail server with DKIM support, antivirus and spam monitoring, webmail and ActiveSync with SOGo, and web-based administration with 2FA support. + + [:octicons-home-16: Homepage](https://mailcow.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailcow.github.io/mailcow-dockerized-docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mailcow/mailcow-dockerized){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.servercow.de/mailcow?lang=en#sal){ .card-link title=Contribute } + +!!! recommendation + + ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ align=right } + + **Mail-in-a-Box** is an automated setup script for deploying a mail server on Ubuntu. Its goal is to make it easier for people to set up their own mail server. + + [:octicons-home-16: Homepage](https://mailinabox.email){ .md-button .md-button--primary } + [:octicons-info-16:](https://mailinabox.email/guide.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/mail-in-a-box/mailinabox){ .card-link title="Source Code" } + +For a more manual approach we've picked out these two articles: + +- [Setting up a mail server with OpenSMTPD, Dovecot and Rspamd](https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/) (2019) +- [How To Run Your Own Mail Server](https://www.c0ffee.net/blog/mail-server-guide/) (August 2017) + +## Criteria + +**Please note we are not affiliated with any of the providers we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements for any Email provider wishing to be recommended, including implementing industry best practices, modern technology and more. We suggest you familiarize yourself with this list before choosing an Email provider, and conduct your own research to ensure the Email provider you choose is the right choice for you. + +### 技术 + +We regard these features as important in order to provide a safe and optimal service. You should consider whether the provider which has the features you require. + +**符合条件的最低要求。** + +- Encrypts email account data at rest with zero-access encryption. +- Export capability as [Mbox](https://en.wikipedia.org/wiki/Mbox) or individual .eml with [RFC5322](https://datatracker.ietf.org/doc/rfc5322/) standard. +- Allow users to use their own [domain name](https://en.wikipedia.org/wiki/Domain_name). Custom domain names are important to users because it allows them to maintain their agency from the service, should it turn bad or be acquired by another company which doesn't prioritize privacy. +- Operates on owned infrastructure, i.e. not built upon third-party email service providers. + +**Best Case:** + +- Encrypts all account data (Contacts, Calendars, etc) at rest with zero-access encryption. +- Integrated webmail E2EE/PGP encryption provided as a convenience. +- Support for [WKD](https://wiki.gnupg.org/WKD) to allow improved discovery of public OpenPGP keys via HTTP. GnuPG users can get a key by typing: `gpg --locate-key example_user@example.com` +- Support for a temporary mailbox for external users. This is useful when you want to send an encrypted email, without sending an actual copy to your recipient. These emails usually have a limited lifespan and then are automatically deleted. They also don't require the recipient to configure any cryptography like OpenPGP. +- Availability of the email provider's services via an [onion service](https://en.wikipedia.org/wiki/.onion). +- [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing) support. +- Catch-all or alias functionality for those who own their own domains. +- Use of standard email access protocols such as IMAP, SMTP or [JMAP](https://en.wikipedia.org/wiki/JSON_Meta_Application_Protocol). Standard access protocols ensure customers can easily download all of their email, should they want to switch to another provider. + +### 隐私 + +We prefer our recommended providers to collect as little data as possible. + +**符合条件的最低要求。** + +- Protect sender's IP address. Filter it from showing in the `Received` header field. +- Don't require personally identifiable information (PII) besides a username and a password. +- Privacy policy that meets the requirements defined by the GDPR +- Must not be hosted in the US due to [ECPA](https://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act#Criticism) which has [yet to be reformed](https://epic.org/ecpa/). + +**Best Case:** + +- Accepts [anonymous payment options](advanced/payments.md) ([cryptocurrency](cryptocurrency.md), cash, gift cards, etc.) + +### 安全性 + +Email servers deal with a lot of very sensitive data. We expect that providers will adopt best industry practices in order to protect their members. + +**符合条件的最低要求。** + +- Protection of webmail with 2FA, such as TOTP. +- Zero access encryption, builds on encryption at rest. The provider does not have the decryption keys to the data they hold. This prevents a rogue employee leaking data they have access to or remote adversary from releasing data they have stolen by gaining unauthorized access to the server. +- [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) support. +- No TLS errors or vulnerabilities when being profiled by tools such as [Hardenize](https://www.hardenize.com/), [testssl.sh](https://testssl.sh/), or [Qualys SSL Labs](https://www.ssllabs.com/ssltest); this includes certificate related errors and weak DH parameters, such as those that led to [Logjam](https://en.wikipedia.org/wiki/Logjam_(computer_security)). +- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption. +- A valid [MTA-STS](https://tools.ietf.org/html/rfc8461) and [TLS-RPT](https://tools.ietf.org/html/rfc8460) policy. +- Valid [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records. +- Valid [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) records. +- Have a proper [DMARC](https://en.wikipedia.org/wiki/DMARC) record and policy or use [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) for authentication. If DMARC authentication is being used, the policy must be set to `reject` or `quarantine`. +- A server suite preference of TLS 1.2 or later and a plan for [RFC8996](https://datatracker.ietf.org/doc/rfc8996/). +- [SMTPS](https://en.wikipedia.org/wiki/SMTPS) submission, assuming SMTP is used. +- Website security standards such as: + - [HTTP Strict Transport Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) + - [Subresource Integrity](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading things from external domains. +- Must support viewing of [Message headers](https://en.wikipedia.org/wiki/Email#Message_header), as it is a crucial forensic feature to determine if an email is a phishing attempt. + +**Best Case:** + +- Support for hardware authentication, i.e. U2F and [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn). U2F and WebAuthn are more secure as they use a private key stored on a client-side hardware device to authenticate people, as opposed to a shared secret that is stored on the web server and on the client side when using TOTP. Furthermore, U2F and WebAuthn are more resistant to phishing as their authentication response is based on the authenticated [domain name](https://en.wikipedia.org/wiki/Domain_name). +- [DNS Certification Authority Authorization (CAA) Resource Record](https://tools.ietf.org/html/rfc6844) in addition to DANE support. +- Implementation of [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain), this is useful for people who post to mailing lists [RFC8617](https://tools.ietf.org/html/rfc8617). +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. +- Website security standards such as: + - [Content Security Policy (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) + - [RFC9163 Expect-CT](https://datatracker.ietf.org/doc/rfc9163/) + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your email? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**符合条件的最低要求。** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the email providers we recommend we like to see responsible marketing. + +**符合条件的最低要求。** + +- Must self-host analytics (no Google Analytics, Adobe Analytics, etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those who wish to opt-out. + +Must not have any marketing which is irresponsible: + +- Claims of "unbreakable encryption." Encryption should be used with the intention that it may not be secret in the future when the technology exists to crack it. +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + +- Reusing personal information e.g. (email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc) +- [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) + +**Best Case:** + +- Clear and easy to read documentation. This includes things like, setting up 2FA, email clients, OpenPGP, etc. + +### Additional Functionality + +While not strictly requirements, there are some other convenience or privacy factors we looked into when determining which providers to recommend. diff --git a/i18n/zh/encryption.md b/i18n/zh/encryption.md new file mode 100644 index 00000000..3774d182 --- /dev/null +++ b/i18n/zh/encryption.md @@ -0,0 +1,356 @@ +--- +title: "加密软件" +icon: material/file-lock +description: 对数据进行加密是控制谁能访问数据的唯一方法。 These tools allow you to encrypt your emails and any other files. +--- + +对数据进行加密是控制谁能访问数据的唯一方法。 如果你目前没有对你的硬盘、电子邮件或文件使用加密软件,你应该在这里挑选一个选项。 + +## 多平台 + +这里列出的选项是多平台的,对于创建你的数据的加密备份非常好。 + +### Cryptomator (云) + +!!! recommendation + + ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right } + + **Cryptomator** is an encryption solution designed for privately saving files to any cloud provider. 它允许你创建存储在虚拟驱动器上的保险库,其中的内容被加密并与你的云存储供应商同步。 + + [:octicons-home-16: Homepage](https://cryptomator.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptomator.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptomator.org/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163) + - [:simple-android: Android](https://cryptomator.org/android) + - [:simple-windows11: Windows](https://cryptomator.org/downloads) + - [:simple-apple: macOS](https://cryptomator.org/downloads) + - [:simple-linux: Linux](https://cryptomator.org/downloads) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator) + +Cryptomator使用AES-256加密,对文件和文件名进行加密。 Cryptomator不能加密元数据,如访问、修改和创建时间戳,也不能加密文件和文件夹的数量和大小。 + +Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS. + +Cryptomator's documentation details its intended [security target](https://docs.cryptomator.org/en/latest/security/security-target/), [security architecture](https://docs.cryptomator.org/en/latest/security/architecture/), and [best practices](https://docs.cryptomator.org/en/latest/security/best-practices/) for use in further detail. + +### Picocrypt (File) + +!!! recommendation + + ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right } + + **Picocrypt** is a small and simple encryption tool that provides modern encryption. Picocrypt使用安全的XChaCha20密码和Argon2id密钥推导功能来提供高水平的安全。 它使用Go的标准x/crypto模块来实现其加密功能。 + + [:octicons-repo-16: Repository](https://github.com/HACKERALERT/Picocrypt){ .md-button .md-button--primary } + [:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases) + - [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases) + +### VeraCrypt (磁盘) + +!!! recommendation + + ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right } + ![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right } + + **VeraCrypt** is a source-available freeware utility used for on-the-fly encryption. 它可以在一个文件中创建一个虚拟的加密磁盘,加密一个分区,或者用启动前的认证来加密整个存储设备。 + + [:octicons-home-16: Homepage](https://veracrypt.fr){ .md-button .md-button--primary } + [:octicons-info-16:](https://veracrypt.fr/en/Documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html) + - [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html) + +VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed. + +When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher. + +Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/TrueCrypt#Security_audits), and VeraCrypt has also been [audited separately](https://en.wikipedia.org/wiki/VeraCrypt#VeraCrypt_audit). + +## OS Full Disk Encryption + +Modern operating systems include [FDE](https://en.wikipedia.org/wiki/Disk_encryption) and will have a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). + +### BitLocker + +!!! recommendation + + ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } + + **BitLocker** is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its [use of TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm). [ElcomSoft](https://en.wikipedia.org/wiki/ElcomSoft), a forensics company, has written about it in [Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection/). + + [:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} + +BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. + +??? example "Enabling BitLocker on Windows Home" + + To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. + + 1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style": + + ``` + powershell Get-Disk + ``` + + 2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`: + + ``` + powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm + ``` + + 3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot** → **Advanced Options** → **Command Prompt**. + + 4. Login with your admin account and type this in the command prompt to start encryption: + + ``` + manage-bde -on c: -used + ``` + + 5. Close the command prompt and continue booting to regular Windows. + + 6. Open an admin command prompt and run the following commands: + + ``` + manage-bde c: -protectors -add -rp -tpm + manage-bde -protectors -enable c: + manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt + ``` + + !!! tip + + Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. + +### FileVault + +!!! recommendation + + ![FileVault logo](assets/img/encryption-software/filevault.png){ align=right } + + **FileVault** is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it [leverages](https://support.apple.com/guide/security/volume-encryption-with-filevault-sec4c6dc1b6e/web) hardware security capabilities present on an Apple silicon SoC or T2 Security Chip. + + [:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation} + +We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery. + +### Linux Unified Key Setup + +!!! recommendation + + ![LUKS logo](assets/img/encryption-software/luks.png){ align=right } + + **LUKS** is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers. + + [:octicons-home-16: Homepage](https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/README.md){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" } + +??? example "Creating and opening encrypted containers" + + ``` + dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress + sudo cryptsetup luksFormat /path-to-file + ``` + + + #### Opening encrypted containers + We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface. + ``` + udisksctl loop-setup -f /path-to-file + udisksctl unlock -b /dev/loop0 + ``` + +!!! note "Remember to back up volume headers" + + We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with: + + ``` + cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img + ``` + +## Browser-based + +Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device. + +### hat.sh + +!!! recommendation + + ![hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ align=right } + ![hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ align=right } + + **Hat.sh** is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies. + + [:octicons-globe-16: Website](https://hat.sh){ .md-button .md-button--primary } + [:octicons-eye-16:](https://hat.sh/about/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://hat.sh/about/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/sh-dv/hat.sh){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sh-dv/hat.sh#donations){ .card-link title="Donations methods can be found at the bottom of the website" } + +## Command-line + +Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script). + +### Kryptor + +!!! recommendation + + ![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right } + + **Kryptor** is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of [age](https://github.com/FiloSottile/age) and [Minisign](https://jedisct1.github.io/minisign/) to provide a simple, easier alternative to GPG. + + [:octicons-home-16: Homepage](https://www.kryptor.co.uk){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.kryptor.co.uk/features#privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.kryptor.co.uk/tutorial){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.kryptor.co.uk) + - [:simple-apple: macOS](https://www.kryptor.co.uk) + - [:simple-linux: Linux](https://www.kryptor.co.uk) + +### Tomb + +!!! recommendation + + ![Tomb logo](assets/img/encryption-software/tomb.png){ align=right } + + **Tomb** is a command-line shell wrapper for LUKS. It supports steganography via [third-party tools](https://github.com/dyne/Tomb#how-does-it-work). + + [:octicons-home-16: Homepage](https://www.dyne.org/software/tomb){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/dyne/Tomb/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute } + +## OpenPGP + +OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options. + +When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf). + +!!! tip "Use future defaults when generating a key" + + When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/): + + ```bash + gpg --quick-gen-key alice@example.com future-default + ``` + +### GNU Privacy Guard + +!!! recommendation + + ![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right } + + **GnuPG** is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with [RFC 4880](https://tools.ietf.org/html/rfc4880), which is the current IETF specification of OpenPGP. The GnuPG project has been working on an [updated draft](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/) in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major [funding](https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html) from the German government. + + [:octicons-home-16: Homepage](https://gnupg.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gnupg.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + - [:simple-apple: macOS](https://gpgtools.org) + - [:simple-linux: Linux](https://gnupg.org/download/index.html#binary) + +### GPG4win + +!!! recommendation + + ![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right } + + **GPG4win** is a package for Windows from [Intevation and g10 Code](https://gpg4win.org/impressum.html). It includes [various tools](https://gpg4win.org/about.html) that can assist you in using GPG on Microsoft Windows. The project was initiated and originally [funded by](https://web.archive.org/web/20190425125223/https://joinup.ec.europa.eu/news/government-used-cryptography) Germany's Federal Office for Information Security (BSI) in 2005. + + [:octicons-home-16: Homepage](https://gpg4win.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpg4win.org/privacy-policy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpg4win.org/documentation.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" } + [:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://gpg4win.org/download.html) + +### GPG Suite + +!!! note + + We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices. + +!!! recommendation + + ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right } + + **GPG Suite** provides OpenPGP support for [Apple Mail](email-clients.md#apple-mail) and macOS. + + We recommend taking a look at their [First steps](https://gpgtools.tenderapp.com/kb/how-to/first-steps-where-do-i-start-where-do-i-begin-setup-gpgtools-create-a-new-key-your-first-encrypted-email) and [Knowledge base](https://gpgtools.tenderapp.com/kb) for support. + + [:octicons-home-16: Homepage](https://gpgtools.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://gpgtools.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-apple: macOS](https://gpgtools.org) + +### OpenKeychain + +!!! recommendation + + ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right } + + **OpenKeychain** is an Android implementation of GnuPG. It's commonly required by mail clients such as [K-9 Mail](email-clients.md#k-9-mail) and [FairEmail](email-clients.md#fairemail) and other Android apps to provide encryption support. Cure53 completed a [security audit](https://www.openkeychain.org/openkeychain-3-6) of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found [here](https://github.com/open-keychain/open-keychain/wiki/cure53-Security-Audit-2015). + + [:octicons-home-16: Homepage](https://www.openkeychain.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.openkeychain.org/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain) + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Qualifications + +- Cross-platform encryption apps must be open-source. +- File encryption apps must support decryption on Linux, macOS, and Windows. +- External disk encryption apps must support decryption on Linux, macOS, and Windows. +- Internal (OS) disk encryption apps must be cross-platform or built in to the operating system natively. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave. +- File encryption apps should have first- or third-party support for mobile platforms. diff --git a/i18n/zh/file-sharing.md b/i18n/zh/file-sharing.md new file mode 100644 index 00000000..bae918b2 --- /dev/null +++ b/i18n/zh/file-sharing.md @@ -0,0 +1,147 @@ +--- +title: "加密软件" +icon: material/share-variant +description: Discover how to privately share your files between your devices, with your friends and family, or anonymously online. +--- + +Discover how to privately share your files between your devices, with your friends and family, or anonymously online. + +## 文件共享 + +### Send + +!!! recommendation + + ![Send logo](assets/img/file-sharing-sync/send.svg){ align=right } + + **Send** is a fork of Mozilla’s discontinued Firefox Send service which allows you to send files to others with a link. Files are encrypted on your device so that they cannot be read by the server, and they can be optionally password-protected as well. The maintainer of Send hosts a [public instance](https://send.vis.ee/). You can use other public instances, or you can host Send yourself. + + [:octicons-home-16: Homepage](https://send.vis.ee){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/timvisee/send-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/timvisee/send#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/timvisee/send){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/timvisee){ .card-link title=Contribute } + +Send can be used via its web interface or via the [ffsend](https://github.com/timvisee/ffsend) CLI. If you are familiar with the command-line and send files frequently, we recommend using the CLI client to avoid JavaScript-based encryption. You can specify the `--host` flag to use a specific server: + +```bash +ffsend upload --host https://send.vis.ee/ FILE +``` + +### OnionShare + +!!! recommendation + + ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ align=right } + + **OnionShare** is an open-source tool that lets you securely and anonymously share a file of any size. It works by starting a web server accessible as a Tor onion service, with an unguessable URL that you can share with the recipients to download or send files. + + [:octicons-home-16: Homepage](https://onionshare.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://docs.onionshare.org){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/onionshare/onionshare){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-windows11: Windows](https://onionshare.org/#download) + - [:simple-apple: macOS](https://onionshare.org/#download) + - [:simple-linux: Linux](https://onionshare.org/#download) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not store decrypted data on a remote server. +- 它必须是开源软件。 +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +## FreedomBox + +!!! recommendation + + ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ align=right } + + **FreedomBox** is an operating system designed to be run on a [single-board computer (SBC)](https://en.wikipedia.org/wiki/Single-board_computer). The purpose is to make it easy to set up server applications that you might want to self-host. + + [:octicons-home-16: Homepage](https://freedombox.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://wiki.debian.org/FreedomBox/Manual){ .card-link title=Documentation} + [:octicons-code-16:](https://salsa.debian.org/freedombox-team/freedombox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://freedomboxfoundation.org/donate/){ .card-link title=Contribute } + +## File Sync + +### Nextcloud (Client-Server) + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 危险 + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. + +### Syncthing (P2P) + +!!! recommendation + + ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ align=right } + + **Syncthing** is an open-source peer-to-peer continuous file synchronization utility. It is used to synchronize files between two or more devices over the local network or the internet. Syncthing does not use a centralized server; it uses the [Block Exchange Protocol](https://docs.syncthing.net/specs/bep-v1.html#bep-v1) to transfer data between devices. All data is encrypted using TLS. + + [:octicons-home-16: Homepage](https://syncthing.net){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.syncthing.net){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/syncthing){ .card-link title="Source Code" } + [:octicons-heart-16:](https://syncthing.net/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nutomic.syncthingandroid) + - [:simple-windows11: Windows](https://syncthing.net/downloads/) + - [:simple-apple: macOS](https://syncthing.net/downloads/) + - [:simple-linux: Linux](https://syncthing.net/downloads/) + - [:simple-freebsd: FreeBSD](https://syncthing.net/downloads/) + - [:simple-openbsd: OpenBSD](https://syncthing.net/downloads/) + - [:simple-netbsd: NetBSD](https://syncthing.net/downloads/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must not require a third-party remote/cloud server. +- 它必须是开源软件。 +- Must either have clients for Linux, macOS, and Windows; or have a web interface. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Has mobile clients for iOS and Android, which at least support document previews. +- Supports photo backup from iOS and Android, and optionally supports file/folder sync on Android. diff --git a/i18n/zh/financial-services.md b/i18n/zh/financial-services.md new file mode 100644 index 00000000..480c924c --- /dev/null +++ b/i18n/zh/financial-services.md @@ -0,0 +1,94 @@ +--- +title: Financial Services +icon: material/bank +--- + +Making payments online is one of the biggest challenges to privacy. These services can assist you in protecting your privacy from merchants and other trackers, provided you have a strong understanding of how to make private payments effectively. We strongly encourage you first read our payments overview article before making any purchases: + +[Making Private Payments :material-arrow-right-drop-circle:](advanced/payments.md ""){.md-button} + +## Payment Masking Services + +There are a number of services which provide "virtual debit cards" which you can use with online merchants without revealing your actual banking or billing information in most cases. It's important to note that these financial services are **not** anonymous and are subject to "Know Your Customer" (KYC) laws and may require your ID or other identifying information. These services are primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft; and **not** for making a purchase completely anonymously. + +!!! tip "Check your current bank" + + Many banks and credit card providers offer native virtual card functionality. If you use one which provides this option already, you should use it over the following recommendations in most cases. That way you are not trusting multiple parties with your personal information. + +### Privacy.com (US) + +!!! recommendation + + ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ align=right } + ![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ align=right } + + **Privacy.com**'s free plan allows you to create up to 12 virtual cards per month, set spend limits on those cards, and shut off cards instantly. Their paid plan allows you to create up to 36 cards per month, get 1% cash back on purchases, and hide transaction information from your bank. + + [:octicons-home-16: Homepage](https://privacy.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://privacy.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.privacy.com/hc/en-us){ .card-link title=Documentation} + +Privacy.com gives information about the merchants you purchase from to your bank by default. Their paid "discreet merchants" feature hides merchant information from your bank, so your bank only sees that a purchase was made with Privacy.com but not where that money was spent, however that is not foolproof, and of course Privacy.com still has knowledge about the merchants you are spending money with. + +### MySudo (US, Paid) + +!!! recommendation + + ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ align=right } + ![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ align=right } + + **MySudo** provides up to 9 virtual cards depending on the plan you purchase. Their paid plans additionally include functionality which may be useful for making purchases privately, such as virtual phone numbers and email addresses, although we typically recommend other [email aliasing providers](email.md) for extensive email aliasing use. + + [:octicons-home-16: Homepage](https://mysudo.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://anonyome.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.mysudo.com/hc/en-us){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Allows the creation of multiple cards which function as a shield between the merchant and your personal finances. +- Cards must not require you to provide accurate billing address information to the merchant. + +## Gift Card Marketplaces + +These services allow you to purchase gift cards for a variety of merchants online with [cryptocurrency](cryptocurrency.md). Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits typically start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered). + +### Cake Pay + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/cakepay.svg){ align=right } + + **Cake Pay** allows you to purchase gift cards and related products with Monero. Purchases for USA merchants are available in the Cake Wallet mobile app, while the Cake Pay web app includes a broad selection of global merchants. + + [:octicons-home-16: Homepage](https://cakepay.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://ionia.docsend.com/view/jhjvdn7qq7k3ukwt){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://guides.cakewallet.com/){ .card-link title=Documentation} + +### CoinCards + +!!! recommendation + + ![CakePay logo](assets/img/financial-services/coincards.svg){ align=right } + + **CoinCards** (available in the US, Canada, and UK) allows you to purchase gift cards for a large variety of merchants. + + [:octicons-home-16: Homepage](https://coincards.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://coincards.com/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://coincards.com/frequently-asked-questions/){ .card-link title=Documentation} + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Accepts payment in [a recommended cryptocurrency](cryptocurrency.md). +- No ID requirement. diff --git a/i18n/zh/frontends.md b/i18n/zh/frontends.md new file mode 100644 index 00000000..118fa943 --- /dev/null +++ b/i18n/zh/frontends.md @@ -0,0 +1,267 @@ +--- +title: "文件共享" +icon: material/flip-to-front +description: These open-source frontends for various internet services allow you to access content without JavaScript or other annoyances. +--- + +有时,一些服务会用烦人的弹窗阻止你访问内容,以此来强迫你注册账户。 此时如果停用JavaScript网站也会崩溃。 这些前端应用可以帮助你绕过这些限制。 + +## 客户端 + +### Librarian + +!!! recommendation + + ![Librarian logo](assets/img/frontends/librarian.svg#only-light){ align=right } + ![Librarian logo](assets/img/frontends/librarian-dark.svg#only-dark){ align=right } + + **Librarian** is a free and open-source frontend for [Odysee](https://odysee.com/) (LBRY) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://codeberg.org/librarian/librarian){ .md-button .md-button--primary } + [:octicons-server-16:](https://librarian.codeberg.page/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://codeberg.org/librarian/librarian/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://codeberg.org/librarian/librarian){ .card-link title="Source Code" } + +!!! 推荐 + + Librarian does not proxy video streams by default. Videos watched through Librarian will still make direct connections to Odysee's servers (e.g. `odycdn.com`); however, some instances may enable proxying which would be detailed in the instance's privacy policy. + +!!! tip + + Librarian is useful if you want watch LBRY content on mobile without mandatory telemetry and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Librarian, as other peoples' usage will be linked to your hosting. + +When you are using a Librarian instance, make sure to read the privacy policy of that specific instance. Librarian instances can be modified by their owners and therefore may not reflect the default policy. Librarian instances feature a "privacy nutrition label" to provide an overview of their policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## Twitter + +### Nitter + +!!! recommendation + + ![Nitter logo](assets/img/frontends/nitter.svg){ align=right } + + **Nitter** is a free and open-source frontend for [Twitter](https://twitter.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/zedeus/nitter){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/zedeus/nitter/wiki/Instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/zedeus/nitter/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/zedeus/nitter){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/zedeus/nitter#nitter){ .card-link title=Contribute } + +!!! tip + + Nitter is useful if you want to browse Twitter content without having to log in and if you want to disable JavaScript in your browser, as is the case with [Tor Browser](https://www.torproject.org/) on the Safest security level. It also allows you to [create RSS feeds for Twitter](news-aggregators.md#twitter). + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Nitter, as other peoples' usage will be linked to your hosting. + +When you are using a Nitter instance, make sure to read the privacy policy of that specific instance. Nitter instances can be modified by their owners and therefore may not reflect the default policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## TikTok + +### ProxiTok + +!!! recommendation + + ![ProxiTok logo](assets/img/frontends/proxitok.svg){ align=right } + + **ProxiTok** is an open source frontend to the [TikTok](https://www.tiktok.com) website that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-repo-16: Repository](https://github.com/pablouser1/ProxiTok){ .md-button .md-button--primary } + [:octicons-server-16:](https://github.com/pablouser1/ProxiTok/wiki/Public-instances){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/pablouser1/ProxiTok/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/pablouser1/ProxiTok){ .card-link title="Source Code" } + +!!! tip + + ProxiTok is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting ProxiTok, as other peoples' usage will be linked to your hosting. + +When you are using a ProxiTok instance, make sure to read the privacy policy of that specific instance. ProxiTok instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +## YouTube + +### FreeTube + +!!! recommendation + + ![FreeTube logo](assets/img/frontends/freetube.svg){ align=right } + + **FreeTube** is a free and open-source desktop application for [YouTube](https://youtube.com). When using FreeTube, your subscription list and playlists are saved locally on your device. + + By default, FreeTube blocks all YouTube advertisements. In addition, FreeTube optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://freetubeapp.io/#download) + - [:simple-apple: macOS](https://freetubeapp.io/#download) + - [:simple-linux: Linux](https://freetubeapp.io/#download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! 推荐 + + When using FreeTube, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +### Yattee + +!!! recommendation + + ![Yattee logo](assets/img/frontends/yattee.svg){ align=right } + + **Yattee** is a free and open-source privacy oriented video player for iOS, tvOS and macOS for [YouTube](https://youtube.com). When using Yattee, your subscription list are saved locally on your device. + + You will need to take a few [extra steps](https://gonzoknows.com/posts/Yattee/) before you can use Yattee to watch YouTube, due to App Store restrictions. + + [:octicons-home-16: Homepage](https://github.com/yattee/yattee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://r.yattee.stream/docs/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yattee/yattee/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yattee/yattee){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/yattee/yattee/wiki/Donations){ .card-link title=Contribute } + + ??? downloads + + - [:simple-apple: App Store](https://apps.apple.com/us/app/yattee/id1595136629) + - [:simple-github: GitHub](https://github.com/yattee/yattee/releases) + +!!! 推荐 + + When using Yattee, your IP address may still be known to YouTube, [Invidious](https://instances.invidious.io), [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +By default, Yattee blocks all YouTube advertisements. In addition, Yattee optionally integrates with [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. + +### LibreTube (Android) + +!!! recommendation + + ![LibreTube logo](assets/img/frontends/libretube.svg#only-light){ align=right } + ![LibreTube logo](assets/img/frontends/libretube-dark.svg#only-dark){ align=right } + + **LibreTube** is a free and open-source Android application for [YouTube](https://youtube.com) which uses the [Piped](#piped) API. + + LibreTube allows you to store your subscription list and playlists locally on your Android device, or to an account on your Piped instance of choice, which allows you to access them seamlessly on other devices as well. + + [:octicons-home-16: Homepage](https://libre-tube.github.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/libre-tube/LibreTube#privacy-policy-and-disclaimer){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/libre-tube/LibreTube#readme){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/libre-tube/LibreTube){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/libre-tube/LibreTube/releases) + +!!! 推荐 + + When using LibreTube, your IP address will be visible to the [Piped](https://github.com/TeamPiped/Piped/wiki/Instances) instance you choose and/or [SponsorBlock](https://sponsor.ajay.app/) depending on your configuration. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +By default, LibreTube blocks all YouTube advertisements. Additionally, Libretube uses [SponsorBlock](https://sponsor.ajay.app) to help you skip sponsored video segments. You are able to fully configure the types of segments that SponsorBlock will skip, or disable it completely. There is also a button on the video player itself to disable it for a specific video if desired. + +### NewPipe (Android) + +!!! 推荐备注 + + ![Newpipe logo](assets/img/frontends/newpipe.svg){ align=right } + + **NewPipe** is a free and open-source Android application for [YouTube](https://youtube.com), [SoundCloud](https://soundcloud.com), [media.ccc.de](https://media.ccc.de), [Bandcamp](https://bandcamp.com), and [PeerTube](https://joinpeertube.org/) (1). + + Your subscription list and playlists are saved locally on your Android device. + + [:octicons-home-16: Homepage](https://newpipe.net){ .md-button .md-button--primary } + [:octicons-eye-16:](https://newpipe.net/legal/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://teamnewpipe.github.io/documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamNewPipe/NewPipe){ .card-link title="Source Code" } + [:octicons-heart-16:](https://newpipe.net/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-github: GitHub](https://github.com/TeamNewPipe/NewPipe/releases) + +1. The default instance is [FramaTube](https://framatube.org/), however more can be added via **Settings** → **Content** → **PeerTube instances** + +!!! 警告 + + When using NewPipe, your IP address will be visible to the video providers used. 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +### Invidious + +!!! recommendation + + ![Invidious logo](assets/img/frontends/invidious.svg#only-light){ align=right } + ![Invidious logo](assets/img/frontends/invidious-dark.svg#only-dark){ align=right } + + **Invidious** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + There are a number of public instances, with some instances having [Tor](https://www.torproject.org) onion services support. + + [:octicons-home-16: Homepage](https://invidious.io){ .md-button .md-button--primary } + [:octicons-server-16:](https://instances.invidious.io){ .card-link title="Public Instances"} + [:octicons-info-16:](https://docs.invidious.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/iv-org/invidious){ .card-link title="Source Code" } + [:octicons-heart-16:](https://invidious.io/donate/){ .card-link title=Contribute } + +!!! 推荐 + + Invidious does not proxy video streams by default. Videos watched through Invidious will still make direct connections to Google's servers (e.g. `googlevideo.com`); however, some instances support video proxying—simply enable *Proxy videos* within the instances' settings or add `&local=true` to the URL. + +!!! tip + + Invidious is useful if you want to disable JavaScript in your browser, such as [Tor Browser](https://www.torproject.org/) on the Safest security level. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Invidious, as other peoples' usage will be linked to your hosting. + +When you are using an Invidious instance, make sure to read the privacy policy of that specific instance. Invidious instances can be modified by their owners and therefore may not reflect their associated privacy policy. Some instances have Tor .onion addresses which may grant some privacy as long as your search queries don't contain PII. + +### Piped + +!!! recommendation + + ![Piped logo](assets/img/frontends/piped.svg){ align=right } + + **Piped** is a free and open-source frontend for [YouTube](https://youtube.com) that is also self-hostable. + + Piped requires JavaScript in order to function and there are a number of public instances. + + [:octicons-repo-16: Repository](https://github.com/TeamPiped/Piped){ .md-button .md-button--primary } + [:octicons-server-16:](https://piped.kavin.rocks/preferences#ddlInstanceSelection){ .card-link title="Public Instances"} + [:octicons-info-16:](https://piped-docs.kavin.rocks/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/TeamPiped/Piped){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/TeamPiped/Piped#donations){ .card-link title=Contribute } + +!!! tip + + Piped is useful if you want to use [SponsorBlock](https://sponsor.ajay.app) without installing an extension or to access age-restricted content without an account. It does not provide privacy by itself, and we don’t recommend logging into any accounts. + +When self-hosting, it is important that you have other people using your instance as well in order for you to blend in. You should be careful with where and how you are hosting Piped, as other peoples' usage will be linked to your hosting. + +When you are using a Piped instance, make sure to read the privacy policy of that specific instance. Piped instances can be modified by their owners and therefore may not reflect their associated privacy policy. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +推荐的前端应用... + +- 它必须是开源软件。 +- 必须能够自托管。 +- 必须向匿名用户提供所有基本的网站功能。 + +We only consider frontends for websites which are... + +- 不启用Javascript就不能正常访问。 diff --git a/i18n/zh/index.md b/i18n/zh/index.md new file mode 100644 index 00000000..10b0eaea --- /dev/null +++ b/i18n/zh/index.md @@ -0,0 +1,70 @@ +--- +template: overrides/home.zh.html +hide: + - navigation + - toc + - 反馈 +schema: + - + "@context": https://schema.org + "@type": Organization + "@id": https://www.privacyguides.org/ + name: Privacy Guides + url: https://www.privacyguides.org/en/about/ + logo: https://www.privacyguides.org/en/assets/brand/png/square/pg-yellow.png + sameAs: + - https://twitter.com/privacy_guides + - https://github.com/privacyguides + - https://www.wikidata.org/wiki/Q111710163 + - https://opencollective.com/privacyguides + - https://www.youtube.com/@privacyguides + - https://mastodon.neat.computer/@privacyguides + - + "@context": https://schema.org + "@type": WebSite + name: Privacy Guides + url: "https://www.privacyguides.org/" + sameAs: + - https://www.wikidata.org/wiki/Q111710163 + potentialAction: + "@type": SearchAction + target: + "@type": EntryPoint + urlTemplate: "https://www.privacyguides.org/?q={search_term_string}" + query-input: required name=search_term_string +--- + + +## Why should I care? + +##### “I have nothing to hide. Why should I care about my privacy?” + +Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. ==Privacy is a human right, inherent to all of us,== that we are entitled to (without discrimination). + +You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. **Everyone** has something to protect. Privacy is something that makes us human. + +[:material-target-account: Common Internet Threats](basics/common-threats.md ""){.md-button.md-button--primary} + +## What should I do? + +##### First, you need to make a plan + +Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But don't worry! Security is a process, and, by thinking ahead, you can put together a plan that's right for you. Security isn't just about the tools you use or the software you download. Rather, it begins by understanding the unique threats you face, and how you can mitigate them. + +==This process of identifying threats and defining countermeasures is called **threat modeling**==, and it forms the basis of every good security and privacy plan. + +[:material-book-outline: Learn More About Threat Modeling](basics/threat-modeling.md ""){.md-button.md-button--primary} + +--- + +## We need you! Here's how to get involved: + +[:simple-discourse:](https://discuss.privacyguides.net/){ title="Join our Forum" } +[:simple-mastodon:](https://mastodon.neat.computer/@privacyguides){ rel=me title="Follow us on Mastodon" } +[:material-book-edit:](https://github.com/privacyguides/privacyguides.org){ title="Contribute to this website" } +[:material-translate:](https://matrix.to/#/#pg-i18n:aragon.sh){ title="Help translate this website" } +[:simple-matrix:](https://matrix.to/#/#privacyguides:matrix.org){ title="Chat with us on Matrix" } +[:material-information-outline:](about/index.md){ title="Learn more about us" } +[:material-hand-coin-outline:](about/donate.md){ title="Support the project" } + +It's important for a website like Privacy Guides to always stay up-to-date. We need our audience to keep an eye on software updates for the applications listed on our site and follow recent news about providers that we recommend. It's hard to keep up with the fast pace of the internet, but we try our best. If you spot an error, think a provider should not be listed, notice a qualified provider is missing, believe a browser plugin is no longer the best choice, or uncover any other issue, please let us know. diff --git a/i18n/zh/kb-archive.md b/i18n/zh/kb-archive.md new file mode 100644 index 00000000..92daee33 --- /dev/null +++ b/i18n/zh/kb-archive.md @@ -0,0 +1,17 @@ +--- +title: KB Archive +icon: material/archive +description: Some pages that used to be in our knowledge base can now be found on our blog. +--- + +# Pages Moved to Blog + +Some pages that used to be in our knowledge base can now be found on our blog: + +- [GrapheneOS vs. CalyxOS](https://blog.privacyguides.org/2022/04/21/grapheneos-or-calyxos/) +- [Signal Configuration Hardening](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) +- [Linux - System Hardening](https://blog.privacyguides.org/2022/04/22/linux-system-hardening/) +- [Linux - Application Sandboxing](https://blog.privacyguides.org/2022/04/22/linux-application-sandboxing/) +- [Secure Data Erasure](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) +- [Integrating Metadata Removal](https://blog.privacyguides.org/2022/04/09/integrating-metadata-removal/) +- [iOS Configuration Guide](https://blog.privacyguides.org/2022/10/22/ios-configuration-guide/) diff --git a/i18n/zh/meta/brand.md b/i18n/zh/meta/brand.md new file mode 100644 index 00000000..53cb9ac4 --- /dev/null +++ b/i18n/zh/meta/brand.md @@ -0,0 +1,22 @@ +--- +title: Branding Guidelines +--- + +The name of the website is **Privacy Guides** and should **not** be changed to: + +
+- PrivacyGuides +- Privacy guides +- PG +- PG.org +
+ +The name of the subreddit is **r/PrivacyGuides** or **the Privacy Guides Subreddit**. + +Additional branding guidelines can be found at [github.com/privacyguides/brand](https://github.com/privacyguides/brand) + +## Trademark + +"Privacy Guides" and the shield logo are trademarks owned by Jonah Aragon, unlimited usage is granted to the Privacy Guides project. + +Without waiving any of its rights, Privacy Guides does not advise others on the scope of its intellectual property rights. Privacy Guides does not permit or consent to any use of its trademarks in any manner that is likely to cause confusion by implying association with or sponsorship by Privacy Guides. If you are aware of any such use, please contact Jonah Aragon at jonah@privacyguides.org. Consult your legal counsel if you have questions. diff --git a/i18n/zh/meta/git-recommendations.md b/i18n/zh/meta/git-recommendations.md new file mode 100644 index 00000000..f59b5f81 --- /dev/null +++ b/i18n/zh/meta/git-recommendations.md @@ -0,0 +1,46 @@ +--- +title: Git Recommendations +--- + +If you make changes to this website on GitHub.com's web editor directly, you shouldn't have to worry about this. If you are developing locally and/or are a long-term website editor (who should probably be developing locally!), consider these recommendations. + +## Enable SSH Key Commit Signing + +You can use an existing SSH key for signing, or [create a new one](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent). + +1. Configure your Git client to sign commits and tags by default (remove `--global` to only sign by default for this repo): + ``` + git config --global commit.gpgsign true + git config --global gpg.format ssh + git config --global tag.gpgSign true + ``` +2. Copy your SSH public key to your clipboard, for example: + ``` + pbcopy < ~/.ssh/id_ed25519.pub + # Copies the contents of the id_ed25519.pub file to your clipboard + ``` +3. Set your SSH key for signing in Git with the following command, replacing the last string in quotes with the public key in your clipboard: + ``` + git config --global user.signingkey 'ssh-ed25519 AAAAC3(...) user@example.com' + ``` + +Ensure you [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account) **as a Signing Key** (as opposed to or in addition to as an Authentication Key). + +## Rebase on Git pull + +Use `git pull --rebase` instead of `git pull` when pulling in changes from GitHub to your local machine. This way your local changes will always be "on top of" the latest changes on GitHub, and you avoid merge commits (which are disallowed in this repo). + +You can set this to be the default behavior: + +``` +git config --global pull.rebase true +``` + +## Rebase from `main` before submitting a PR + +If you are working on your own branch, run these commands before submitting a PR: + +``` +git fetch origin +git rebase origin/main +``` diff --git a/i18n/zh/meta/uploading-images.md b/i18n/zh/meta/uploading-images.md new file mode 100644 index 00000000..55f136f8 --- /dev/null +++ b/i18n/zh/meta/uploading-images.md @@ -0,0 +1,89 @@ +--- +title: Uploading Images +--- + +Here are a couple of general rules for contributing to Privacy Guides: + +## Images + +- We **prefer** SVG images, but if those do not exist we can use PNG images + +Company logos have canvas size of: + +- 128x128px +- 384x128px + +## Optimization + +### PNG + +Use the [OptiPNG](https://sourceforge.net/projects/optipng/) to optimize the PNG image: + +```bash +optipng -o7 file.png +``` + +### SVG + +#### Inkscape + +[Scour](https://github.com/scour-project/scour) all SVG images. + +In Inkscape: + +1. File Save As.. +2. Set type to Optimized SVG (*.svg) + +In the **Options** tab: + +- **Number of significant digits for coordinates** > **5** +- [x] Turn on **Shorten color values** +- [x] Turn on **Convert CSS attributes to XML attributes** +- [x] Turn on **Collapse groups** +- [x] Turn on **Create groups for similar attributes** +- [ ] Turn off **Keep editor data** +- [ ] Turn off **Keep unreferenced definitions** +- [x] Turn on **Work around renderer bugs** + +In the **SVG Output** tab under **Document options**: + +- [ ] Turn off **Remove the XML declaration** +- [x] Turn on **Remove metadata** +- [x] Turn on **Remove comments** +- [x] Turn on **Embeded raster images** +- [x] Turn on **Enable viewboxing** + +In the **SVG Output** under **Pretty-printing**: + +- [ ] Turn off **Format output with line-breaks and indentation** +- **Indentation characters** > Select **Space** +- **Depth of indentation** > **1** +- [ ] Turn off **Strip the "xml:space" attribute from the root SVG element** + +In the **IDs** tab: + +- [x] Turn on **Remove unused IDs** +- [ ] Turn off **Shorten IDs** +- **Prefix shortened IDs with** > `leave blank` +- [x] Turn on **Preserve manually created IDs not ending with digits** +- **Preserve the following IDs** > `leave blank` +- **Preserve IDs starting with** > `leave blank` + +#### CLI + +The same can be achieved with the [Scour](https://github.com/scour-project/scour) command: + +```bash +scour --set-precision=5 \ + --create-groups \ + --renderer-workaround \ + --remove-descriptive-elements \ + --enable-comment-stripping \ + --enable-viewboxing \ + --indent=space \ + --nindent=1 \ + --no-line-breaks \ + --enable-id-stripping \ + --protect-ids-noninkscape \ + input.svg output.svg +``` diff --git a/i18n/zh/meta/writing-style.md b/i18n/zh/meta/writing-style.md new file mode 100644 index 00000000..b9e47a71 --- /dev/null +++ b/i18n/zh/meta/writing-style.md @@ -0,0 +1,87 @@ +--- +title: Writing Style +--- + +Privacy Guides is written in American English, and you should refer to [APA Style guidelines](https://apastyle.apa.org/style-grammar-guidelines/grammar) when in doubt. + +In general the [United States federal plain language guidelines](https://www.plainlanguage.gov/guidelines/) provide a good overview of how to write clearly and concisely. We highlight a few important notes from these guidelines below. + +## Writing for our audience + +Privacy Guides' intended [audience](https://www.plainlanguage.gov/guidelines/audience/) is primarily average, technology using adults. Don't dumb down content as if you are addressing a middle-school class, but don't overuse complicated terminology about concepts average computer users wouldn't be familiar with. + +### Address only what people want to know + +People don't need overly complex articles with little relevance to them. Figure out what you want people to accomplish when writing an article, and only include those details. + +> Tell your audience why the material is important to them. Say, “If you want a research grant, here’s what you have to do.” Or, “If you want to mine federal coal, here’s what you should know.” Or, “If you’re planning a trip to Rwanda, read this first.” + +### Address people directly + +We're writing *for* a wide variety of people, but we are writing *to* the person who is actually reading it. Use "you" to address the reader directly. + +> More than any other single technique, using “you” pulls users into the information and makes it relevant to them. +> +> When you use “you” to address users, they are more likely to understand what their responsibility is. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/audience/address-the-user/) + +### Avoid "users" + +Avoid calling people "users", in favor of "people", or a more specific description of the group of people you are writing for. + +## Organizing content + +Organization is key. Content should flow from most to least important information, and use headers as much as needed to logically separate different ideas. + +- Limit the document to around five or six sections. Long documents should probably be broken up into separate pages. +- Mark important ideas with **bold** or *italics*. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/design/) + +### Begin with a topic sentence + +> If you tell your reader what they’re going to read about, they’re less likely to have to read your paragraph again. Headings help, but they’re not enough. Establish a context for your audience before you provide them with the details. +> +> We often write the way we think, putting our premises first and then our conclusion. It may be the natural way to develop thoughts, but we wind up with the topic sentence at the end of the paragraph. Move it up front and let users know where you’re going. Don’t make readers hold a lot of information in their heads before getting to the point. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/organize/have-a-topic-sentence/) + +## Choose your words carefully + +> Words matter. They are the most basic building blocks of written and spoken communication. Don’t complicate things by using jargon, technical terms, or abbreviations that people won’t understand. + +We should try to avoid abbreviations where possible, but technology is full of abbreviations. In general, spell out the abbreviation/acronym the first time it is used on a page, and add the abbreviation to the abbreviation glossary file when it is used repeatedly. + +> Kathy McGinty offers tongue-in-cheek instructions for bulking up your simple, direct sentences: +> +> > There is no escaping the fact that it is considered very important to note that a number of various available applicable studies ipso facto have generally identified the fact that additional appropriate nocturnal employment could usually keep juvenile adolescents off thoroughfares during the night hours, including but not limited to the time prior to midnight on weeknights and/or 2 a.m. on weekends. +> +> And the original, using stronger, simpler words: +> +> > More night jobs would keep youths off the streets. + +## Be concise + +> Unnecessary words waste your audience’s time. Great writing is like a conversation. Omit information that the audience doesn’t need to know. This can be difficult as a subject matter expert so it’s important to have someone look at the information from the audience’s perspective. + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/concise/) + +## Keep text conversational + +> Verbs are the fuel of writing. They give your sentences power and direction. They enliven your writing and make it more interesting. +> +> Verbs tell your audience what to do. Make sure it’s clear who does what. + +### Use active voice + +> Active voice makes it clear who is supposed to do what. It eliminates ambiguity about responsibilities. Not “It must be done,” but “You must do it.” + +Source: [plainlanguage.gov](https://www.plainlanguage.gov/guidelines/conversational/use-active-voice/) + +### Use "must" for requirements + +> - “must” for an obligation +> - “must not” for a prohibition +> - “may” for a discretionary action +> - “should” for a recommendation diff --git a/i18n/zh/mobile-browsers.md b/i18n/zh/mobile-browsers.md new file mode 100644 index 00000000..32a53e73 --- /dev/null +++ b/i18n/zh/mobile-browsers.md @@ -0,0 +1,224 @@ +--- +title: "移动浏览器" +icon: material/cellphone-information +description: These browsers are what we currently recommend for standard/non-anonymous internet browsing on your phone. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Private Mobile Browser Recommendations + url: "./" + relatedLink: "../desktop-browsers/" + - + "@context": http://schema.org + "@type": MobileApplication + name: Brave + image: /assets/img/browsers/brave.svg + url: https://brave.com + applicationCategory: Web Browser + operatingSystem: + - 安卓 + subjectOf: + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": MobileApplication + name: Safari + image: /assets/img/browsers/safari.svg + url: https://www.apple.com/safari/ + applicationCategory: Web Browser + operatingSystem: + - iOS + subjectOf: + "@type": WebPage + url: "./" +--- + +这些是我们当前推荐的移动网络浏览器以及标准/非匿名互联网浏览的配置。 如果您需要匿名浏览互联网,则应使用 [Tor](tor.md) 。 一般来说,我们建议将扩展程序保持在最低限度;它们在您的浏览器中具有特权访问权限,要求您信任开发人员,可以使您 [突出](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), [弱化](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) 站点隔离。 + +## 安卓 + +在安卓系统上,火狐的安全性仍然低于基于Chromium的替代品。Mozilla的引擎, [GeckoView](https://mozilla.github.io/geckoview/),还没有支持 [网站隔离](https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture) 或启用 [isolatedProcess](https://bugzilla.mozilla.org/show_bug.cgi?id=1565196)。 + +### Brave + +!!! recommendation + + ![Brave标识](assets/img/browsers/brave.svg){ align=right } + + **Brave浏览器**包括一个内置的内容拦截器和[隐私功能](https://brave.com/privacy-features/),其中许多功能都是默认启用的。 + + Brave是建立在Chromium网络浏览器项目之上的,所以它应该有熟悉的感觉,而且网站兼容性问题最小。 + + [:octicons-home-16: 首页](https://brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="洋葱服务" } + [:octicons-eye-16:](https://brave.com/privacy/browser/){ .card-link title="隐私政策" } + [:octicons-info-16:](https://support.brave.com/){ .card-link title="文档"} + [:octicons-code-16:](https://github.com/brave/brave-browser){ .card-link title="源代码" } + + ??? downloads annotate + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.brave.browser) + - [:simple-github: GitHub](https://github.com/brave/brave-browser/releases) + +#### 推荐配置 + +Tor浏览器是匿名浏览互联网的唯一途径。 当您使用Brave时,我们建议您更改以下设置,以保护您的隐私不受某些方的侵害,但除了 [Tor浏览器](tor.md#tor-browser) 之外的所有浏览器都可以在某些方面被 *个人* 追踪。 + +这些选项可以在 :material-menu: → **设置** → **Brave Shields & 隐私**中找到 + +##### 盾 + +Brave在其 [Shields](https://support.brave.com/hc/en-us/articles/360022973471-What-is-Shields-) 功能中包括一些防指纹的措施。 我们建议将这些选项配置为 [,在你访问的所有页面上全局](https://support.brave.com/hc/en-us/articles/360023646212-How-do-I-configure-global-and-site-specific-Shields-settings-)。 + +##### Brave shields global defaults + +Shields的选项可以根据需要在每个站点的基础上进行降级,但在默认情况下,我们建议设置以下内容。 + +
+ +- [x] Select **Aggressive** under Block trackers & ads + + ??? warning "Use default filter lists" + Brave允许你在内部`brave://adblock`页面中选择额外的内容过滤器。 我们建议不要使用这个功能;相反,保留默认的过滤列表。 使用额外的列表会使你从其他Brave用户中脱颖而出,如果Brave中存在漏洞,恶意规则被添加到你使用的列表中,也可能增加攻击面。 + +- [x] Select **Upgrade connections to HTTPS** +- [x] Select **Always use secure connections** +- [x] (Optional) Select **Block Scripts** (1) +- [x] Select **Strict, may break sites** under **Block fingerprinting** + +
+ +1. This option provides functionality similar to uBlock Origin's advanced [blocking modes](https://github.com/gorhill/uBlock/wiki/Blocking-mode) or the [NoScript](https://noscript.net/) extension. + +##### Clear browsing data + +- [x] Select **Clear data on exit** + +##### Social Media Blocking + +- [ ] 取消勾选所有社交媒体组件 + +##### Other privacy settings + +
+ +- [x] Select **Disable non-proxied UDP** under [WebRTC IP Handling Policy](https://support.brave.com/hc/en-us/articles/360017989132-How-do-I-change-my-Privacy-Settings-#webrtc) +- [ ] Uncheck **Allow sites to check if you have payment methods saved** +- [ ] Uncheck **IPFS Gateway** (1) +- [x] Select **Close tabs on exit** +- [ ] Uncheck **Allow privacy-preserving product analytics (P3A)** +- [ ] Uncheck **Automatically send diagnostic reports** +- [ ] Uncheck **Automatically send daily usage ping to Brave** + +
+ +1. InterPlanetary File System (IPFS) is a decentralized, peer-to-peer network for storing and sharing data in a distributed filesystem. Unless you use the feature, disable it. + +#### Brave 同步 + +[Brave 同步](https://support.brave.com/hc/en-us/articles/360059793111-Understanding-Brave-Sync) 允许你的浏览数据(历史记录、书签等)在你所有的设备上访问,而不需要账户,并以E2EE进行保护。 + +## iOS + +On iOS, any app that can browse the web is [restricted](https://developer.apple.com/app-store/review/guidelines) to using an Apple-provided [WebKit framework](https://developer.apple.com/documentation/webkit), so there is little reason to use a third-party web browser. + +### Safari + +!!! recommendation + + ![Safari logo](assets/img/browsers/safari.svg){ align=right } + + **Safari** is the default browser in iOS. It includes [privacy features](https://support.apple.com/guide/iphone/browse-the-web-privately-iphb01fc3c85/15.0/ios/15.0) such as Intelligent Tracking Protection, Privacy Report, isolated Private Browsing tabs, iCloud Private Relay, and automatic HTTPS upgrades. + + [:octicons-home-16: Homepage](https://www.apple.com/safari/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.apple.com/legal/privacy/data/en/safari/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.apple.com/guide/safari/welcome/mac){ .card-link title=Documentation} + +#### 推荐配置 + +These options can be found in :gear: **Settings** → **Safari** → **Privacy and Security**. + +##### Cross-Site Tracking Prevention + +- [x] Enable **Prevent Cross-Site Tracking** + +This enables WebKit's [Intelligent Tracking Protection](https://webkit.org/tracking-prevention/#intelligent-tracking-prevention-itp). The feature helps protect against unwanted tracking by using on-device machine learning to stop trackers. ITP protects against many common threats, but it does not block all tracking avenues because it is designed to not interfere with website usability. + +##### Privacy Report + +Privacy Report provides a snapshot of cross-site trackers currently prevented from profiling you on the website you're visiting. It can also display a weekly report to show which trackers have been blocked over time. + +Privacy Report is accessible via the Page Settings menu. + +##### Privacy Preserving Ad Measurement + +- [ ] Disable **Privacy Preserving Ad Measurement** + +Ad click measurement has traditionally used tracking technology that infringes on user privacy. [Private Click Measurement](https://webkit.org/blog/11529/introducing-private-click-measurement-pcm/) is a WebKit feature and proposed web standard aimed towards allowing advertisers to measure the effectiveness of web campaigns without compromising on user privacy. + +The feature has little privacy concerns on its own, so while you can choose to leave it on, we consider the fact that it's automatically disabled in Private Browsing to be an indicator for disabling the feature. + +##### Always-on Private Browsing + +Open Safari and tap the Tabs button, located in the bottom right. Then, expand the Tab Groups list. + +- [x] Select **Private** + +Safari's Private Browsing mode offers additional privacy protections. Private Browsing uses a new [ephemeral](https://developer.apple.com/documentation/foundation/urlsessionconfiguration/1410529-ephemeral) session for each tab, meaning tabs are isolated from one another. There are also other smaller privacy benefits with Private Browsing, such as not sending a webpage’s address to Apple when using Safari's translation feature. + +Do note that Private Browsing does not save cookies and website data, so it won't be possible to remain signed into sites. This may be an inconvenience. + +##### iCloud Sync + +Synchronization of Safari History, Tab Groups, iCloud Tabs and saved passwords are E2EE. However, by default, bookmarks are [not](https://support.apple.com/en-us/HT202303). Apple can decrypt and access them in accordance with their [privacy policy](https://www.apple.com/legal/privacy/en-ww/). + +You can enable E2EE for you Safari bookmarks and downloads by enabling [Advanced Data Protection](https://support.apple.com/en-us/HT212520). Go to your **Apple ID name → iCloud → Advanced Data Protection**. + +- [x] Turn On **Advanced Data Protection** + +If you use iCloud with Advanced Data Protection disabled, we also recommend checking to ensure Safari's default download location is set to locally on your device. This option can be found in :gear: **Settings** → **Safari** → **General** → **Downloads**. + +### AdGuard + +!!! recommendation + + ![AdGuard logo](assets/img/browsers/adguard.svg){ align=right } + + **AdGuard for iOS** is a free and open-source content-blocking extension for Safari that uses the native [Content Blocker API](https://developer.apple.com/documentation/safariservices/creating_a_content_blocker). + + AdGuard for iOS has some premium features; however, standard Safari content blocking is free of charge. + + [:octicons-home-16: Homepage](https://adguard.com/en/adguard-ios/overview.html){ .md-button .md-button--primary } + [:octicons-eye-16:](https://adguard.com/privacy/ios.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://kb.adguard.com/ios){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/AdguardTeam/AdguardForiOS){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1047223162) + +Additional filter lists do slow things down and may increase your attack surface, so only apply what you need. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must support automatic updates. +- Must receive engine updates in 0-1 days from upstream release. +- 为使浏览器更加尊重隐私所需的任何改变都不应该对用户体验产生负面影响。 +- Android browsers must use the Chromium engine. + - Unfortunately, Mozilla GeckoView is still less secure than Chromium on Android. + - iOS browsers are limited to WebKit. + +### 扩展标准 + +- 不得复制内置浏览器或操作系统的功能。 +- 必须直接影响用户隐私,即不能简单地提供信息。 diff --git a/i18n/zh/multi-factor-authentication.md b/i18n/zh/multi-factor-authentication.md new file mode 100644 index 00000000..08f876fb --- /dev/null +++ b/i18n/zh/multi-factor-authentication.md @@ -0,0 +1,139 @@ +--- +title: "Multi-Factor Authenticators" +icon: '资料/双因认证' +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +--- + +## 硬件安全密钥 + +### YubiKey + +!!! recommendation + + ![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) + + The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP/), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + + One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://www.yubico.com/quiz/) before purchasing in order to make sure you make the right choice. + + [:octicons-home-16: Homepage](https://www.yubico.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.yubico.com/){ .card-link title=Documentation} + +The [comparison table](https://www.yubico.com/store/compare/) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. + +YubiKeys can be programmed using the [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) or [YubiKey Personalization Tools](https://www.yubico.com/support/download/yubikey-personalization-tools/). For managing TOTP codes, you can use the [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/). All of Yubico's clients are open-source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +!!! warning + The firmware of YubiKey is not open-source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +### Nitrokey + +!!! recommendation + + ![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } + + **Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + + [:octicons-home-16: Homepage](https://www.nitrokey.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.nitrokey.com/){ .card-link title=Documentation} + +The [comparison table](https://www.nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://www.nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +!!! 推荐 + + While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP these secrets, we highly recommend that you use a Yubikey instead. + +!!! 推荐 + + Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://www.coreboot.org/) + [Heads](https://osresearch.net/) firmware. + +Nitrokey's firmware is open-source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. + +## Authenticator Apps + +Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. + +We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. + +### Aegis Authenticator (Android) + +!!! recommendation + + ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ align=right } + + **Aegis Authenticator** is a free, secure and open-source app to manage your 2-step verification tokens for your online services. + + [:octicons-home-16: Homepage](https://getaegis.app){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getaegis.app/aegis/privacy.html){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/beemdevelopment/Aegis/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/beemdevelopment/Aegis){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.buymeacoffee.com/beemdevelopment){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) + - [:simple-github: GitHub](https://github.com/beemdevelopment/Aegis/releases) + +### Raivo OTP (iOS) + +!!! recommendation + + ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ align=right } + + **Raivo OTP** is a native, lightweight and secure time-based (TOTP) & counter-based (HOTP) password client for iOS. Raivo OTP offers optional iCloud backup & sync. Raivo OTP is also available for macOS in the form of a status bar application, however the Mac app does not work independently of the iOS app. + + [:octicons-home-16: Homepage](https://raivo-otp.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://raivo-otp.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-code-16:](https://github.com/raivo-otp/ios-application){ .card-link title="Source Code" } + [:octicons-heart-16:](https://raivo-otp.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/raivo-otp/id1459042137) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Source code must be publicly available. +- Must not require internet connectivity. +- Must not sync to a third-party cloud sync/backup service. + - **Optional** E2EE sync support with OS-native tools is acceptable, e.g. encrypted sync via iCloud. diff --git a/i18n/zh/news-aggregators.md b/i18n/zh/news-aggregators.md new file mode 100644 index 00000000..63e2b18f --- /dev/null +++ b/i18n/zh/news-aggregators.md @@ -0,0 +1,172 @@ +--- +title: "多因素认证工具" +icon: material/rss +description: These news aggregator clients let you keep up with your favorite blogs and news sites using internet standards like RSS. +--- + +A [news aggregator](https://en.wikipedia.org/wiki/News_aggregator) is a way to keep up with your favorite blogs and news sites. + +## Aggregator clients + +### Akregator + +!!! recommendation + + ![Akregator logo](assets/img/news-aggregators/akregator.svg){ align=right } + + **Akregator** is a news feed reader that is a part of the [KDE](https://kde.org) project. It comes with a fast search, advanced archiving functionality and an internal browser for easy news reading. + + [:octicons-home-16: Homepage](https://apps.kde.org/akregator){ .md-button .md-button--primary } + [:octicons-eye-16:](https://kde.org/privacypolicy-apps){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.kde.org/?application=akregator){ .card-link title=Documentation} + [:octicons-code-16:](https://invent.kde.org/pim/akregator){ .card-link title="Source Code" } + [:octicons-heart-16:](https://kde.org/community/donations/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.kde.akregator) + +### Feeder + +!!! recommendation + + ![Feeder logo](assets/img/news-aggregators/feeder.png){ align=right } + + **Feeder** is a modern RSS client for Android that has many [features](https://gitlab.com/spacecowboy/Feeder#features) and works well with folders of RSS feeds. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-repo-16: Repository](https://gitlab.com/spacecowboy/Feeder){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.com/spacecowboy/Feeder){ .card-link title="Source Code" } + [:octicons-heart-16:](https://ko-fi.com/spacecowboy){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nononsenseapps.feeder.play) + +### Fluent Reader + +!!! recommendation + + ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ align=right } + + **Fluent Reader** is a secure cross-platform news aggregator that has useful privacy features such as deletion of cookies on exit, strict [content security policies (CSP)](https://en.wikipedia.org/wiki/Content_Security_Policy) and proxy support, meaning you can use it over [Tor](tor.md). + + [:octicons-home-16: Homepage](https://hyliu.me/fluent-reader){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/yang991178/fluent-reader/wiki/Privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/yang991178/fluent-reader/wiki/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/yang991178/fluent-reader){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/yang991178){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://hyliu.me/fluent-reader) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1520907427) + +### GNOME Feeds + +!!! recommendation + + ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ align=right } + + **GNOME Feeds** is an [RSS](https://en.wikipedia.org/wiki/RSS) and [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)) news reader for [GNOME](https://www.gnome.org). It has a simple interface and is quite fast. + + [:octicons-home-16: Homepage](https://gfeeds.gabmus.org){ .md-button .md-button--primary } + [:octicons-code-16:](https://gitlab.gnome.org/World/gfeeds){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/gabmus/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-linux: Linux](https://gfeeds.gabmus.org/#install) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.gabmus.gfeeds) + +### Miniflux + +!!! recommendation + + ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ align=right } + ![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ align=right } + + **Miniflux** is a web-based news aggregator that you can self-host. It supports [RSS](https://en.wikipedia.org/wiki/RSS), [Atom](https://en.wikipedia.org/wiki/Atom_(Web_standard)), [RDF](https://en.wikipedia.org/wiki/RDF%2FXML) and [JSON Feed](https://en.wikipedia.org/wiki/JSON_Feed). + + [:octicons-home-16: Homepage](https://miniflux.app){ .md-button .md-button--primary } + [:octicons-info-16:](https://miniflux.app/docs/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/miniflux/v2){ .card-link title="Source Code" } + [:octicons-heart-16:](https://miniflux.app/#donations){ .card-link title=Contribute } + +### NetNewsWire + +!!! recommendation + + ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ align=right } + + **NetNewsWire** a free and open-source feed reader for macOS and iOS with a focus on a native design and feature set. It supports the typical feed formats alongside built-in support for Twitter and Reddit feeds. + + [:octicons-home-16: Homepage](https://netnewswire.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://netnewswire.com/privacypolicy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://netnewswire.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Ranchero-Software/NetNewsWire){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/us/app/netnewswire-rss-reader/id1480640210) + - [:simple-apple: macOS](https://netnewswire.com) + +### Newsboat + +!!! recommendation + + ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ align=right } + + **Newsboat** is an RSS/Atom feed reader for the text console. It's an actively maintained fork of [Newsbeuter](https://en.wikipedia.org/wiki/Newsbeuter). It is very lightweight, and ideal for use over [Secure Shell](https://en.wikipedia.org/wiki/Secure_Shell). + + [:octicons-home-16: Homepage](https://newsboat.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://newsboat.org/releases/2.27/docs/newsboat.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/newsboat/newsboat){ .card-link title="Source Code" } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- 它必须是开源软件。 +- Must operate locally, i.e. must not be a cloud service. + +## Social Media RSS Support + +Some social media services also support RSS although it's not often advertised. + +### Reddit + +Reddit allows you to subscribe to subreddits via RSS. + +!!! example + Replace `subreddit_name` with the subreddit you wish to subscribe to. + + ```text + https://www.reddit.com/r/{{ subreddit_name }}/new/.rss + ``` + +### Twitter + +Using any of the Nitter [instances](https://github.com/zedeus/nitter/wiki/Instances) you can easily subscribe using RSS. + +!!! example + 1. Pick an instance and set `nitter_instance`. + 2. Replace `twitter_account` with the account name. + + ```text + https://{{ nitter_instance }}/{{ twitter_account }}/rss + ``` + +### YouTube + +You can subscribe YouTube channels without logging in and associating usage information with your Google Account. + +!!! example + + To subscribe to a YouTube channel with an RSS client, first look for your [channel code](https://support.google.com/youtube/answer/6180214), replace `[CHANNEL ID]` below: + ```text + https://www.youtube.com/feeds/videos.xml?channel_id=[CHANNEL ID] + ``` diff --git a/i18n/zh/notebooks.md b/i18n/zh/notebooks.md new file mode 100644 index 00000000..0739f668 --- /dev/null +++ b/i18n/zh/notebooks.md @@ -0,0 +1,114 @@ +--- +title: "Notebooks" +icon: material/notebook-edit-outline +description: These encrypted note-taking apps let you keep track of your notes without giving them to a third-party. +--- + +Keep track of your notes and journalings without giving them to a third-party. + +If you are currently using an application like Evernote, Google Keep, or Microsoft OneNote, we suggest you pick an alternative here that supports E2EE. + +## Cloud-based + +### Joplin + +!!! recommendation + + ![Joplin logo](assets/img/notebooks/joplin.svg){ align=right } + + **Joplin** is a free, open-source, and fully-featured note-taking and to-do application which can handle a large number of markdown notes organized into notebooks and tags. It offers E2EE and can sync through Nextcloud, Dropbox, and more. It also offers easy import from Evernote and plain-text notes. + + [:octicons-home-16: Homepage](https://joplinapp.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://joplinapp.org/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://joplinapp.org/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/laurent22/joplin){ .card-link title="Source Code" } + [:octicons-heart-16:](https://joplinapp.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.cozic.joplin) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/joplin/id1315599797) + - [:simple-github: GitHub](https://github.com/laurent22/joplin-android/releases) + - [:simple-windows11: Windows](https://joplinapp.org/#desktop-applications) + - [:simple-apple: macOS](https://joplinapp.org/#desktop-applications) + - [:simple-linux: Linux](https://joplinapp.org/#desktop-applications) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/joplin-web-clipper/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/joplin-web-clipper/alofnhikmmkdbbbgpnglcpdollgjjfek) + +Joplin does not support password/PIN protection for the [application itself or individual notes and notebooks](https://github.com/laurent22/joplin/issues/289). However, your data is still encrypted in transit and at the sync location using your master key. Since January 2023, Joplin supports biometrics app lock for [Android](https://joplinapp.org/changelog_android/#android-v2-10-3-https-github-com-laurent22-joplin-releases-tag-android-v2-10-3-pre-release-2023-01-05t11-29-06z) and [iOS](https://joplinapp.org/changelog_ios/#ios-v12-10-2-https-github-com-laurent22-joplin-releases-tag-ios-v12-10-2-2023-01-20t17-41-13z). + +### Standard Notes + +!!! recommendation + + ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ align=right } + + **Standard Notes** is a simple and private notes app that makes your notes easy and available everywhere you are. It features E2EE on every platform, and a powerful desktop experience with themes and custom editors. It has also been [independently audited (PDF)](https://s3.amazonaws.com/standard-notes/security/Report-SN-Audit.pdf). + + [:octicons-home-16: Homepage](https://standardnotes.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://standardnotes.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://standardnotes.com/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/standardnotes){ .card-link title="Source Code" } + [:octicons-heart-16:](https://standardnotes.com/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.standardnotes) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1285392450) + - [:simple-github: GitHub](https://github.com/standardnotes/app/releases) + - [:simple-windows11: Windows](https://standardnotes.com) + - [:simple-apple: macOS](https://standardnotes.com) + - [:simple-linux: Linux](https://standardnotes.com) + - [:octicons-globe-16: Web](https://app.standardnotes.com/) + +### Cryptee + +!!! recommendation + + ![Cryptee logo](./assets/img/notebooks/cryptee.svg#only-light){ align=right } + ![Cryptee logo](./assets/img/notebooks/cryptee-dark.svg#only-dark){ align=right } + + **Cryptee** is an open-source, web-based E2EE document editor and photo storage application. Cryptee is a PWA, which means that it works seamlessly across all modern devices without requiring native apps for each respective platform. + + [:octicons-home-16: Homepage](https://crypt.ee){ .md-button .md-button--primary } + [:octicons-eye-16:](https://crypt.ee/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://crypt.ee/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/cryptee){ .card-link title="Source Code" } + + ??? downloads + + - [:octicons-globe-16: PWA](https://crypt.ee/download) + +Cryptee offers 100MB of storage for free, with paid options if you need more. Sign-up doesn't require an e-mail or other personally identifiable information. + +## Local notebooks + +### Org-mode + +!!! recommendation + + ![Org-mode logo](assets/img/notebooks/org-mode.svg){ align=right } + + **Org-mode** is a [major mode](https://www.gnu.org/software/emacs/manual/html_node/elisp/Major-Modes.html) for GNU Emacs. Org-mode is for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system. Synchronization is possible with [file synchronization](file-sharing.md#file-sync) tools. + + [:octicons-home-16: Homepage](https://orgmode.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://orgmode.org/manuals.html){ .card-link title=Documentation} + [:octicons-code-16:](https://git.savannah.gnu.org/cgit/emacs/org-mode.git){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/bzg){ .card-link title=Contribute } + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Clients must be open-source. +- Any cloud sync functionality must be E2EE. +- Must support exporting documents into a standard format. + +### Best Case + +- Local backup/sync functionality should support encryption. +- Cloud-based platforms should support document sharing. diff --git a/i18n/zh/os/android-overview.md b/i18n/zh/os/android-overview.md new file mode 100644 index 00000000..58225369 --- /dev/null +++ b/i18n/zh/os/android-overview.md @@ -0,0 +1,169 @@ +--- +title: Android概述 +icon: simple/android +description: Android is an open-source operating system with strong security protections, which makes it our top choice for phones. +--- + +安卓是一个安全的操作系统,它有强大的[应用程序沙箱](https://source.android.com/security/app-sandbox),[启动时验证](https://source.android.com/security/verifiedboot)(AVB),以及一个强大的[权限](https://developer.android.com/guide/topics/permissions/overview)控制系统。 + +## 挑选安卓 ROM + +你买到的安卓手机多半已经预装了能侵犯隐私的应用与服务,而这些服务并不属于 [AOSP](https://source.android.com/)。 例如 Google Play 服务:它有权访问你的文件、联系人、通话记录、短信、定位、相机、麦克风、硬件身份码等。且这些权限无法收回。 这类应用与服务扩大了你的设备的攻击面,也是安卓系统的各种隐私问题的源头。 + +换用一个不预装这类软件的安卓 ROM 可以解决这个问题。 不巧,很多安卓 ROM 不支持 AVB、回滚保护、系统更新、等这些关键的安全功能,破坏了安卓的安全模型。 某些 ROM 发布的版本属于 [`userdebug`](https://source.android.com/setup/build/building#choose-a-target) 构建版本。这个版本通过 [ADB](https://developer.android.com/studio/command-line/adb) 来提供 root 访问,并且为了支持调试,[放宽](https://github.com/LineageOS/android_system_sepolicy/search?q=userdebug&type=code)了 SELinux 规则。这进一步扩大了攻击面,弱化了安全模型。 + +在挑选安卓 ROM 时,理想的情况,是能找到坚持安卓安全模型的 ROM。 最起码的是,你选用的 ROM 应该提供生产版本(而非 `userdebug`版本)的构建,能支持 AVB、回滚保护、按时推送系统更新、把 SELinux 设为[强制模式](https://source.android.com/security/selinux/concepts#enforcement_levels)。 我们推荐的所有安卓 ROM 都满足上述标准。 + +[我们推荐的安卓 ROM :material-arrow-right-drop-circle:](../android.md ""){.md-button} + +## 避免 Root + +[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) 安卓手机会大大降低安全性,因为它削弱了完整的 [安卓安全模型](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy)。 如果有一个被降低的安全性所帮助的漏洞,这可能会减少隐私。 常见的root方法涉及直接篡改启动分区,使得它不可能成功地进行验证性启动。 需要root的应用程序也会修改系统分区,这意味着验证启动将不得不保持禁用。 在用户界面上直接暴露root也增加了你的设备的 [攻击面](https://en.wikipedia.org/wiki/Attack_surface) ,并可能有助于 [特权升级](https://en.wikipedia.org/wiki/Privilege_escalation) 漏洞和SELinux政策的绕过。 + +广告拦截器,修改 [hosts文件](https://en.wikipedia.org/wiki/Hosts_(file)) (AdAway)和防火墙(AFWall+),需要持续的根访问是危险的,不应该被使用。 它们也不是解决其预期目的的正确方法。 对于广告屏蔽,我们建议采用加密的 [DNS](../dns.md) 或 [VPN](../vpn.md) 服务器屏蔽解决方案。 RethinkDNS、TrackerControl和AdAway在非root模式下将占用VPN插槽(通过使用本地环回VPN),使你无法使用增强隐私的服务,如Orbot或真正的VPN服务器。 + +AFWall+基于 [包过滤](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) 方法工作,在某些情况下可能会被绕过。 + +我们认为,通过root手机所做的安全牺牲不值得那些应用程序的可疑隐私利益。 + +## 已验证的启动 + +[经过验证的启动](https://source.android.com/security/verifiedboot) ,是安卓安全模式的一个重要组成部分。 它能够保护您免受 [罪恶的](https://en.wikipedia.org/wiki/Evil_maid_attack) 攻击、恶意软件的持久性,并确保安全更新不能用 [回滚保护降级](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection) + +安卓10及以上版本已经从全盘加密转向更灵活的 [基于文件的加密](https://source.android.com/security/encryption/file-based)。 你的数据使用独特的加密密钥进行加密,而操作系统文件则不被加密。 + +验证启动确保了操作系统文件的完整性,从而防止有物理访问权限的对手在设备上篡改或安装恶意软件。 在不太可能的情况下,如果恶意软件能够利用系统的其他部分并获得更高的特权访问,验证性启动将防止并在重启设备时恢复对系统分区的更改。 + +遗憾的是,OEM厂商只有在其库存的安卓系统上才有义务支持验证性启动。 只有少数OEM厂商,如谷歌,支持在他们的设备上定制AVB密钥注册。 此外,一些AOSP衍生产品,如LineageOS或/e/ OS,即使在对第三方操作系统有验证启动支持的硬件上也不支持验证启动。 我们建议你在 购买新设备之前,先查看支持 **。 不支持验证性启动的AOSP衍生产品是 **,不推荐**。

+ +许多原始设备制造商也有破碎的实施验证启动,你必须注意他们的营销之外。 例如,Fairphone 3和4在默认情况下是不安全的,因为 [股票引导程序信任公共AVB签名密钥](https://forum.fairphone.com/t/bootloader-avb-keys-used-in-roms-for-fairphone-3-4/83448/11)。 这破坏了Fairphone设备上的验证引导,因为系统将引导替代Android操作系统(如/e/) [,而没有任何关于自定义操作系统使用的警告](https://source.android.com/security/verifiedboot/boot-flow#locked-devices-with-custom-root-of-trust) 。 + +## 固件更新 + +固件更新是维护安全的关键,没有它们,你的设备就不可能是安全的。 原始设备制造商与他们的合作伙伴有支持协议,在有限的支持期内提供闭源组件。 这些内容详见每月的 [Android安全公告](https://source.android.com/security/bulletin)。 + +由于手机的组件,如处理器和无线电技术依赖于闭源组件,更新必须由各自的制造商提供。 因此,重要的是,你要在一个有效的支持周期内购买设备。 [高通公司](https://www.qualcomm.com/news/releases/2020/12/16/qualcomm-and-google-announce-collaboration-extend-android-os-support-and) 和 [三星](https://news.samsung.com/us/samsung-galaxy-security-extending-updates-knox/) ,对其设备的支持期为4年,而便宜的产品往往支持周期更短。 随着 [Pixel 6](https://support.google.com/pixelphone/answer/4457705)的推出,谷歌现在制造自己的SoC,他们将提供至少5年的支持。 + +不再受SoC制造商支持的EOL设备无法从OEM供应商或后市场Android分销商处获得固件更新。 这意味着这些设备的安全问题将继续得不到解决。 + +例如,Fairphone在市场上宣传他们的设备可以获得6年的支持。 然而,SoC(Fairphone 4上的高通骁龙750G)的EOL日期要短得多。 这意味着高通公司为Fairphone 4提供的固件安全更新将在2023年9月结束,无论Fairphone是否继续发布软件安全更新。 + +## Android 版本 + +重要的是,不要使用 [报废的](https://endoflife.date/android) 版本的Android。 较新版本的安卓系统不仅会收到操作系统的安全更新,也会收到重要的隐私增强更新。 例如, [,在Android 10之前](https://developer.android.com/about/versions/10/privacy/changes),任何具有 [`READ_PHONE_STATE`](https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE) 权限的应用程序都可以访问你的手机的敏感和独特的序列号,如 [IMEI](https://en.wikipedia.org/wiki/International_Mobile_Equipment_Identity), [MEID](https://en.wikipedia.org/wiki/Mobile_equipment_identifier),你的SIM卡的 [IMSI](https://en.wikipedia.org/wiki/International_mobile_subscriber_identity),而现在他们必须是系统应用程序才能这样做。 系统应用只由OEM或安卓发行提供。 + +## Android 权限 + +[Android上的权限](https://developer.android.com/guide/topics/permissions/overview) ,让你控制哪些应用程序被允许访问。 谷歌定期在每个连续的版本中对权限系统进行 [改善](https://developer.android.com/about/versions/11/privacy/permissions)。 你安装的所有应用程序都是严格的 [沙箱](https://source.android.com/security/app-sandbox),因此,没有必要安装任何杀毒软件。 + +A smartphone with the latest version of Android will always be more secure than an old smartphone with an antivirus that you have paid for. It's better not to pay for antivirus software and to save money to buy a new smartphone such as a Google Pixel. + +Android 10: + +- [Scoped Storage](https://developer.android.com/about/versions/10/privacy/changes#scoped-storage) gives you more control over your files and can limit what can [access external storage](https://developer.android.com/training/data-storage#permissions). Apps can have a specific directory in external storage as well as the ability to store specific types of media there. +- Tighter access on [device location](https://developer.android.com/about/versions/10/privacy/changes#app-access-device-location) by introducing the `ACCESS_BACKGROUND_LOCATION` permission. This prevents apps from accessing the location when running in the background without express permission from the user. + +Android 11: + +- [One-time permissions](https://developer.android.com/about/versions/11/privacy/permissions#one-time) which allows you to grant a permission to an app just once. +- [Auto-reset permissions](https://developer.android.com/about/versions/11/privacy/permissions#auto-reset), which resets [runtime permissions](https://developer.android.com/guide/topics/permissions/overview#runtime) that were granted when the app was opened. +- Granular permissions for accessing [phone number](https://developer.android.com/about/versions/11/privacy/permissions#phone-numbers) related features. + +Android 12: + +- A permission to grant only the [approximate location](https://developer.android.com/about/versions/12/behavior-changes-12#approximate-location). +- Auto-reset of [hibernated apps](https://developer.android.com/about/versions/12/behavior-changes-12#app-hibernation). +- [Data access auditing](https://developer.android.com/about/versions/12/behavior-changes-12#data-access-auditing) which makes it easier to determine what part of an app is performing a specific type of data access. + +Android 13: + +- A permission for [nearby wifi access](https://developer.android.com/about/versions/13/behavior-changes-13#nearby-wifi-devices-permission). The MAC addresses of nearby WiFi access points was a popular way for apps to track a user's location. +- More [granular media permissions](https://developer.android.com/about/versions/13/behavior-changes-13#granular-media-permissions), meaning you can grant access to images, videos or audio files only. +- Background use of sensors now requires the [`BODY_SENSORS`](https://developer.android.com/about/versions/13/behavior-changes-13#body-sensors-background-permission) permission. + +An app may request a permission for a specific feature it has. For example, any app that can scan QR codes will require the camera permission. Some apps can request more permissions than they need. + +[Exodus](https://exodus-privacy.eu.org/) can be useful when comparing apps that have similar purposes. If an app requires a lot of permissions and has a lot of advertising and analytics this is probably a bad sign. We recommend looking at the individual trackers and reading their descriptions rather than simply **counting the total** and assuming all items listed are equal. + +!!! 推荐 + + If an app is mostly a web-based service, the tracking may occur on the server side. [Facebook](https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/) shows "no trackers" but certainly does track users' interests and behavior across the site. Apps may evade detection by not using standard code libraries produced by the advertising industry, though this is unlikely. + +!!! note + + Privacy-friendly apps such as [Bitwarden](https://reports.exodus-privacy.eu.org/en/reports/com.x8bit.bitwarden/latest/) may show some trackers such as [Google Firebase Analytics](https://reports.exodus-privacy.eu.org/en/trackers/49/). This library includes [Firebase Cloud Messaging](https://en.wikipedia.org/wiki/Firebase_Cloud_Messaging) which can provide [push notifications](https://en.wikipedia.org/wiki/Push_technology) in apps. This [is the case](https://fosstodon.org/@bitwarden/109636825700482007) with Bitwarden. That doesn't mean that Bitwarden is using all of the analytics features that are provided by Google Firebase Analytics. + +## 媒体访问 + +相当多的应用程序允许你与他们 "共享 "一个文件进行媒体上传。 例如,如果你想在推特上发布一张图片,不要授予推特对你的 "媒体和照片 "的访问权,因为那时它就可以访问你所有的图片。 相反,去你的文件管理器(documentsUI),按住图片,然后与Twitter分享。 + +## 用户资料 + +多个用户配置文件可以在 **设置** → **系统** → **多个用户** ,是Android中最简单的隔离方式。 + +通过用户个人资料,你可以对一个特定的个人资料施加限制,如:打电话、使用短信或在设备上安装应用程序。 每个用户资料使用自己的加密密钥进行加密,不能访问任何其他人的个人资料。 即使是设备所有者,如果不知道他们的密码,也不能查看其他人的个人资料。 多个个人资料是一种更安全的隔离方法。 + +## 工作身份 + +[工作配置文件](https://support.google.com/work/android/answer/6191949) 是隔离单个应用程序的另一种方式,可能比单独的用户配置文件更方便。 + +在没有企业MDM的情况下,需要一个 **设备控制器** 应用程序,如 [Shelter](#recommended-apps) ,以创建一个工作档案,除非你使用的是包括一个自定义的Android操作系统。 + +该工作档案依赖于设备控制器来运作。 诸如 *文件穿梭* 和 *接触搜索封锁* 或任何种类的隔离功能必须由控制器实现。 你还必须完全信任设备控制器应用程序,因为它可以完全访问你在工作档案中的数据。 + +这种方法通常不如二级用户配置文件安全;但是,它确实允许你在工作和个人配置文件中同时运行应用程序的便利。 + +## VPN Killswitch + +Android 7及更高版本支持VPN killswitch ,无需安装第三方应用程序即可使用。 如果VPN断开连接,此功能可以防止泄漏。 可以在 :gear: **设置** → **网络 & 互联网** → **VPN** → :gear: → **阻止没有VPN的连接**。 + +## 全局切换 + +现代安卓设备有全局切换键,用于禁用蓝牙和定位服务。 安卓12引入了相机和麦克风的切换功能。 在不使用时,我们建议禁用这些功能。 在重新启用之前,应用程序不能使用被禁用的功能(即使被授予个别许可)。 + +## 谷歌 + +如果你使用的是带有谷歌服务的设备,无论是你的原生操作系统还是像GrapheneOS这样的安全沙盒式的操作系统,你可以做一些额外的改变来改善你的隐私。 我们仍然建议完全避免使用谷歌服务,或者通过将 *Shelter* 等设备控制器与GrapheneOS的沙盒化谷歌游戏结合起来,将谷歌游戏服务限制在特定的用户/工作档案中。 + +### 高级保护计划 + +如果你有一个谷歌账户,我们建议注册 [高级保护计划](https://landing.google.com/advancedprotection/)。 任何拥有两个或更多支持 [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) 的硬件安全密钥的人都可以免费使用。 + +高级保护计划提供增强的威胁监控,并支持: + +- 更严格的双因素认证;例如,必须使用 [FIDO](../basics/multi-factor-authentication.md#fido-fast-identity-online) **,不允许使用 [SMS OTPs](../basics/multi-factor-authentication.md#sms-or-email-mfa), [TOTP](../basics/multi-factor-authentication.md#time-based-one-time-password-totp) 和 [OAuth](https://en.wikipedia.org/wiki/OAuth)。 +- 只有谷歌和经过验证的第三方应用程序可以访问账户数据 +- 在 Gmail 帐户上扫描收到的邮件以进行 [钓鱼](https://en.wikipedia.org/wiki/Phishing#Email_phishing) 尝试 +- 更严格的 [安全的浏览器扫描](https://www.google.com/chrome/privacy/whitepaper.html#malware) 与谷歌浏览器 +- 对丢失凭证的账户有更严格的恢复程序 + + 如果你使用非沙盒式的Google Play服务(在股票操作系统上很常见),高级保护计划还带有 [额外的好处](https://support.google.com/accounts/answer/9764949?hl=en) ,例如。 + +- 不允许在Google Play商店、操作系统供应商的应用程序商店之外安装应用程序,或通过 [`adb`](https://en.wikipedia.org/wiki/Android_Debug_Bridge) +- 强制性的自动设备扫描与 [Play Protect](https://support.google.com/googleplay/answer/2812853?hl=en#zippy=%2Chow-malware-protection-works%2Chow-privacy-alerts-work) +- 警告你有未经验证的应用程序 + +### Google Play 系统更新 + +在过去,安卓系统的安全更新必须由操作系统供应商来提供。 从安卓10开始,安卓变得更加模块化,谷歌可以通过特权游戏服务推送安全更新, **一些** 系统组件。 + +如果你有一个以安卓10或以上系统出厂的EOL设备,并且无法在你的设备上运行我们推荐的任何操作系统,你很可能最好坚持使用你的OEM安卓安装(而不是这里没有列出的操作系统,如LineageOS或/e/ OS)。 这将允许你从谷歌获得 **,一些** 安全修复,同时不会因为使用不安全的安卓衍生产品而违反安卓安全模式,增加你的攻击面。 我们仍然建议尽快升级到支持的设备。 + +### 广告 ID + +所有安装了Google Play服务的设备都会自动生成一个 [广告ID](https://support.google.com/googleplay/android-developer/answer/6048248?hl=en) ,用于定向广告。 禁用此功能以限制收集到的关于你的数据。 + +在带有 [Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play)的安卓发行上,进入 :gear: **设置** → **应用程序** → **Sandboxed Google Play** → **谷歌设置** → **广告**,并选择 *删除广告 ID*。 + +在拥有特权的谷歌游戏服务的安卓发行版上(如股票操作系统),该设置可能在几个位置之一。 查看 + +- :gear: **设置** → **谷歌** → **广告** +- :gear: **设置** → **隐私** → **广告** + +你可以选择删除你的广告ID,或者 *,选择退出基于兴趣的广告*,这在安卓的OEM发行中是不同的。 如果呈现出删除广告ID的选项,那是首选。 如果没有,那么请确保选择退出并重新设置你的广告ID。 + +### SafetyNet和Play Integrity API + +[安全网](https://developer.android.com/training/safetynet/attestation) 和 [Play Integrity APIs](https://developer.android.com/google/play/integrity) ,一般用于 [银行应用程序](https://grapheneos.org/usage#banking-apps)。 许多银行应用程序在GrapheneOS中使用沙盒游戏服务可以正常工作,但是一些非金融应用程序有自己的粗略防篡改机制,可能会失败。 GrapheneOS通过了 `basicIntegrity` 检查,但没有通过认证检查 `ctsProfileMatch`。 安卓8或更高版本的设备有硬件认证支持,如果没有泄露的密钥或严重的漏洞,就无法绕过。 + +至于谷歌钱包,我们不推荐这样做,因为他们的 [隐私政策](https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en),其中规定如果你不希望你的信用等级和个人信息与联盟营销服务共享,你必须选择退出。 diff --git a/i18n/zh/os/linux-overview.md b/i18n/zh/os/linux-overview.md new file mode 100644 index 00000000..f45e0a01 --- /dev/null +++ b/i18n/zh/os/linux-overview.md @@ -0,0 +1,170 @@ +--- +title: Linux概述 +icon: simple/linux +description: Linux is an open-source, privacy-focused desktop operating system alternative, but not all distribitions are created equal. +--- + +人们通常认为, [开源](https://en.wikipedia.org/wiki/Open-source_software) 软件本身是安全的,因为源代码是可用的。 预期社区验证会定期进行;但这并不总是 [案例](https://seirdy.one/posts/2022/02/02/floss-security/)。 It does depend on a number of factors, such as project activity, developer experience, level of rigor applied to [code reviews](https://en.wikipedia.org/wiki/Code_review), and how often attention is given to specific parts of the [codebase](https://en.wikipedia.org/wiki/Codebase) that may go untouched for years. + +目前,桌面Linux与它们的专利同行相比,确实有一些可以更好地改进的地方,例如:。 + +- 一个经过验证的启动链,如苹果的 [安全启动](https://support.apple.com/guide/security/startup-security-utility-secc7b34e5b5/web) (有 [安全飞地](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1)),安卓的 [验证启动](https://source.android.com/security/verifiedboot),ChromeOS的 [验证启动](https://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview/#verified-boot),或微软Windows的 [启动过程](https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process) ,有 [TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm)。 这些功能和硬件技术都可以帮助防止恶意软件的持续篡改或 [邪恶女仆的攻击](https://en.wikipedia.org/wiki/Evil_Maid_attack) +- 一个强大的沙箱解决方案,如在 [macOS](https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html), [ChromeOS](https://chromium.googlesource.com/chromiumos/docs/+/HEAD/sandboxing.md),和 [Android](https://source.android.com/security/app-sandbox)。 常用的Linux沙箱解决方案,如 [Flatpak](https://docs.flatpak.org/en/latest/sandbox-permissions.html) 和 [Firejail](https://firejail.wordpress.com/) ,仍然有很长的路要走。 +- 强大的 [漏洞缓解措施](https://madaidans-insecurities.github.io/linux.html#exploit-mitigations) + +尽管有这些缺点,但如果你想,桌面Linux发行版还是很不错的。 + +- 避免专有操作系统中经常出现的遥测现象 +- 保持 [软件自由](https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms) +- 有关注隐私的系统,如 [Whonix](https://www.whonix.org) 或 [Tails](https://tails.boum.org/) + +我们的网站通常使用术语 "Linux "来描述桌面Linux发行版。 其他也使用Linux内核的操作系统,如ChromeOS、Android和Qubes OS,这里不作讨论。 + +[我们的Linux推荐 :material-arrow-right-drop-circle:](../desktop.md ""){.md-button} + +## 选择您的发行版 + +并非所有的 Linux 发行版都是相同的。 虽然我们的Linux推荐页面并不是要成为你应该使用哪个发行版的权威来源,但在选择使用哪个发行版时,有几件事你应该记住。 + +### 发布周期 + +我们强烈建议你选择与稳定的上游软件版本接近的发行版,通常被称为滚动发行版。 这是因为冻结发布周期的发行版往往不更新软件包版本,并且在安全更新方面落后。 + +对于冻结的发行版,如 [Debian](https://www.debian.org/security/faq#handling),软件包维护者被要求回传补丁来修复漏洞,而不是将软件提升到上游开发者发布的 "下一个版本"。 有些安全补丁 + +,根本没有收到 [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (特别是不太流行的软件),因此在这种补丁模式下,不能进入发行版。 因此,小的安全修复有时会被推迟到下一个主要版本。

+ +我们不认为保留软件包和应用临时补丁是一个好主意,因为它偏离了开发者可能打算让软件工作的方式。 [理查德-布朗](https://rootco.de/aboutme/) ,有一个关于这个问题的介绍。 + +
+ +
+ +### 传统vs原子更新 + +传统上,Linux发行版的更新方式是依次更新所需的软件包。 如果在更新时发生错误,传统的更新,如基于Fedora、Arch Linux和Debian的发行版中使用的更新,可能不太可靠。 + +原子更新发行版完全或根本不应用更新。 通常情况下,事务性更新系统也是原子性的。 + +事务性更新系统创建了一个快照,在应用更新之前和之后进行。 如果更新在任何时候失败(也许是由于电源故障),更新可以很容易地回滚到 "最后已知良好状态"。 + +原子更新法用于Silverblue、Tumbleweed和NixOS等不可变的发行版,可以通过这种模式实现可靠性。 [Adam Šamalík](https://twitter.com/adsamalik) 提供了一个关于 `rpm-ostree` 如何与Silverblue一起工作的演讲。 + +
+ +
+ +### “以安全为重点”的分发 + +通常在“以安全为中心”的发行版和“渗透测试”发行版之间存在一些混淆。 快速搜索“最安全的Linux发行版”通常会得到像Kali Linux , Black Arch和Parrot OS这样的结果。 这些发行版是攻击性的渗透测试发行版,捆绑了测试其他系统的工具。 它们不包括任何 "额外的安全 "或用于常规使用的防御性缓解措施。 + + + +### 基于Arch的发行版 + +基于Arch的发行版不推荐给那些刚接触Linux的人,(无论哪个发行版),因为它们需要定期进行 [系统维护](https://wiki.archlinux.org/title/System_maintenance)。 Arch没有底层软件选择的分发更新机制。 因此,你必须保持对当前趋势的了解,并在技术取代旧有做法时自行采用。 + +对于一个安全的系统,你还应该有足够的Linux知识来为他们的系统正确设置安全,如采用 [强制性访问控制](https://en.wikipedia.org/wiki/Mandatory_access_control) 系统,设置 [内核模块](https://en.wikipedia.org/wiki/Loadable_kernel_module#Security) 黑名单,硬化启动参数,操作 [sysctl](https://en.wikipedia.org/wiki/Sysctl) 参数,并知道他们需要哪些组件,如 [Polkit](https://en.wikipedia.org/wiki/Polkit)。 + +任何使用 [Arch User Repository (AUR)](https://wiki.archlinux.org/title/Arch_User_Repository), **的人必须** ,对他们从该服务中安装的PKGBUILD进行审计。 AUR软件包是社区制作的内容,没有经过任何审查,因此很容易受到软件供应链的攻击,事实上在过去已经发生了 [](https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/)。 AUR总是应该少用,而且往往在各种网页上有很多不好的建议,指导人们盲目地使用 [AUR帮助器](https://wiki.archlinux.org/title/AUR_helpers) ,而没有足够的警告。 类似的警告也适用于在基于Debian的发行版上使用第三方个人软件包档案(PPAs)或在Fedora上使用社区项目(COPR)。 + +如果你对Linux有经验,并希望使用基于Arch的发行版,我们只推荐主线Arch Linux,而不是它的任何衍生品。 我们特别建议不要使用这两种Arch衍生品。 + +- **Manjaro**: 这个发行版将软件包保留2周,以确保他们自己的修改不会破坏,而不是确保上游的稳定。 当使用AUR软件包时,它们通常是根据Arch的软件库中最新的 [库构建的](https://en.wikipedia.org/wiki/Library_(computing))。 +- **Garuda**: 他们使用 [Chaotic-AUR](https://aur.chaotic.cx/) ,它自动地、盲目地从AUR编译软件包。 没有验证过程来确保AUR包不会受到供应链的攻击。 + + + +### Kicksecure + +虽然我们强烈建议不要使用像Debian这样的过时的发行版,但有一种基于Debian的操作系统已经被加固,比典型的Linux发行版要安全得多。 [Kicksecure](https://www.kicksecure.com/)。 Kicksecure,简单地说,是一组脚本、配置和软件包,可以大大减少 Debian 的攻击面。 它默认涵盖了大量的隐私和加固建议。 + + + +### Linux-libre内核和“Libre”发行版 + + 我们强烈建议 **,不要使用Linux-libre内核,因为它 [,删除了安全缓解措施](https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released) ,并且 [,出于意识形态的原因,抑制了内核对脆弱微码的警告](https://news.ycombinator.com/item?id=29674846)。

+ + + +## 一般建议 + + + +### 驱动器加密 + +大多数Linux发行版在其安装程序中都有一个选项用于启用 [LUKS](../encryption.md#linux-unified-key-setup) FDE。 如果在安装时没有设置这个选项,你将不得不备份你的数据并重新安装,因为加密是在 [磁盘分区](https://en.wikipedia.org/wiki/Disk_partitioning),但在 [文件系统](https://en.wikipedia.org/wiki/File_system) 被格式化之前应用。 我们还建议安全地删除你的存储设备。 + +- [安全数据清除 :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/05/25/secure-data-erasure/) + + + +### Swap + +考虑使用 [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) 或 [加密的交换空间](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) ,而不是未加密的交换空间,以避免敏感数据被推送到 [交换空间](https://en.wikipedia.org/wiki/Memory_paging)的潜在安全问题。 基于Fedora的发行版 [,默认使用ZRAM](https://fedoraproject.org/wiki/Changes/SwapOnZRAM)。 + + + +### Wayland + +我们建议使用支持 [Wayland](https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)) 显示协议的桌面环境,因为它的开发考虑到了安全 [](https://lwn.net/Articles/589147/)。 其前身 [X11](https://en.wikipedia.org/wiki/X_Window_System),不支持GUI隔离,允许所有窗口 [,记录屏幕、日志和注入其他窗口的输入](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html),使任何沙箱的尝试都是徒劳的。 虽然有一些选项可以做嵌套的X11,比如 [Xpra](https://en.wikipedia.org/wiki/Xpra) 或 [Xephyr](https://en.wikipedia.org/wiki/Xephyr),但它们往往会带来负面的性能后果,而且设置起来也不方便,比起Wayland来并不可取。 + +幸运的是,常见的环境,如 [GNOME](https://www.gnome.org), [KDE](https://kde.org),以及窗口管理器 [Sway](https://swaywm.org) 都支持 Wayland。 一些发行版如Fedora和Tumbleweed默认使用它,其他一些发行版可能在未来也会这样做,因为X11处于 [hard maintenance mode](https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly)。 如果你使用的是这些环境之一,就像在桌面显示管理器中选择 "Wayland "会话一样简单([GDM](https://en.wikipedia.org/wiki/GNOME_Display_Manager), [SDDM](https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager)) 。 + + 我们建议 **,反对使用没有Wayland支持的桌面环境或窗口管理器,如Cinnamon(Linux Mint的默认)、Pantheon(Elementary OS的默认)、MATE、Xfce和i3。

+ + + +### 专有固件(Microcode更新) + +Linux发行版,如那些 [Linux-libre](https://en.wikipedia.org/wiki/Linux-libre) 或DIY(Arch Linux),不附带专有的 [微码](https://en.wikipedia.org/wiki/Microcode) 更新,而这些更新通常会修补漏洞。 这些漏洞的一些明显例子包括: [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)), [Meltdown](https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)), [SSB](https://en.wikipedia.org/wiki/Speculative_Store_Bypass), [Foreshadow](https://en.wikipedia.org/wiki/Foreshadow), [MDS](https://en.wikipedia.org/wiki/Microarchitectural_Data_Sampling), [SWAPGS](https://en.wikipedia.org/wiki/SWAPGS_(security_vulnerability)), 以及其他 [硬件漏洞](https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html)。 + +我们 **,强烈建议** ,安装微码更新,因为你的CPU在出厂时已经在运行专有的微码。 Fedora和openSUSE都有默认应用的微码更新。 + + + +### 更新 + +大多数Linux发行版会自动安装更新或提醒你这样做。 重要的是保持你的操作系统是最新的,这样当发现漏洞时,你的软件就会打上补丁。 + +一些发行版(尤其是那些针对高级用户的发行版)更加简陋,希望你能自己做一些事情(例如Arch或Debian)。 这些将需要手动运行 "软件包管理器" (`apt`, `pacman`, `dnf`, 等等),以便接收重要的安全更新。 + +此外,一些发行版将不会自动下载固件更新。 为此,你将需要安装 [`fwupd`](https://wiki.archlinux.org/title/Fwupd)。 + + + +## 隐私调整 + + + +### MAC地址随机化 + +许多桌面Linux发行版(Fedora、openSUSE等)将自带 [NetworkManager](https://en.wikipedia.org/wiki/NetworkManager),以配置以太网和Wi-Fi设置。 + +在使用NetworkManager时,可以随机化 [](https://fedoramagazine.org/randomize-mac-address-nm/) [MAC地址](https://en.wikipedia.org/wiki/MAC_address)。 这在Wi-Fi网络上提供了更多的隐私,因为它使你更难追踪你所连接的网络上的特定设备。 它并不是 [****](https://papers.mathyvanhoef.com/wisec2016.pdf) 让你匿名。 + +我们建议将设置改为 **随机** ,而不是 **稳定**,正如 [文章中建议的那样](https://fedoramagazine.org/randomize-mac-address-nm/)。 + +如果你使用 [systemd-networkd](https://en.wikipedia.org/wiki/Systemd#Ancillary_components),你需要设置 [`MACAddressPolicy=random`](https://www.freedesktop.org/software/systemd/man/systemd.link.html#MACAddressPolicy=) ,这将启用 [RFC 7844 (Anonymity Profiles for DHCP Clients)](https://www.freedesktop.org/software/systemd/man/systemd.network.html#Anonymize=)。 + +对以太网连接的MAC地址进行随机化的意义不大,因为系统管理员可以通过查看你在 [网络交换机上使用的端口找到你](https://en.wikipedia.org/wiki/Network_switch)。 随机化Wi-Fi MAC地址取决于Wi-Fi固件的支持。 + + + +### 其他标识符 + +还有一些其他的系统标识符,你可能要小心对待。 你应该考虑一下,看看它是否适用于你的 [威胁模型](../basics/threat-modeling.md)。 + +- **主机名。** 你的系统的主机名是与你所连接的网络共享的。 你应该避免在你的主机名中包括像你的名字或操作系统这样的识别术语,而是坚持使用通用术语或随机字符串。 +- **用户名。** 同样地,你的用户名在你的系统中以各种方式使用。 考虑使用 "用户 "这样的通用术语,而不是你的真实姓名。 +- **机器ID:**:在安装过程中,会生成一个独特的机器ID并存储在你的设备上。 考虑 [,将其设置为一个通用的ID](https://madaidans-insecurities.github.io/guides/linux-hardening.html#machine-id)。 + + + +### 系统计数 + +Fedora 项目 [通过使用一个 [`countme`](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Detailed_Description) 变量而不是唯一的 ID 来计算](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) 有多少独特的系统访问它的镜像。 Fedora这样做是为了确定负载并在必要时为更新提供更好的服务器。 + +这个 [选项](https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and-repo) ,目前默认是关闭的。 我们建议将 `countme=false` 添加到 `/etc/dnf/dnf.conf` ,以备将来启用它。 在使用 `rpm-ostree` 的系统上,如Silverblue,通过屏蔽 [rpm-ostree-countme](https://fedoramagazine.org/getting-better-at-counting-rpm-ostree-based-systems/) 计时器来禁用 countme 选项。 + +openSUSE 还使用一个 [唯一的 ID](https://en.opensuse.org/openSUSE:Statistics) 来计算系统,可以通过删除 `/var/lib/zypp/AnonymousUniqueId` 文件来禁用它。 diff --git a/i18n/zh/os/qubes-overview.md b/i18n/zh/os/qubes-overview.md new file mode 100644 index 00000000..d16528b3 --- /dev/null +++ b/i18n/zh/os/qubes-overview.md @@ -0,0 +1,58 @@ +--- +title: "Qubes概述" +icon: simple/qubesos +description: Qubes is an operating system built around isolating apps within virtual machines for heightened security. +--- + +[**Qubes OS**](../desktop.md#qubes-os) 是一个操作系统,它使用 [Xen](https://en.wikipedia.org/wiki/Xen) 管理程序,通过隔离的虚拟机为桌面计算提供强大的安全性。 每个虚拟机被称为 *Qube* ,你可以根据它的目的给每个Qube分配一个信任等级。 由于Qubes操作系统通过使用隔离来提供安全,并且只允许在每个案例的基础上进行操作,它与 [坏性枚举](https://www.ranum.com/security/computer_security/editorials/dumb/)。 + +## Qubes操作系统是如何工作的? + +Qubes使用 [分区](https://www.qubes-os.org/intro/) ,以保持系统的安全性。 Qubes是由模板创建的,默认的是Fedora、Debian和 [Whonix](../desktop.md#whonix)。 Qubes OS还允许你创建一次使用的 [一次性的](https://www.qubes-os.org/doc/how-to-use-disposables/) 虚拟机。 + +![Qubes架构](../assets/img/qubes/qubes-trust-level-architecture.png) +
Qubes架构,信用:什么是Qubes操作系统介绍
+ +每个Qubes应用程序都有一个 [色的边框](https://www.qubes-os.org/screenshots/) ,可以帮助你跟踪它所运行的虚拟机。 例如,你可以为你的银行浏览器使用一种特定的颜色,而对一般的不信任的浏览器使用不同的颜色。 + +![彩色边框](../assets/img/qubes/r4.0-xfce-three-domains-at-work.png) +
Qubes窗口边框,图片来源: Qubes截图
+ +## 为什么我应该使用Qubes? + +如果你的 [威胁模型](../basics/threat-modeling.md) ,需要强大的分隔和安全,例如你认为你会从不信任的来源打开不信任的文件,那么Qubes OS就很有用。 使用Qubes OS的一个典型原因是打开来自未知来源的文件。 + +Qubes操作系统利用 [Dom0](https://wiki.xenproject.org/wiki/Dom0) Xen VM(即 "AdminVM")来控制主机操作系统上的其他客户虚拟机或Qubes。 其他虚拟机在Dom0的桌面环境中显示单个应用程序窗口。 它允许你根据信任程度对窗口进行颜色编码,并以非常细化的控制方式运行可以相互交互的应用程序。 + +### 复制和粘贴文本 + +你可以 [,使用 `qvm-copy-to-vm` 或下面的说明复制和粘贴文本](https://www.qubes-os.org/doc/how-to-copy-and-paste-text/)。 + +1. 按 **Ctrl+C** ,告诉你所在的虚拟机,你想复制一些东西。 +2. 按 **Ctrl+Shift+C** ,告诉虚拟机将这个缓冲区提供给全局剪贴板。 +3. 在目标VM中按 **Ctrl+Shift+V** ,使全局剪贴板可用。 +4. 在目标虚拟机中按 **Ctrl+V** ,以粘贴缓冲区中的内容。 + +### 文件交换 + +要从一个虚拟机复制和粘贴文件和目录(文件夹)到另一个虚拟机,可以使用选项 **复制到其他AppVM...** 或 **移动到其他AppVM...**。 不同的是, **Move** 选项将删除原始文件。 无论哪种选择都会保护你的剪贴板不被泄露给任何其他Qubes。 这比空运的文件传输更安全,因为空运的计算机仍将被迫解析分区或文件系统。 这一点在跨区拷贝系统中是不需要的。 + +??? 信息 "AppVMs或qubes没有自己的文件系统" + + 你可以在Qubes之间[复制和移动文件](https://www.qubes-os.org/doc/how-to-copy-and-move-files/)。 当这样做的时候,改变并不是立即进行的,而且在发生事故的情况下可以很容易地撤消。 + +### 虚拟机之间的相互作用 + +[qrexec框架](https://www.qubes-os.org/doc/qrexec/) 是Qubes的一个核心部分,它允许虚拟机在域之间通信。 它建立在Xen库 *vchan*的基础上,通过策略,促进了 +隔离。

+ + + +## 其它资源 + +关于其他信息,我们鼓励你查阅位于 [Qubes OS网站上的大量Qubes OS文档页面](https://www.qubes-os.org/doc/)。 离线拷贝可以从Qubes OS [文档库中下载](https://github.com/QubesOS/qubes-doc)。 + +- 开放技术基金。 [*可以说是世界上最安全的操作系统*](https://www.opentech.fund/news/qubes-os-arguably-the-worlds-most-secure-operating-system-motherboard/) +- J. 鲁特科夫斯卡。 [*软件区隔与物理分离*](https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf) +- J. 鲁特科夫斯卡。 [*将我的数字生活划分为安全领域*](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html) +- Qubes OS: [*相关文章*](https://www.qubes-os.org/news/categories/#articles) diff --git a/i18n/zh/passwords.md b/i18n/zh/passwords.md new file mode 100644 index 00000000..49c0b4f0 --- /dev/null +++ b/i18n/zh/passwords.md @@ -0,0 +1,341 @@ +--- +title: "生产力工具" +icon: material/form-textbox-password +description: Password managers allow you to securely store and manage passwords and other credentials. +schema: + - + "@context": http://schema.org + "@type": WebPage + name: Password Manager Recommendations + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Bitwarden + image: /assets/img/password-management/bitwarden.svg + url: https://bitwarden.com + sameAs: https://en.wikipedia.org/wiki/Bitwarden + applicationCategory: 密码管理器 + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + - 安卓 + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: 1Password + image: /assets/img/password-management/1password.svg + url: https://1password.com + sameAs: https://en.wikipedia.org/wiki/1Password + applicationCategory: 密码管理器 + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + - 安卓 + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Psono + image: /assets/img/password-management/psono.svg + url: https://psono.com + applicationCategory: 密码管理器 + operatingSystem: + - 安卓 + - iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassXC + image: /assets/img/password-management/keepassxc.svg + url: https://keepassxc.org/ + sameAs: https://en.wikipedia.org/wiki/KeePassXC + applicationCategory: 密码管理器 + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: KeePassDX + image: /assets/img/password-management/keepassdx.svg + url: https://www.keepassdx.com/ + applicationCategory: 密码管理器 + operatingSystem: 安卓 + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: Strongbox + image: /assets/img/password-management/strongbox.svg + url: https://strongboxsafe.com/ + applicationCategory: 密码管理器 + operatingSystem: iOS + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" + - + "@context": http://schema.org + "@type": SoftwareApplication + name: gopass + image: /assets/img/password-management/gopass.svg + url: https://www.gopass.pw/ + applicationCategory: 密码管理器 + operatingSystem: + - Windows 系统 + - mac系统 + - Linux系统 + - FreeBSD + subjectOf: + "@context": http://schema.org + "@type": WebPage + url: "./" +--- + +Password managers allow you to securely store and manage passwords and other credentials with the use of a master password. + +[Introduction to Passwords :material-arrow-right-drop-circle:](./basics/passwords-overview.md) + +!!! info + + Built-in password managers in software like browsers and operating systems are sometimes not as good as dedicated password manager software. The advantage of a built-in password manager is good integration with the software, but it can often be very simple and lack privacy and security features standalone offerings have. + + For example, the password manager in Microsoft Edge doesn't offer E2EE at all. Google's password manager has [optional](https://support.google.com/accounts/answer/11350823) E2EE, and [Apple's](https://support.apple.com/en-us/HT202303) offers E2EE by default. + +## Cloud-based + +These password managers sync your passwords to a cloud server for easy accessibility from all your devices and safety against device loss. + +### Bitwarden + +!!! recommendation + + ![Bitwarden logo](assets/img/password-management/bitwarden.svg){ align=right } + + **Bitwarden** is a free and open-source password manager. It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the best and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices. + + [:octicons-home-16: Homepage](https://bitwarden.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://bitwarden.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://bitwarden.com/help/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/bitwarden){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.x8bit.bitwarden) + - [:simple-appstore: App Store](https://apps.apple.com/app/bitwarden-password-manager/id1137397744) + - [:simple-github: GitHub](https://github.com/bitwarden/mobile/releases) + - [:simple-windows11: Windows](https://bitwarden.com/download) + - [:simple-linux: Linux](https://bitwarden.com/download) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/com.bitwarden.desktop) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/bitwarden-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb) + - [:simple-microsoftedge: Edge](https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh) + +Bitwarden also features [Bitwarden Send](https://bitwarden.com/products/send/), which allows you to share text and files securely with [end-to-end encryption](https://bitwarden.com/help/send-encryption). A [password](https://bitwarden.com/help/send-privacy/#send-passwords) can be required along with the send link. Bitwarden Send also features [automatic deletion](https://bitwarden.com/help/send-lifespan). + +You need the [Premium Plan](https://bitwarden.com/help/about-bitwarden-plans/#compare-personal-plans) to be able to share files. The free plan only allows text sharing. + +Bitwarden's server-side code is [open-source](https://github.com/bitwarden/server), so if you don't want to use the Bitwarden cloud, you can easily host your own Bitwarden sync server. + +**Vaultwarden** is an alternative implementation of Bitwarden's sync server written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. If you are looking to self-host Bitwarden on your own server, you almost certainly want to use Vaultwarden over Bitwarden's official server code. + +[:octicons-repo-16: Vaultwarden Repository](https://github.com/dani-garcia/vaultwarden ""){.md-button} [:octicons-info-16:](https://github.com/dani-garcia/vaultwarden/wiki){ .card-link title=Documentation} +[:octicons-code-16:](https://github.com/dani-garcia/vaultwarden){ .card-link title="Source Code" } +[:octicons-heart-16:](https://github.com/sponsors/dani-garcia){ .card-link title=Contribute } + +### 1Password + +!!! recommendation + + ![1Password logo](assets/img/password-management/1password.svg){ align=right } + + **1Password** is a password manager with a strong focus on security and ease-of-use, which allows you to store passwords, credit cards, software licenses, and any other sensitive information in a secure digital vault. Your vault is hosted on 1Password's servers for a [monthly fee](https://1password.com/sign-up/). 1Password is [audited](https://support.1password.com/security-assessments/) on a regular basis and provides exceptional customer support. 1Password is closed source; however, the security of the product is thoroughly documented in their [security white paper](https://1passwordstatic.com/files/security/1password-white-paper.pdf). + + [:octicons-home-16: Homepage](https://1password.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://support.1password.com/1password-privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.1password.com/){ .card-link title=Documentation} + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onepassword.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1511601750?mt=8) + - [:simple-windows11: Windows](https://1password.com/downloads/windows/) + - [:simple-apple: macOS](https://1password.com/downloads/mac/) + - [:simple-linux: Linux](https://1password.com/downloads/linux/) + +Traditionally, **1Password** has offered the best password manager user experience for people using macOS and iOS; however, it has now achieved feature-parity across all platforms. It boasts many features geared towards families and less technical people, as well as advanced functionality. + +Your 1Password vault is secured with both your master password and a randomized 34-character security key to encrypt your data on their servers. This security key adds a layer of protection to your data because your data is secured with high entropy regardless of your master password. Many other password manager solutions are entirely reliant on the strength of your master password to secure your data. + +One advantage 1Password has over Bitwarden is its first-class support for native clients. While Bitwarden relegates many duties, especially account management features, to their web vault interface, 1Password makes nearly every feature available within its native mobile or desktop clients. 1Password's clients also have a more intuitive UI, which makes them easier to use and navigate. + +### Psono + +!!! recommendation + + ![Psono logo](assets/img/password-management/psono.svg){ align=right } + + **Psono** is a free and open-source password manager from Germany, with a focus on password management for teams. Psono supports secure sharing of passwords, files, bookmarks, and emails. All secrets are protected by a master password. + + [:octicons-home-16: Homepage](https://psono.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://psono.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://doc.psono.com){ .card-link title=Documentation} + [:octicons-code-16:](https://gitlab.com/psono){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.psono.psono) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/psono-password-manager/id1545581224) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/psono-pw-password-manager) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/psonopw-password-manager/eljmjmgjkbmpmfljlmklcfineebidmlo) + - [:simple-docker: Docker Hub](https://hub.docker.com/r/psono/psono-client) + +Psono provides extensive documentation for their product. The web-client for Psono can be self-hosted; alternatively, you can choose the full Community Edition or the Enterprise Edition with additional features. + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +#### Minimum Requirements + +- Must utilize strong, standards-based/modern E2EE. +- Must have thoroughly documented encryption and security practices. +- Must have a published audit from a reputable, independent third-party. +- All non-essential telemetry must be optional. +- Must not collect more PII than is necessary for billing purposes. + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Telemetry should be opt-in (disabled by default) or not collected at all. +- Should be open-source and reasonably self-hostable. + +## Local Storage + +These options allow you to manage an encrypted password database locally. + +### KeePassXC + +!!! recommendation + + ![KeePassXC logo](assets/img/password-management/keepassxc.svg){ align=right } + + **KeePassXC** is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, cross-platform and modern open-source password manager. + + [:octicons-home-16: Homepage](https://keepassxc.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://keepassxc.org/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://keepassxc.org/docs/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/keepassxreboot/keepassxc){ .card-link title="Source Code" } + [:octicons-heart-16:](https://keepassxc.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://keepassxc.org/download/#windows) + - [:simple-apple: macOS](https://keepassxc.org/download/#mac) + - [:simple-linux: Linux](https://keepassxc.org/download/#linux) + - [:simple-flathub: Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/firefox/addon/keepassxc-browser) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk) + +KeePassXC stores its export data as [CSV](https://en.wikipedia.org/wiki/Comma-separated_values) files. This may mean data loss if you import this file into another password manager. We advise you check each record manually. + +### KeePassDX (Android) + +!!! recommendation + + ![KeePassDX logo](assets/img/password-management/keepassdx.svg){ align=right } + + **KeePassDX** is a lightweight password manager for Android, allows editing encrypted data in a single file in KeePass format and can fill in the forms in a secure way. [Contributor Pro](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.pro) allows unlocking cosmetic content and non-standard protocol features, but more importantly, it helps and encourages development. + + [:octicons-home-16: Homepage](https://www.keepassdx.com){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/Kunzisoft/KeePassDX/wiki){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/Kunzisoft/KeePassDX){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.keepassdx.com/#donation){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.kunzisoft.keepass.free) + - [:simple-github: GitHub](https://github.com/Kunzisoft/KeePassDX/releases) + +### Strongbox (iOS & macOS) + +!!! recommendation + + ![Strongbox logo](assets/img/password-management/strongbox.svg){ align=right } + + **Strongbox** is a native, open-source password manager for iOS and macOS. Supporting both KeePass and Password Safe formats, Strongbox can be used in tandem with other password managers, like KeePassXC, on non-Apple platforms. By employing a [freemium model](https://strongboxsafe.com/pricing/), Strongbox offers most features under its free tier with more convenience-oriented [features](https://strongboxsafe.com/comparison/)—such as biometric authentication—locked behind a subscription or perpetual license. + + [:octicons-home-16: Homepage](https://strongboxsafe.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://strongboxsafe.com/privacy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://strongboxsafe.com/getting-started/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/strongbox-password-safe/Strongbox){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/strongbox-password-safe/Strongbox#supporting-development){ .card-link title=Contribute } + + ??? downloads + + - [:simple-appstore: App Store](https://apps.apple.com/app/strongbox-keepass-pwsafe/id897283731) + +Additionally, there is an offline-only version offered: [Strongbox Zero](https://apps.apple.com/app/strongbox-keepass-pwsafe/id1581589638). This version is stripped down in an attempt to reduce attack surface. + +### Command-line + +These products are minimal password managers that can be used within scripting applications. + +#### gopass + +!!! recommendation + + ![gopass logo](assets/img/password-management/gopass.svg){ align=right } + + **gopass** is a password manager for the command line written in Go. It works on all major desktop and server operating systems (Linux, macOS, BSD, Windows). + + [:octicons-home-16: Homepage](https://www.gopass.pw){ .md-button .md-button--primary } + [:octicons-info-16:](https://github.com/gopasspw/gopass/tree/master/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/gopasspw/gopass){ .card-link title="Source Code" } + [:octicons-heart-16:](https://github.com/sponsors/dominikschulz){ .card-link title=Contribute } + + ??? downloads + + - [:simple-windows11: Windows](https://www.gopass.pw/#install-windows) + - [:simple-apple: macOS](https://www.gopass.pw/#install-macos) + - [:simple-linux: Linux](https://www.gopass.pw/#install-linux) + - [:simple-freebsd: FreeBSD](https://www.gopass.pw/#install-bsd) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be cross-platform. diff --git a/i18n/zh/productivity.md b/i18n/zh/productivity.md new file mode 100644 index 00000000..ca8122bb --- /dev/null +++ b/i18n/zh/productivity.md @@ -0,0 +1,155 @@ +--- +title: "实时通讯" +icon: material/file-sign +description: Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. +--- + +Most online office suites do not support E2EE, meaning the cloud provider has access to everything you do. The privacy policy may legally protect your rights, but it does not provide technical access constraints. + +## Collaboration Platforms + +### Nextcloud + +!!! recommendation + + ![Nextcloud logo](assets/img/productivity/nextcloud.svg){ align=right } + + **Nextcloud** is a suite of free and open-source client-server software for creating your own file hosting services on a private server you control. + + [:octicons-home-16: Homepage](https://nextcloud.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://nextcloud.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://nextcloud.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/nextcloud){ .card-link title="Source Code" } + [:octicons-heart-16:](https://nextcloud.com/contribute/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.nextcloud.client) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1125420102) + - [:simple-github: GitHub](https://github.com/nextcloud/android/releases) + - [:simple-windows11: Windows](https://nextcloud.com/install/#install-clients) + - [:simple-apple: macOS](https://nextcloud.com/install/#install-clients) + - [:simple-linux: Linux](https://nextcloud.com/install/#install-clients) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/nextcloud) + +!!! 危险 + + We don't recommend using the [E2EE App](https://apps.nextcloud.com/apps/end_to_end_encryption) for Nextcloud as it may lead to data loss; it is highly experimental and not production quality. For this reason, we don't recommend third-party Nextcloud providers. + +### CryptPad + +!!! recommendation + + ![CryptPad logo](assets/img/productivity/cryptpad.svg){ align=right } + + **CryptPad** is a private-by-design alternative to popular office tools. All content on this web service is end-to-end encrypted and can be shared with other users easily. + + [:octicons-home-16: Homepage](https://cryptpad.fr){ .md-button .md-button--primary } + [:octicons-eye-16:](https://cryptpad.fr/pad/#/2/pad/view/GcNjAWmK6YDB3EO2IipRZ0fUe89j43Ryqeb4fjkjehE/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.cryptpad.fr/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/xwiki-labs/cryptpad){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opencollective.com/cryptpad){ .card-link title=Contribute } + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define collaboration platforms as full-fledged suites which could reasonably act as a replacement to collaboration platforms like Google Drive. + +- 开源 +- Makes files accessible via WebDAV unless it is impossible due to E2EE. +- Has sync clients for Linux, macOS, and Windows. +- Supports document and spreadsheet editing. +- Supports real-time document collaboration. +- Supports exporting documents to standard document formats (e.g. ODF). + +#### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should store files in a conventional filesystem. +- Should support TOTP or FIDO2 multi-factor authentication support, or Passkey logins. + +## Office Suites + +### LibreOffice + +!!! recommendation + + ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ align=right } + + **LibreOffice** is a free and open-source office suite with extensive functionality. + + [:octicons-home-16: Homepage](https://www.libreoffice.org){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.libreoffice.org/about-us/privacy/privacy-policy-en/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://documentation.libreoffice.org/en/english-documentation/){ .card-link title=Documentation} + [:octicons-code-16:](https://www.libreoffice.org/about-us/source-code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://www.libreoffice.org/donate/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-appstore: App Store](https://www.libreoffice.org/download/android-and-ios/) + - [:simple-windows11: Windows](https://www.libreoffice.org/download/download/) + - [:simple-apple: macOS](https://www.libreoffice.org/download/download/) + - [:simple-linux: Linux](https://www.libreoffice.org/download/download/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.libreoffice.LibreOffice) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/editors/libreoffice/) + +### OnlyOffice + +!!! recommendation + + ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ align=right } + + **OnlyOffice** is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud. + + [:octicons-home-16: Homepage](https://www.onlyoffice.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=5048502&doc=SXhWMEVzSEYxNlVVaXJJeUVtS0kyYk14YWdXTEFUQmRWL250NllHNUFGbz0_IjUwNDg1MDIi0){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://helpcenter.onlyoffice.com/userguides.aspx){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ONLYOFFICE){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=com.onlyoffice.documents) + - [:simple-appstore: App Store](https://apps.apple.com/app/id944896972) + - [:simple-windows11: Windows](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-apple: macOS](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-linux: Linux](https://www.onlyoffice.com/download-desktop.aspx) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.onlyoffice.desktopeditors) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/www/onlyoffice-documentserver/) + +### Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +In general, we define office suites as applications which could reasonably act as a replacement for Microsoft Word for most needs. + +- Must be cross-platform. +- 它必须是开源软件。 +- Must function offline. +- Must support editing documents, spreadsheets, and slideshows. +- Must export files to standard document formats. + +## Paste services + +### PrivateBin + +!!! recommendation + + ![PrivateBin logo](assets/img/productivity/privatebin.svg){ align=right } + + **PrivateBin** is a minimalist, open-source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256-bit AES. It is the improved version of ZeroBin. There is a [list of instances](https://privatebin.info/directory/). + + [:octicons-home-16: Homepage](https://privatebin.info){ .md-button .md-button--primary } + [:octicons-server-16:](https://privatebin.info/directory/){ .card-link title="Public Instances"} + [:octicons-info-16:](https://github.com/PrivateBin/PrivateBin/wiki/FAQ){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/PrivateBin/PrivateBin){ .card-link title="Source Code" } diff --git a/i18n/zh/real-time-communication.md b/i18n/zh/real-time-communication.md new file mode 100644 index 00000000..242944ad --- /dev/null +++ b/i18n/zh/real-time-communication.md @@ -0,0 +1,194 @@ +--- +title: "实时通讯" +icon: material/chat-processing +description: Other instant messengers make all of your private conversations available to the company that runs them. +--- + +这些是我们对加密实时通讯的建议。 + +[通信网络的类型 :material-arrow-right-drop-circle:](./advanced/communication-network-types.md) + +## 可加密的聊天软件 + +以下这些聊天软件能够非常好地保护你的敏感聊天信息。 + +### Signal + +!!! recommendation + + ![Signal logo](assets/img/messengers/signal.svg){ align=right } + + **Signal** 是Signal Messenger LLC所研发的一款手机应用。 这款应用提供即时通讯,语音通话以及视频通话。 + + 所有的聊天窗口都有端到端加密(E2EE) 联系人列表使用你的Signal PIN码来保护,且服务器无法访问。 个人资料也经过加密,并只与你联系过的人共享。 + + [:octicons-home-16: 主页](https://signal.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://signal.org/legal/#privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.signal.org/hc/en-us){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/signalapp){ .card-link title="Source Code" } + [:octicons-heart-16:](https://signal.org/donate/){ .card-link title=Contribute } + + ??? 下载地址 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms) + - [:simple-appstore: App Store](https://apps.apple.com/app/id874139669) + - [:simple-android: Android](https://signal.org/android/apk/) + - [:simple-windows11: Windows](https://signal.org/download/windows) + - [:simple-apple: macOS](https://signal.org/download/macos) + - [:simple-linux: Linux](https://signal.org/download/linux) + +Signal 支持 [私密群组](https://signal.org/blog/signal-private-group-system/). 服务器没有你的群组成员资格,名称,头像以及其他属性的记录。 只有当 [加密发送(Sealed Sender)](https://signal.org/blog/sealed-sender/)启用时,Signal才会保存最少的元数据。 发信人地址与消息正文一起被加密,只有收信人的地址对服务器可见。 加密发送仅对你联系人列表中的人启用,你也可以对所有收件人启用,但是这么做会增加你收到垃圾邮件的风险。 Signal需要你的电话号码作为个人识别码。 + +Signal协议在2016年被独立[审计](https://eprint.iacr.org/2016/1013.pdf) 。 该协议的规范可以在他们的[文档](https://signal.org/docs/)查看。 + +我们有一些额外的配置并加固你的Signal安装的建议: + +[Signal 配置与加固 :material-arrow-right-drop-circle:](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) + +### SimpleX Chat + +!!! recommendation + + ![Simplex logo](assets/img/messengers/simplex.svg){ align=right } + + **SimpleX** Chat 是一个去中心化的即时通讯软件,并且不依赖任何的个人识别码(电话号码,用户名等)。 SimpleX Chat的用户可以扫描二维码或着点击邀请链接参与到群组聊天。 + + [:octicons-home-16: 主页](https://simplex.chat){ .md-button .md-button--primary } + [:octicons-eye-16:](https://github.com/simplex-chat/simplex-chat/blob/stable/PRIVACY.md){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://github.com/simplex-chat/simplex-chat/tree/stable/docs){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/simplex-chat){ .card-link title="Source Code" } + + ??? 下载地址 + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=chat.simplex.app) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/simplex-chat/id1605771084) + - [:simple-github: GitHub](https://github.com/simplex-chat/simplex-chat/releases) + +SimpleX Chat [was audited](https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html) by Trail of Bits in October 2022. + +目前SimpleX Chat只有安卓和iOS版本。 Basic group chatting functionality, direct messaging, editing of messages and markdown are supported. E2EE Audio and Video calls are also supported. + +Your data can be exported, and imported onto another device, as there are no central servers where this is backed up. + +### Briar + +!!! recommendation + + ![Briar logo](assets/img/messengers/briar.svg){ align=right } + + **Briar** is an encrypted instant messenger that [connects](https://briarproject.org/how-it-works/) to other clients using the Tor Network. Briar can also connect via Wi-Fi or Bluetooth when in local proximity. Briar’s local mesh mode can be useful when internet availability is a problem. + + [:octicons-home-16: Homepage](https://briarproject.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://briarproject.org/privacy-policy/){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://code.briarproject.org/briar/briar/-/wikis/home){ .card-link title=Documentation} + [:octicons-code-16:](https://code.briarproject.org/briar/briar){ .card-link title="Source Code" } + [:octicons-heart-16:](https://briarproject.org/){ .card-link title="Donation options are listed on the bottom of the homepage" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.briarproject.briar.android) + - [:simple-windows11: Windows](https://briarproject.org/download-briar-desktop/) + - [:simple-linux: Linux](https://briarproject.org/download-briar-desktop/) + - [:simple-flathub: Flathub](https://flathub.org/apps/details/org.briarproject.Briar) + +To add a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contact’s QR code if they are nearby. + +The client software was independently [audited](https://briarproject.org/news/2017-beta-released-security-audit/), and the anonymous routing protocol uses the Tor network which has also been audited. + +Briar has a fully [published specification](https://code.briarproject.org/briar/briar-spec). + +Briar supports perfect forward secrecy by using the Bramble [Handshake](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BHP.md) and [Transport](https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md) protocol. + +## Additional Options + +!!! 推荐 + + These messengers do not have Perfect [Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) (PFS), and while they fulfill certain needs that our previous recommendations may not, we do not recommend them for long-term or sensitive communications. Any key compromise among message recipients would affect the confidentiality of **all** past communications. + +### Element + +!!! recommendation + + ![Element logo](assets/img/messengers/element.svg){ align=right } + + **Element** is the reference client for the [Matrix](https://matrix.org/docs/guides/introduction) protocol, an [open standard](https://matrix.org/docs/spec) for secure decentralized real-time communication. + + Messages and files shared in private rooms (those which require an invite) are by default E2EE as are one to one voice and video calls. + + [:octicons-home-16: Homepage](https://element.io/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://element.io/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://element.io/help){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/vector-im){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=im.vector.app) + - [:simple-appstore: App Store](https://apps.apple.com/app/vector/id1083446067) + - [:simple-github: GitHub](https://github.com/vector-im/element-android/releases) + - [:simple-windows11: Windows](https://element.io/get-started) + - [:simple-apple: macOS](https://element.io/get-started) + - [:simple-linux: Linux](https://element.io/get-started) + - [:octicons-globe-16: Web](https://app.element.io) + +Profile pictures, reactions, and nicknames are not encrypted. + +Group voice and video calls are [not](https://github.com/vector-im/element-web/issues/12878) E2EE, and use Jitsi, but this is expected to change with [Native Group VoIP Signalling](https://github.com/matrix-org/matrix-doc/pull/3401). Group calls have [no authentication](https://github.com/vector-im/element-web/issues/13074) currently, meaning that non-room participants can also join the calls. We recommend that you do not use this feature for private meetings. + +The Matrix protocol itself [theoretically supports PFS](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#partial-forward-secrecy), however this is [not currently supported in Element](https://github.com/vector-im/element-web/issues/7101) due to it breaking some aspects of the user experience such as key backups and shared message history. + +The protocol was independently [audited](https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last) in 2016. The specification for the Matrix protocol can be found in their [documentation](https://spec.matrix.org/latest/). The [Olm](https://matrix.org/docs/projects/other/olm) cryptographic ratchet used by Matrix is an implementation of Signal’s [Double Ratchet algorithm](https://signal.org/docs/specifications/doubleratchet/). + +### Session + +!!! recommendation + + ![Session logo](assets/img/messengers/session.svg){ align=right } + + **Session** is a decentralized messenger with a focus on private, secure, and anonymous communications. Session offers support for direct messages, group chats, and voice calls. + + Session uses the decentralized [Oxen Service Node Network](https://oxen.io/) to store and route messages. Every encrypted message is routed through three nodes in the Oxen Service Node Network, making it virtually impossible for the nodes to compile meaningful information on those using the network. + + [:octicons-home-16: Homepage](https://getsession.org/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://getsession.org/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://getsession.org/faq){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/oxen-io){ .card-link title="Source Code" } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=network.loki.messenger) + - [:simple-appstore: App Store](https://apps.apple.com/app/id1470168868) + - [:simple-github: GitHub](https://github.com/oxen-io/session-android/releases) + - [:simple-windows11: Windows](https://getsession.org/download) + - [:simple-apple: macOS](https://getsession.org/download) + - [:simple-linux: Linux](https://getsession.org/download) + +Session allows for E2EE in one-on-one chats or closed groups which allow for up to 100 members. Open groups have no restriction on the number of members, but are open by design. + +Session does [not](https://getsession.org/blog/session-protocol-technical-information) support PFS, which is when an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised it exposes a smaller portion of sensitive information. + +Oxen requested an independent audit for Session in March of 2020. The audit [concluded](https://getsession.org/session-code-audit) in April of 2021, “The overall security level of this application is good and makes it usable for privacy-concerned people.” + +Session has a [whitepaper](https://arxiv.org/pdf/2002.04609.pdf) describing the technicals of the app and protocol. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must have open-source clients. +- Must use E2EE for private messages by default. +- Must support E2EE for all messages. +- Must have been independently audited. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should have Perfect Forward Secrecy. +- Should have open-source servers. +- Should be decentralized, i.e. federated or P2P. +- Should use E2EE for all messages by default. +- Should support Linux, macOS, Windows, Android, and iOS. diff --git a/i18n/zh/router.md b/i18n/zh/router.md new file mode 100644 index 00000000..6374dcd7 --- /dev/null +++ b/i18n/zh/router.md @@ -0,0 +1,50 @@ +--- +title: "Router Firmware" +icon: material/router-wireless +description: These alternative operating systems can be used to secure your router or Wi-Fi access point. +--- + +Below are a few alternative operating systems, that can be used on routers, Wi-Fi access points, etc. + +## OpenWrt + +!!! recommendation + + ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ align=right } + ![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ align=right } + + **OpenWrt** is a Linux-based operating system; it's primarily used on embedded devices to route network traffic. It includes util-linux, uClibc, and BusyBox. All of the components have been optimized for home routers. + + [:octicons-home-16: Homepage](https://openwrt.org){ .md-button .md-button--primary } + [:octicons-info-16:](https://openwrt.org/docs/start){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/openwrt/openwrt){ .card-link title="Source Code" } + [:octicons-heart-16:](https://openwrt.org/donate){ .card-link title=Contribute } + +You can consult OpenWrt's [table of hardware](https://openwrt.org/toh/start) to check if your device is supported. + +## OPNsense + +!!! recommendation + + ![OPNsense logo](assets/img/router/opnsense.svg){ align=right } + + **OPNsense** is an open source, FreeBSD-based firewall and routing platform which incorporates many advanced features such as traffic shaping, load balancing, and VPN capabilities, with many more features available in the form of plugins. OPNsense is commonly deployed as a perimeter firewall, router, wireless access point, DHCP server, DNS server, and VPN endpoint. + + [:octicons-home-16: Homepage](https://opnsense.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://docs.opnsense.org/index.html){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/opnsense){ .card-link title="Source Code" } + [:octicons-heart-16:](https://opnsense.org/donate/){ .card-link title=Contribute } + +OPNsense was originally developed as a fork of [pfSense](https://en.wikipedia.org/wiki/PfSense), and both projects are noted for being free and reliable firewall distributions which offer features often only found in expensive commercial firewalls. Launched in 2015, the developers of OPNsense [cited](https://docs.opnsense.org/history/thefork.html) a number of security and code-quality issues with pfSense which they felt necessitated a fork of the project, as well as concerns about Netgate's majority acquisition of pfSense and the future direction of the pfSense project. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must be open source. +- Must receive regular updates. +- 必须支持各种各样的硬件。 diff --git a/i18n/zh/search-engines.md b/i18n/zh/search-engines.md new file mode 100644 index 00000000..992127f4 --- /dev/null +++ b/i18n/zh/search-engines.md @@ -0,0 +1,108 @@ +--- +title: "Search Engines" +icon: material/search-web +description: These privacy-respecting search engines don't build an advertising profile based on your searches. +--- + +Use a search engine that doesn't build an advertising profile based on your searches. + +The recommendations here are based on the merits of each service's privacy policy. There is **no guarantee** that these privacy policies are honored. + +Consider using a [VPN](vpn.md) or [Tor](https://www.torproject.org/) if your threat model requires hiding your IP address from the search provider. + +## Brave Search + +!!! recommendation + + ![Brave Search logo](assets/img/search-engines/brave-search.svg){ align=right } + + **Brave Search** is developed by Brave and serves results primarily from its own, independent index. The index is optimized against Google Search and therefore may provide more contextually accurate results compared to other alternatives. + + Brave Search includes unique features such as Discussions, which highlights conversation-focused results—such as forum posts. + + We recommend you disable [Anonymous usage metrics](https://search.brave.com/help/usage-metrics) as it is enabled by default and can be disabled within settings. + + [:octicons-home-16: Homepage](https://search.brave.com/){ .md-button .md-button--primary } + [:simple-torbrowser:](https://search.brave4u7jddbv7cyviptqjc7jusxh72uik7zt6adtckl5f4nwy2v72qd.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://search.brave.com/help/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://search.brave.com/help){ .card-link title=Documentation} + +Brave Search is based in the United States. Their [privacy policy](https://search.brave.com/help/privacy-policy) states they collect aggregated usage metrics, which includes the operating system and browser in use, however no personally identifiable information is collected. IP addresses are temporarily processed, but are not retained. + +## DuckDuckGo + +!!! recommendation + + ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ align=right } + + **DuckDuckGo** is one of the more mainstream private search engine options. Notable DuckDuckGo search features include [bangs](https://duckduckgo.com/bang) and many [instant answers](https://help.duckduckgo.com/duckduckgo-help-pages/features/instant-answers-and-other-features/). The search engine relies on a commercial Bing API to serve most results, but it does use numerous [other sources](https://help.duckduckgo.com/results/sources/) for instant answers and other non-primary results. + + DuckDuckGo is the default search engine for the Tor Browser and is one of the few available options on Apple’s Safari browser. + + [:octicons-home-16: Homepage](https://duckduckgo.com){ .md-button .md-button--primary } + [:simple-torbrowser:](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion){ .card-link title="Onion Service" } + [:octicons-eye-16:](https://duckduckgo.com/privacy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://help.duckduckgo.com/){ .card-link title=Documentation} + +DuckDuckGo is based in the United States. Their [privacy policy](https://duckduckgo.com/privacy) states they **do** log your searches for product improvement purposes, but not your IP address or any other personally identifying information. + +DuckDuckGo offers two [other versions](https://help.duckduckgo.com/features/non-javascript/) of their search engine, both of which do not require JavaScript. These versions do lack features, however. These versions can also be used in conjunction with their [Tor onion address](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/) by appending [/lite](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/lite) or [/html](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/html) for the respective version. + +## SearXNG + +!!! recommendation + + ![SearXNG logo](assets/img/search-engines/searxng.svg){ align=right } + + **SearXNG** is an open-source, self-hostable, metasearch engine, aggregating the results of other search engines while not storing any information itself. It is an actively maintained fork of [SearX](https://github.com/searx/searx). + + [:octicons-home-16: Homepage](https://searxng.org){ .md-button .md-button--primary } + [:octicons-server-16:](https://searx.space/){ .card-link title="Public Instances"} + [:octicons-code-16:](https://github.com/searxng/searxng){ .card-link title="Source Code" } + +SearXNG is a proxy between you and the search engines it aggregates from. Your search queries will still be sent to the search engines that SearXNG gets its results from. + +When self-hosting, it is important that you have other people using your instance so that the queries would blend in. You should be careful with where and how you are hosting SearXNG, as people looking up illegal content on your instance could draw unwanted attention from authorities. + +When you are using a SearXNG instance, be sure to go read their privacy policy. Since SearXNG instances may be modified by their owners, they do not necessarily reflect their privacy policy. Some instances run as a Tor hidden service, which may grant some privacy as long as your search queries does not contain PII. + +## Startpage + +!!! recommendation + + ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ align=right } + ![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ align=right } + + **Startpage** is a private search engine known for serving Google search results. One of Startpage's unique features is the [Anonymous View](https://www.startpage.com/en/anonymous-view/), which puts forth efforts to standardize user activity to make it more difficult to be uniquely identified. The feature can be useful for hiding [some](https://support.startpage.com/hc/en-us/articles/4455540212116-The-Anonymous-View-Proxy-technical-details) network and browser properties. Unlike the name suggests, the feature should not be relied upon for anonymity. If you are looking for anonymity, use the [Tor Browser](tor.md#tor-browser) instead. + + [:octicons-home-16: Homepage](https://www.startpage.com){ .md-button .md-button--primary } + [:octicons-eye-16:](https://www.startpage.com/en/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://support.startpage.com/hc/en-us/categories/4481917470356-Startpage-Search-Engine){ .card-link title=Documentation} + +!!! 推荐 + + Startpage regularly limits service access to certain IP addresses, such as IPs reserved for VPNs or Tor. [DuckDuckGo](#duckduckgo) and [Brave Search](#brave-search) are friendlier options if your threat model requires hiding your IP address from the search provider. + +Startpage is based in the Netherlands. According to their [privacy policy](https://www.startpage.com/en/privacy-policy/), they log details such as: operating system, type of browser, and language. They do not log your IP address, search queries, or other personally identifying information. + +Startpage's majority shareholder is System1 who is an adtech company. We don't believe that to be an issue as they have a distinctly separate [privacy policy](https://system1.com/terms/privacy-policy). The Privacy Guides team reached out to Startpage [back in 2020](https://web.archive.org/web/20210118031008/https://blog.privacytools.io/relisting-startpage/) to clear up any concerns with System1's sizeable investment into the service. We were satisfied with the answers we received. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +### Minimum Requirements + +- Must not collect personally identifiable information per their privacy policy. +- Must not allow users to create an account with them. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be based on open-source software. +- Should not block Tor exit node IP addresses. diff --git a/i18n/zh/tools.md b/i18n/zh/tools.md new file mode 100644 index 00000000..0501c800 --- /dev/null +++ b/i18n/zh/tools.md @@ -0,0 +1,473 @@ +--- +title: "隐私工具" +icon: 资料/工具 +hide: + - toc +description: Privacy Guides is the most transparent and reliable website for finding software, apps, and services that protect your personal data from mass surveillance programs and other internet threats. +--- + +如果你正在寻找某项具体解决方案,这里是一些我们推荐的各种类别的软硬件工具。 我们推荐的隐私工具主要依据它们的安全功能来选择,另外还强调了去中心化和开源。 They are applicable to a variety of threat models ranging from protection against global mass surveillance programs and avoiding big tech companies to mitigating attacks, but only you can determine what will work best for your needs. + +If you want assistance figuring out the best privacy tools and alternative programs for your needs, start a discussion on our [forum](https://discuss.privacyguides.net/) or our [Matrix](https://matrix.to/#/#privacyguides:matrix.org) community! + +关于每个项目的更多相关细节, 为什么选择它们以及我们提议的一些额外的使用提示或技巧,请点击每个部分的 "了解详情" 链接, 或者也可以点击推荐项本身来转到具体的页面部分。 + +## 桌面端浏览器 + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser](desktop-browsers.md#tor-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +1. Snowflake 不能够增进你的隐私,但它能够让你轻松地为Tor网络做出贡献,并帮助那些受网络审查的人获得更好的隐私。 + +[了解更多 :hero-arrow-circle-right-fill:](tor.md) + +## 移动端浏览器 + +
+ +- ![Mullvad Browser logo](assets/img/browsers/mullvad_browser.svg){ .twemoji } [Mullvad Browser](desktop-browsers.md#mullvad-browser) +- ![Firefox logo](assets/img/browsers/firefox.svg){ .twemoji } [Firefox](desktop-browsers.md#firefox) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave](desktop-browsers.md#brave) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop-browsers.md) + +### 其它资源 + +
+ +- ![Tor Browser logo](assets/img/browsers/tor.svg){ .twemoji } [Tor Browser (Android)](mobile-browsers.md#tor-browser) +- ![Brave logo](assets/img/browsers/brave.svg){ .twemoji } [Brave (Android)](mobile-browsers.md#brave) +- ![Safari logo](assets/img/browsers/safari.svg){ .twemoji } [Safari (iOS)](mobile-browsers.md#safari) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop-browsers.md#additional-resources) + +## 操作系统 + +
+ +- ![AdGuard logo](assets/img/browsers/adguard.svg){ .twemoji } [AdGuard for iOS](mobile-browsers.md#adguard) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](mobile-browsers.md) + +### 其它资源 + +
+ +- ![GrapheneOS logo](assets/img/android/grapheneos.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/grapheneos-dark.svg#only-dark){ .twemoji } [GrapheneOS](android.md#grapheneos) +- ![DivestOS logo](assets/img/android/divestos.svg){ .twemoji } [DivestOS](android.md#divestos) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](mobile-browsers.md#adguard) + +## 服务供应商 + +### Android + +
+ +- ![Neo Store logo](assets/img/android/neo-store.png){ .twemoji } [Neo Store (F-Droid Client)](android.md#neo-store) +- ![Aurora Store logo](/assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](android.md) + +#### DNS 供应商 + +
+ +- ![Aurora Store logo](assets/img/android/aurora-store.webp){ .twemoji } [Aurora Store (Google Play Client)](android.md#aurora-store) +- ![Shelter logo](assets/img/android/mini/shelter.svg){ .twemoji } [Shelter (Work Profiles)](android.md#shelter) +- ![Auditor logo](assets/img/android/auditor.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/auditor-dark.svg#only-dark){ .twemoji } [Auditor (Supported Devices)](android.md#auditor) +- ![Secure Camera logo](assets/img/android/secure_camera.svg#only-light){ .twemoji }![Secure Camera logo](assets/img/android/secure_camera-dark.svg#only-dark){ .twemoji } [Secure Camera](android.md#secure-camera) +- ![Secure PDF Viewer logo](assets/img/android/secure_pdf_viewer.svg#only-light){ .twemoji }![GrapheneOS logo](assets/img/android/secure_pdf_viewer-dark.svg#only-dark){ .twemoji } [Secure PDF Viewer](android.md#secure-pdf-viewer) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](android.md#general-apps) + +### Android 应用 + +
+ +- ![OpenWrt logo](assets/img/router/openwrt.svg#only-light){ .twemoji }![OpenWrt logo](assets/img/router/openwrt-dark.svg#only-dark){ .twemoji } [OpenWrt](router.md#openwrt) +- ![OPNsense logo](assets/img/router/opnsense.svg){ .twemoji } [OPNsense](router.md#opnsense) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](desktop.md) + +### Router Firmware + +
+ +- ![Cryptee logo](assets/img/cloud/cryptee.svg#only-light){ .twemoji }![Cryptee logo](assets/img/cloud/cryptee-dark.svg#only-dark){ .twemoji } [Cryptee](cloud.md#cryptee) +- ![Nextcloud logo](assets/img/cloud/nextcloud.svg){ .twemoji } [Nextcloud (Self-Hostable)](cloud.md#nextcloud) +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](router.md) + +## 软件 + +### 路由器固件 + +
+ +- ![Proton Drive logo](assets/img/cloud/protondrive.svg){ .twemoji } [Proton Drive](cloud.md#proton-drive) +- ![Tresorit logo](assets/img/cloud/tresorit.svg){ .twemoji } [Tresorit](cloud.md#tresorit) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](cloud.md) + +### 云存储 + +#### 加密DNS代理 + +We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers based on a variety of criteria, such as [Mullvad](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls) and [Quad9](https://quad9.net/) amongst others. We recommend for you to read our pages on DNS before choosing a provider. In many cases, using an alternative DNS provider is not recommended. + +[了解更多 :hero-arrow-circle-right-fill:](dns.md) + +#### Encrypted DNS Proxies + +
+ +- ![AdGuard Home logo](assets/img/dns/adguard-home.svg){ .twemoji } [AdGuard Home](dns.md#adguard-home) +- ![Pi-hole logo](assets/img/dns/pi-hole.svg){ .twemoji } [Pi-hole](dns.md#pi-hole) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](dns.md#encrypted-dns-proxies) + +#### Self-hosted Solutions + +
+ +- ![Proton Mail logo](assets/img/email/protonmail.svg){ .twemoji } [Proton Mail](email.md#proton-mail) +- ![Mailbox.org logo](assets/img/email/mailboxorg.svg){ .twemoji } [Mailbox.org](email.md#mailboxorg) +- ![StartMail logo](assets/img/email/startmail.svg#only-light){ .twemoji }![StartMail logo](assets/img/email/startmail-dark.svg#only-dark){ .twemoji } [StartMail](email.md#startmail) +- ![Tutanota logo](assets/img/email/tutanota.svg){ .twemoji } [Tutanota](email.md#tutanota) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](dns.md#self-hosted-solutions) + +### DNS + +
+ +- ![AnonAddy logo](assets/img/email/anonaddy.svg#only-light){ .twemoji }![AnonAddy logo](assets/img/email/anonaddy-dark.svg#only-dark){ .twemoji } [AnonAddy](email.md#anonaddy) +- ![SimpleLogin logo](assets/img/email/simplelogin.svg){ .twemoji } [SimpleLogin](email.md#simplelogin) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md) + +#### Email Aliasing Services + +
+ +- ![mailcow logo](assets/img/email/mailcow.svg){ .twemoji } [mailcow](email.md#self-hosting-email) +- ![Mail-in-a-Box logo](assets/img/email/mail-in-a-box.svg){ .twemoji } [Mail-in-a-Box](email.md#self-hosting-email) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md#email-aliasing-services) + +#### Self-Hosting Email + +
+ +- ![Brave Search logo](assets/img/search-engines/brave-search.svg){ .twemoji } [Brave Search](search-engines.md#brave-search) +- ![DuckDuckGo logo](assets/img/search-engines/duckduckgo.svg){ .twemoji } [DuckDuckGo](search-engines.md#duckduckgo) +- ![SearXNG logo](assets/img/search-engines/searxng.svg){ .twemoji } [SearXNG](search-engines.md#searxng) +- ![Startpage logo](assets/img/search-engines/startpage.svg#only-light){ .twemoji }![Startpage logo](assets/img/search-engines/startpage-dark.svg#only-dark){ .twemoji } [Startpage](search-engines.md#startpage) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email.md#self-hosting-email) + +### Financial Services + +#### Payment Masking Services + +
+ +- ![Privacy.com logo](assets/img/financial-services/privacy_com.svg#only-light){ .twemoji }![Privacy.com logo](assets/img/financial-services/privacy_com-dark.svg#only-dark){ .twemoji } [Privacy.com](financial-services.md#privacycom-us-free) +- ![MySudo logo](assets/img/financial-services/mysudo.svg#only-light){ .twemoji }![MySudo logo](assets/img/financial-services/mysudo-dark.svg#only-dark){ .twemoji } [MySudo](financial-services.md#mysudo-us-paid) +
+ +[了解更多 :hero-arrow-circle-right-fill:](financial-services.md#payment-masking-services) + +#### Online Gift Card Marketplaces + +
+ +- ![Cake Pay logo](assets/img/financial-services/cakepay.svg){ .twemoji } [Cake Pay](financial-services.md#cake-pay) +- ![CoinCards logo](assets/img/financial-services/coincards.svg){ .twemoji } [CoinCards](financial-services.md#coincards) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](financial-services.md#gift-card-marketplaces) + +### Search Engines + +
+ +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](search-engines.md) + +### 搜索引擎 + +??? 危险 "VPNs 不提供匿名性" + + 使用VPN **不** 会隐藏你的浏览习惯, 它也不会为不安全(HTTP) 流量额外增加安全性。 + + 如果你在寻求**匿名**, 你应该使用Tor 浏览器 **而不是** VPN。 + + 如果你在寻求增进**安全**, 你应该始终确保在使用 HTTPS连接到网站。 VPN不是良好安全实践的替代品。 + + [了解更多:hero-arrow-circle-right-fill:](vpn.md) + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](vpn.md#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](vpn.md#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](vpn.md#proton-vpn) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](vpn.md) + +## Software + +### VPN供应商 + +
+ +- ![EteSync Notes logo](assets/img/notebooks/etesync-notes.png){ .twemoji } [EteSync Notes](notebooks.md#etesync-notes) +- ![Joplin logo](assets/img/notebooks/joplin.svg){ .twemoji } [Joplin](notebooks.md#joplin) +- ![Standard Notes logo](assets/img/notebooks/standard-notes.svg){ .twemoji } [Standard Notes](notebooks.md#standard-notes) +- ![Org-mode logo](assets/img/notebooks/org-mode.svg){ .twemoji } [Org-mode](notebooks.md#org-mode) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](calendar.md) + +### Cryptocurrency + +
+ +- ![Monero logo](assets/img/cryptocurrency/monero.svg){ .twemoji } [Monero](cryptocurrency.md#monero) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](cryptocurrency.md) + +### 日历/联系人同步 + +
+ +- ![Thunderbird logo](assets/img/email-clients/thunderbird.svg){ .twemoji } [Thunderbird](email-clients.md#thunderbird) +- ![Apple Mail logo](assets/img/email-clients/applemail.png){ .twemoji } [Apple Mail (macOS)](email-clients.md#apple-mail-macos) +- ![Canary Mail logo](assets/img/email-clients/canarymail.svg){ .twemoji } [Canary Mail (iOS)](email-clients.md#canary-mail-ios) +- ![FairEmail logo](assets/img/email-clients/fairemail.svg){ .twemoji } [FairEmail (Android)](email-clients.md#fairemail-android) +- ![GNOME Evolution logo](assets/img/email-clients/evolution.svg){ .twemoji } [GNOME Evolution (Linux)](email-clients.md#gnome-evolution-gnome) +- ![K-9 Mail logo](assets/img/email-clients/k9mail.svg){ .twemoji } [K-9 Mail (Android)](email-clients.md#k-9-mail-android) +- ![Kontact logo](assets/img/email-clients/kontact.svg){ .twemoji } [Kontact (Linux)](email-clients.md#kontact-kde) +- ![Mailvelope logo](assets/img/email-clients/mailvelope.svg){ .twemoji } [Mailvelope (PGP in standard webmail)](email-clients.md#mailvelope-browser) +- ![NeoMutt logo](assets/img/email-clients/mutt.svg){ .twemoji } [NeoMutt (CLI)](email-clients.md#neomutt-cli) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](data-redaction.md) + +### 笔记 + +
+ +- ![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ .twemoji } [Cryptomator](encryption.md#cryptomator-cloud) +- ![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ .twemoji } [Picocrypt](encryption.md#picocrypt-file) +- ![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ .twemoji }![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ .twemoji } [VeraCrypt (FDE)](encryption.md#veracrypt-disk) +- ![Hat.sh logo](assets/img/encryption-software/hat-sh.png#only-light){ .twemoji }![Hat.sh logo](assets/img/encryption-software/hat-sh-dark.png#only-dark){ .twemoji } [Hat.sh (Browser-based)](encryption.md#hatsh) +- ![Kryptor logo](assets/img/encryption-software/kryptor.png){ .twemoji } [Kryptor](encryption.md#kryptor) +- ![Tomb logo](assets/img/encryption-software/tomb.png){ .twemoji } [Tomb](encryption.md#tomb) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](email-clients.md) + +### 加密软件 + +??? info "Operating System Disk Encryption" + + 对于加密你的系统盘,我们通常建议使用你的操作系统提供的任何加密工具,无论是Windows上的**BitLocker**,MacOS上的**FileVault**,还是Linux上的**LUKS**。 这些工具包含在操作系统中,通常使用硬件加密组件,如TPM,而其它的全盘加密软件如VeraCrypt则没有。 VeraCrypt仍然适用于加密非系统盘,如外部驱动器,特别是那些可能会从多个操作系统来访问的驱动器。 + + [了解更多:hero-arrow-circle-right-fill:](encryption.md##operating-system-included-full-disk-encryption-fde) + +
+ +- ![GnuPG logo](assets/img/encryption-software/gnupg.svg){ .twemoji } [GnuPG](encryption.md#gnu-privacy-guard) +- ![GPG4Win logo](assets/img/encryption-software/gpg4win.svg){ .twemoji } [GPG4Win (Windows)](encryption.md#gpg4win) +- ![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ .twemoji } [GPG Suite (macOS)](encryption.md#gpg-suite) +- ![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ .twemoji } [OpenKeychain](encryption.md#openkeychain) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](encryption.md) + +#### OpenPGP Clients + +
+ +- ![OnionShare logo](assets/img/file-sharing-sync/onionshare.svg){ .twemoji } [OnionShare](file-sharing.md#onionshare) +- ![FreedomBox logo](assets/img/file-sharing-sync/freedombox.svg){ .twemoji } [FreedomBox](file-sharing.md#freedombox) +- ![Syncthing logo](assets/img/file-sharing-sync/syncthing.svg){ .twemoji } [Syncthing](file-sharing.md#syncthing) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](encryption.md#openpgp) + +### 加密软件 + +
+ +- ![ExifCleaner logo](assets/img/data-redaction/exifcleaner.svg){ .twemoji } [ExifCleaner](data-redaction.md#exifcleaner) +- ![MAT2 logo](assets/img/data-redaction/mat2.svg){ .twemoji } [MAT2](data-redaction.md#mat2) +- ![ExifEraser logo](assets/img/data-redaction/exiferaser.svg){ .twemoji } [ExifEraser (Android)](data-redaction.md#exiferaser-android) +- ![Metapho logo](assets/img/data-redaction/metapho.jpg){ .twemoji } [Metapho (iOS)](data-redaction.md#metapho-ios) +- ![PrivacyBlur logo](assets/img/data-redaction/privacyblur.svg){ .twemoji } [PrivacyBlur](data-redaction.md#privacyblur) +- ![ExifTool logo](assets/img/data-redaction/exiftool.png){ .twemoji } [ExifTool (CLI)](data-redaction.md#exiftool) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](file-sharing.md) + +### 文件共享 + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey-librem-key) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](frontends.md) + +### 数据和元数据处理 + +
+ +- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji } [YubiKey](multi-factor-authentication.md#yubikey) +- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji } [Nitrokey](multi-factor-authentication.md#nitrokey) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji } [Aegis Authenticator](multi-factor-authentication.md#aegis-authenticator) +- ![Raivo OTP logo](assets/img/multi-factor-authentication/raivo-otp.png){ .twemoji } [Raivo OTP](multi-factor-authentication.md#raivo-otp) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](multi-factor-authentication.md) + +### 多因素认证工具 + +
+ +- ![LibreOffice logo](assets/img/productivity/libreoffice.svg){ .twemoji } [LibreOffice](productivity.md#libreoffice) +- ![OnlyOffice logo](assets/img/productivity/onlyoffice.svg){ .twemoji } [OnlyOffice](productivity.md#onlyoffice) +- ![CryptPad logo](assets/img/productivity/cryptpad.svg){ .twemoji } [CryptPad](productivity.md#cryptpad) +- ![PrivateBin logo](assets/img/productivity/privatebin.svg){ .twemoji } [PrivateBin (Pastebin)](productivity.md#privatebin) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](news-aggregators.md) + +### Notebooks + +
+ +- ![Signal logo](assets/img/messengers/signal.svg){ .twemoji } [Signal](real-time-communication.md#signal) +- ![Element logo](assets/img/messengers/element.svg){ .twemoji } [Element](real-time-communication.md#element) +- ![Session logo](assets/img/messengers/session.svg){ .twemoji } [Session](real-time-communication.md#session) +- ![Briar logo](assets/img/messengers/briar.svg){ .twemoji } [Briar (Android)](real-time-communication.md#briar-android) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](notebooks.md) + +### 生产力工具 + +
+ +- ![Akregator logo](assets/img/news-aggregators/akregator.svg){ .twemoji } [Akregator](news-aggregators.md#akregator) +- ![Feeder logo](assets/img/news-aggregators/feeder.png){ .twemoji} [Feeder](news-aggregators.md#feeder) +- ![Fluent Reader logo](assets/img/news-aggregators/fluent-reader.svg){ .twemoji } [Fluent Reader](news-aggregators.md#fluent-reader) +- ![GNOME Feeds logo](assets/img/news-aggregators/gfeeds.svg){ .twemoji } [GNOME Feeds](news-aggregators.md#gnome-feeds) +- ![Miniflux logo](assets/img/news-aggregators/miniflux.svg#only-light){ .twemoji }![Miniflux logo](assets/img/news-aggregators/miniflux-dark.svg#only-dark){ .twemoji } [Miniflux](news-aggregators.md#miniflux) +- ![NetNewsWire logo](assets/img/news-aggregators/netnewswire.png){ .twemoji } [NetNewsWire](news-aggregators.md#netnewswire) +- ![Newsboat logo](assets/img/news-aggregators/newsboat.svg){ .twemoji } [Newsboat](news-aggregators.md#newsboat) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](passwords.md) + +### 实时通讯 + +
+ +- ![Freenet logo](./assets/img/self-contained-networks/freenet.svg){ .twemoji } [Freenet](self-contained-networks.md#freenet) +- ![I2P logo](./assets/img/self-contained-networks/i2p.svg#only-light){ .twemoji } ![I2P logo](./assets/img/self-contained-networks/i2p-dark.svg#only-dark){ .twemoji } [I2P](self-contained-networks.md#invisible-internet-project) +- ![Tor logo](./assets/img/self-contained-networks/tor.svg){ .twemoji } [Tor](self-contained-networks.md#tor) +- ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ .twemoji } [Orbot (Smartphone Tor Proxy)](self-contained-networks.md#orbot) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](productivity.md) + +### 实时通讯 + +
+ +- ![FreeTube logo](assets/img/video-streaming/freetube.svg){ .twemoji } [FreeTube (YouTube, Desktop)](video-streaming.md#freetube) +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) +- ![NewPipe logo](assets/img//video-streaming/newpipe.svg){ .twemoji } [NewPipe (YouTube, Android)](video-streaming.md#newpipe) +- ![Invidious logo](assets/img/video-streaming/invidious.svg#only-light){ .twemoji }![Invidious logo](assets/img/video-streaming/invidious-dark.svg#only-dark){ .twemoji } [Invidious (YouTube, Web)](video-streaming.md#invidious) +- ![Librarian logo](assets/img/video-streaming/librarian.svg#only-light){ .twemoji }![Librarian logo](assets/img/video-streaming/librarian-dark.svg#only-dark){ .twemoji } [Librarian (LBRY, Web)](video-streaming.md#librarian) +- ![Piped logo](assets/img/video-streaming/piped.svg){ .twemoji } [Piped (YouTube, Web)](video-streaming.md#piped) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](real-time-communication.md) + +### 自足网络 + +
+ +- ![LBRY logo](assets/img/video-streaming/lbry.svg){ .twemoji } [LBRY](video-streaming.md#lbry) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](video-streaming.md) diff --git a/i18n/zh/tor.md b/i18n/zh/tor.md new file mode 100644 index 00000000..a8c0ff72 --- /dev/null +++ b/i18n/zh/tor.md @@ -0,0 +1,119 @@ +--- +title: "桌面端浏览器" +icon: simple/torproject +description: Protect your internet browsing from prying eyes by using the Tor network, a secure network which circumvents censorship. +--- + +![Tor logo](assets/img/self-contained-networks/tor.svg){ align=right } + +**Tor** 网络是一组由志愿者操作的服务器,允许您免费连接以提高您的互联网的隐私和安全。 个人和组织也可以通过Tor网络与".onion隐藏服务"分享信息,而不损害其隐私。 由于Tor流量难以阻止和跟踪,因此Tor是一种有效的审查规避工具。 + +[:octicons-home-16:](https://www.torproject.org){ .card-link title=Homepage } +[:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } +[:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation} +[:octicons-code-16:](https://gitweb.torproject.org/tor.git){ .card-link title="Source Code" } +[:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + +Tor的工作原理是通过这些志愿者操作的服务器路由您的互联网流量,而不是直接连接到您试图访问的网站。 这会混淆流量的来源,并且连接路径中的任何服务器都无法看到流量来自和流向的完整路径,这意味着即使您用于连接的服务器也无法打破您的匿名性。 + +[详细的Tor概述 :material-arrow-right-drop-circle:](advanced/tor-overview.md ""){.md-button} + +## 连接到Tor + +有多种方法可以从您的设备连接到Tor网络,最常用的是 **Tor浏览器**,这是Firefox的一个分支,专为桌面计算机和Android的匿名浏览而设计。 除了下面列出的应用程序,还有专门设计用于连接到Tor网络的操作系统,例如 [Whonix](desktop.md#whonix) on [Qubes OS](desktop.md#qubes-os),它提供了比标准Tor浏览器更高的安全性和保护。 + +### Tor浏览器 + +!!! recommendation + + ! [Tor浏览器徽标] (assets/img/browsers/tor.svg) {align = right} + + * * Tor浏览器* *是您需要匿名时的选择,它为您提供了对Tor网络和网桥的访问权限,并且它包括默认安全的默认设置和扩展: *标准* , *更安全*和*最安全*。 + + [:octicons-home-16: Homepage](https://www.torproject.org){ .md-button .md-button--primary } + [:simple-torbrowser:](http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion){ .card-link title="Onion Service" } + [:octicons-info-16:](https://tb-manual.torproject.org/){ .card-link title=Documentation } + [:octicons-code-16:](https://gitweb.torproject.org/tor-browser.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) + - [:simple-android: Android](https://www.torproject.org/download/#android) + - [:simple-windows11: Windows](https://www.torproject.org/download/) + - [:simple-apple: macOS](https://www.torproject.org/download/) + - [:simple-linux: Linux](https://www.torproject.org/download/) + - [:simple-freebsd: FreeBSD](https://www.freshports.org/security/tor) + +!!! 危险 + + You should **never** install any additional extensions on Tor Browser or edit `about:config` settings, including the ones we suggest for Firefox. Browser extensions and non-standard settings make you stand out from others on the Tor network, thus making your browser easier to [fingerprint](https://support.torproject.org/glossary/browser-fingerprinting). + +Tor浏览器旨在防止指纹识别,或根据您的浏览器配置识别您。 Therefore, it is imperative that you do **not** modify the browser beyond the default [security levels](https://tb-manual.torproject.org/security-settings/). + +### Orbot + +!!! recommendation + + ![Orbot logo](assets/img/self-contained-networks/orbot.svg){ align=right } + + **Orbot** is a free Tor VPN for smartphones which routes traffic from any app on your device through the Tor network. + + [:octicons-home-16: Homepage](https://orbot.app/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://orbot.app/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://orbot.app/faqs){ .card-link title=Documentation} + [:octicons-code-16:](https://orbot.app/code){ .card-link title="Source Code" } + [:octicons-heart-16:](https://orbot.app/donate){ .card-link title=Contribute } + + ??? downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.torproject.android) + - [:simple-appstore: App Store](https://apps.apple.com/us/app/orbot/id1609461599) + - [:simple-github: GitHub](https://github.com/guardianproject/orbot/releases) + +We previously recommended enabling the *Isolate Destination Address* preference in Orbot settings. While this setting can theoretically improve privacy by enforcing the use of a different circuit for each IP address you connect to, it doesn't provide a practical advantage for most applications (especially web browsing), can come with a significant performance penalty, and increases the load on the Tor network. We no longer recommend adjusting this setting from its default value unless you know you need to.[^1] + +!!! tip "Tips for Android" + + Orbot can proxy individual apps if they support SOCKS or HTTP proxying. It can also proxy all your network connections using [VpnService](https://developer.android.com/reference/android/net/VpnService) and can be used with the VPN killswitch in :gear: **Settings** → **Network & internet** → **VPN** → :gear: → **Block connections without VPN**. + + Orbot is often outdated on the Guardian Project's [F-Droid repository](https://guardianproject.info/fdroid) and [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android), so consider downloading directly from the [GitHub repository](https://github.com/guardianproject/orbot/releases) instead. + + All versions are signed using the same signature so they should be compatible with each other. + +## Relays and Bridges + +### Snowflake + +!!! recommendation + + ![Snowflake logo](assets/img/browsers/snowflake.svg#only-light){ align=right } + ![Snowflake logo](assets/img/browsers/snowflake-dark.svg#only-dark){ align=right } + + **Snowflake** allows you to donate bandwidth to the Tor Project by operating a "Snowflake proxy" within your browser. + + People who are censored can use Snowflake proxies to connect to the Tor network. Snowflake is a great way to contribute to the network even if you don't have the technical know-how to run a Tor relay or bridge. + + [:octicons-home-16: Homepage](https://snowflake.torproject.org/){ .md-button .md-button--primary } + [:octicons-info-16:](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/Technical%20Overview){ .card-link title=Documentation} + [:octicons-code-16:](https://gitweb.torproject.org/pluggable-transports/snowflake.git/){ .card-link title="Source Code" } + [:octicons-heart-16:](https://donate.torproject.org/){ .card-link title=Contribute } + + ??? downloads + + - [:simple-firefoxbrowser: Firefox](https://addons.mozilla.org/en-US/firefox/addon/torproject-snowflake/) + - [:simple-googlechrome: Chrome](https://chrome.google.com/webstore/detail/snowflake/mafpmfcccpbjnhfhjnllmmalhifmlcie) + - [:octicons-browser-16: Web](https://snowflake.torproject.org/embed "Leave this page open to be a Snowflake proxy") + +??? tip "Embedded Snowflake" + + You can enable Snowflake in your browser by clicking the switch below and ==leaving this page open==. You can also install Snowflake as a browser extension to have it always run while your browser is open, however adding third-party extensions can increase your attack surface. + +
+ If the embed does not appear for you, ensure you are not blocking the third-party frame from `torproject.org`. Alternatively, visit [this page](https://snowflake.torproject.org/embed.html). + +Snowflake does not increase your privacy in any way, nor is it used to connect to the Tor network within your personal browser. However, if your internet connection is uncensored, you should consider running it to help people in censored networks achieve better privacy themselves. There is no need to worry about which websites people are accessing through your proxy—their visible browsing IP address will match their Tor exit node, not yours. + +Running a Snowflake proxy is low-risk, even moreso than running a Tor relay or bridge which are already not particularly risky endeavours. However, it does still proxy traffic through your network which can be impactful in some ways, especially if your network is bandwidth-limited. Make sure you understand [how Snowflake works](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/home) before deciding whether to run a proxy. + +[^1]: The `IsolateDestAddr` setting is discussed on the [Tor mailing list](https://lists.torproject.org/pipermail/tor-talk/2012-May/024403.html) and [Whonix's Stream Isolation documentation](https://www.whonix.org/wiki/Stream_Isolation), where both projects suggest that it is usually not a good approach for most people. diff --git a/i18n/zh/video-streaming.md b/i18n/zh/video-streaming.md new file mode 100644 index 00000000..2aceac4a --- /dev/null +++ b/i18n/zh/video-streaming.md @@ -0,0 +1,55 @@ +--- +title: "视频串流" +icon: 资料/视频-无线 +description: These networks allow you to stream internet content without building an advertising profile based on your interests. +--- + +使用视频流媒体平台时的主要威胁是,你的流媒体习惯和订阅名单可能被用来对你进行分析。 你应该将这些工具与 [VPN](vpn.md) 或 [Tor](https://www.torproject.org/) 结合起来,以使你的使用情况更难被分析。 + +## 客户端 + +!!! recommendation + + ![FreeTube logo](assets/img/video-streaming/freetube.svg){ align=right } + + **FreeTube** 是一个自由且开源的 [YouTube](https://youtube.com)桌面应用程序。 当你使用FreeTube时,订阅列表和播放列表都会被保存在设备本地。 默认情况下,FreeTube阻止所有YouTube广告。 + + 此外,FreeTube还可以与 [SponsorBlock](https://sponsor.ajay.app)集成,以帮助你跳过推广的视频片段。 + + [:octicons-home-16: Homepage](https://freetubeapp.io){ .md-button .md-button--primary } + [:octicons-eye-16:](https://freetubeapp.io/privacy.php){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://docs.freetubeapp.io/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/FreeTubeApp/FreeTube){ .card-link title="Source Code" } + [:octicons-heart-16:](https://liberapay.com/FreeTube){ .card-link title=Contribute } + + ??? 下载 + + - [:fontawesome-brands-windows: Windows](https://freetubeapp.io/#download) + - [:fontawesome-brands-apple: macOS](https://freetubeapp.io/#download) + - [:fontawesome-brands-linux: Linux](https://freetubeapp.io/#download) + - [:pg-flathub: Flatpak](https://flathub.org/apps/details/io.freetubeapp.FreeTube) + +!!! note + + Only the **LBRY desktop client** is recommended, as the [Odysee](https://odysee.com) website and the LBRY clients in F-Droid, Play Store, and the App Store have mandatory synchronization and telemetry. + +!!! 推荐 + + ![LBRY logo](assets/img/video-streaming/lbry.svg){ align=right } + + **The LBRY network** 是一个分布式视频分享网络。 它使用一个类似 [BitTorrent](https://wikipedia.org/wiki/BitTorrent)的网络来存储视频内容,并使用一个 [blockchain](https://wikipedia.org/wiki/Blockchain)来存储这些视频的索引。 + +We recommend **against** synchronizing your wallet with LBRY Inc., as synchronizing encrypted wallets is not supported yet. 备注 + +You can disable *Save hosting data to help the LBRY network* option in :gear: **Settings** → **Advanced Settings**, to avoid exposing your IP address and watched videos when using LBRY for a prolonged period of time. + +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +!!! example "This section is new" + + We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress. + +- Must not require a centralized account to view videos. + - Decentralized authentication, such as via a mobile wallet's private key is acceptable. diff --git a/i18n/zh/vpn.md b/i18n/zh/vpn.md new file mode 100644 index 00000000..20c65cf6 --- /dev/null +++ b/i18n/zh/vpn.md @@ -0,0 +1,310 @@ +--- +title: "VPN Services" +icon: 资料/vpn +description: These are the best VPN services for protecting your privacy and security online. Find a provider here that isn’t out to spy on you. +--- + +If you're looking for additional **privacy** from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved. We think these providers are a cut above the rest: + +
+ +- ![IVPN logo](assets/img/vpn/mini/ivpn.svg){ .twemoji } [IVPN](#ivpn) +- ![Mullvad logo](assets/img/vpn/mullvad.svg){ .twemoji } [Mullvad](#mullvad) +- ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ .twemoji } [Proton VPN](#proton-vpn) + +
+ +!!! 危险 "VPNs 不提供匿名性" + + 使用VPN **不** 会隐藏你的浏览习惯, 它也不会为不安全(HTTP) 流量额外增加安全性。 + + 如果你在寻求**匿名**, 你应该使用Tor 浏览器 **而不是** VPN。 + + 如果你在寻求增进**安全**, 你应该始终确保在使用 HTTPS连接到网站。 VPN不是良好安全实践的替代品。 + + [Download Tor](https://www.torproject.org/){ .md-button .md-button--primary } [Tor Myths & FAQ](basics/tor-overview.md){ .md-button } + +[Detailed VPN Overview :material-arrow-right-drop-circle:](basics/vpn-overview.md ""){.md-button} + +## 推荐的供应商 + +我们推荐的供应商使用加密,接受Monero支付 ,支持WireGuard & OpenVPN ,并且有无日志策略。 Read our [full list of criteria](#criteria) for more information. + +### IVPN + +!!! recommendation + + ![IVPN标志](assets/img/vpn/ivpn.svg){ align=right } + + **IVPN**是另一个高级VPN供应商,他们自2009年以来一直在运营。 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 + + 这是因为到达目的地的路由较短(跳数较少)。 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 + +#### :material-check:{ .pg-green } 35 Countries + +IVPN has [servers in 35 countries](https://www.ivpn.net/server-locations).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. 这是因为到达目的地的路由较短(跳数较少)。 +{ .annotate } + +1. 如果订阅2年(119.76美元),还可享受10%的折扣。 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +IVPN has undergone a [no-logging audit from Cure53](https://cure53.de/audit-report_ivpn.pdf) which concluded in agreement with IVPN's no-logging claim. IVPN has also completed a [comprehensive pentest report Cure53](https://cure53.de/summary-report_ivpn_2019.pdf) in January 2020. IVPN has also said they plan to have [annual reports](https://www.ivpn.net/blog/independent-security-audit-concluded) in the future. A further review was conducted [in April 2022](https://www.ivpn.net/blog/ivpn-apps-security-audit-2022-concluded/) and was produced by Cure53 [on their website](https://cure53.de/pentest-report_IVPN_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +As of February 2020 [IVPN applications are now open-source](https://www.ivpn.net/blog/ivpn-applications-are-now-open-source). Source code can be obtained from their [GitHub organization](https://github.com/ivpn). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +In addition to accepting credit/debit cards and PayPal, IVPN accepts Bitcoin, **Monero** and **cash/local currency** (on annual plans) as anonymous forms of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +IVPN supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). 此外, WireGuard旨在更简单、更高效。 + +IVPN [recommends](https://www.ivpn.net/wireguard/) the use of WireGuard with their service and, as such, the protocol is the default on all of IVPN's apps. IVPN also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is possible with a Pro plan. Port forwarding [can be activated](https://www.ivpn.net/knowledgebase/81/How-do-I-activate-port-forwarding.html) via the client area. Port forwarding is only available on IVPN when using WireGuard or OpenVPN protocols and is [disabled on US servers](https://www.ivpn.net/knowledgebase/116/Port-forwarding-is-not-working-why.html). + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for [App Store](https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683), [Google Play](https://play.google.com/store/apps/details?id=net.ivpn.client), and [GitHub](https://github.com/ivpn/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +IVPN clients support two factor authentication (Mullvad's clients do not). IVPN also provides "[AntiTracker](https://www.ivpn.net/antitracker)" functionality, which blocks advertising networks and trackers from the network level. + +### Mullvad + +!!! recommendation + + ![Mullvad logo](assets/img/vpn/mullvad.svg){ align=right } + + **Mullvad** is a fast and inexpensive VPN with a serious focus on transparency and security. 挑一个拥有离你最近的服务器的VPN供应商将减少你的网络流量的发送延迟。 这是因为到达目的地的路由较短(跳数较少)。 + + 我们还认为,如果VPN供应商使用[专用服务器](https://en.wikipedia.org/wiki/Dedicated_hosting_service),而不是使用[虚拟专用服务器](https://en.wikipedia.org/wiki/Virtual_private_server)等更便宜的(与其他客户)共享的解决方案,能提高VPN供应商私人密钥的安全性。 downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) + - [:simple-appstore: App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) + - [:simple-github: GitHub](https://github.com/mullvad/mullvadvpn-app/releases) + - [:simple-windows11: Windows](https://mullvad.net/en/download/windows/) + - [:simple-apple: macOS](https://mullvad.net/en/download/macos/) + - [:simple-linux: Linux](https://mullvad.net/en/download/linux/) + +#### :material-check:{ .pg-green } 41 Countries + +Mullvad has [servers in 41 countries](https://mullvad.net/servers/).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. 这是因为到达目的地的路由较短(跳数较少)。 +{ .annotate } + +1. 如果订阅2年(119.76美元),还可享受10%的折扣。 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report [published at cure53.de](https://cure53.de/pentest-report_mullvad_v2.pdf). The security researchers concluded: + +> Cure53 and Assured AB are happy with the results of the audit and the software leaves an overall positive impression. With security dedication of the in-house team at the Mullvad VPN compound, the testers have no doubts about the project being on the right track from a security standpoint. + +In 2020 a second audit [was announced](https://mullvad.net/blog/2020/6/25/results-available-audit-mullvad-app/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2020_v2.pdf) was made available on Cure53's website: + +> The results of this May-June 2020 project targeting the Mullvad complex are quite positive. [...] The overall application ecosystem used by Mullvad leaves a sound and structured impression. The overall structure of the application makes it easy to roll out patches and fixes in a structured manner. More than anything, the findings spotted by Cure53 showcase the importance of constantly auditing and re-assessing the current leak vectors, in order to always ensure privacy of the end-users. With that being said, Mullvad does a great job protecting the end-user from common PII leaks and privacy related risks. + +In 2021 an infrastructure audit [was announced](https://mullvad.net/en/blog/2021/1/20/no-pii-or-privacy-leaks-found-cure53s-infrastructure-audit/) and the [final audit report](https://cure53.de/pentest-report_mullvad_2021_v1.pdf) was made available on Cure53's website. Another report was commissioned [in June 2022](https://mullvad.net/en/blog/2022/6/22/vpn-server-audit-found-no-information-leakage-or-logging-of-customer-data/) and is available on [Assured's website](https://www.assured.se/publications/Assured_Mullvad_relay_server_audit_report_2022.pdf). + +#### :material-check:{ .pg-green } Open-Source Clients + +Mullvad provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/mullvad/mullvadvpn-app). + +#### :material-check:{ .pg-green } Accepts Cash and Monero + +Mullvad, in addition to accepting credit/debit cards and PayPal, accepts Bitcoin, Bitcoin Cash, **Monero** and **cash/local currency** as anonymous forms of payment. \[WireGuard\](https://www.wireguard.com)是一个较新的协议,使用最先进的 \[cryptography\](https://www.wireguard.com/protocol/)。 + +#### :material-check:{ .pg-green } WireGuard Support + +Mullvad supports the WireGuard® protocol. [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). 此外, WireGuard旨在更简单、更高效。 + +Mullvad [recommends](https://mullvad.net/en/help/why-wireguard/) the use of WireGuard with their service. It is the default or only protocol on Mullvad's Android, iOS, macOS, and Linux apps, but on Windows you have to [manually enable](https://mullvad.net/en/help/how-turn-wireguard-mullvad-app/) WireGuard. Mullvad also offers a WireGuard configuration generator for use with the official WireGuard [apps](https://www.wireguard.com/install/). + +#### :material-check:{ .pg-green } IPv6 Support + +Mullvad supports the future of networking [IPv6](https://en.wikipedia.org/wiki/IPv6). Their network allows you to [access services hosted on IPv6](https://mullvad.net/en/blog/2014/9/15/ipv6-support/) as opposed to other providers who block IPv6 connections. + +#### :material-check:{ .pg-green } Remote Port Forwarding + +Remote [port forwarding](https://en.wikipedia.org/wiki/Port_forwarding) is allowed for people who make one-time payments, but not allowed for accounts with a recurring/subscription-based payment method. This is to prevent Mullvad from being able to identify you based on your port usage and stored subscription information. See [Port forwarding with Mullvad VPN](https://mullvad.net/help/port-forwarding-and-mullvad/) for more information. + +#### :material-check:{ .pg-green } Mobile Clients + +Mullvad has published [App Store](https://apps.apple.com/app/mullvad-vpn/id1488466513) and [Google Play](https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn) clients, both supporting an easy-to-use interface as opposed to requiring you to manually configure your WireGuard connection. The Android client is also available on [GitHub](https://github.com/mullvad/mullvadvpn-app/releases). + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Mullvad is very transparent about which nodes they [own or rent](https://mullvad.net/en/servers/). They use [ShadowSocks](https://shadowsocks.org/) in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with [Deep Packet Inspection](https://en.wikipedia.org/wiki/Deep_packet_inspection) trying to block VPNs. Supposedly, [China has to use a different method to block ShadowSocks servers](https://github.com/net4people/bbs/issues/22). Mullvad's website is also accessible via Tor at [o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion](http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion). + +### Proton VPN + +!!! 推荐备注 + + ![Proton VPN logo](assets/img/vpn/protonvpn.svg){ align=right } + + **Proton VPN**是VPN领域的强有力竞争者,他们自2016年以来一直保持运营。 Proton AG总部位于瑞士,提供有限制的免费使用等级,以及更具特色的高级选项。 + + **免费** — **Plus 套餐 USD $71.88/年** (1) + + [:octicons-home-16: Homepage](https://protonvpn.com/){ .md-button .md-button--primary } + [:octicons-eye-16:](https://protonvpn.com/privacy-policy){ .card-link title="Privacy Policy" } + [:octicons-info-16:](https://protonvpn.com/support/){ .card-link title=Documentation} + [:octicons-code-16:](https://github.com/ProtonVPN){ .card-link title="Source Code" } downloads + + - [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android) + - [:simple-appstore: App Store](https://apps.apple.com/app/apple-store/id1437005085) + - [:simple-github: GitHub](https://github.com/ProtonVPN/android-app/releases) + - [:simple-windows11: Windows](https://protonvpn.com/download-windows) + - [:simple-linux: Linux](https://protonvpn.com/support/linux-vpn-setup/) + +#### :material-check:{ .pg-green } 67 Countries + +Proton VPN has [servers in 67 countries](https://protonvpn.com/vpn-servers).(1) Picking a VPN provider with a server nearest to you will reduce latency of the network traffic you send. 这是因为到达目的地的路由较短(跳数较少)。 +{ .annotate } + +1. 如果订阅2年(119.76美元),还可享受10%的折扣。 + +We also think it's better for the security of the VPN provider's private keys if they use [dedicated servers](https://en.wikipedia.org/wiki/Dedicated_hosting_service), instead of cheaper shared solutions (with other customers) such as [virtual private servers](https://en.wikipedia.org/wiki/Virtual_private_server). + +#### :material-check:{ .pg-green } Independently Audited + +截至2020年1月,Proton VPN已经接受了SEC咨询公司的独立审计。 SEC Consult在Proton VPN的Windows、Android和iOS应用程序中发现了一些中度和低度风险的漏洞,在报告发布前,Proton VPN都已经 "妥善修复"。 所发现的问题中没有任何一个能让攻击者远程访问你的设备或流量。 You can view individual reports for each platform at [protonvpn.com](https://protonvpn.com/blog/open-source/). In April 2022 Proton VPN underwent [another audit](https://protonvpn.com/blog/no-logs-audit/) and the report was [produced by Securitum](https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf). A [letter of attestation](https://proton.me/blog/security-audit-all-proton-apps) was provided for Proton VPN's apps on 9th November 2021 by [Securitum](https://research.securitum.com). + +#### :material-check:{ .pg-green } Open-Source Clients + +Proton VPN provides the source code for their desktop and mobile clients in their [GitHub organization](https://github.com/ProtonVPN). + +#### :material-check:{ .pg-green } Accepts Cash + +Proton VPN, in addition to accepting credit/debit cards, PayPal, and [Bitcoin](advanced/payments.md#other-coins-bitcoin-ethereum-etc), also accepts **cash/local currency** as an anonymous form of payment. + +#### :material-check:{ .pg-green } WireGuard Support + +Proton VPN主要支持WireGuard®协议。 [WireGuard](https://www.wireguard.com) is a newer protocol that uses state-of-the-art [cryptography](https://www.wireguard.com/protocol/). 此外, WireGuard旨在更简单、更高效。 + +Proton VPN [recommends](https://protonvpn.com/blog/wireguard/) the use of WireGuard with their service. On Proton VPN's Windows, macOS, iOS, Android, ChromeOS, and Android TV apps, WireGuard is the default protocol; however, [support](https://protonvpn.com/support/how-to-change-vpn-protocols/) for the protocol is not present in their Linux app. + +#### :material-alert-outline:{ .pg-orange } Remote Port Forwarding + +Proton VPN currently only supports remote [port forwarding](https://protonvpn.com/support/port-forwarding/) on Windows, which may impact some applications. 特别是点对点的应用,如Torrent客户端。 + +#### :material-check:{ .pg-green } Mobile Clients + +In addition to providing standard OpenVPN configuration files, Proton VPN has mobile clients for [App Store](https://apps.apple.com/us/app/protonvpn-fast-secure-vpn/id1437005085), [Google Play](https://play.google.com/store/apps/details?id=ch.protonvpn.android&hl=en_US), and [GitHub](https://github.com/ProtonVPN/android-app/releases) allowing for easy connections to their servers. + +#### :material-information-outline:{ .pg-blue } Additional Functionality + +Proton VPN clients support two factor authentication on all platforms except Linux at the moment. Proton VPN has their own servers and datacenters in Switzerland, Iceland and Sweden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, Proton VPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using [the official Tor Browser](https://www.torproject.org/) for this purpose. + +#### :material-alert-outline:{ .pg-orange } Killswitch feature is broken on Intel-based Macs + +System crashes [may occur](https://protonvpn.com/support/macos-t2-chip-kill-switch/) on Intel-based Macs when using the VPN killswitch. If you require this feature, and you are using a Mac with Intel chipset, you should consider using another VPN service. + +## Criteria + +!!! 危险 + + 值得注意的是,使用VPN供应商不会使你成为匿名者,但在某些情况下会给你更好的隐私。 VPN不是非法活动的工具。 不要依赖 "无日志 "政策。 + +**请注意,我们与我们推荐的任何供应商都没有关系。 这使我们能够提供完全客观的建议。** 除了 [我们的标准标准](about/criteria.md),我们还为任何希望被推荐的VPN供应商制定了一套明确的要求,包括强大的加密、独立的安全审计、现代技术等。 我们建议你在选择VPN供应商之前熟悉这份清单,并进行自己的研究,以确保你选择的VPN供应商尽可能值得信赖。 + +### 技术 + +我们要求所有我们推荐的VPN供应商提供OpenVPN配置文件,以便在任何客户端使用。 **如果** 一个VPN提供他们自己的定制客户端,我们需要一个killswitch来阻止断开连接时的网络数据泄露。 + +**符合条件的最低要求。** + +- 支持强大的协议,如WireGuard & OpenVPN。 +- 客户端内置的杀毒软件。 +- 多跳支持。 多重跳转对于在单个节点受损的情况下保持数据的私密性非常重要。 +- 如果提供VPN客户端,它们应该是 [开源的](https://en.wikipedia.org/wiki/Open_source),就像它们一般内置的VPN软件。 我们相信, [源代码](https://en.wikipedia.org/wiki/Source_code) 的可用性提供了更大的透明度,了解你的设备实际上在做什么。 + +**Best Case:** + +- 支持WireGuard和OpenVPN。 +- 具有高度可配置的选项(在某些网络上启用/禁用,在启动时,等等)的杀戮开关。 +- 易于使用的VPN客户端 +- 支持 [IPv6](https://en.wikipedia.org/wiki/IPv6)。 我们希望服务器将允许通过IPv6的传入连接,并允许你访问IPv6地址上托管的服务。 +- [远程端口转发的能力](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) 在使用P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) 文件共享软件或托管服务器(如Mumble)时,有助于创建连接。 + +### 隐私 + +We prefer our recommended providers to collect as little data as possible. 不在注册时收集个人信息,并接受匿名的支付方式,这是必须的。 + +**符合条件的最低要求。** + +- [Anonymous cryptocurrency](cryptocurrency.md) **or** cash payment option. +- 注册时不需要提供个人信息。最多只有用户名、密码和电子邮件。 + +**Best Case:** + +- Accepts multiple [anonymous payment options](advanced/payments.md). +- No personal information accepted (autogenerated username, no email required, etc.). + +### 安全性 + +A VPN is pointless if it can't even provide adequate security. We require all our recommended providers to abide by current security standards for their OpenVPN connections. Ideally, they would use more future-proof encryption schemes by default. We also require an independent third-party to audit the provider's security, ideally in a very comprehensive manner and on a repeated (yearly) basis. + +**符合条件的最低要求。** + +- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption. +- Perfect Forward Secrecy (PFS). +- Published security audits from a reputable third-party firm. + +**Best Case:** + +- Strongest Encryption: RSA-4096. +- Perfect Forward Secrecy (PFS). +- Comprehensive published security audits from a reputable third-party firm. +- Bug-bounty programs and/or a coordinated vulnerability-disclosure process. + +### Trust + +You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data? We require our recommended providers to be public about their ownership or leadership. We also would like to see frequent transparency reports, especially in regard to how government requests are handled. + +**符合条件的最低要求。** + +- Public-facing leadership or ownership. + +**Best Case:** + +- Public-facing leadership. +- Frequent transparency reports. + +### Marketing + +With the VPN providers we recommend we like to see responsible marketing. + +**符合条件的最低要求。** + +- Must self-host analytics (i.e., no Google Analytics). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for people who want to opt-out. + +Must not have any marketing which is irresponsible: + +- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know people can quite easily deanonymize themselves in a number of ways, e.g.: + - Reusing personal information (e.g., email accounts, unique pseudonyms, etc) that they accessed without anonymity software (Tor, VPN, etc.) + - [Browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint) +- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of three or more hops that regularly changes. +- Use responsible language: i.e., it is okay to say that a VPN is "disconnected" or "not connected", however claiming that someone is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example, that person might simply be on another VPN provider's service or using Tor. + +**Best Case:** + +Responsible marketing that is both educational and useful to the consumer could include: + +- An accurate comparison to when [Tor](tor.md) should be used instead. +- Availability of the VPN provider's website over a [.onion service](https://en.wikipedia.org/wiki/.onion) + +### Additional Functionality + +While not strictly requirements, there are some factors we looked into when determining which providers to recommend. These include adblocking/tracker-blocking functionality, warrant canaries, multihop connections, excellent customer support, the number of allowed simultaneous connections, etc. diff --git a/includes/abbreviations.ar.txt b/includes/abbreviations.ar.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.ar.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.bn.txt b/includes/abbreviations.bn.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.bn.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.de.txt b/includes/abbreviations.de.txt new file mode 100644 index 00000000..09f63a6c --- /dev/null +++ b/includes/abbreviations.de.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Faktor-Authentifizierung +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open-Source Projekt +*[ATA]: Advanced Technology Attachment +*[attack surface]: Die Gesamtzahl der möglichen Einstiegspunkte für einen unbefugten Zugriff auf ein System +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Kommandozeilen-Schnittstelle +*[CSV]: Kommagetrennte Werte +*[CVE]: Häufige Schwachstellen und Gefährdungen +*[Digital Legacy]: Funktionen, die es ermöglichen nach dem eigenen Tod anderen Menschen Zugang zu Daten zu gewähren +*[DNSSEC]: Domänennamensystem-Sicherheitserweiterungen +*[DNS]: Domänennamensystem +*[DoH]: DNS über HTTPS +*[DoQ]: DNS über QUIC +*[DoH3]: DNS über HTTP/3 +*[DoT]: DNS über TLS +*[E2EE]: End-to-End-Verschlüsselung/Verschlüsselt +*[ECS]: EDNS Client Subnet +*[EEA]: Europäischer Wirtschaftsraum +*[entropy]: Ein Maß dafür, wie unvorhersehbar etwas ist +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: vollständige Festplattenverschlüsselung +*[FIDO]: Fast IDentity Online +*[fork]: Ein neues Softwareprojekt, das durch Kopieren eines bestehenden Projekts und das unabhängige Hinzufügen erstellt wird +*[DSGVO]: Datenschutzverordnung +*[GPG]: GNU Privacy Guard (PGP-Implementierung) +*[GPS]: Globales Positionsbestimmungssystem +*[GUI]: Grafische Benutzeroberfläche +*[GnuPG]: GNU Privacy Guard (PGP-Implementierung) +*[HDD]: Festplattenlaufwerk +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: sicheres Hypertext-Übertragungsprotokoll +*[HTTP]: Hypertext-Übertragungsprotokoll +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internetprotokoll +*[IPv4]: Internetprotokoll Version 4 +*[IPv6]: Internetprotokoll Version 6 +*[ISP]: Internetdienstanbieter +*[ISPs]: Internetdienstanbieter +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Faktor-Authentifizierung +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Netzwerk-Zeitprotokoll +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Betriebssystem +*[OTP]: Einmalpasswort +*[OTPs]: Einmalpasswörter +*[OpenPGP]: Open-Source-Implementierung von Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personenbezogene Daten +*[QNAME]: Qualified Name +*[rolling release]: Updates, die häufig und nicht nur in bestimmten Abständen veröffentlicht werden +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[AGB]: Allgemeine Geschäftsbedingungen +*[TOTP]: Zeitbasiertes Einmalpasswort +*[TPM]: Trusted Platform Module +*[U2F]: Universeller 2. Faktor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtuelles Privates Netzwerk +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.el.txt b/includes/abbreviations.el.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.el.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.eo.txt b/includes/abbreviations.eo.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.eo.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.es.txt b/includes/abbreviations.es.txt new file mode 100644 index 00000000..8cea113f --- /dev/null +++ b/includes/abbreviations.es.txt @@ -0,0 +1,96 @@ +*[2FA]: Autenticación de Doble Factor +*[ADB]: Puente de Depura de Android +*[AOSP]: Android Open Source Project +*[ATA]: Adjunto de Tecnología Avanzada +*[superficie de ataque]: La cantidad total de posibles puntos de entrada para acceso no autorizado a un sistema +*[AVB]: Inicio Verificado de Android +*[cgroups]: Grupos de Control +*[CLI]: Interfaz de Línea de Comando +*[CSV]: Valores Separados por Coma +*[CVE]: Vulnerabilidades y Exposiciones Comunes +*[Legado Digital]: Legado Digital se refiere a funciones que te permiten darle a otras personas acceso a tus datos cuando fallezcas +*[DNSSEC]: Extensiones de Seguridad del Sistema de Nombres de Dominio +*[DNS]: Sistema de Nombre de Dominio +*[DoH]: DNS sobre HTTPS +*[DoQ]: DNS sobre QUIC +*[DoH3]: DNS sobre HTTP/3 +*[DoT]: DNS sobre TLS +*[E2EE]: Cifrado/Encriptación de Extremo a Extremo +*[ECS]: Subred de Cliente EDNS +*[EEA]: Espacio Económico Europeo +*[entropy]: Una medición de qué tan impredecible puede ser algo +*[EOL]: Fin de Vida +*[Exif]: Formato de archivo de imagen intercambiable +*[FCM]: Firebase Cloud Messaging +*[FDE]: Encriptación de Disco Completo +*[FIDO]: Fast IDentity Online +*[fork]: Un nuevo proyecto de software creado copiando un proyecto existente y añadiéndole elementos de forma independiente +*[GDPR]: Reglamento General de Protección de Datos +*[GPG]: GNU Privacy Guard (implementación de PGP) +*[GPS]: Sistema de Posicionamiento Global +*[GUI]: Interfaz Gráfica de Usuario +*[GnuPG]: GNU Privacy Guard (implementación de PGP) +*[HDD]: Unidad de Disco Duro +*[HOTP]: HMAC (código de autenticación de mensajes basado en hash) basado en contraseña de un solo uso +*[HTTPS]: Protocolo de Transferencia de Hipertexto Seguro +*[HTTP]: Protocolo de Transferencia de Hipertexto +*[hypervisor]: Software, firmware o hardware informático que reparte los recursos de una CPU entre varios sistemas operativos +*[ICCID]: Identificador de Tarjeta de Circuito Integrado +*[IMAP]: Protocolo de Acceso a Mensajes de Internet +*[IMEI]: Identidad Internacional de Equipos Móviles +*[IMSI]: Identidad de Suscriptor Móvil Internacional +*[IP]: Protocolo de Internet +*[IPv4]: Protocolo de Internet versión 4 +*[IPv6]: Protocolo de Internet versión 6 +*[ISP]: Proveedor de servicio de internet +*[ISPs]: Proveedores de Servicio de Internet +*[JNI]: Interfaz nativa de Java +*[KYC]: Conoce a Tu Cliente +*[LUKS]: Configuración de clave unificada Linux (cifrado de disco completo) +*[MAC]: Control de Acceso a los Medios +*[MDAG]: Protección de aplicaciones de Microsoft Defender +*[MEID]: Identificador de Equipo Móvil +*[MFA]: Autenticación de Múltiples Factores +*[NVMe]: Memoria No Volátil Express +*[NTP]: Protocolo de Tiempo de Red +*[OCI]: Iniciativa de Contenedor Abierto +*[OCSP]: Protocolo del Estado del Certificado de Línea +*[OEM]: Fabricante Original de Equipo +*[OEMs]: Fabricantes Originales de Equipos +*[OS]: Sistema Operativo +*[OTP]: Contraseña de Un Solo Uso +*[OTPs]: Contraseña de Un Solo Uso +*[OpenPGP]: Aplicación de código abierto de Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Módulos de Autenticación Conectables a Linux +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Información Personalmente Identificable +*[QNAME]: Nombre Cualificado +*[liberación progresiva]: Actualizaciones que se publican frecuentemente en lugar de intervalos establecidos +*[RSS]: Sindicación Realmente Sencilla +*[SELinux]: Linux con Seguridad Mejorada +*[SIM]: Módulo de Identidad del Suscriptor +*[SMS]: Servicio de Mensajes Cortos (mensajería de texto estándar) +*[SMTP]: Protocolo de Transferencia de Correo Simple +*[SNI]: Indicación del Nombre de Servidor +*[SSD]: Unidad de Disco Duro de Estado Sólido +*[SSH]: Shell Seguro +*[SUID]: Establecer ID de usuario propietario +*[SaaS]: Software como servicio (software en la nube) +*[SoC]: Sistema en chip +*[SSO]: Inicio de sesión único +*[TCP]: Protocolo de Control de Transmisión +*[TEE]: Entorno de Ejecución de Confianza +*[TLS]: Seguridad de la Capa de Transporte +*[ToS]: Términos de Servicio +*[TOTP]: Contraseña de Un Solo Uso Basada en el Tiempo +*[TPM]: Módulo de plataforma de confianza +*[U2F]: Segundo Factor Universal +*[UEFI]: Interfaz de Firmware Extensible Unificada +*[UDP]: Protocolo de Datagramas de Usuario +*[VPN]: Red Privada Virtual +*[VoIP]: Voz sobre IP (Protocolo de Internet) +*[W3C]: Consorcio World Wide Web +*[XMPP]: Protocolo Extensible de Mensajería y Presencia +*[PWA]: Aplicación Web Progresiva diff --git a/includes/abbreviations.fa.txt b/includes/abbreviations.fa.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.fa.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.fr.txt b/includes/abbreviations.fr.txt new file mode 100644 index 00000000..4386ca85 --- /dev/null +++ b/includes/abbreviations.fr.txt @@ -0,0 +1,96 @@ +*[2FA]: Authentification à deux facteurs +*[ADB]: Pont de débogage Android +*[AOSP]: Projet Android Open Source +*[ATA]: Attachement de technologie avancée +*[surface d'attaque]: Le nombre total de points d'entrée possibles pour un accès non autorisé à un système +*[AVB]: Démarrage Vérifié d'Android +*[cgroups]: Groupes de contrôle +*[CLI]: Interface de ligne de commande +*[CSV]: Valeurs séparées par des virgules +*[CVE]: Vulnérabilités et expositions courantes +*[Héritage numérique]: L'héritage numérique désigne les fonctions qui vous permettent de donner à d'autres personnes l'accès à vos données à votre décès +*[DNSSEC]: Extensions de sécurité du système de nom de domaine +*[DNS]: Système de nom de domaine +*[DoH]: DNS sur HTTPS +*[DoQ]: DNS sur QUIC +*[DoH3]: DNS sur HTTP/3 +*[DoT]: DNS sur TLS +*[E2EE]: Chiffrement de bout en bout/Chiffré +*[ECS]: Sous-réseau du client EDNS +*[EEA]: Espace économique européen +*[entropy]: Une mesure du degré d'imprévisibilité d'une chose +*[EOL]: Fin de vie +*[Exif]: Format de fichier image échangeable +*[FCM]: Messagerie Cloud Firebase +*[FDE]: Chiffrement complet du disque +*[FIDO]: Identité rapide en ligne +*[fork]: Un nouveau projet de logiciel créé en copiant un projet existant et en le complétant de manière indépendante +*[RGPD]: Règlement Général sur la Protection des Données +*[GPG]: GNU Privacy Guard (implémentation de PGP) +*[GPS]: Système de positionnement global +*[GUI]: Interface utilisateur graphique +*[GnuPG]: GNU Privacy Guard (implémentation de PGP) +*[HDD]: Disque dur +*[HOTP]: HMAC (code d'authentification de message basé sur le hachage) basé sur un mot de passe à usage unique +*[HTTPS]: Protocole de transfert hypertexte sécurisé +*[HTTP]: Protocole de transfert hypertexte +*[superviseur]: Logiciel, micrologiciel ou matériel informatique qui répartit les ressources d'une unité centrale entre plusieurs systèmes d'exploitation +*[ICCID]: Identificateur de carte à circuit intégré +*[IMAP]: Protocole d'accès aux messages internet +*[IMEI]: Identité internationale des équipements mobiles +*[IMSI]: Identité internationale de l'abonné mobile +*[IP]: Protocole internet +*[IPv4]: Protocole internet version 4 +*[IPv6]: Protocole internet version 6 +*[FAI]: Fournisseur d'accès internet +*[FAIs]: Fournisseurs d'accès internet +*[JNI]: Interface native Java +*[KYC]: Connaissance du client +*[LUKS]: Configuration de la clé unifiée Linux (chiffrement complet du disque) +*[MAC]: Contrôle d'accès aux médias +*[MDAG]: Protection des applications Microsoft Defender +*[MEID]: Identificateur d'équipement mobile +*[MFA]: Authentification multi-facteurs +*[NVMe]: Mémoire express non volatile +*[NTP]: Protocole de temps réseau +*[OCI]: Open Container Initiative +*[OCSP]: Protocole d'état des certificats en ligne +*[OEM]: Fabricant d'équipement d'origine +*[OEMs]: Fabricants d'équipement d'origine +*[OS]: Système d'exploitation +*[OTP]: Mot de passe à usage unique +*[OTPs]: Mots de passe à usage unique +*[OpenPGP]: Implémentation open-source de Pretty Good Privacy (PGP) +*[P2P]: Pair à pair +*[PAM]: Modules d'authentification enfichables de Linux +*[POP3]: Protocole de bureau de poste 3 +*[PGP]: Pretty Good Privacy (voir OpenPGP) +*[DCP]: Donnée à charactère personnel +*[QNAME]: Nom qualifié +*[publication continue]: Mises à jour qui sont publiées fréquemment plutôt qu'à intervalles réguliers +*[RSS]: Syndication vraiment simple +*[SELinux]: Sécurité renforcée de Linux +*[SIM]: Module d'identité d'abonné +*[SMS]: Service de messages courts (messagerie texte standard) +*[SMTP]: Protocole de transfert de courrier simple +*[SNI]: Indication du nom du serveur +*[SSD]: Disque d'état solide +*[SSH]: Shell sécurisé +*[SUID]: Identifiant utilisateur du propriétaire défini +*[SaaS]: Logiciel en tant que service (logiciel cloud) +*[SoC]: Système sur puce +*[SSO]: Authentification unique +*[TCP]: Protocole de contrôle de transmission +*[TEE]: Environnement d'exécution de confiance +*[TLS]: Sécurité de la couche transport +*[CGU]: Conditions générales d'utilisation +*[TOTP]: Mot de passe à usage unique basé sur le temps +*[TPM]: Module de plateforme de confiance +*[U2F]: 2ème facteur universel +*[UEFI]: Interface micrologicielle extensible unifiée +*[UDP]: Protocole de datagramme utilisateur +*[VPN]: Réseau privé virtuel +*[VoIP]: Voix sur IP (protocole internet) +*[W3C]: Consortium World Wide Web +*[XMPP]: Protocole extensible de messagerie et de présence +*[PWA]: Application web progressive diff --git a/includes/abbreviations.he.txt b/includes/abbreviations.he.txt new file mode 100644 index 00000000..fa00a6e7 --- /dev/null +++ b/includes/abbreviations.he.txt @@ -0,0 +1,96 @@ +*[2FA]: אימות דו-שלבי +*[ADB]: Android Debug Bridge +*[AOSP]: פרויקט קוד פתוח של אנדרואיד +*[ATA]: Advanced Technology Attachment +*[משטח התקפה]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[מורשת דיגיטלית]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS דרך HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: סוף החיים +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: הצפנת דיסק מלאה +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: כונן קשיח +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: פרוטוקול אינטרנט +*[IPv4]: פרוטוקול אינטרנט גרסה 4 +*[IPv6]: פרוטוקול אינטרנט גרסה 6 +*[ISP]: ספק שירותי אינטרנט +*[ISPs]: ספקי שירותי אינטרנט +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: אימות מרובה גורמים +*[NVMe]: Nonvolatile Memory Express +*[NTP]: פרוטוקול זמן רשת +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: מערכת הפעלה +*[OTP]: סיסמה חד - פעמית +*[OTPs]: סיסמאות חד פעמיות +*[OpenPGP]: הטמעת קוד פתוח של פרטיות טובה למדי (PGP) +*[P2P]: עמית-לעמית +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: מעטפת מאובטחת +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: כניסה יחידה +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: אבטחת שכבת תעבורה +*[ToS]: תנאי השירות +*[TOTP]: סיסמה חד פעמית מבוססת זמן +*[TPM]: מודול פלטפורמה מהימנה +*[U2F]: גורם שני אוניברסלי +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: רשת וירטואלית פרטית +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.hi.txt b/includes/abbreviations.hi.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.hi.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.hu.txt b/includes/abbreviations.hu.txt new file mode 100644 index 00000000..f63ee749 --- /dev/null +++ b/includes/abbreviations.hu.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication - Kétlépcsős Hitelesítés +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project - Android Nyílt Forráskódú Projekt +*[ATA]: Advanced Technology Attachment +*[támadási felület]: Egy rendszerbe való illetéktelen hozzáférés lehetséges belépési pontjainak száma +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface - Parancssor Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: A digitális hagyaték olyan funkciókra utal, amelyek lehetővé teszik, hogy halál esetén más személyek is hozzáférhessenek az adataidhoz +*[DNSSEC]: Domain Name System Security Extensions - Domain Név Rendszer Biztonsági Kiterjesztések +*[DNS]: Domain Name System - Domain Név Rendszer +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[End-to-End]: Végponttól végpontig terjedő titkosítás +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area - Európai Gazdasági Övezet +*[entrópia]: Annak vizsgálata, hogy valami mennyire kiszámíthatatlan +*[EOL]: End-of-Life - Valami életciklusának a vége +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption - Teljes Lemez Titkosítás +*[FIDO]: Fast IDentity Online +*[fork]: Egy meglévő projekt másolásával és független hozzájárulással létrehozott új szoftverprojekt +*[GDPR]: General Data Protection Regulation - Általános Adatvédelmi Rendelet +*[GPG]: GNU Privacy Guard (PGP implementáció) +*[GPS]: Global Positioning System - Globális Helymeghatározó Rendszer +*[GUI]: Graphical User Interface - Grafikus Felhasználói Felület +*[GnuPG]: GNU Privacy Guard (PGP implementáció) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) alapú One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Számítógépes szoftver, firmware vagy hardver, amely a CPU erőforrásait több operációs rendszer között osztja fel +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol - Internet Üzenet-Hozzáférési Protokoll +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol verzió 4 +*[IPv6]: Internet Protocol verzió 6 +*[ISP]: Internet Service Provider - Internet Szolgáltató +*[ISPs]: Internet Service Providers - Internet Szolgáltatók +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Teljes Lemez Titkosítás) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier - Mobil Berendezés Azonosító +*[MFA]: Multi-Factor Authentication - Többlépcsős Hitelesítés +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol - Hálózati Idő Protokoll +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol - Online Tanúsítvány Státusz Protokoll +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System - Operációs Rendszer +*[OTP]: One-Time Password - Egyszer Használható Jelszó +*[OTPs]: One-Time Passwords - Egyszer Használható Jelszavak +*[OpenPGP]: A Pretty Good Privacy (PGP) nyílt forráskódú implementációja +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (lásd OpenPGP) +*[PII]: Personally Identifiable Information - Személyazonosításra Alkalmas Információ +*[QNAME]: Qualified Name +*[rolling release]: Gyakran és nem meghatározott időközönként kiadott frissítések +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (álltalános szöveges üzenetküldés) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (felhőszoftver) +*[SoC]: System on Chip +*[SSO]: Single sign-on - Egyszeri Bejelentkezés +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service - Felhasználási Feltételek +*[TOTP]: Time-based One-Time Password - Időalapú Egyszer Használható Jelszó +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network - Virtuális Privát Hálózat +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App - Progresszív Webes Alkalmazás diff --git a/includes/abbreviations.id.txt b/includes/abbreviations.id.txt new file mode 100644 index 00000000..84da5319 --- /dev/null +++ b/includes/abbreviations.id.txt @@ -0,0 +1,96 @@ +*[2FA]: Autentikasi 2 Faktor +*[ADB]: Jembatan Debug Android +*[AOSP]: Proyek Sumber Terbuka Android +*[ATA]: Lampiran Teknologi Canggih +*[permukaan serangan]: Jumlah total titik masuk yang mungkin untuk akses tidak sah ke sistem +*[AVB]: Boot Terverifikasi Android +*[cgroups]: Kelompok Kontrol +*[CLI]: Antarmuka Baris Perintah +*[CSV]: Nilai yang Dipisahkan dengan Koma +*[CVE]: Kerentanan dan Paparan Umum +*[Warisan Digital]: Warisan Digital mengacu pada fitur yang memungkinkan Anda untuk memberikan akses ke data Anda kepada orang lain ketika Anda meninggal dunia +*[DNSSEC]: Ekstensi Keamanan Sistem Nama Domain +*[DNS]: Sistem Nama Domain +*[DoH]: DNS melalui HTTPS +*[DoQ]: DNS melalui QUIC +*[DoH3]: DNS melalui HTTP/3 +*[DoT]: DNS melalui TLS +*[E2EE]: Enkripsi Ujung ke Ujung/Terenkripsi +*[ECS]: Subnet Klien EDNS +*[EEA]: Wilayah Ekonomi Eropa +*[entropi]: Sebuah pengukuran tentang bagaimana sesuatu yang tidak dapat diprediksi +*[EOL]: Akhir Masa Pakai +*[Exif]: Format berkas gambar yang dapat ditukar +*[FCM]: Firebase Cloud Messaging +*[FDE]: Enkripsi Diska Penuh +*[FIDO]: Fast IDentity Online (Identitas Daring Cepat) +*[fork]: Proyek perangkat lunak baru yang dibuat dengan menyalin proyek yang sudah ada dan menambahkannya secara mandiri +*[GDPR]: Peraturan Perlindungan Data Umum +*[GPG]: GNU Privacy Guard (implementasi PGP) +*[GPS]: Sistem Pemosisian Global +*[GUI]: Antarmuka Pengguna Grafis +*[GnuPG]: GNU Privacy Guard (implementasi PGP) +*[HDD]: Penyimpanan Hard Disk +*[HOTP]: Kata sandi sekali pakai berbasis HMAC (kode autentikasi pesan berbasis hash) +*[HTTPS]: Protokol Transfer Hiperteks Aman +*[HTTP]: Protokol Transfer Hiperteks +*[hypervisor]: Perangkat lunak, perangkat tegar, atau perangkat keras komputer yang membagi sumber daya CPU di antara beberapa sistem operasi +*[ICCID]: Pengidentifikasi Kartu Sirkuit Terpadu +*[IMAP]: Protokol Akses Pesan Internet +*[IMEI]: Identitas Peralatan Seluler Internasional +*[IMSI]: Identitas Pelanggan Seluler Internasional +*[IP]: Protokol Internet +*[IPv4]: Protokol Internet versi 4 +*[IPv6]: Protokol Internet versi 6 +*[ISP]: Penyedia Layanan Internet +*[ISPs]: Penyedia Layanan Internet +*[JNI]: Antarmuka Asli Java +*[KYC]: Kenali Pelanggan Anda +*[LUKS]: Pengaturan Kunci Terpadu Linux (Enkripsi Diska Penuh) +*[MAC]: Kontrol Akses Media +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Pengidentifikasi Peralatan Seluler +*[MFA]: Autentikasi Multifaktor +*[NVMe]: Memori Ekspres yang Tidak Mudah Menguap +*[NTP]: Protokol Waktu Jaringan +*[OCI]: Inisiatif Kontainer Terbuka +*[OCSP]: Protokol Status Sertifikat Daring +*[OEM]: Produsen Peralatan Asli +*[OEMs]: Produsen Peralatan Asli +*[OS]: Sistem Operasi +*[OTP]: Kata Sandi Sekali Pakai +*[OTPs]: Kata Sandi Sekali Pakai +*[OpenPGP]: Implementasi sumber terbuka dari Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Modul Otentikasi Linux yang Dapat Dicolokkan +*[POP3]: Protokol Kantor Pos 3 +*[PGP]: Pretty Good Privacy (lihat OpenPGP) +*[PII]: Informasi Identifikasi Pribadi +*[QNAME]: Nama yang Memenuhi Syarat +*[rilis bergulir]: Pembaruan yang sering dirilis daripada interval yang ditetapkan +*[RSS]: Really Simple Syndication +*[SELinux]: Linux yang Ditingkatkan Keamanannya +*[SIM]: Modul Identitas Pelanggan +*[SMS]: Layanan Pesan Singkat (pesan teks standar) +*[SMTP]: Protokol Transfer Surat Sederhana +*[SNI]: Indikasi Nama Server +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Penetapan ID Pengguna Pemilik +*[SaaS]: Perangkat lunak sebagai layanan (perangkat lunak awan) +*[SoC]: Sistem pada Chip +*[SSO]: Sistem masuk tunggal +*[TCP]: Protokol Kontrol Transmisi +*[TEE]: Lingkungan Eksekusi Terpercaya +*[TLS]: Keamanan Lapisan Transportasi +*[ToS]: Ketentuan Layanan +*[TOTP]: Kata Sandi Sekali Pakai Berbasis Waktu +*[TPM]: Modul Platform Tepercaya +*[U2F]: Faktor ke-2 Universal +*[UEFI]: Antarmuka Firmware yang Dapat Diperluas Terpadu +*[UDP]: Protokol Datagram Pengguna +*[VPN]: Jaringan Pribadi Virtual +*[VoIP]: Suara melalui IP (Protokol Internet) +*[W3C]: Konsorsium Waring Wera Wanua +*[XMPP]: Protokol Perpesanan dan Kehadiran yang Dapat Diperluas +*[PWA]: Aplikasi Web Progresif diff --git a/includes/abbreviations.it.txt b/includes/abbreviations.it.txt new file mode 100644 index 00000000..794574e5 --- /dev/null +++ b/includes/abbreviations.it.txt @@ -0,0 +1,96 @@ +*[2FA]: Autenticazione a 2 fattori +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[superficie di attacco]: Il numero totale di possibili punti d'ingresso per l'accesso non autorizzato a un sistema +*[AVB]: Android Verified Boot +*[cgroups]: Gruppo di Controllo +*[CLI]: Interfaccia a linea di comando +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: Crittografia/Crittografato end-to-end +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: Una misura dell'imprevedibilità di qualcosa +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Crittografia completa del disco +*[FIDO]: Fast IDentity Online +*[fork]: Un nuovo progetto basato su un altro progetto già esistente con l'aggiunta di elementi indipendenti +*[GDPR]: Regolamento generale per la protezione dei dati personali +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Interfaccia grafica utente +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Autenticazione a più fattori +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Rete virtuale privata +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.ko.txt b/includes/abbreviations.ko.txt new file mode 100644 index 00000000..123109fc --- /dev/null +++ b/includes/abbreviations.ko.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android 디버그 브리지 +*[AOSP]: Android 오픈소스 프로젝트 +*[ATA]: 고급 기술 결합(Advanced Technology Attachment) +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android 자체 검사 부팅 +*[cgroups]: Control Groups +*[CLI]: 명령어 인터페이스 +*[CSV]: Comma-Separated Values +*[CVE]: 공통 보안 취약점 및 노출(Common Vulnerabilities and Exposures) +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: 도메인 네임 시스템 +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: 종단 간 암호화 +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: 교환 이미지 파일 형식(Exchangeable image file format) +*[FCM]: Firebase 클라우드 메시징 +*[FDE]: 전체 디스크 암호화 +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP 구현체) +*[GPS]: Global Positioning System +*[GUI]: 그래픽 사용자 인터페이스 +*[GnuPG]: GNU Privacy Guard (PGP 구현체) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: 하이퍼텍스트 보안 전송 프로토콜 +*[HTTP]: 하이퍼텍스트 전송 프로토콜 +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: 인터넷 메시지 접속 프로토콜(Internet Message Access Protocol) +*[IMEI]: 국제 이동 단말기 식별 번호(International Mobile Equipment Identity) +*[IMSI]: 국제 이동국 식별 번호(International Mobile Subscriber Identity) +*[IP]: 인터넷 프로토콜(Internet Protocol) +*[IPv4]: IP 버전 4 (Internet Protocol version 4) +*[IPv6]: IP 버전 6 (Internet Protocol version 6) +*[ISP]: 인터넷 서비스 제공자(Internet Service Provider) +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: 네트워크 타임 프로토콜(Network Time Protocol) +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: 운영 체제 +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: 보안 강화 리눅스(Security-Enhanced Linux) +*[SIM]: Subscriber Identity Module +*[SMS]: 문자 메시지 서비스 +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: 전송 제어 프로토콜 +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: 신뢰 플랫폼 모듈(Trusted Platform Module) +*[U2F]: Universal 2nd Factor +*[UEFI]: 통합 확장 펌웨어 인터페이스(Unified Extensible Firmware Interface) +*[UDP]: 사용자 데이터그램 프로토콜 +*[VPN]: 가상 사설망(Virtual Private Network) +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: 프로그레시브 웹 앱 diff --git a/includes/abbreviations.ku-IQ.txt b/includes/abbreviations.ku-IQ.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.ku-IQ.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.nl.txt b/includes/abbreviations.nl.txt new file mode 100644 index 00000000..efd1ac26 --- /dev/null +++ b/includes/abbreviations.nl.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authenticatie +*[ADB]: Android Debug Bridge +*[AOSP]: Android opensource project +*[ATA]: Advanced Technology Attachment +*[aanvalsoppervlakte]: Het totale aantal mogelijke ingangen voor onbevoegde toegang tot een systeem +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digitaal erfgoed]: Digital Legacy verwijst naar functies waarmee je andere mensen toegang kunt geven tot jouw gegevens wanneer je overlijdt +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: Een meting van hoe onvoorspelbaar iets is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: Een nieuw software project gemaakt door een bestaand project te kopiëren en er zelfstandig iets aan toe te voegen +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) gebaseerd eenmalig wachtwoord +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computersoftware, firmware of hardware die de resources van een CPU verdeelt over meerdere besturingssystemen +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer (ken uw klant) +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multifactor-authenticatie +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementatie van Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (zie OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates die regelmatig worden uitgebracht in plaats van met vaste tussenpozen +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standaard sms) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Eenmalige aanmelding +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.pl.txt b/includes/abbreviations.pl.txt new file mode 100644 index 00000000..eab94131 --- /dev/null +++ b/includes/abbreviations.pl.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Uwierzytelnianie wieloskładnikowe +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.pt-BR.txt b/includes/abbreviations.pt-BR.txt new file mode 100644 index 00000000..8a2860a4 --- /dev/null +++ b/includes/abbreviations.pt-BR.txt @@ -0,0 +1,96 @@ +*[2FA]: Autenticação de dois fatores +*[ADB]: Android Debug Bridge +*[AOSP]: Projeto Open Source Android +*[ATA]: Advanced Technology Attachment +*[superfície de ataque]: O número total de pontos de entrada possíveis para o acesso não autorizado a um sistema +*[AVB]: Inicialização Verificada do Android +*[cgroups]: Grupos de Controle +*[CLI]: Interface de Linha de Comando +*[CSV]: Valores Separados por Vírgulas +*[CVE]: Vulnerabilidades e Exposições Comuns +*[Legado Digital]: Legado Digital refere-se a recursos que permitem que você dê a outras pessoas acesso aos seus dados quando você morre +*[DNSSEC]: Extensões de Segurança do Sistema de Nomes de Domínio +*[DNS]: Sistema de Nomes de Domínio +*[DoH]: DNS sobre HTTPS +*[DoQ]: DNS sobre QUIC +*[DoH3]: DNS sobre HTTP/3 +*[DoT]: DNS sobre TLS +*[E2EE]: Criptografia/Criptografia ponto-a-ponto +*[ECS]: Sub-rede de clientes EDNS +*[EEA]: Espaço Econômico Europeu +*[entropy]: Uma medida de quão imprevisível algo é +*[EOL]: Fim da vida útil +*[Exif]: Formato de arquivo de imagem intercambiável +*[FCM]: Firebase Cloud Messaging +*[FDE]: Criptografia total de disco +*[FIDO]: Fast IDentity Online +*[fork]: Um novo projeto de software criado copiando um projeto existente e desenvolvendo ele independentemente +*[GDPR]: Regulamento Geral de Proteção de Dados +*[GPG]: GNU Privacy Guard (implementação PGP) +*[GPS]: Sistema de Posicionamento Global +*[GUI]: Interface Gráfica do Usuário +*[GnuPG]: GNU Privacy Guard (implementação PGP) +*[HDD]: Disco Rígido +*[HOTP]: HMAC (Código de Autenticação de Mensagem Baseado em Hash) baseado em Senha Única +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Software de computador, firmware ou hardware que divide os recursos de uma CPU entre vários sistemas operacionais +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Protocolo de Acesso a Mensagens da Internet +*[IMEI]: Identificação Internacional de Equipamento Móvel +*[IMSI]: Identidade Internacional do Assinante de Celular +*[IP]: Protocolo de Internet +*[IPv4]: Protocolo de Internet versão 4 +*[IPv6]: Protocolo de Internet versão 6 +*[ISP]: Provedor de Internet +*[ISPs]: Provedores de Internet +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Criptografia total de disco) +*[MAC]: Controle de Acesso ao Meio +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Autenticação de Múltiplos Fatores +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Protocolo de Status de Certificado Online +*[OEM]: Fabricante do Equipamento Original +*[OEMs]: Fabricantes de Equipamentos Originais +*[OS]: Sistema Operacional +*[OTP]: Senha de uso único +*[OTPs]: Senhas de uso único +*[OpenPGP]: Implementação de código aberto do Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (veja OpenPGP) +*[PII]: Informações Pessoalmente Identificáveis +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Termos de Serviço +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Rede Privada Virtual +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.pt.txt b/includes/abbreviations.pt.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.pt.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.ru.txt b/includes/abbreviations.ru.txt new file mode 100644 index 00000000..edc184cf --- /dev/null +++ b/includes/abbreviations.ru.txt @@ -0,0 +1,96 @@ +*[2FA]: Двухфакторная аутентификация +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[площадь атаки]: Общее количество возможных точек входа для несанкционированного доступа к системе +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values, формат таблиц +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: Сквозное шифрование +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[форк]: Новое программное обеспечение, созданное путем модификации открытого кода существующего проекта +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Операционная система +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[ПД]: Персональные данные +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Твердотельный накопитель +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.sv.txt b/includes/abbreviations.sv.txt new file mode 100644 index 00000000..97deb2a7 --- /dev/null +++ b/includes/abbreviations.sv.txt @@ -0,0 +1,96 @@ +*[2FA]: Tvåfaktorsautentisering +*[ADB]: Felsökning av Android +*[AOSP]: Android Open Source-projekt +*[ATA]: Avancerad teknikbilaga +*[attackyta]: Det totala antalet möjliga ingångspunkter för obehörig åtkomst till ett system +*[AVB]: Android verifierad uppstart +*[cgroups]: Kontrollgrupper +*[CLI]: Kommandoradsgränssnitt +*[CSV]: Kommaseparerade värden +*[CVE]: Vanliga sårbarheter och exponeringar +*[Digitalt Arv]: Digitalt arv avser funktioner som gör att du kan ge andra personer tillgång till dina uppgifter när du dör +*[DNSSEC]: Säkerhetstillägg för domännamnssystem +*[DNS]: Domännamnssystem +*[DoH]: DNS över HTTPS +*[DoQ]: DNS över QUIC +*[DoH3]: DNS över HTTPS +*[DoT]: DNS över TLS +*[E2EE]: End-to-End-kryptering/krypterad +*[ECS]: EDNS Client Subnet +*[EEA]: Europeiska ekonomiska samarbetsområdet +*[entropy]: Ett mått på hur oförutsägbart något är +*[EOL]: Slutet av livslängden +*[Exif]: Utbytbart bildfilformat +*[FCM]: Firebase Cloud Messaging +*[FDE]: Fullständig diskkryptering +*[FIDO]: Snabb IDentitet online +*[fork]: Ett nytt programvaruprojekt som skapas genom att ett befintligt projekt kopieras och kompletteras självständigt +*[GDPR]: Allmän dataskyddsförordning +*[GPG]: GNU Privacy Guard (PGP-implementering) +*[GPS]: Globalt positioneringssystem +*[GUI]: Grafiskt användargränssnitt +*[GnuPG]: GNU Privacy Guard (PGP-implementering) +*[HDD]: Hårddisk +*[HOTP]: HMAC-baserat engångslösenord (Hash-based Message Authentication Code) +*[HTTPS]: Hypertext Transfer Protocol Säkert +*[HTTP]: Hypertextöverföringsprotokoll +*[hypervisor]: Datorprogramvara, firmware eller hårdvara som delar upp en processors resurser mellan flera operativsystem +*[ICCID]: Identifierare för integrerat kretskort +*[IMAP]: Protokoll för åtkomst till Internetmeddelanden +*[IMEI]: Internationell identitet för mobil utrustning +*[IMSI]: Internationell identitet för mobil utrustning +*[IP]: Internetprotokoll +*[IPv4]: Internetprotokoll version 4 +*[IPv6]: Internetprotokoll version 6 +*[ISP]: Internetleverantör +*[ISPs]: Internetleverantör +*[JNI]: Java inbyggt gränssnitt +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Kryptering) +*[MAC]: Medieåtkomstkontroll +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Identifiering av mobil utrustning +*[MFA]: Multi-Faktor Autentisering +*[NVMe]: Icke-flyktigt minne Express +*[NTP]: Nätverkstidsprotokoll +*[OCI]: Initiativ för öppna behållare +*[OCSP]: Certifikatstatus online +*[OEM]: Originalutrustningstillverkare +*[OEMs]: Originalutrustningstillverkare +*[OS]: Operativsystem +*[OTP]: Engångslösenord +*[OTPs]: Engångslösenord +*[OpenPGP]: Implementering av Pretty Good Privacy (PGP) med öppen källkod +*[P2P]: Peer-To-Peer +*[PAM]: Linux Pluggable autentiseringsmoduler +*[POP3]: Postkontorets protokoll 3 +*[PGP]: Pretty Good Privacy (se OpenPGP) +*[PII]: Personligt identifierbar information +*[QNAME]: Kvalificerat namn +*[rullande utgåva]: Uppdateringar som släpps ofta i stället för med fasta intervaller +*[RSS]: Riktigt enkel syndikering +*[SELinux]: Linux med förbättrad säkerhet +*[SIM]: Modul för abonnentidentitet +*[SMS]: Short Message Service (standardiserade textmeddelanden) +*[SMTP]: Protokoll för enkel överföring av e-post (Simple Mail Transfer Protocol) +*[SNI]: Serverns namnindikering +*[SSD]: Ssd-disk +*[SSH]: Säkert skal +*[SUID]: Ange ägarens användar-ID +*[SaaS]: Programvara som tjänst (molnprogramvara) +*[SoC]: System på chip +*[SSO]: Single sign-on +*[TCP]: Protokoll för överföringskontroll +*[TEE]: Miljö för tillförlitlig utförande +*[TLS]: Säkerhet för transportlager +*[ToS]: Användarvillkor +*[TOTP]: Tidsbaserat engångslösenord +*[TPM]: Modul för betrodd plattform +*[U2F]: Universell 2-faktor +*[UEFI]: Unified Extensible Firmware-gränssnitt +*[UDP]: Användardatagramprotokoll +*[VPN]: Virtuella privata servrar +*[VoIP]: Röst över IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Utökningsbart meddelande- och närvaroprotokoll +*[PWA]: Progressiv webbapp diff --git a/includes/abbreviations.tr.txt b/includes/abbreviations.tr.txt new file mode 100644 index 00000000..e7083961 --- /dev/null +++ b/includes/abbreviations.tr.txt @@ -0,0 +1,96 @@ +*[2FA]: İki Faktörlü Kimlik Doğrulama +*[ADB]: Android Hata Ayıklama Köprüsü +*[AOSP]: Android Açık Kaynak Projesi +*[ATA]: İleri Teknoloji Eklentisi +*[attack surface]: Bir sisteme yetkisiz erişim için olası giriş noktalarının toplam sayısı +*[AVB]: Android Onaylanmış Önyükleme +*[cgroups]: Kontrol Grupları +*[CLI]: Komut satırı arayüzü +*[CSV]: CSV Dosyası +*[CVE]: Yaygın Güvenlik Açıkları ve Maruziyetler +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: Uçtan Uca Şifreleme/Şifreli +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: Kullanım Ömrü Sonu +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.uk.txt b/includes/abbreviations.uk.txt new file mode 100644 index 00000000..95ba80ad --- /dev/null +++ b/includes/abbreviations.uk.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Факторна Автентифікація (2-Factor-Authentication) +*[ADB]: Налагоджувальний міст для Android (Android Debugging Bridge) +*[AOSP]: Проект з відкритим вихідним кодом Android (Android Open Source Project) +*[ATA]: Передове технологічне обладнання (Advanced Technology Attachment) +*[поверхня атаки]: Загальна кількість можливих точок входу для несанкціонованого доступу до системи +*[AVB]: Перевірене завантаження Android (Android Verified Boot) +*[cgroups]: Контрольні групи Linux (Control Groups) +*[CLI]: Інтерфейс командного рядка (Command Line Interface) +*[CSV]: Значення, розділені комами (Comma-Separated Values) +*[CVE]: Поширені вразливості та ризики (Common Vulnerabilities and Exposures) +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Розширення безпеки системи доменних імен (Domain Name System Security Extensions) +*[DNS]: Система доменних імен (Domain Name System) +*[DoH]: DNS через HTTPS (DNS over HTTPS) +*[DoQ]: DNS через QUIC (DNS over QUIC) +*[DoH3]: DNS через HTTP/3 (DNS over HTTP/3) +*[DoT]: DNS через TLS (DNS over TLS) +*[E2EE]: Наскрізне шифрування/зашифроване (End-to-End Encryption/Encrypted) +*[ECS]: Клієнтська підмережа EDNS (EDNS Client Subnet) +*[EEA]: Європейська економічна зона (European Economic Area) +*[ентропія]: Міра того, наскільки щось є непередбачуваним +*[EOL]: Кінець життя/терміну служби (End-of-Life) +*[Exif]: Обмінний формат файлів зображень (Exchangeable image file format) +*[FCM]: Хмарний обмін повідомленнями Firebase (Firebase Cloud Messaging) +*[FDE]: Повне шифрування диска (Full Disk Encryption) +*[FIDO]: Швидка ідентифікація особи онлайн (Fast IDentity Online) +*[форк]: Новий програмний проєкт, створений шляхом копіювання наявного проєкту та самостійного його доповнення +*[GDPR]: Загальний регламент про захист даних ЄС (General Data Protection Regulation) +*[GPG]: GNU Privacy Guard (реалізація PGP) +*[GPS]: Система глобального позиціювання (Global Positioning System) +*[GUI]: Графічний інтерфейс користувача (Graphical User Interface) +*[GnuPG]: GNU Privacy Guard (реалізація PGP) +*[HDD]: Жорсткий диск (Hard Disk Drive) +*[HOTP]: Одноразовий пароль на основі HMAC (Hash-based Message Authentication Code based One-time Password) +*[HTTPS]: Безпечний протокол передачі гіпертексту (Hypertext Transfer Protocol Secure) +*[HTTP]: Протокол передачі гіпертексту (Hypertext Transfer Protocol) +*[гіпервізор]: Комп'ютерне програмне забезпечення, прошивка або апаратне забезпечення, яке розподіляє ресурси центрального процесора між кількома операційними системами +*[ICCID]: Ідентифікатор плати інтегральної мікросхеми (Integrated Circuit Card Identifier) +*[IMAP]: Протокол доступу до Інтернет-повідомлень (Internet Message Access Protocol) +*[IMEI]: Міжнародний ідентифікатор мобільного обладнання (International Mobile Equipment Identity) +*[IMSI]: Міжнародний ідентифікатор абонента мобільного зв'язку (International Mobile Subscriber Identity) +*[IP]: Інтернет-протокол (Internet Protocol) +*[IPv4]: Інтернет-протокол версії 4 (Internet Protocol version 4) +*[IPv6]: Інтернет-протокол версії 6 (Internet Protocol version 6) +*[ISP]: Інтернет-провайдер (Internet Service Provider) +*[ISPs]: Інтернет-провайдери (Internet Service Providers) +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.vi.txt b/includes/abbreviations.vi.txt new file mode 100644 index 00000000..2553f881 --- /dev/null +++ b/includes/abbreviations.vi.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: Multi-Factor Authentication +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: Single sign-on +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/includes/abbreviations.zh-Hant.txt b/includes/abbreviations.zh-Hant.txt new file mode 100644 index 00000000..f41eb956 --- /dev/null +++ b/includes/abbreviations.zh-Hant.txt @@ -0,0 +1,96 @@ +*[2FA]: 雙因素驗證 +*[ADB]: Android Debug Bridge +*[AOSP]: Android 開放原始碼計畫 (AOSP) +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: 命令列介面 +*[CSV]: Comma-Separated Values (以逗號分開數值的文件) +*[CVE]: Common Vulnerabilities and Exposures (常見漏洞和暴露) +* [Digital Legacy]: 數位遺產是指在您死亡之後,允許讓其他人取用您留下的資料。 +*[DNSSEC]: 網域名稱系統安全擴充套件 +*[DNS]: 域名系統 +*[DoH]: 通過 HTTPS 的 DNS +*[DoQ]: 通過 QUIC 的 DNS +*[DoH3]: 通過 HTTP/3 的 DNS +*[DoT]: 通過 TLS 的 DNS +*[E2EE]: 端到端加密/加密 +*[ECS]: EDNS客戶端子網 +*[EEA]: 歐洲經濟區 +*[entropy]: 衡量某件事有多不可預測 +*[EOL]: 結束生命週期 +*[Exif]: 可交換影像檔案格式 +*[FCM]: Firebase 雲消息 +*[FDE]: 完整磁碟加密 +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: 超文本傳輸協議 +*[hypervisor]: 多重作業系統中分割CPU資源給電腦軟體、韌體或硬體。 +*[ICCID]: 集成式迴路卡識別碼 +*[IMAP]: 網際網路訊息存取協定 +*[IMEI]: 國際移動設備識別碼 +*[IMSI]: 國際移動使用者辨識碼 +*[IP]: 網際網路協議 +*[IPv4]: 互聯網協議版本4 +*[IPv6]: 網際網路協議版本6 +*[ISP]: 網路連線供應商 +*[ISPs]: 網路連線供應商 +*[JNI]: Java 原生介面 +*[KYC]: 了解您的客戶 +*[LUKS]: Linux Unified Key設定 (全磁碟加密) +*[MAC]: 媒體存取控制 +*[MDAG]: Microsoft Defender 應用程式防護 +*[MEID]: 行動裝置識別碼 +*[MFA]: 多重身分驗證 +*[NVMe]: NVMe (非揮發性記憶體控制規範) +*[NTP]: 網絡時間協議 +*[OCI]: Open Container Initiative +*[OCSP]: 線上憑邆狀態協議 +*[OEM]: 代工生產 +*[OEMs]: 代工生產 +*[OS]: 作業系統 +*[OTP]: 一次性密碼 +*[OTPs]: 一次性密碼 +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: 點對點 +*[PAM]: Linux 插入式驗證模組 +*[POP3]: 郵件協議 3 +*[PGP]: Pretty Good Privacy (見OpenPGP ) +*[PII]: 個人識別資訊 +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: 單一登入(Single Sign-On) +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: 用戶資料圖報協議 +*[VPN]: 虛擬私密連線 +*[VoIP]: IP語音(Internet通訊協定) +*[W3C]: 萬維網聯盟 +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: 漸進式網絡應用程式 (PWA) diff --git a/includes/abbreviations.zh.txt b/includes/abbreviations.zh.txt new file mode 100644 index 00000000..449e4cb7 --- /dev/null +++ b/includes/abbreviations.zh.txt @@ -0,0 +1,96 @@ +*[2FA]: 2-Factor Authentication +*[ADB]: Android Debug Bridge +*[AOSP]: Android Open Source Project +*[ATA]: Advanced Technology Attachment +*[attack surface]: The total number of possible entry points for unauthorized access to a system +*[AVB]: Android Verified Boot +*[cgroups]: Control Groups +*[CLI]: Command Line Interface +*[CSV]: Comma-Separated Values +*[CVE]: Common Vulnerabilities and Exposures +*[Digital Legacy]: Digital Legacy refers to features that allow you to give other people access to your data when you die +*[DNSSEC]: Domain Name System Security Extensions +*[DNS]: Domain Name System +*[DoH]: DNS over HTTPS +*[DoQ]: DNS over QUIC +*[DoH3]: DNS over HTTP/3 +*[DoT]: DNS over TLS +*[E2EE]: End-to-End Encryption/Encrypted +*[ECS]: EDNS Client Subnet +*[EEA]: European Economic Area +*[entropy]: A measurement of how unpredictable something is +*[EOL]: End-of-Life +*[Exif]: Exchangeable image file format +*[FCM]: Firebase Cloud Messaging +*[FDE]: Full Disk Encryption +*[FIDO]: Fast IDentity Online +*[fork]: A new software project created by copying an existing project and adding to it independently +*[GDPR]: General Data Protection Regulation +*[GPG]: GNU Privacy Guard (PGP implementation) +*[GPS]: Global Positioning System +*[GUI]: Graphical User Interface +*[GnuPG]: GNU Privacy Guard (PGP implementation) +*[HDD]: Hard Disk Drive +*[HOTP]: HMAC (Hash-based Message Authentication Code) based One-Time Password +*[HTTPS]: Hypertext Transfer Protocol Secure +*[HTTP]: Hypertext Transfer Protocol +*[hypervisor]: Computer software, firmware, or hardware that splits the resources of a CPU among multiple operating systems +*[ICCID]: Integrated Circuit Card Identifier +*[IMAP]: Internet Message Access Protocol +*[IMEI]: International Mobile Equipment Identity +*[IMSI]: International Mobile Subscriber Identity +*[IP]: Internet Protocol +*[IPv4]: Internet Protocol version 4 +*[IPv6]: Internet Protocol version 6 +*[ISP]: Internet Service Provider +*[ISPs]: Internet Service Providers +*[JNI]: Java Native Interface +*[KYC]: Know Your Customer +*[LUKS]: Linux Unified Key Setup (Full-Disk Encryption) +*[MAC]: Media Access Control +*[MDAG]: Microsoft Defender Application Guard +*[MEID]: Mobile Equipment Identifier +*[MFA]: 多因认证 +*[NVMe]: Nonvolatile Memory Express +*[NTP]: Network Time Protocol +*[OCI]: Open Container Initiative +*[OCSP]: Online Certificate Status Protocol +*[OEM]: Original Equipment Manufacturer +*[OEMs]: Original Equipment Manufacturers +*[OS]: Operating System +*[OTP]: One-Time Password +*[OTPs]: One-Time Passwords +*[OpenPGP]: Open-source implementation of Pretty Good Privacy (PGP) +*[P2P]: Peer-to-Peer +*[PAM]: Linux Pluggable Authentication Modules +*[POP3]: Post Office Protocol 3 +*[PGP]: Pretty Good Privacy (see OpenPGP) +*[PII]: Personally Identifiable Information +*[QNAME]: Qualified Name +*[rolling release]: Updates which are released frequently rather than set intervals +*[RSS]: Really Simple Syndication +*[SELinux]: Security-Enhanced Linux +*[SIM]: Subscriber Identity Module +*[SMS]: Short Message Service (standard text messaging) +*[SMTP]: Simple Mail Transfer Protocol +*[SNI]: Server Name Indication +*[SSD]: Solid-State Drive +*[SSH]: Secure Shell +*[SUID]: Set Owner User ID +*[SaaS]: Software as a Service (cloud software) +*[SoC]: System on Chip +*[SSO]: 单点登录 +*[TCP]: Transmission Control Protocol +*[TEE]: Trusted Execution Environment +*[TLS]: Transport Layer Security +*[ToS]: Terms of Service +*[TOTP]: Time-based One-Time Password +*[TPM]: Trusted Platform Module +*[U2F]: Universal 2nd Factor +*[UEFI]: Unified Extensible Firmware Interface +*[UDP]: User Datagram Protocol +*[VPN]: Virtual Private Network +*[VoIP]: Voice over IP (Internet Protocol) +*[W3C]: World Wide Web Consortium +*[XMPP]: Extensible Messaging and Presence Protocol +*[PWA]: Progressive Web App diff --git a/theme/overrides/home.ar.html b/theme/overrides/home.ar.html new file mode 100644 index 00000000..680e65ff --- /dev/null +++ b/theme/overrides/home.ar.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

المُرشِدُ لِتَحسينِ خُصُوصِيَّتَكَ عَلَى الإنتَرنِت.

+

منظمات ضخمة تراقب أنشطتك على الإنترنت. إرشاداتُ الخصوصيَّة هي مورِدُك المركزي للخصوصية والأمان لِتحمي نفسك على الإنترنت.

+ + اِبدَأ رِحلَةَ تَحسينِ خُصُوصِيَّتِك + + + أدَوَاتٌ يُنصَحُ بِهَا + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.bn.html b/theme/overrides/home.bn.html new file mode 100644 index 00000000..f4fd10f7 --- /dev/null +++ b/theme/overrides/home.bn.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

আপনার অনলাইন প্রাইভেসী রক্ষা করার জন্য গাইড।

+

বড়ো কোম্পানিগুলি আপনার অনলাইন কার্যক্রম-এর ওপর নজরদারি করছে। প্রাইভেসী গাইডস হলো আপনার অনলাইন প্রাইভেসী এবং সিকিউরিটি সম্পর্কে জানবার প্রধান জায়গা।

+ + আপনার প্রাইভেসি এর যাত্রা শুরু করুন + + + প্রস্তাবিত সরঞ্জাম + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.de.html b/theme/overrides/home.de.html new file mode 100644 index 00000000..1c764c4b --- /dev/null +++ b/theme/overrides/home.de.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Der Leitfaden zur Wiederherstellung Ihrer Online-Privatsphäre.

+

Riesige Unternehmen überwachen Ihre Online-Aktivitäten. Privacy Guides ist deine zentrale Informationsquelle für Datenschutz und Sicherheit, um dich online zu schützen.

+ + Beginne Deine Reise zur Privatsphäre + + + Empfohlene Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.el.html b/theme/overrides/home.el.html new file mode 100644 index 00000000..bb6f4b34 --- /dev/null +++ b/theme/overrides/home.el.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Ο οδηγός για την αποκατάσταση του διαδικτυακού απορρήτου σας.

+

Μαζικές οργανώσεις παρακολουθούν τις δραστηριότητές σας στο διαδίκτυο. Ο οδηγός Privacy Guides είναι η κεντρική πηγή προστασίας του απορρήτου σας και της ασφάλειας στο διαδίκτυο.

+ + Ξεκινήστε το ταξίδι απορρήτου σας + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.eo.html b/theme/overrides/home.eo.html new file mode 100644 index 00000000..2b4df311 --- /dev/null +++ b/theme/overrides/home.eo.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.es.html b/theme/overrides/home.es.html new file mode 100644 index 00000000..90dafd53 --- /dev/null +++ b/theme/overrides/home.es.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

La guía para restaurar tu privacidad en línea.

+

Organizaciones masivas están monitoreando tus actividades en línea. Privacy Guides es tu recurso central de privacidad y seguridad para protegerte en línea.

+ + Inicia Tu Viaje de Privacidad + + + Herramientas recomendadas + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.fa.html b/theme/overrides/home.fa.html new file mode 100644 index 00000000..bc046c80 --- /dev/null +++ b/theme/overrides/home.fa.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

راهنمای بازگرداندن حریم خصوصی شما.

+

سازمانهای بزرگ فعالیتهای اینترنتی شما را رصد می‌کنند. وبسایت Privacy Guides منبع اصلی حریم خصوصی و امنیت شما برای محافظت از خودتان در اینترنت است.

+ + Start Your Privacy Journey + + + ابزارهای پیشنهادی + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.fr.html b/theme/overrides/home.fr.html new file mode 100644 index 00000000..43ade0ea --- /dev/null +++ b/theme/overrides/home.fr.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Le guide pour restaurer votre vie privée en ligne.

+

Des organisations massives surveillent vos activités en ligne. Privacy Guides est votre ressource centrale en matière de vie privée et de sécurité pour vous protéger en ligne.

+ + Commencez votre voyage vers la vie privée + + + Outils recommandés + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.he.html b/theme/overrides/home.he.html new file mode 100644 index 00000000..63c0e334 --- /dev/null +++ b/theme/overrides/home.he.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

המדריך לשחזור הפרטיות המקוונת שלך.

+

ארגונים גדולים עוקבים אחר הפעילות שלכם באינטרנט. Privacy Guides (מדריכי פרטיות) הם משאב הפרטיות והאבטחה המרכזי שלכם כדי להגן על עצמכם באופן מקוון.

+ + התחל את מסע הפרטיות שלך + + + כלים מומלצים + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.hi.html b/theme/overrides/home.hi.html new file mode 100644 index 00000000..2b4df311 --- /dev/null +++ b/theme/overrides/home.hi.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.hu.html b/theme/overrides/home.hu.html new file mode 100644 index 00000000..6be43237 --- /dev/null +++ b/theme/overrides/home.hu.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Útmutató az online magánéleted helyreállításához.

+

Hatalmas szervezetek figyelik az online tevékenységeidet. A Privacy Guides a te központi adatvédelmi és adatbiztonsági erőforrásod magad megvédéséhez online.

+ + Kezdj Bele Adatvédelmi Utazásodba + + + Ajánlott Eszközök + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.id.html b/theme/overrides/home.id.html new file mode 100644 index 00000000..2de49786 --- /dev/null +++ b/theme/overrides/home.id.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Panduan untuk memulihkan privasi daring Anda.

+

Organisasi besar sedang memantau aktivitas daring Anda. Privacy Guides adalah sumber daya privasi dan keamanan Anda untuk melindungi Anda secara daring.

+ + Mulai Perjalanan Privasi Anda + + + Alat yang Direkomendasikan + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.it.html b/theme/overrides/home.it.html new file mode 100644 index 00000000..d3494eb0 --- /dev/null +++ b/theme/overrides/home.it.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

La guida per ripristinare la tua privacy online.

+

Le grandi organizzazioni stanno monitorando le tue attività online. Privacy Guides è la risorsa centrale per la privacy e la sicurezza per proteggersi online.

+ + Inizia il tuo percorso sulla privacy + + + Strumenti consigliati + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.ko.html b/theme/overrides/home.ko.html new file mode 100644 index 00000000..1b6aa5ee --- /dev/null +++ b/theme/overrides/home.ko.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.ku-IQ.html b/theme/overrides/home.ku-IQ.html new file mode 100644 index 00000000..6e80c206 --- /dev/null +++ b/theme/overrides/home.ku-IQ.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

ڕێبەرێک بۆ گەڕاندنەوەی تایبەتێتی خۆت لە ئینتەرنێت.

+

ڕێکخراوە زەبەلاحەکان چاودێری چالاکی سەرئینتەرنێتت دەکەن. Privacy Guides ناوەندی سەرچاوەی تۆیە بۆ پاراستن و تایبەتێتی شێوازی خۆپاراستن لەسەرهێڵ.

+ + گەشتی تایبەتێتی دەست پێبکە + + + ئامرازە پێشنیارکراوەکان + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.nl.html b/theme/overrides/home.nl.html new file mode 100644 index 00000000..1b45e309 --- /dev/null +++ b/theme/overrides/home.nl.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

De gids voor het herstellen van jouw online privacy.

+

Enorme organisaties houden jouw online activiteiten in de gaten. Privacy Guides is jouw centrale bron voor privacy en beveiliging om jezelf online te beschermen.

+ + Begin jouw privacyreis + + + Aanbevolen tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.pl.html b/theme/overrides/home.pl.html new file mode 100644 index 00000000..e5861e47 --- /dev/null +++ b/theme/overrides/home.pl.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Przewodnik do odzyskania swojej prywatności w Internecie.

+

Ogromne korporacje monitorują Twoją aktywność w Internecie. Privacy Guides to Twoje centrum dla prywatności oraz bezpieczeństwa, które pomoże Ci chronić się w Internecie.

+ + Rozpocznij swoją przygodę ku prywatności + + + Polecane narzędzia + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.pt-BR.html b/theme/overrides/home.pt-BR.html new file mode 100644 index 00000000..28cfcff6 --- /dev/null +++ b/theme/overrides/home.pt-BR.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

O guia para restaurar sua privacidade online.

+

Grandes organizações estão monitorando suas atividades online. Privacy Guides é sua central de recursos no que diz respeito a privacidade e segurança para se proteger online.

+ + Comece Sua Jornada de Privacidade + + + Ferramentas Recomendadas + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.pt.html b/theme/overrides/home.pt.html new file mode 100644 index 00000000..2b4df311 --- /dev/null +++ b/theme/overrides/home.pt.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

The guide to restoring your online privacy.

+

Massive organizations are monitoring your online activities. Privacy Guides is your central privacy and security resource to protect yourself online.

+ + Start Your Privacy Journey + + + Recommended Tools + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.ru.html b/theme/overrides/home.ru.html new file mode 100644 index 00000000..b459a40e --- /dev/null +++ b/theme/overrides/home.ru.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Руководство по возвращению вашей приватности в интернете.

+

Огромные организации следят за вашей деятельностью в Интернете. Privacy Guides - это ваш главный ресурс по конфиденциальности и безопасности для защиты себя в Интернете.

+ + Начните свой путь к приватности + + + Рекомендуемые инструменты + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.sv.html b/theme/overrides/home.sv.html new file mode 100644 index 00000000..c7e2d88c --- /dev/null +++ b/theme/overrides/home.sv.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

En guide till hur du återställer din integritet på nätet.

+

Stora organisationer övervakar dina aktiviteter på nätet. Privacy Guides är din centrala resurs för integritet och säkerhet för att skydda dig själv på nätet.

+ + Börja din resa i integritetsfrågor + + + Rekommenderade verktyg + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.tr.html b/theme/overrides/home.tr.html new file mode 100644 index 00000000..f80d51fc --- /dev/null +++ b/theme/overrides/home.tr.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Çevrimiçi gizliliğinizi yeniden sağlama rehberi.

+

Büyük kurumlar sizin çevrimiçi hareketlerinizi izliyor. Privacy Guides, kendinizi çevrimiçi olarak korumanız için merkezi gizlilik ve güvenlik kaynağıdır.

+ + Gizlilik Yolculuğunuza Başlayın + + + Tavsiye Edilen Araçlar + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.uk.html b/theme/overrides/home.uk.html new file mode 100644 index 00000000..bd5c88d4 --- /dev/null +++ b/theme/overrides/home.uk.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Посібник з відновлення вашої конфіденційності в Інтернеті.

+

Великі організації стежать за вашою діяльністю в Інтернеті. Privacy Guides — ваш головний ресурс для захисту конфіденційності та безпеки в Інтернеті.

+ + Почніть свою подорож до конфіденційності + + + Рекомендовані інструменти + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.vi.html b/theme/overrides/home.vi.html new file mode 100644 index 00000000..9dca41c7 --- /dev/null +++ b/theme/overrides/home.vi.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

Hướng dẫn khôi phục quyền riêng tư trực tuyến của bạn.

+

Các tổ chức đông đảo đang theo dõi các hoạt động trực tuyến của bạn. Privacy Guides là tài nguyên bảo mật và quyền riêng tư trung tâm của bạn để bảo vệ bạn khi trực tuyến.

+ + Start Your Privacy Journey + + + Các công cụ được đề xuất + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.zh-Hant.html b/theme/overrides/home.zh-Hant.html new file mode 100644 index 00000000..c3534252 --- /dev/null +++ b/theme/overrides/home.zh-Hant.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

重振網路隱私的線上指南。

+

巨型組織正在監視您的線上活動。 Privacy Guides 是您重要的網路隱私與安全資源。

+ + 按此開始您的隱私旅程 + + + 推薦工具 + +
+
+
+
+{% endblock %} diff --git a/theme/overrides/home.zh.html b/theme/overrides/home.zh.html new file mode 100644 index 00000000..ef59f1d1 --- /dev/null +++ b/theme/overrides/home.zh.html @@ -0,0 +1,47 @@ + +{% extends "main.html" %} +{% block extrahead %} + + {{ super() }} +{% endblock %} +{% block tabs %} + {{ super() }} + +
+
+
+
+

保护你的在线隐私

+

大规模组织正在监控你的在线活动。 Privacy Guides是您保护自己在线隐私的实用资源。

+ + 开始你的隐私之旅 + + + 推荐工具 + +
+
+
+
+{% endblock %}